Junos
Junos

Pinging host on unnumbered interface

‎04-02-2016 01:45 AM

Hey,

On a lab setup we have an vSRX (firefly) managing the external connectivity and while setting up an VPN to it I realized that not only could I not get it to answer on IKE requests on the untrusted intefrace, but I could not even get it to respond to pings.

So that's where I need to start, to be able to get the Junos Host to respond to pings on 89.63.245.188 (fakeip).

What makes is a tad special, or at least to me challenging, is the point-to-point setup with the unnumbered ge-0/0/0.0. It works fine, it does what it should on all IP's and all, but its just this small detail of the system self not being reachable from the outside.

 

Very greatful for some insight in what I've missed Smiley Wink

 

cj@vSRX1> show configuration | except SECRET-DATA | no-more
## Last commit: 2016-04-01 21:53:00 UTC by cj
version 12.1X47-D10.4;
system {
    host-name vSRX1;
    root-authentication {
    }
    login {
        user cj {
            uid 2000;
            class super-user;
            authentication {
            }
        }
        user fs {
            full-name;
            uid 2001;
            class super-user;
            authentication {
            }
        }
    }
    services {
        ssh;
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/1.0 ];
            }
        }
        dhcp {
            pool 10.49.0.0/24 {
                address-range low 10.49.0.64 high 10.49.0.127;
                domain-name proxmea.com;
                name-server {
                    10.31.0.207;
                    10.1.0.10;
                }
                router {
                    10.49.0.1;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                unnumbered-address lo0.0;
            }
            family inet6 {
                unnumbered-address lo0.0;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.49.0.1/24;
            }
            family inet6 {
                address 2001:4ba0:ffa0:008c:0000:0002:0000:0001/64;
            }
        }
    }
    fxp0 {
        unit 0;
    }
    lo0 {
        unit 0 {
            family inet {
                address 89.63.245.188/32;
                address 5.99.135.244/32;
            }
            family inet6 {
                address 2001:4ba0:ffa0:008c:0000:0001:0000:0001/128;
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 {
                next-hop 2001:4ba0:ffa0:1:beef::1;
                resolve;
            }
            route 2001:4ba0:ffa0:1:beef::1/128 {
                qualified-next-hop ge-0/0/0.0;
            }
        }
    }
    static {
        route 0.0.0.0/0 {
            next-hop 89.63.235.129;
            resolve;
        }
        route 89.63.235.129/32 {
            qualified-next-hop ge-0/0/0.0;
        }
        route 10.31.0.0/22 next-hop 10.49.0.4;
        route 10.1.0.0/22 next-hop 10.49.0.4;
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            pool Default-out-NAT {
                address {
                    89.63.245.188/32 to 89.63.245.188/32;
                }
            }
            pool APP10-outgoing-NAT {
                address {
                    5.99.135.244/32 to 5.99.135.244/32;
                }
            }
            rule-set default_nat {
                from zone trust;
                to zone untrust;
                rule APP10-outgoing-NAT {
                    match {
                        source-address 10.49.0.210/32;
                    }
                    then {
                        source-nat {
                            pool {
                                APP10-outgoing-NAT;
                            }
                        }
                    }
                }
                rule NAT {
                    match {
                        source-address 10.49.0.0/23;
                    }
                    then {
                        source-nat {
                            pool {
                                Default-out-NAT;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool se-vpn-inbound-nat {
                address 10.49.0.15/32 port 5555;
            }
            pool servicex-inbound-nat {
                address 10.49.0.196/32 port 25565;
            }
            pool arbl-dns-nat {
                address 10.49.0.198/32 port 53;
            }
            pool ec22-smtp-nat {
                routing-instance {
                    default;
                }
                address 10.49.0.201/32 port 25;
            }
            pool app10-smtp-nat {
                address 10.49.0.211/32 port 25;
            }
            pool app10-http-nat {
                address 10.49.0.211/32 port 80;
            }
            pool app10-https-nat {
                address 10.49.0.211/32 port 443;
            }
            pool app10-pops-nat {
                address 10.49.0.211/32 port 995;
            }
            pool app10-imaps-nat {
                address 10.49.0.211/32 port 993;
            }
            rule-set se-vpn-inbound-nat {
                from zone untrust;
                rule se-vpn-inbound-nat {
                    match {
                        destination-address 89.63.245.188/32;
                        destination-port {
                            5555;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                se-vpn-inbound-nat;
                            }
                        }
                    }
                }
                rule servicex-inbound-nat {
                    match {
                        destination-address 89.63.245.188/32;
                        destination-port {
                            25565;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                servicex-inbound-nat;
                            }
                        }
                    }
                }
                rule arbl-dns {
                    match {
                        destination-address 89.63.245.188/32;
                        destination-port {
                            53;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                arbl-dns-nat;
                            }
                        }
                    }
                }
                rule ec22-smtp {
                    match {
                        destination-address 89.63.245.188/32;
                        destination-port {
                            25;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                ec22-smtp-nat;
                            }
                        }
                    }
                }
                rule app10-smtp {
                    match {
                        destination-address 5.99.135.244/32;
                        destination-port {
                            25;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                app10-smtp-nat;
                            }
                        }
                    }
                }
                rule app10-http {
                    match {
                        destination-address 5.99.135.244/32;
                        destination-port {
                            80;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                app10-http-nat;
                            }
                        }
                    }
                }
                rule app10-https {
                    match {
                        destination-address 5.99.135.244/32;
                        destination-port {
                            443;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                app10-https-nat;
                            }
                        }
                    }
                }
                rule app10-imaps {
                    match {
                        destination-address 5.99.135.244/32;
                        destination-port {
                            993;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                app10-imaps-nat;
                            }
                        }
                    }
                }
                rule app10-pops {
                    match {
                        destination-address 5.99.135.244/32;
                        destination-port {
                            995;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                app10-pops-nat;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy se-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application se-vpn;
                }
                then {
                    permit;
                }
            }
            policy servicex-policy {
                match {
                    source-address any;
                    destination-address any;
                    application servicex-application;
                }
                then {
                    permit;
                }
            }
            policy arbl-dns-policy {
                match {
                    source-address any;
                    destination-address ec23;
                    application junos-dns-udp;
                }
                then {
                    permit;
                }
            }
            policy ec22-smtp-policy {
                match {
                    source-address any;
                    destination-address ec22-extrenalsmtp;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy app10 {
                match {
                    source-address any;
                    destination-address app10-external;
                    application [ junos-imaps junos-http junos-https custom-pops junos-smtp ];
                }
                then {
                    permit;
                }
            }
            policy app10-external-ipv6 {
                match {
                    source-address any-ipv6;
                    destination-address app10-external-ipv6;
                    application [ junos-smtp junos-imaps custom-pops junos-https junos-http ];
                }
                then {
                    permit;
                }
            }
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            address-book {
                address ec23 10.49.0.198/32;
                address ec22-extrenalsmtp 10.49.0.201/32;
                address app10-external 10.49.0.211/32;
                address app10-external-ipv6 2001:4ba0:ffa0:008c:0000:0002:0001:0001/128;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application se-vpn {
        application-protocol ignore;
        protocol tcp;
        destination-port 5555;
    }
    application servicex-application {
        application-protocol ignore;
        protocol tcp;
        destination-port 25565;
    }
    application custom-pops {
        application-protocol ignore;
        protocol tcp;
        destination-port 995;
    }
}
4 REPLIES 4
Junos

Re: Pinging host on unnumbered interface

‎04-02-2016 02:20 AM

Hello ,

 

Can you assign the loopback interface ( lo0.0 )  to a security zone and enable host inbound services .


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
Junos

Re: Pinging host on unnumbered interface

‎04-02-2016 02:54 AM

I tried this, but still no better result:

[edit security zones security-zone untrust interfaces]
      ge-0/0/0.0 { ... }
+     lo0.0 {
+         host-inbound-traffic {
+             system-services {
+                 ping;
+             }
+         }
+     }
Junos

Re: Pinging host on unnumbered interface

‎04-04-2016 06:12 AM

Hmm, noone?
This must be a quiet trivial fault from my side, but I can't figure it out for the world.

 

The only way I've managed to get a response from an untrust IP is to NAT it to the inside (trust) of the vSRX - which is nasty-not-done!

Junos
Solution
Accepted by topic author jrnker
‎04-04-2016 12:15 PM

Re: Pinging host on unnumbered interface

‎04-04-2016 12:14 PM

Ok, got it! Or rather I didn't, but a friend of a friend did. Thanks D! 

 

So the culprit was that we're having an interface and a loopback adapter in the same zone, but we also needed to have a policy allowing that traffic to take place.

set security policies from-zone untrust to-zone untrust policy ge-0_0_0-lo0_0-permit match source-address any
set security policies from-zone untrust to-zone untrust policy ge-0_0_0-lo0_0-permit match destination-address any
set security policies from-zone untrust to-zone untrust policy ge-0_0_0-lo0_0-permit match application junos-icmp-ping
set security policies from-zone untrust to-zone untrust policy ge-0_0_0-lo0_0-permit then permit

Cheers,

Chris