SRX Services Gateway

SRX 300 server from trusted unable to ping on untrusted server

‎11-06-2017 12:35 AM

Hi all, I configured SRX 300 firewalls with HA, but strangely I am unable to ping from a trusted-zone device to an untrusted-zone device. I already allow all services in the security policy. Can anyone help with this? I will upload the config and a simple network diagram.

3 REPLIES

Re: SRX 300 server from trusted unable to ping on untrusted server

‎11-06-2017 12:41 AM

Below is my configuration:


## Last changed: 2017-10-09 14:57:49 UTC
version 15.1X49-D45;
groups {
    node0 {
        system {
            host-name FWICCP1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.11/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name FWICCP2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.12/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$5$xWvOGEgr$wA5BIpbSz12X.ciy/ry7S5mv7Y4kUutHO.2PkHuW2K."; ## SECRET-DATA
    }
    services {
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
}
chassis {
    cluster {
        reth-count 3;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}
security {
    ike {
        respond-bad-spi 1;
    }
    screen {
        ids-option Untrust_screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                /* Using default value for timeout since not within range 0-50 */
                syn-flood {
                    timeout 20;
                }
                land;
            }
        }
        ids-option V1-Untrust_screen {
            tcp {
                /* Using default value for timeout since not within range 0-50 */
                syn-flood {
                    timeout 20;
                }
            }
        }
    }
    policies {
        from-zone Trusted to-zone Untrusted {
            policy Policy1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Untrusted to-zone Trusted {
            policy UntrustP1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Trusted {
            address-book {
                address 192.168.1.1/32 192.168.1.1/32;
                address 192.168.5.102/32 192.168.5.102/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone Untrusted {
            address-book {
                address 192.168.5.11/32 192.168.5.11/32;
                address 192.168.5.0/24 192.168.5.0/24;
                address 172.18.2.0/24 172.168.2.0/24;
                address 172.18.2.9/32 172.18.2.9/32;
            }
            screen V1-Untrust_screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0;
                reth2.0;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-1/0/3 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-1/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-1/0/5 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-1/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.5.11/24;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 172.18.2.7/16;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.18.2.1;
        route 10.130.21.0/24 next-hop 192.168.5.110;
        route 192.168.5.11/32 next-hop 192.168.5.102;
    }
    auto-export {
        disable;
    }
}
firewall {
    filter AllowManageTraffic_192_168_1_11 {
        /* From set interface ... manage-ip/manageable */
        term services-allow {
            from {
                destination-address {
                    192.168.1.11/32;
                    192.168.5.102/32;
                    172.18.2.8/32;
                }
                protocol tcp;
            }
            then accept;
        }
        term deny-remainder {
            then {
                reject;
            }
        }
    }
}

 


Re: SRX 300 server from trusted unable to ping on untrusted server

‎11-06-2017 01:23 AM

Multiple comments/questions:

  1. I see you are running 15.1X49-D45. I strongly recommend you upgrade to 15.1X49-D110, as there are multiple bugs in the initial releases.
  2. As you don't have any NAT configured, does the destination device in the untrusted zone have a return route for reaching your 192.168.1.0/24 network?
  3. I recommend you move your fxp0 IP addresses to a different range from your reth0 to avoid issues accessing the cluster (if you connect to fxp0 on the active node, your connecting device will lose connectivity via reth0 until ARP updates).

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
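Point 3 above in concrete form. The set-style listing below is an added example, not part of the thread or the poster's configuration: it shows the fxp0 addressing exactly as posted beside a version that moves fxp0 onto its own management subnet. The 10.255.0.0/24 management subnet, its 10.255.0.1 gateway and the 10.255.1.0/24 admin network are assumptions chosen for the example; the `#` lines are annotations, not CLI input.

```junos
# As posted: fxp0 on both nodes sits in the same 192.168.1.0/24 as reth0, so a
# host on that subnet can reach the cluster through either interface and its
# ARP entry for the SRX flips between the fxp0 and reth0 MACs.
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.1.11/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.1.12/24
set interfaces reth0 unit 0 family inet address 192.168.1.1/24

# Corrected: dedicated out-of-band management subnet (10.255.0.0/24 is assumed).
# The node-specific groups keep a distinct address per node, as in the original.
delete groups node0 interfaces fxp0 unit 0 family inet address 192.168.1.11/24
delete groups node1 interfaces fxp0 unit 0 family inet address 192.168.1.12/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.255.0.11/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.255.0.12/24

# Once fxp0 is off the reth0 subnet, replies to a remote admin network must
# leave via fxp0 rather than the 0/0 route on reth2. backup-router installs that
# route on each node independently of rpd, so the secondary node stays
# reachable too (10.255.0.1 gateway and 10.255.1.0/24 admin network assumed).
set groups node0 system backup-router 10.255.0.1 destination 10.255.1.0/24
set groups node1 system backup-router 10.255.0.1 destination 10.255.1.0/24

# J-Web is bound to fxp0.0 (system services web-management http interface
# fxp0.0), so it follows the new address with no further change.
show | compare
commit
```

Commit from the primary node; the cluster synchronises the configuration to the secondary. Unrelated to the ping problem but visible in the same posted config: the Untrusted address-book entry named 172.18.2.0/24 actually carries the prefix 172.168.2.0/24. It is harmless while Policy1 and UntrustP1 match `any`, but it will silently leave out the real 172.18.2.0/24 the moment the policies are tightened to address-book objects.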

Re: SRX 300 server from trusted unable to ping on untrusted server

‎11-06-2017 03:03 AM
Are you able to ping your respective peer devices in the trust and untrust zones from the SRX itself first? Also, do your peer devices have routing for the network behind your FW?

*************************************
HTH.
Accept this as solution if it resolved your issue.
Kudos would be appreciated too.
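The checks the two replies ask for (cluster state, pinging each peer from the SRX itself, and confirming the peers route back), as an added example session that is not from the thread. Prompts and the expected output in the comments are illustrative. 172.18.2.9 is the untrusted host already present in the posted address book; the trusted host 192.168.1.50 is an assumption; the source-port and destination-port values are placeholders that `show security match-policies` requires even for ICMP.

```junos
{primary:node0}
user@FWICCP1> show chassis cluster status
# Both RG0 and RG1 should be primary on node0 (priority 200). Only the node
# holding RG1 forwards traffic on reth0/reth1/reth2.

user@FWICCP1> show interfaces terse | match reth
# reth0.0, reth1.0 and reth2.0 must all show up/up on the RG1 primary.

# 1. Can the SRX itself reach each side? Source the ping from the reth address
#    so the peer's ARP entry and return route are exercised, not fxp0's.
user@FWICCP1> ping 192.168.1.50 source 192.168.1.1 count 3
user@FWICCP1> ping 172.18.2.9 source 172.18.2.7 count 3

# 2. Which route and egress interface does the SRX choose for the target?
user@FWICCP1> show route 172.18.2.9
# Expect the connected 172.18.0.0/16 via reth2.0, not the 0.0.0.0/0 route.

# 3. Does the policy lookup for this exact flow land on Policy1?
user@FWICCP1> show security match-policies from-zone Trusted to-zone Untrusted source-ip 192.168.1.50 destination-ip 172.18.2.9 protocol icmp source-port 1 destination-port 1

# 4. Start the ping from the trusted host, then look for its session. A
#    session whose Out wing shows Pkts: 0 means the echo left through reth2
#    but nothing came back: the untrusted host (or 172.18.2.1) has no route
#    to 192.168.1.0/24, which is the return-route question from the replies.
user@FWICCP1> show security flow session destination-prefix 172.18.2.9 protocol icmp
user@FWICCP1> show security policies hit-count from-zone Trusted to-zone Untrusted

# 5. No session at all: trace what the flow engine does with the packet.
user@FWICCP1> configure
user@FWICCP1# set security flow traceoptions file flowtrace size 1m files 3
user@FWICCP1# set security flow traceoptions flag basic-datapath
user@FWICCP1# set security flow traceoptions packet-filter pf1 source-prefix 192.168.1.50/32 destination-prefix 172.18.2.9/32
user@FWICCP1# commit and-quit
user@FWICCP1> show log flowtrace | match "routed|policy search|packet dropped"

# Remove the trace when finished; basic-datapath logging is expensive.
user@FWICCP1> configure
user@FWICCP1# delete security flow traceoptions
user@FWICCP1# commit and-quit
```

On the untrusted host itself (assumed to be Linux), `ip route get 192.168.1.50` shows which gateway it would answer through. If that is 172.18.2.1 rather than the SRX at 172.18.2.7, add `ip route add 192.168.1.0/24 via 172.18.2.7` on the host, or the equivalent static route on the 172.18.2.1 router, since the posted config has no source NAT to hide 192.168.1.0/24. The same check applies to devices on the 192.168.5.0/24 side behind reth1.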