The config is pasted below; aside from censoring a few bits like passwords, this is what I am presently running.
1. Yes, I can ping end to end. When I send packets larger than the FW MTU as a single packet, it correctly fragments them and they are received at the far end. The problem is when I send a pre-fragmented packet, one that has already left the sender machine fragmented because that is how the software creates the packets. I'm wondering whether forwarding already-fragmented packets is unsupported or a known bug?
2. At the moment they are both on the host, but in future I will need to exchange traffic with a VM environment.
3. UDP. Yes, I did, and I can confirm it does not reach it.
Thanks for the help
## Last changed: 2014-12-10 11:22:12 GMT
version 12.1X44.3;
# Management plane: root credential, resolvers, local admin user, remote-access services and logging.
system {
host-name FWOpen;
time-zone GMT;
root-authentication {
encrypted-password "xxxxxxx";
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
# Single local super-user account (hash redacted in this paste).
user xxxxxx {
uid 2001;
class super-user;
authentication {
encrypted-password "xxxxxxx";
}
}
}
services {
ssh;
# telnet and http are cleartext management protocols: logins to them are observable on the wire.
# https on the same interfaces already provides an encrypted alternative for web-management.
telnet;
web-management {
http {
interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/7.0 ];
}
https {
# Self-signed certificate; clients cannot verify the device identity without pinning it.
system-generated-certificate;
interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/7.0 ];
}
session {
idle-timeout 60;
}
}
}
syslog {
# Remote syslog collector; 192.168.1.0/24 is reached via the static route through 192.168.0.1 (ge-0/0/1 subnet).
host 192.168.1.4 {
authorization info;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
# Physical interfaces. Only ge-0/0/1 and ge-0/0/2 carry a raised MTU (1800); ge-0/0/0 (Internet zone) keeps the default.
# Traffic between the 1800-byte interfaces and ge-0/0/0 therefore crosses an MTU boundary.
interfaces {
# Internet-zone uplink, default MTU.
ge-0/0/0 {
unit 0 {
family inet {
address 10.244.0.17/24;
}
}
}
# Internal zone; also the source-address used for security-log streaming below.
ge-0/0/1 {
mtu 1800;
unit 0 {
family inet {
address 192.168.0.2/24;
}
}
}
# Internal zone; its address is also the local PIM RP address.
ge-0/0/2 {
mtu 1800;
unit 0 {
family inet {
address 10.244.5.201/24;
}
}
}
# Layer-2 only; no inet address and not bound to any security zone in this config.
ge-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
# Maintenance zone.
ge-0/0/7 {
unit 0 {
family inet {
address 192.168.123.1/24;
}
}
}
}
# Static routing only; no default route is configured.
routing-options {
static {
# 10/8 via the next hop on the ge-0/0/0 subnet; 192.168.1/24 (syslog and SIEM collector) via the ge-0/0/1 subnet.
route 10.0.0.0/8 next-hop 10.244.0.18;
route 192.168.1.0/24 next-hop 192.168.0.1;
}
}
# Control-plane protocols: PIM dense mode on every interface (fxp0 excluded) and spanning tree.
protocols {
pim {
rp {
local {
family inet {
# RP is the ge-0/0/2 address.
address 10.244.5.201;
}
}
}
# "interface all" includes the Internet-zone interface ge-0/0/0; the zones below admit all protocols
# inbound, so PIM neighbours can form on the untrusted side as well.
interface all {
mode dense;
version 2;
}
interface fxp0.0 {
disable;
}
}
stp;
}
# Security plane: logging, IKE tracing, policies and zones.
# NOTE(review): no security screen or flow-level fragment settings appear in this paste, so whether the flow
# module reassembles or drops the pre-fragmented UDP described in the post cannot be read from the config;
# flow statistics / traceoptions on the device would show fragment drops — verify there.
security {
log {
mode stream;
# Streams from the ge-0/0/1 address to the same collector host as system syslog.
source-address 192.168.0.2;
stream SIEM {
format syslog;
host {
192.168.1.4;
}
}
}
ike {
# "flag all" is the most verbose IKE trace; no IKE gateway or proposal is visible in this paste,
# so it is presumably idle — confirm, and narrow it once any VPN work is finished.
traceoptions {
flag all;
}
}
application-tracking {
first-update;
}
# All three policies are any/any/any permit, including Internet -> Internal, so no transit traffic is
# filtered in either direction. The address-book entries defined in the zones are not referenced here.
policies {
from-zone Internal to-zone Internet {
policy internaltowan {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone Internal {
policy wantointernal {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone Internal {
policy internaltointernal {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
# Every zone, and every interface within it, accepts all system-services and all protocols towards the
# device itself; on the Internet zone (ge-0/0/0) this exposes the management services enabled under
# system services (ssh, telnet, http, https) to the untrusted side.
zones {
security-zone Internal {
address-book {
address InternalAddresses 192.168.0.0/16;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
application-tracking;
}
security-zone Internet {
address-book {
address WANSources 10.0.0.0/8;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
application-tracking;
}
# Declared but has no interfaces or policies bound to it.
security-zone undefined;
security-zone Maintenance {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
# Firewall-user authentication profile. None of the policies above invoke firewall authentication,
# so this profile is not exercised by anything visible in this paste.
access {
profile juniperUsers {
authentication-order password;
client juniper {
firewall-user {
password "xxxxxxx";
}
}
}
}