SRX Services Gateway

SRX device login can ping an IP on trusted interface can't

08-03-2019 09:56 PM

I've been challenged with configuring an SRX 240 lately, and one of the issues is with a port connected to another subnet with no VLANs.

ge-0/0/14 is assigned the static IP 192.168.10.101.

    ge-0/0/14 {
        unit 0 {
            family inet {
                address 192.168.10.101/24;
            }
        }
    }

When I connect it to a switch that is providing the subnet 192.168.10.0/24, I can ping this static IP and the defined router 192.168.10.254 at the switch while I'm logged into the SRX.

But if I obtain a trusted IP in Management-subnet from the SRX on a PC, I can ping ge-0/0/14's 192.168.10.101 but not the router 192.168.10.254. I have a trust-to-trust policy that looks like this:

        from-zone trust to-zone trust {
            policy Intra-trust-allow {
                match {
                    source-address Management-subnet;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }

My trust zone looks like this:

    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.72;
                vlan.82;
                vlan.99;
                ge-0/0/13.0;
                ge-0/0/14.0;
            }
        }
    }

Management-subnet looks like this:

    address-book {
        global {
            address Management-Subnet {
                range-address a.b.d.1 {
                    to {
                        a.b.d.254;
                    }
                }
            }
        .
        .
        }
        Trusted-Addresses {
            address Management-subnet {
                wildcard-address a.b.d.0/255.255.255.0;
            }
            attach {
                zone trust;
            }
        }
    }

How can I trace rule application on the SRX?

Thanks!
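Editor's note: the following is an added example of how to trace a single flow on an SRX, not something posted in this thread. It assumes the thread's addressing as written (a.b.d.100 is the PC's management address, with a.b.d masked as in the original posts); the traceoptions file name flow-trace and the packet-filter name pf1 are arbitrary choices. Policy lookup is only the first of four checks; the route, the zone of the egress interface and the session table tell you whether packets actually left and whether replies came back.

```junos
## Added example (not from the original post): find out where the SRX
## handles a PC's ping to 192.168.10.254. Placeholders: a.b.d.100 is the
## PC's management IP as written in the thread; flow-trace and pf1 are
## arbitrary names.

## 1. Which policy would match an ICMP echo from the PC?
show security match-policies from-zone trust to-zone trust source-ip a.b.d.100 destination-ip 192.168.10.254 source-port 1024 destination-port 1 protocol icmp

## 2. Which interface does the SRX use to reach the destination, and is that
##    interface really in the zone the policy lookup assumed?
show route 192.168.10.254
show interfaces ge-0/0/14.0 terse
show security zones trust

## 3. Is a session created, and do replies come back?
##    An In wing with "Pkts: N" and an Out wing with "Pkts: 0" means the SRX
##    forwarded the echo request out ge-0/0/14.0 but never saw a reply;
##    that points at the far side, not at the policy.
show security flow session destination-prefix 192.168.10.254

## 4. Packet-level trace limited to this one flow (configuration mode).
configure
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pf1 source-prefix a.b.d.100/32
set security flow traceoptions packet-filter pf1 destination-prefix 192.168.10.254/32
commit and-quit
show log flow-trace

## 5. Remove the trace when finished; basic-datapath tracing is expensive on
##    a branch SRX and the log file keeps growing while it is configured.
configure
delete security flow traceoptions
commit and-quit
```

Run steps 1 to 3 first; they are operational-mode commands and change nothing. Only reach for the flow trace in step 4 if the session table does not already explain the drop, and always apply the packet filter so the trace does not capture every flow on the box.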

5 REPLIES

Re: SRX device login can ping an IP on trusted interface can't

08-03-2019 10:34 PM

Where is this PC connected: to the SRX directly, or to the switch? Is the IP 192.168.10.254 assigned to the switch, or to a different router connected to the switch?

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Re: SRX device login can ping an IP on trusted interface can't

08-03-2019 11:59 PM

Hi Klui,

It would be great if you could provide us with a topology with IP addressing.

Thanks,
π00bm@$t€®.
Re: SRX device login can ping an IP on trusted interface can't

08-04-2019 02:23 PM

Thanks guys for your replies.

The PC is connected to another switch via a trunk port at ge-0/0/15.

    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-Management vlan-User ];
                }
                native-vlan-id vlan-trust;
            }
        }
    }

The switch has ports that are in VLAN 82 and VLAN 72, and the PC is connected to a port with PVID 82 and gets the IP a.b.d.100.

192.168.10.254 is assigned to that switch's virtual router. The only link is between the switch port on which the 192.168.10.0/24 subnet and router 192.168.10.254 are defined and ge-0/0/14. This switch port is defined as untagged VLAN 10. ge-0/0/14 has no VLAN defined.

Let me know if things aren't clear or you need more information.

Thanks.

Re: SRX device login can ping an IP on trusted interface can't

08-04-2019 06:27 PM

Re-configure ge-0/0/14 as a VLAN 10 access port, or configure another interface between the switch (192.168.10.254) and the SRX as a VLAN 10 access port. I hope the IP address of the vlan.82 interface is in the range of 192.168.10.0/24.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Re: SRX device login can ping an IP on trusted interface can't

08-05-2019 01:11 AM

I tried to do this, but it requires me to define a VLAN (I just used 100, named vlan-Misc), and when I set it, I can't set an IP address for the port. This interface is intended for connecting to my modem's LAN (no VLANs), and I just want to set a static IP outside its DHCP scope so I can obtain its statistics.

Is there a reason why I could ping the router interface from the SRX's login but not through an IP in my management subnet? The management subnet is not in 192.168.10.0/24. I tried running the show security match-policies command, passing my management subnet IP as source and 192.168.10.254 as destination, and it returns my Intra-trust-allow policy. The output leads me to believe my policies are correct but there is something else wrong in my configuration. But I'm not sure where the SRX is preventing me from accessing the remote gateway IP. From my switch I can ping 192.168.10.254 and ge-0/0/14's IP (192.168.10.101).

Thanks!
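Editor's note: the following is an added example, not a reply in this thread, and it rests on an assumption the thread does not confirm: that the device at 192.168.10.254 has no route back to the management subnet. That would explain the symptom exactly as described. A ping from the SRX CLI is sourced from 192.168.10.101, which is on the 192.168.10.0/24 subnet, so the reply comes straight back; a ping from the PC is forwarded out ge-0/0/14.0 with its original source a.b.d.100, the policy permits it (which is all match-policies checks), and the far side has nowhere to send the echo reply. The session table can confirm this before anything is changed. If it does, either add a route for the management subnet via 192.168.10.101 on the far router, or, when that box is an ISP modem you cannot configure, hide management traffic behind the SRX's own interface address with source NAT as below. a.b.d.0/24 is the thread's masked management subnet; the rule-set name mgmt-to-modem and rule name hide-mgmt are arbitrary.

```junos
## Added example (not from the thread). Assumes the far router at
## 192.168.10.254 cannot route back to a.b.d.0/24 (the thread's masked
## management subnet). Names mgmt-to-modem and hide-mgmt are arbitrary.

## Confirm first. While the PC pings 192.168.10.254, a session whose In wing
## shows Pkts > 0 and whose Out wing shows Pkts: 0 means requests left via
## ge-0/0/14.0 and no replies were seen: a return-path problem, not policy.
show security flow session source-prefix a.b.d.100 destination-prefix 192.168.10.254

## Fix on the SRX side: translate management traffic leaving ge-0/0/14.0 to
## the interface address 192.168.10.101, which the far side can already reach.
configure
set security nat source rule-set mgmt-to-modem from zone trust
set security nat source rule-set mgmt-to-modem to interface ge-0/0/14.0
set security nat source rule-set mgmt-to-modem rule hide-mgmt match source-address a.b.d.0/24
set security nat source rule-set mgmt-to-modem rule hide-mgmt match destination-address 192.168.10.0/24
set security nat source rule-set mgmt-to-modem rule hide-mgmt then source-nat interface
commit and-quit

## Verify: the Out wing of the new session now shows 192.168.10.254 replying
## to 192.168.10.101, and the NAT rule's translation hit counter increments.
show security flow session destination-prefix 192.168.10.254
show security nat source rule all
```

The rule is deliberately narrow: it matches only the management subnet going to 192.168.10.0/24 and is bound to the single egress interface, so it cannot silently translate anything else the trust zone sends. The existing Intra-trust-allow policy still has to permit the flow; NAT does not replace it, and the policy lookup happens on the pre-translation source address, which is why the address-book entry keeps working unchanged.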