SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX - query

    Posted 08-03-2018 14:41
    Hello All ,

    This may be a very simple question for you, but I am not able to think why this is happening, so I am asking for your help or insight on the same.

    I have an IP on a trusted interface on the SRX, and I have NATed, or to be precise I have done source NAT for, this subnet to reach the internet. The devices connected under this subnet are able to reach the internet, but my question is: will I be able to ping IPs like Google DNS, or any other IP on the internet, from the trusted firewall interface IP configured on the firewall interface? If yes, how, and if not, why?

    Regards
    Shaan


  • 2.  RE: SRX - query

    Posted 08-03-2018 14:48

    It depends on whether the interface IP address is included in your source NAT statement and whether you have a policy to permit the traffic.  If so, you should be able to.  If you were to just do "ping 8.8.8.8", it should use the public interface though.



  • 3.  RE: SRX - query

    Posted 08-03-2018 14:54
    Yes, I do have the interface IP included in the subnet, but still the interface IP is not able to reach the internet, and I have the rule already, as the devices which are in the subnet are able to reach the internet.

    Regards
    Shaan


  • 4.  RE: SRX - query

    Posted 08-03-2018 15:02

    Capture the traffic flow to see what is happening.

     

    Example 2 from

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16108&actp=METADATA
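    As an added example of the capture post 4 suggests (this is not from the thread or from KB16108): a flow traceoptions capture in Junos set syntax, narrowed with a packet-filter to the one test ping so the trace file stays readable. The trust interface address 10.0.0.1, the target 8.8.8.8 and the file name are assumptions.

```junos
## Added example, not from the thread or KB16108. Assumed: the trust interface IP
## is 10.0.0.1 and the test target is 8.8.8.8; adjust the packet-filter to your case.
## Always use a packet-filter: an unfiltered basic-datapath trace can swamp the RE.
set security flow traceoptions file flow-debug.log
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter self-ping source-prefix 10.0.0.1/32
set security flow traceoptions packet-filter self-ping destination-prefix 8.8.8.8/32
commit

## Generate the traffic from configuration mode, sourced from the trust interface IP
## (a plain "ping 8.8.8.8" would pick the untrust interface address instead).
run ping 8.8.8.8 source 10.0.0.1 count 3

## Read the trace: for each packet you should see the route lookup, the policy search
## between the source and destination zones, and whether a source NAT rule was hit.
## A packet routed out of untrust with an untranslated 10.0.0.1 source is the symptom
## from post 3; a dropped packet points at policy or at a missing route.
run show log flow-debug.log

## Remove the trace when done; it is a debugging aid, not a permanent setting.
delete security flow traceoptions
commit
```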



  • 5.  RE: SRX - query

    Posted 08-03-2018 18:05

    Hi,

    Please refer to the KB on NATing the SRX's self-generated traffic:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB26372&cat=SRX_SERIES&actp=LIST



  • 6.  RE: SRX - query

    Posted 08-05-2018 03:13

    Thank you Nellika for your response, it works now.

    Regards

    Shaan



  • 7.  RE: SRX - query

    Posted 08-03-2018 18:02

    Your current NAT rule is from the zone of the interface to untrust, which will cover all hosts connected to that subnet behind the SRX.

    But the SRX itself and all of its interfaces are in the junos-host zone.  So you need to add a rule from zone junos-host to zone untrust to apply NAT to these interfaces.



  • 8.  RE: SRX - query

    Posted 08-05-2018 03:15

    Thanks spuluka.

    Regards

    shaan



  • 9.  RE: SRX - query

    Posted 08-05-2018 04:44

    Dear All ,

    As updated earlier, my query has been answered and I tested and it works fine, but my doubt is: I don't have a rule for junos-host from trust to untrust; the rule I configured earlier is for remote access to junos-host from untrust so that I can access Junos remotely. So how come only NATing made the trust interface IP on Junos reach the internet?

    Regards

    shaan



  • 10.  RE: SRX - query
    Best Answer

    Posted 08-05-2018 05:00

    By default, outbound access from junos-host is always permitted, so no configuration is needed to allow outbound ping from the SRX.

    For inbound connections to the SRX, permissions are granted based on the zone configuration under host-inbound-traffic.  If the service or protocol is permitted by the zone setting, then it allows all inbound to the SRX by default.

    You only need to configure a security policy with the junos-host zone if you want to override these settings, either to restrict outbound traffic from the default allow-all, or to restrict inbound traffic by IP address instead of just protocol or service.
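    As an added example putting posts 7 and 10 together (this is not configuration from the thread, from KB26372 or from Juniper's documentation): the junos-host source NAT rule-set next to the existing trust rule-set, the host-inbound-traffic settings that gate what the SRX will accept, and an optional to-zone junos-host policy that narrows inbound SSH by source address. Interface names ge-0/0/0.0 and ge-0/0/1.0, the addresses 10.0.0.0/24, 10.0.0.1 and 203.0.113.10, and all rule and policy names are assumptions.

```junos
## Added example, not from the thread or Juniper's KBs. Assumed: trust interface
## ge-0/0/1.0 with IP 10.0.0.1/24, untrust interface ge-0/0/0.0 facing the internet,
## management host 203.0.113.10. Names and addresses are hypothetical.

## 1. The existing rule-set that NATs hosts behind the trust interface. It matches
##    from-zone trust, so packets the SRX sources itself (zone junos-host) never hit it.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule lan-out match source-address 10.0.0.0/24
set security nat source rule-set trust-to-untrust rule lan-out then source-nat interface

## 2. Post 7: a second rule-set from zone junos-host so self-generated traffic
##    (ping sourced from 10.0.0.1, DNS, NTP, ...) is translated to the untrust
##    interface address as well.
set security nat source rule-set self-to-untrust from zone junos-host
set security nat source rule-set self-to-untrust to zone untrust
set security nat source rule-set self-to-untrust rule self-out match source-address 10.0.0.1/32
set security nat source rule-set self-to-untrust rule self-out then source-nat interface

## 3. Post 10: inbound to the SRX is gated per zone/interface by host-inbound-traffic.
##    A policy alone does not open a service; it must be listed here first.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

## 4. Optional: limit inbound SSH from untrust to one management host. host-inbound-traffic
##    says which services the interface listens for; the junos-host policy then decides
##    which sources may reach them. Once any policy exists for this zone pair, traffic
##    that matches no policy falls through to the default-policy (deny-all unless changed),
##    so the ping policy below is needed to keep ping from untrust working.
set security address-book global address mgmt-host 203.0.113.10/32
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match source-address mgmt-host
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match destination-address any
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh then permit
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh then log session-init
set security policies from-zone untrust to-zone junos-host policy icmp-in match source-address any
set security policies from-zone untrust to-zone junos-host policy icmp-in match destination-address any
set security policies from-zone untrust to-zone junos-host policy icmp-in match application junos-ping
set security policies from-zone untrust to-zone junos-host policy icmp-in then permit
commit

## Check: the self-to-untrust rule's translation hit counter should increase after a
## ping sourced from 10.0.0.1, and the session should show the translated source.
run ping 8.8.8.8 source 10.0.0.1 count 3
run show security nat source rule all
run show security flow session destination-prefix 8.8.8.8
```

    No from-zone junos-host to-zone untrust policy is configured here on purpose: as post 10 says, outbound from junos-host is permitted by default, and only the NAT rule-set was missing. Add such a policy only if you want to restrict what the SRX itself may initiate toward the internet.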

     



  • 11.  RE: SRX - query

    Posted 08-05-2018 05:09

    Thank you for the quick reply.

    Regards

    shaan