SRX Services Gateway

SRX - query

‎08-03-2018 02:40 PM
Hello All,

This may be a very simple question for you people, but I am not able to think why this is happening, so I am asking for your help or insight on the same.

I have an IP on a trusted interface on the SRX and I have NATed, or to be precise I have done source NAT for this subnet to reach the internet, and the devices connected under this subnet are able to reach the internet. But my question is: will I be able to ping IPs like the Google DNS or any other IP on the internet from the trusted firewall interface IP configured on the firewall interface? If yes, how, and if not, why?

Regards
Shaan

Re: SRX - query

‎08-03-2018 02:47 PM

It depends on if the interface IP address is included in your source NAT statement and if you have a policy to permit the traffic.  If so, you should be able to.  If you were to just do "ping 8.8.8.8", it should use the public interface though.


Re: SRX - query

‎08-03-2018 02:53 PM
Yes, I do have the interface IP included in the subnet, but the interface IP is still not able to reach the internet, and I already have the rule, as the devices which are in the subnet are able to reach the internet.

Regards
Shaan

Re: SRX - query

‎08-03-2018 03:02 PM

Capture the traffic flow to see what is happening.

Example 2 from

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16108&actp=METADATA


Re: SRX - query

‎08-03-2018 06:02 PM

Your current NAT rule is from the zone of the interface to the untrust zone, which will cover all hosts connected to that subnet behind the SRX.

But the SRX itself and all of its interfaces are in the junos-host zone.  So you need to add a rule from zone junos-host to zone untrust to apply NAT to these interfaces.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX - query

‎08-03-2018 06:04 PM

Hi,

Please refer to the KB to NAT the SRX self-generated traffic:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26372&cat=SRX_SERIES&actp=LIST

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX - query

‎08-05-2018 03:12 AM

Thank you Nellikka for your response, it works now.

Regards

Shaan


Re: SRX - query

‎08-05-2018 03:15 AM

Thanks spuluka.

Regards

Shaan


Re: SRX - query

‎08-05-2018 04:44 AM

Dear All,

As updated earlier, my query has been answered and I tested it and it works fine. But my doubt is: I don't have a rule for junos-host from trust to untrust. The rule I configured earlier is for remote access to junos-host from untrust so that I can access Junos remotely. So how come only NATing made the trust interface IP on the Junos reach the internet?

Regards

Shaan

Solution accepted by topic author shaan129, ‎08-05-2018 05:08 AM

Re: SRX - query

‎08-05-2018 04:59 AM

By default, access outbound from junos-host is always permitted, so no configuration is needed to allow outbound ping from the SRX.

For inbound connections to the SRX, permissions are granted based on the zone configuration under host-inbound-traffic.  If the service or protocol is permitted by the zone setting, then it allows all inbound to the SRX by default.

You only need to configure a security policy with the junos-host zone if you want to override these settings, either to restrict outbound traffic from the default allow-all, or to restrict inbound traffic by IP address instead of just protocol or service.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
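As an added example that is not from the thread or from the Juniper KBs linked above, here is the junos-host source NAT rule-set spuluka describes, next to the existing trust-to-untrust rule-set that only covers hosts behind the interface, plus the host-inbound-traffic setting that governs inbound access to the SRX. Interface names, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and all rule-set, rule, address-book and policy names are assumptions.

```junos
# Added example, not from the thread. Assumed: trust interface ge-0/0/1.0 with
# 192.0.2.1/24 (constructed documentation range), untrust uplink ge-0/0/0.0.

# Existing rule-set: matches hosts BEHIND the trust interface (zone trust), so the
# SRX's own 192.0.2.1 never hits it - self-generated traffic leaves from junos-host.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule lan-out match source-address 192.0.2.0/24
set security nat source rule-set trust-to-untrust rule lan-out then source-nat interface

# Added rule-set: NAT the firewall's own interface address when it sources traffic
# (e.g. "ping 8.8.8.8 source 192.0.2.1") towards untrust.
set security nat source rule-set junos-host-to-untrust from zone junos-host
set security nat source rule-set junos-host-to-untrust to zone untrust
set security nat source rule-set junos-host-to-untrust rule self-out match source-address 192.0.2.1/32
set security nat source rule-set junos-host-to-untrust rule self-out then source-nat interface

# No policy from junos-host is required for the ping: outbound from the SRX itself
# is permitted by default. Inbound TO the SRX is controlled per zone by
# host-inbound-traffic, so only list the services each zone really needs.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh

# Optional override (assumed address-book name): restrict inbound SSH from untrust
# to one management range instead of the zone-wide "any source" default.
set security address-book global address mgmt-net 198.51.100.0/24
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match source-address mgmt-net
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match destination-address any
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh then permit
```

After committing, "show security nat source rule all" and "show security flow session" let you confirm which rule-set the self-sourced ping actually matched.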

Re: SRX - query

‎08-05-2018 05:08 AM

Thank you for the quick reply.

Regards

Shaan
