Hi Mohamed, thank you for your reply.
I didn't make any modifications to the configuration, but the SRX seems to behave as a router, not as a firewall.
Here is some show output from the EX switch:
lab@SW-EX# run show route
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.210.14.128/27 *[Direct/0] 1w3d 02:20:51
> via me0.0
10.210.14.141/32 *[Local/0] 1w3d 02:20:51
Local via me0.0
DMZ-Router.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:04
> to 10.7.0.254 via ge-0/0/7.0
10.7.0.0/24 *[Direct/0] 00:00:04
> via ge-0/0/7.0
10.7.0.1/32 *[Local/0] 00:00:04
Local via ge-0/0/7.0
INSIDE-Router.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:04
> to 10.6.0.254 via ge-0/0/6.0
10.6.0.0/24 *[Direct/0] 00:00:04
> via ge-0/0/6.0
10.6.0.1/32 *[Local/0] 00:00:04
Local via ge-0/0/6.0
OUTSIDE-Router.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:04
> to 10.8.0.254 via ge-0/0/8.0
10.8.0.0/24 *[Direct/0] 00:00:04
> via ge-0/0/8.0
10.8.0.1/32 *[Local/0] 00:00:04
Local via ge-0/0/8.0
{master:0}[edit]
lab@SW-EX#
lab@SW-EX# run traceroute 10.6.0.1 routing-instance OUTSIDE-Router
traceroute to 10.6.0.1 (10.6.0.1), 30 hops max, 40 byte packets
1 10.8.0.254 (10.8.0.254) 28.599 ms 9.334 ms 9.302 ms
2 10.6.0.1 (10.6.0.1) 188.147 ms 1.094 ms 1.026 ms
{master:0}[edit]
lab@SW-EX# run traceroute 10.6.0.1 routing-instance DMZ-Router
traceroute to 10.6.0.1 (10.6.0.1), 30 hops max, 40 byte packets
1 10.7.0.254 (10.7.0.254) 12.414 ms 11.119 ms 9.927 ms
2 10.6.0.1 (10.6.0.1) 4.133 ms 1.456 ms 0.899 ms
{master:0}[edit]
lab@SW-EX# run show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name
ge-0/0/6.0 - 00:26:88:fb:b3:80 ge-0/0/6.0 srx240
ge-0/0/7.0 - 00:26:88:fb:b3:80 ge-0/0/7.0 srx240
ge-0/0/8.0 - 00:26:88:fb:b3:80 ge-0/0/8.0 srx240
{master:0}[edit]
lab@SW-EX#
As you can see from the traceroute from the routing-instance OUTSIDE-Router, the .254 (SRX) routes without blocking any traffic to the 10.6.0.1 network.
Here is some show output from the SRX side, with the default security policy and the security zones assigned:
lab@srx240# run show security policies
Default policy: deny-all
[edit]
lab@srx240# run show security zones
Functional zone: management
Policy configurable: No
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: dmz
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/7.0
Security zone: inside
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/6.0
Security zone: outside
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/8.0
Security zone: junos-host
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
[edit]
lab@srx240#