SRX Services Gateway

[Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-12-2019 01:07 AM

I have a diagram below:

[Attachment: Capture2.PNG, the network diagram]

PCs in the Server zone can ping the Internet zone and access the internet, but PCs in the Internet zone cannot ping PCs in the Server zone.

My config:

version 15.1X49-D45;
system {
    host-name SRX300;
    time-zone GMT;
    root-authentication {
        encrypted-password "$5$8kb6Dbns$HzBuge65ChSgNudUNDDmfhLQ/0Qr44i7NJcG6rf8Wa2"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/1.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                router {
                    192.168.1.1;
                }
            }
            pool 192.168.2.0/24 {
                address-range low 192.168.2.2 high 192.168.2.254;
                router {
                    192.168.2.1;
                }
            }
            propagate-settings ge-0/0/0;
        }
    }                                   
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }                               
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Server-nat {
                from zone Server;
                to zone Internet;
                rule Server-nat1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;             
                }
            }
        }
        from-zone Server to-zone Internet {
            policy Server-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Server {
            policy Internet-Server {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }                               
        security-zone Internet {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone Server {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }                               
    }
}

How can I fix that problem? Thank you!


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-12-2019 01:32 AM

I see your topology in the following way (based on the SRX's configuration)

          Internet        Server
---------(ge-0/0/0)-SRX-(ge-0/0/2)-----------192.168.2.0/24
                     |
                     |
                (ge-0/0/1) Internal
                     |
                     |
                     |
                 192.168.1.0/24

If you want to permit traffic from the Internal zone to the Server zone, then you need a security policy permitting this traffic:

set security policies from-zone Internal to-zone Server policy Internal-To-Server match source-address any destination-address any application any
set security policies from-zone Internal to-zone Server policy Internal-To-Server then permit

Likewise, if you want to permit flows initiated in the opposite direction, then configure a policy with the zones in the reverse order:

set security policies from-zone Server to-zone Internal policy Server-To-Internal match source-address any destination-address any application any
set security policies from-zone Server to-zone Internal policy Server-To-Internal then permit


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-12-2019 01:47 AM

@Andres Madrigal 

I want to permit traffic from Internet to Server. PCs in the Server zone can ping PCs in the Internet zone, but in reverse, PCs in the Internet zone cannot ping PCs in the Server zone.


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-12-2019 01:58 AM

Ok then:

set security policies from-zone Internet to-zone Server policy Internet-To-Server match source-address any destination-address any application any
set security policies from-zone Internet to-zone Server policy Internet-To-Server then permit

One thing that does not match: in your topology I can see that 192.168.1.0/24 is associated with the Internet zone (ge-0/0/0), however in the SRX configuration 192.168.1.0/24 is linked to the Internal zone (ge-0/0/1). Which one is correct?


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-12-2019 02:42 AM

@Andres Madrigal 

I deleted the Internal zone and interface ge-0/0/1, but it still didn't work.


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-12-2019 04:35 AM

Looks like the PCs in the Internet zone do not have a route to reach the PCs in the Server zone. What is the default gateway configured on the Internet zone PCs? Is it the SRX or the Cisco router? If it is the Cisco router, add a static route for the Server zone PCs on the Internet zone PCs. Since source NAT is configured from the Server zone to the Internet zone, that communication will work without any issue.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
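Taken together, the replies above describe two separate mechanisms: the SRX's stateful zone policy, which only covers the direction that initiates a flow (Andres's point about needing a policy per from-zone/to-zone pair), and the Internet-side PC's routing table, which decides whether the packet ever reaches the SRX (Nellikka's point). The Python model below is an added example written for this page, not Junos code and not anything the posters ran. It reproduces the posted config's zones, the Server-to-Internet interface source NAT and the existing Internet-to-Server permit policy, and shows why the Server-side ping works while the Internet-side ping goes to the wrong gateway until the PC gets a route. The Internet-side addresses (SRX ge-0/0/0 leasing 192.168.1.10, Cisco router at 192.168.1.1, Internet PC at 192.168.1.20) and the full form of the Windows route command are assumptions; the page gives only 192.168.2.0/24 for the Server zone.

```python
"""Toy model of the SRX first-packet path and the Internet-zone PC's routing table.
Added example for this page, not Junos code or the poster's config.
Assumed addresses (not on the page): SRX ge-0/0/0 = 192.168.1.10 via DHCP,
Cisco router = 192.168.1.1, Internet-zone PC = 192.168.1.20.
192.168.2.0/24 on ge-0/0/2 (zone Server), the policies and the interface
source NAT are taken from the posted configuration."""
from dataclasses import dataclass
import ipaddress

SRX_WAN = "192.168.1.10"      # assumption: DHCP lease on ge-0/0/0 (zone Internet)
CISCO_GW = "192.168.1.1"      # assumption: default gateway of the Internet-zone PCs
INTERNET_PC = "192.168.1.20"  # assumption
SERVER_PC = "192.168.2.10"    # a host inside 192.168.2.0/24 from the posted config
SERVER_NET = "192.168.2.0/24"


class RouteTable:
    """Longest-prefix-match table; the value is whatever the owner attaches (zone or next hop)."""
    def __init__(self, entries):
        self.entries = [(ipaddress.ip_network(p), v) for p, v in entries]

    def add(self, prefix, value):
        self.entries.append((ipaddress.ip_network(prefix), value))

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        hits = [(n, v) for n, v in self.entries if addr in n]
        return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "icmp"


class ZoneFirewall:
    """First-packet path: route lookup gives the to-zone, then policy lookup, then a session is
    installed. Later packets of the flow (including the reply) match the session, not a policy."""
    def __init__(self, routes, policies, snat_to_internet=()):
        self.routes = RouteTable(routes)
        self.policies = dict(policies)                  # (from-zone, to-zone) -> "permit"
        self.snat_to_internet = set(snat_to_internet)   # zones with 'source-nat interface' to Internet
        self.sessions = {}                              # wire-side flow -> original flow

    def process(self, flow):
        if Flow(flow.dst, flow.src, flow.proto) in self.sessions:
            return "permit (existing session)"
        from_zone = self.routes.lookup(flow.src)
        to_zone = self.routes.lookup(flow.dst)
        # No matching policy means the implicit default deny. A policy only covers flows it
        # initiates, which is why each initiating direction needs its own from-zone/to-zone pair.
        action = self.policies.get((from_zone, to_zone), "deny (default policy)")
        if action == "permit":
            nat = from_zone in self.snat_to_internet and to_zone == "Internet"
            wire_src = SRX_WAN if nat else flow.src
            self.sessions[Flow(wire_src, flow.dst, flow.proto)] = flow
        return action


def posted_routes():
    return [
        ("192.168.1.0/24", "Internet"),  # ge-0/0/0, assumed to sit on the 192.168.1.0/24 lab LAN
        (SERVER_NET, "Server"),          # ge-0/0/2 from the posted config
        ("0.0.0.0/0", "Internet"),       # default route learned via DHCP on ge-0/0/0
    ]


def demo():
    fw = ZoneFirewall(posted_routes(),
                      {("Server", "Internet"): "permit", ("Internet", "Server"): "permit"},
                      snat_to_internet={"Server"})
    pc = RouteTable([("192.168.1.0/24", "on-link"), ("0.0.0.0/0", CISCO_GW)])
    r = {}
    # Server -> Internet is permitted; on the wire the source is the SRX's own address (interface
    # source NAT), which is on-link for the PC, so the reply needs no extra route.
    r["server_to_internet"] = fw.process(Flow(SERVER_PC, INTERNET_PC))
    wire = next(iter(fw.sessions))
    r["wire_src"] = wire.src
    r["reply_next_hop"] = pc.lookup(wire.src)
    r["reply"] = fw.process(Flow(INTERNET_PC, wire.src))
    # Internet -> Server: the SRX has a permit policy, but the PC hands the packet to the Cisco
    # router, so it never reaches the SRX. A route towards the SRX on the PC fixes that.
    r["pc_next_hop_before"] = pc.lookup(SERVER_PC)
    pc.add(SERVER_NET, SRX_WAN)   # assumed Windows form: route add 192.168.2.0 mask 255.255.255.0 192.168.1.10
    r["pc_next_hop_after"] = pc.lookup(SERVER_PC)
    r["internet_to_server"] = fw.process(Flow(INTERNET_PC, SERVER_PC))
    # Without a from-zone Internet to-zone Server policy the same packet hits the default deny.
    no_policy = ZoneFirewall(posted_routes(), {("Server", "Internet"): "permit"}, {"Server"})
    r["without_inbound_policy"] = no_policy.process(Flow(INTERNET_PC, SERVER_PC))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

Running the script prints each step of the two scenarios. The model deliberately leaves out intra-zone policies, screens and host-inbound-traffic checks, which are separate lookups on a real SRX; what it keeps is enough to show that a permit policy on the firewall is useless when the initiating host routes the packet somewhere else.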

Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-15-2019 07:41 PM

@


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-15-2019 10:39 PM

A simple workaround is to add a route for the Server zone network on the Internet zone PC towards the SRX.

To add a route on a Windows PC, use the "route add ..." command. More details: https://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

Thanks,
Nellikka

Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-16-2019 12:27 AM

@


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-16-2019 07:30 AM

sanvinh,

You said you deleted ge-0/0/1, but that was the interface configured under subnet 192.168.1.0/24. Did you move that subnet to ge-0/0/0? Please share the following information in order to confirm that:

> show route [Internet_Zone_Subnet]
> show route [Server_Zone_Subnet]
> show interfaces terse ge-0/0/0
> show interfaces terse ge-0/0/1

What is the default gateway address configured on the Internet zone PCs?


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

‎09-16-2019 06:05 PM

@Andres Madrigal Yes, I deleted ge-0/0/1. I didn't set an IP on ge-0/0/0; it was configured in DHCP client mode to get an IP from the Internet ISP.


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

a month ago

So, is ge-0/0/0 now configured with an address under subnet 192.168.1.0/24? If you could share the previously requested outputs it would help a lot to better understand the current topology.


Re: [Security Zone] Hosts in Untrust zone cannot see clients in Trust zone

a month ago

@Andres Madrigal I changed direction and went another way, but thank you for the support!