SRX Services Gateway

ZONE to VLAN routing instances not working

a week ago

Good morning!

I am currently working on an SRX1500, and I am trying to bridge the gap in communication from one interface to another on my device.

ge-0/0/2 has been assigned to a zone called LR23 and I am trying to get it to communicate with a device on port ge-0/0/12.99. From the SRX device I can send an ICMP packet from ge-0/0/2.0 to my device on the other side of ge-0/0/12.99. When I send an ICMP packet from ge-0/0/12.99 to a client machine on the other side of ge-0/0/2 I get 100 percent replies. The users on the other side of ge-0/0/12.99 report that they cannot ping the 192.168.99.x address of the device they are trying to access. But they are able to hit the gateway address established on port ge-0/0/2.

If ICMP can work its way from one end to the other within this boundary of the network, why would their clients not be able to reach beyond the external interface ge-0/0/2 into ge-0/0/12.99?

Here is a snippet from the SRX1500, modified slightly to protect specific information.

set security nat source rule-set vlan99-to-LR23 from routing-instance LR23
set security nat source rule-set vlan99-to-LR23 to interface ge-0/0/2.0
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT match source address 192.168.99.0/24
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT then source-nat interface
set security nat source rule-set LR23-to-vlan99 from routing-instance LR23
set security nat source rule-set LR23-to-vlan99 to interface ge-0/0/12.99
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT match source address 10.45.45.0/24
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT then source-nat interface
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match source-address vlan99
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match destination-address any
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match application any
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound then permit
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match source-address any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match destination-address any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match application any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound then permit
set security zones security-zone LR23 host-inbound-traffic system-services all
set security zones security-zone LR23 host-inbound-traffic protocols all
set security zones security-zone LR23 interfaces ge-0/0/2.0
set security zones security-zone vlan99 host-inbound-traffic system-services all
set security zones security-zone vlan99 host-inbound-traffic protocols all
set security zones security-zone vlan99 interfaces ge-0/0/12.99
set interfaces ge-0/0/2 description "  "
set interfaces ge-0/0/2 unit 0 description " "
set routing-options rib-groups RIB_LR23 import-rib LR23.inet.0
set routing-options rib-groups RIB_LR23 import-rib Repository.inet.0
set routing-options rib-groups RIB_LR23 import-rib Virtual.inet.0
set routing-options rib-groups RIB_Virtual import-rib LR23.inet.0
set routing-instances LR23 description " Words are here "
set routing-instances LR23 instance-type virtual-router
set routing-instances LR23 interface ge-0/0/2.0
set routing-instances LR23 interface ge-0/0/12.99
set routing-instances LR23 routing-options interface-routes rib-group inet RIB_LR23
set routing-instances LR23 routing-options static route 0.0.0.0/0 next-hop 192.168.99.0

I look forward to any replies to this post :). I am eager to see what others might think the issue might be.

- David
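Added example, not part of David's post: a set of Junos CLI checks for localizing where a client-initiated flow from 192.168.99.0/24 toward 10.45.45.0/24 stops on an SRX, in the order the flow module processes it (route lookup, zone and policy, source NAT, session setup). Note from the posted configuration that both ge-0/0/2.0 and ge-0/0/12.99 belong to routing-instance LR23, so the route lookup for that traffic happens in LR23.inet.0 rather than inet.0, and both source-NAT rule-sets match on "from routing-instance LR23". The addresses 192.168.99.1 (assumed SRX address on ge-0/0/12.99) and 10.45.45.10 (assumed host behind ge-0/0/2.0), the trace file name flow-debug.log and the packet-filter name pf-vlan99 are placeholders of my own; the `#` lines are annotations for the reader, not commands to type. Everything else is standard Junos operational and configuration syntax.

```junos
# --- Operational checks (no commit needed) ---

# 1. Routing: confirm the destination, the client prefix and the default
#    route all resolve inside LR23.inet.0, the table both interfaces live in.
show route table LR23.inet.0 10.45.45.0/24
show route table LR23.inet.0 192.168.99.0/24
show route table LR23.inet.0 0.0.0.0/0

# 2. Zone membership and policy as the SRX actually evaluates them.
show security zones
show security policies from-zone vlan99 to-zone LR23 detail
show security policies from-zone LR23 to-zone vlan99 detail
show security policies hit-count

# 3. Source NAT: which rule-set and rule a client flow would be matched by.
show security nat source rule all
show security nat source summary

# 4. Session table: run this while a user behind ge-0/0/12.99 is pinging.
#    No entry means the packet was dropped before session creation.
show security flow session source-prefix 192.168.99.0/24 destination-prefix 10.45.45.0/24

# 5. Reproduce from the SRX itself, sourced like a vlan99 client
#    (192.168.99.1 and 10.45.45.10 are assumed placeholder addresses).
ping 10.45.45.10 routing-instance LR23 source 192.168.99.1 count 3

# --- Flow trace for one client flow (configuration mode; remove when done) ---

configure
edit security flow traceoptions
set file flow-debug.log size 5m files 3
set flag basic-datapath
set packet-filter pf-vlan99 source-prefix 192.168.99.0/24
set packet-filter pf-vlan99 destination-prefix 10.45.45.0/24
top
commit

# Each matched packet logs its ingress interface, route lookup result,
# zone pair, policy decision and NAT translation.
run show log flow-debug.log | match "route|policy|nat|drop"

# Tracing is a per-packet cost on the forwarding plane: keep it only for the test.
delete security flow traceoptions
commit
exit
```

Compare the trace lines for an SRX-sourced ping (which the post says works) with those for a client-sourced one; the first line that differs between the two, whether the route lookup, the zone pair, the policy chosen or the NAT rule applied, is the stage to focus on. The packet filter is a match on the packets written to the log only, so it does not change forwarding while it is in place.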