SRX Services Gateway

srx 240: permit any to any inside traffic doesn't work

03-01-2017 06:30 AM

SRX 240B with JUNOS Software Release [12.1X46-D35.1].

All inside traffic passes through the same interface ge-0/0/1:

    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.246.0.1/16;
            }
        }
    }

I added a static route:

route 192.168.254.0/24 next-hop 10.246.1.1;

I added a policy to permit all inside traffic:

        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }

After this, only ping works ... other protocols (web, ftp, ssh ...) do not work!

03-01-2017 06:42 AM

I assume you are not doing ftp/ssh to the SRX. If you are trying to SSH/FTP to the box, you need to enable system-services and allow these under security zones.

For traffic through the box, please apply traceoptions as below and check the logs.

 

set security flow traceoptions file flow-traces
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f1 protocol tcp
set security flow traceoptions packet-filter f1 destination-port 80
set security flow traceoptions packet-filter f2 protocol tcp
set security flow traceoptions packet-filter f2 source-port 80

commit

 

Check the logs using the commands below:

 

> show log flow-traces | match drop

> show log flow-traces

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
03-02-2017 03:02 AM

I want to allow all traffic through the SRX and not to the SRX. I added a static route and I want to allow all traffic from all computers with 10.246.1.x IPs to all computers with 192.168.254.x IPs; all computers are in the trust zone and all inside traffic passes through ge-0/0/1.

I enabled system services under the trust zone:

security-zone trust {
    interfaces {
        vlan.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}

But the computers can only ping between them.

03-02-2017 08:41 AM

Since we don't have flow traces, I don't know the exact problem, but I see a possibility of asymmetric routing. Can you apply the NAT config below and check the issue?

 

set security nat source rule-set trust-trust from zone trust
set security nat source rule-set trust-trust to zone trust
set security nat source rule-set trust-trust rule 1 match source-address 0.0.0.0/0
set security nat source rule-set trust-trust rule 1 then source-nat interface

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
03-03-2017 01:43 AM

I applied the suggested NAT, but it doesn't work, and even ping has stopped working.

03-03-2017 02:25 AM

from-zone trust to-zone trust {

This policy allows traffic to flow between the interfaces in the same zone, not through the device. So you need another policy. Of course, add an interface to that zone connecting to wherever. You also need an IP address on the vlan.0 interface and to associate it with a specific VLAN,

    from-zone trust to-zone untrust {   # external zone
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
    }
to allow traffic through the SRX to another zone.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
03-03-2017 02:30 PM

Unfortunately I cannot add another interface on the SRX. In the network figure you can see that network 10.246.1.0/16 and network 192.168.254.0/24 are connected to the SRX on only one interface, ge-0/0/0: (figure: network_problem_routing.png)

The SRX is a gateway for the 10.246.1.0/16 network.

03-04-2017 08:01 AM

The interface on the SRX that goes to the Internet should be in an internet/external/untrust zone. You need a policy from zone trust to zone untrust to permit all traffic for now, until you choose to make it more granular. From the SRX, can you ping 10.246.1.1? From that router, can you ping 10.246.0.1? Part of the problem is that the 10.246.1.0/16 network is the same network as 10.246.0/16, so traffic between those networks would not be routed but switched traffic. That is one problem. But start from one end. Let's say you are on the computer 192.168.254.6: ping the gateway for that computer, then ping 10.246.1.1, then 10.246.1.9, then 10.246.1.8, then 10.246.0.1. Are those successful? Then get on both Linux servers and ping the computer, the computer's gateway, etc. etc. and finally the SRX. If all those work, then concentrate on the SRX.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
03-05-2017 09:59 AM

In this setup the SRX does not forward traffic between the 10.246.0.0/16 and 192.168.254.0/24 networks. When the SRX receives the first packet it checks its routing table and sees that, to reach the destination network, it has to send the packet back out the same interface via another router in the same network segment. This is not optimal, because the host should send the traffic directly to the 10.246.1.1 router. The SRX sends back an ICMP Redirect to the host pointing it to the router. From then on all the traffic should traverse directly between host and router with no SRX involvement.

 

Knowing that, we can start to troubleshoot. After you initiate the traffic, can you see an entry in the host routing table pointing to the 192.168.254.0/24 network via the 10.246.1.1 next-hop? It should be installed by ICMP. Use netstat -nr to display the host's routing table.

Is 10.246.0.1 the only IP address configured on the ge-0/0/1.0 interface?

 

If you want to change this behaviour and force the SRX to forward this traffic, you can disable ICMP redirects using:

set system no-redirects

commit

03-05-2017 01:06 PM

I have a policy from trust to untrust and it works! The problem is the traffic from the Linux hosts 10.246.1.8 and 10.246.1.9 and the computer 192.168.254.6; the SRX does not permit this traffic. I have set a static route to the 192.168.254.0/24 network and a policy to permit all protocols from trust to trust zones ... but only ping works! All computers ping the SRX and the router, the SRX pings the router, and the router pings the SRX and the Linux servers. After the static route and the trust-to-trust policy, the Linux server can ping the 192.168.254.6 computer, but ftp, web and ssh do not work!

03-06-2017 12:59 AM

As I explained, with this setup the SRX is by default not involved in passing the traffic. Please check how the ICMP redirect mechanism works. You can find a very good explanation in TCP/IP Illustrated vol. 1.

Could you please answer my previous questions?

03-06-2017 07:38 AM

If I put the route to the 192.168.254.0/24 network via the 10.246.1.1 next-hop in the Linux host routing table, it all works; I knew it. I would have to put this static route on all computers. In the figure I drew only 2 servers, but I have more servers and computers in the 10.246.0.0/16 network. In addition, I have 3 QNAP storage devices where it is not possible to add a static route ... it is possible to add only a gateway.

The 10.246.0.1 is the only IP address configured on the ge-0/0/1.0 interface.

I set the system no-redirects command and committed, but nothing has changed.

I don't understand why ping works and other protocols don't.

03-07-2017 03:41 AM

You shouldn't have to install static routes in the host routing table. They should be installed by ICMP. If they are not, then either the SRX doesn't send the ICMP redirect or the host is filtering it.

Another problem with this setup is that returning traffic never hits the SRX. As the destination IP is in the router's local network segment, it sends the returning traffic directly to the host. Ping may work but TCP does not. The SRX sees traffic in only one direction, so every TCP check fails.

You may try disabling the TCP checks with

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
03-07-2017 07:56 AM

Based on your diagram, can you explain why the SRX is involved in any traffic except what is going to the Internet? Is the switch managed or unmanaged? What default gateway are the Linux clients using?

10.246.0/16 is in the same subnet as 10.246.0/16. So all traffic destined to any of those addresses is handled locally by the switch. Traffic to the Internet and 192.168.254/24 is sent to the default gateway. If the SRX is the DGW for those clients then the SRX needs to know what interface to send traffic to the 192.168.254. network on and what the next-hop for the Internet is. I am suspecting this is a lab environment. If yes, just set the default policy of the SRX to permit all traffic globally; that will tell you if the SRX is the problem. I am looking for your methodology in isolating the problem.

BTW, can you post the configuration for the security and routing-options hierarchy on the SRX?

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
03-09-2017 03:36 PM

I have recreated this environment in the home lab.

1. SRX default config

As designed, the SRX sends an ICMP redirect message to the host. Tested on Windows 10 and Kali Linux.
On Windows I had to allow ICMP redirect in the Windows firewall. There is no way to confirm that the ICMP route was installed because Windows doesn't display dynamically learned routes in route print. HTTP and FTP worked fine.
On Linux it worked without any changes. You can verify route installation using ip route get 192.168.254.6

2. SRX no-redirects
Surprisingly, http works. What is even weirder is that the SRX doesn't show this session in show security flow session. A traffic sniffer confirms that the SRX is forwarding traffic (in one direction).
FTP doesn't work because of the ALG. After disabling the ftp ALG using set security alg ftp disable I was able to connect. Same as with http, there is no entry under show security flow session. Very strange.

As I see it you have several options:
- change the design: connect 192.168.254/24 directly to the SRX, or
- make sure every host in the 10.246/16 network allows ICMP redirects, or
- use source PAT or NAT

PAT

set security nat source rule-set src_trust from zone trust
set security nat source rule-set src_trust to zone trust
set security nat source rule-set src_trust rule 10_246_to_ge1 match source-address 10.246.0.0/16
set security nat source rule-set src_trust rule 10_246_to_ge1 match destination-address 192.168.254.0/24
set security nat source rule-set src_trust rule 10_246_to_ge1 then source-nat interface


NAT using 10.247/16 (you have to make sure that the 192.168.254/24 hosts and the router have a route to 10.247/16 with the SRX as next-hop)

set security nat source pool 10_247 address 10.247.0.0/16
set security nat source pool 10_247 host-address-base 10.246.0.0/32
set security nat source rule-set src_trust from zone trust
set security nat source rule-set src_trust to zone trust
set security nat source rule-set src_trust rule 10_246_to_10_247 match source-address 10.246.0.0/16
set security nat source rule-set src_trust rule 10_246_to_10_247 match destination-address 192.168.254.0/24
set security nat source rule-set src_trust rule 10_246_to_10_247 then source-nat pool 10_247
set security nat proxy-arp interface ge-0/0/1.0 address 10.247.0.0/16
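As an added illustration (not code from the thread, from Junos, or from the posters), this Python model replays the topology behind the asymmetric-routing explanation above and the source NAT options just listed: a host's packets to 192.168.254.0/24 cross the SRX and the router, while the router sends replies straight back to the host, so a strict stateful inspector never sees the SYN-ACK and drops the client's data even though ICMP passes; relaxing the checks, or interface source NAT that makes replies come back to the SRX, changes the outcome. The addresses are taken from the thread; the inspector's state machine is a constructed simplification and makes no claim about SRX internals.

```python
"""Why TCP fails through the SRX in the thread's topology while ping works, and
why interface source NAT or no-syn-check/no-sequence-check change the outcome.
Added illustration: the inspector is a deliberate simplification, not Junos code."""
import ipaddress
# Constructed from the thread: hosts in 10.246/16 default-route to the SRX;
# 192.168.254/24 sits behind router 10.246.1.1 on the same segment as the hosts.
SRX, ROUTER = "10.246.0.1", "10.246.1.1"
LAN, REMOTE = ipaddress.ip_network("10.246.0.0/16"), ipaddress.ip_network("192.168.254.0/24")

def path(src, dst):
    """Nodes a packet visits; hosts ignore ICMP redirects (default gateway only)."""
    hops, node, d = [src], src, ipaddress.ip_address(dst)
    while node != dst:
        if node == SRX:
            node = ROUTER if d in REMOTE else dst       # SRX static route via the router
        elif node == ROUTER or (d in LAN) == (ipaddress.ip_address(node) in LAN):
            node = dst                                  # router, or both ends on one segment
        else:
            node = SRX if ipaddress.ip_address(node) in LAN else ROUTER
        hops.append(node)
    return hops

def inspect(sessions, strict, proto, key, flags=()):
    """Minimal stateful inspector; strict models syn-check and sequence-check enabled."""
    if proto != "tcp": return "forward"                 # policy permits any; ICMP has no handshake
    st = sessions.get(key)
    if st is None:
        if "SYN" in flags and "ACK" not in flags:
            sessions[key] = "syn"
        elif strict:
            return "drop"                               # syn-check: first packet must be a SYN
        else:
            sessions[key] = "established"               # no-syn-check: pick up mid-stream
    elif st == "syn":
        if flags == ("SYN", "ACK"):
            sessions[key] = "established"
        elif strict:
            return "drop"                               # sequence-check: peer's ISN never seen
    return "forward"

def tcp_session(client, server, source_nat=False, strict=True):
    """Replay SYN, SYN-ACK, ACK, data; returns (srx_sees_both_directions, client_data_forwarded)."""
    reply_to = SRX if source_nat else client            # interface NAT: replies are addressed to the SRX
    fwd, back = SRX in path(client, server), SRX in path(server, reply_to)
    sessions, key, verdict = {}, frozenset((client, server)), "forward"
    for seen, flags in ((fwd, ("SYN",)), (back, ("SYN", "ACK")), (fwd, ("ACK",)), (fwd, ("PSH", "ACK"))):
        if seen and verdict == "forward":               # the SRX only inspects packets that cross it
            verdict = inspect(sessions, strict, "tcp", key, flags)
    return fwd and back, verdict == "forward"
```

Calling tcp_session("10.246.1.8", "192.168.254.6") gives (False, False) with strict checks, (False, True) with strict=False, and (True, True) with source_nat=True.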
03-10-2017 06:40 AM

With the commands

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

everything works!

Thanks!!!

03-19-2017 05:17 AM

With the commands

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

everything works!

 

---------

 

This means you have a design problem in the layout of your network. For firewalls to work their best, routing must be symmetrical. That is, the reply path of the packet is the same as the sending path of the packet.

Firewalls will drop traffic when the session is not symmetrical. These commands turn off the feature that requires symmetrical flow.

This is a good temporary solution. But you really should trace out what is happening with routing on your network and get the flows to work symmetrically so these features can be turned back on again.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home