vSRX

Can't ping other interface in security zone?

‎09-13-2019 01:14 PM

Hey all, 

 

Computer 192.168.250.2 can browse the internet and NAT out correctly, however I cannot ping 192.168.251.1, despite them being directly connected in the same routing-instance and security zone.

 

Routing table shows it should work

 

Here's the routing table 

 

0.0.0.0/0          *[Static/5] 01:50:58
                    >  to x.x.x.x via ge-0/0/0.679
10.200.0.1/32      *[Local/0] 01:32:49
                       Reject
192.168.238.0/24   *[Direct/0] 02:55:27
                    >  via ge-0/0/0.238
192.168.250.0/24   *[Direct/0] 02:59:47
                    >  via ge-0/0/0.3000
192.168.250.1/32   *[Local/0] 02:59:47
                       Local via ge-0/0/0.3000
192.168.251.0/24   *[Direct/0] 02:59:47
                    >  via ge-0/0/1.3000
192.168.251.1/32   *[Local/0] 02:59:47
                       Local via ge-0/0/1.3000

Anyone see anything wrong with the configs below? 

 

 

 

Testing {
    instance-type virtual-router;
    interface ge-0/0/0.3000;
    interface ge-0/0/1.3000;
    routing-options {
        instance-import Default;
    }
}

security-zone test {
    host-inbound-traffic {
        system-services {
            ping;
        }
        protocols {
            bgp;
        }
    }
    interfaces {
        ge-0/0/0.3000;
        ge-0/0/1.3000;
    }
}


ge-0/0/0.3000           up    up   inet     192.168.250.1/24
ge-0/0/1.3000           up    up   inet     192.168.251.1/24

 


Re: Can't ping other interface in security zone?

‎09-13-2019 01:21 PM

Ok it works now.....

 

Computers are weird. 


Re: Can't ping other interface in security zone?

‎09-13-2019 01:36 PM

Did you add an intra-zone policy?  Interfaces in the same zone cannot communicate with each other, unless there is a policy allowing the traffic, which I don't see in the config you added to the post. 

 

Regards,

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps
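
An intra-zone policy of the kind the reply above asks about, as an added example that is not part of the original thread or either poster's configuration. The zone name `test` and the two subnets come from the post; the address-book entry names `lan-250` and `lan-251` and the policy name `intra-zone-test` are hypothetical. It scopes the permit to the two directly connected subnets rather than using any/any.

```junos
/* Added example: names lan-250, lan-251 and intra-zone-test are hypothetical */
security {
    address-book {
        global {
            /* The two directly connected subnets from the post */
            address lan-250 192.168.250.0/24;
            address lan-251 192.168.251.0/24;
        }
    }
    policies {
        /* Same zone on both sides: this is the intra-zone policy */
        from-zone test to-zone test {
            policy intra-zone-test {
                match {
                    source-address [ lan-250 lan-251 ];
                    destination-address [ lan-250 lan-251 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After commit, `show security policies from-zone test to-zone test` lists the policy, and `show security flow session` shows whether traffic between the two subnets is creating sessions.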