SSH Access to SRX1500

  • 1.  SSH Access to SRX1500

     
    Posted 02-23-2018 05:13

    Hi,

     

    I have checked everything before posting this question (unlike my last one which I apologise for)....

     

    I am trying to enable SSH access to an SRX1500. I have no use for the trust zone as I have created 4 x routing-instances..... This may be a trust zone issue but am unsure....

     

    I am entering via an instance named "netopstest2". I have configured the following:

     

    set system services ssh

    set security address-book global address netopstest2-network 192.168.10.0/24

    set security address-book global address-set Cust-to-dmz-bidirectional address netopstest2-network

     

    set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match source-address any
    set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match destination-address any
    set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 match application any
    set security policies from-zone netopstest2 to-zone netopstest2 policy netopstest_1 then permit
    set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match source-address any
    set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match destination-address any
    set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 match application any
    set security policies from-zone netopstest2 to-zone Customer-Network policy netopstest_1 then permit

     

    set security zones security-zone netopstest2 host-inbound-traffic system-services all
    set security zones security-zone netopstest2 host-inbound-traffic protocols all
    set security zones security-zone netopstest2 interfaces ge-0/0/8.0 host-inbound-traffic system-services ssh
    set security zones security-zone netopstest2 interfaces lt-0/0/0.9

    set interfaces ge-0/0/8 unit 0 family inet address 192.168.10.210/24
    set interfaces ge-0/0/8 unit 0 family iso

     

    set routing-instances netopstest2 instance-type virtual-router
    set routing-instances netopstest2 interface lt-0/0/0.9
    set routing-instances netopstest2 interface ge-0/0/8.0
    set routing-instances netopstest2 interface lo0.50
    set routing-instances netopstest2 protocols isis export export_statics
    set routing-instances netopstest2 protocols isis level 1 authentication-key "$9$KZDvxd2gJDHmaZmTF/0OSrevX7dbs4JG"
    set routing-instances netopstest2 protocols isis level 1 authentication-type md5
    set routing-instances netopstest2 protocols isis level 2 authentication-key "$9$g54UHf5F/A0z30Ihr8Lbs24GDHqmTFn"
    set routing-instances netopstest2 protocols isis level 2 authentication-type md5
    set routing-instances netopstest2 protocols isis interface lt-0/0/0.9
    set routing-instances netopstest2 protocols isis interface ge-0/0/8.0
    set routing-instances netopstest2 protocols isis interface lo0.50

     

    Any ideas why I cannot get SSH access please?

     

    Thanks
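
Added example, not part of the original post and not Juniper code: a short Python check over the zone and routing-instance lines posted above. For each routing-instance interface it reports the security zone the interface is bound to and whether host-inbound-traffic would accept SSH there. Interface-level host-inbound-traffic is treated as replacing the zone-level list for that interface; only the `ssh` and `all` keywords are handled, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: zone and routing-instance lines copied from the post above.
CONFIG = """\
set security zones security-zone netopstest2 host-inbound-traffic system-services all
set security zones security-zone netopstest2 interfaces ge-0/0/8.0 host-inbound-traffic system-services ssh
set security zones security-zone netopstest2 interfaces lt-0/0/0.9
set routing-instances netopstest2 interface lt-0/0/0.9
set routing-instances netopstest2 interface ge-0/0/8.0
set routing-instances netopstest2 interface lo0.50
"""

ZONE = re.compile(r"^set security zones security-zone (\S+) (.*)$")
IFACE = re.compile(r"^interfaces (\S+)(?: host-inbound-traffic system-services (\S+))?")
ZSVC = re.compile(r"^host-inbound-traffic system-services (\S+)")
RI = re.compile(r"^set routing-instances \S+ interface (\S+)$")

def parse(config):
    zone_svcs = defaultdict(set)   # zone -> zone-level system-services
    if_zone = {}                   # interface -> security zone
    if_svcs = defaultdict(set)     # interface -> interface-level system-services
    ri_ifs = []                    # interfaces placed in any routing-instance
    for line in map(str.strip, config.splitlines()):
        if m := ZONE.match(line):
            zone, rest = m.groups()
            if i := IFACE.match(rest):
                if_zone[i.group(1)] = zone
                if i.group(2):
                    if_svcs[i.group(1)].add(i.group(2))
            elif z := ZSVC.match(rest):
                zone_svcs[zone].add(z.group(1))
        elif m := RI.match(line):
            ri_ifs.append(m.group(1))
    return zone_svcs, if_zone, if_svcs, ri_ifs

def ssh_report(config):
    """Map interface -> (zone or None, effective system-services, ssh accepted)."""
    zone_svcs, if_zone, if_svcs, ri_ifs = parse(config)
    report = {}
    for ifc in ri_ifs:
        zone = if_zone.get(ifc)
        # An interface-level list replaces the zone-level list for that interface.
        svcs = if_svcs.get(ifc) or (zone_svcs.get(zone, set()) if zone else set())
        report[ifc] = (zone, sorted(svcs), bool(svcs & {"ssh", "all"}))
    return report

if __name__ == "__main__":
    for ifc, (zone, svcs, ok) in ssh_report(CONFIG).items():
        print(f"{ifc:12} zone={zone or 'NONE':12} services={svcs} ssh={'yes' if ok else 'NO'}")
```

On the posted lines, lo0.50 is in the routing-instance but is not bound to any security zone; the post may simply not include that line.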

     

     

     



  • 2.  RE: SSH Access to SRX1500
    Best Answer

     
    Posted 02-23-2018 06:01

    Hi,

     

    Problem resolved. Added SSH to a secondary routing-instance that does not appear to be required for incoming traffic and therefore should not have needed the SSH command, and it started working.

     

    Thank you.



  • 3.  RE: SSH Access to SRX1500

     
    Posted 02-26-2018 05:45

    I know this issue shows as resolved, and it is on the directly connected SRX, but I cannot connect to the remote SRX at all via SSH. I get the "Server unexpectedly closed network connection" error.

     

    The connectivity is as follows:

     

    192.168.10.0/24 Network --> direct to port ge-0/0/8 on SRX1 --> netopstest2 Zone --> Customer zone (ae2 interface) --> core1 --> core2 --> SRX2 Customer-network zone --> ssh

     

    As far as I can see, the only incoming interface is ae2 for the customer-network on SRX2.... I have allowed through the 192.168.10.0/24 network via a "customer-network --> customer-network" policy of "any any any permit".

     

    I can ping the interface from the netopstest2 routing-instance on SRX1 and can also traceroute to it. I have enabled ssh and also the customer-networks zone has system-services all and applications all, associated with it.....

     

    I'm kind of stuck as the configurations look the same....