SRX


SRX300 do not accept pings

  • 1.  SRX300 do not accept pings

    Posted 11-06-2017 04:49

    Hello,

    I have an SRX300 at my place and an SRX220 at another location; both make a VPN connection to our headquarters.

    The SRX220 is working normally: I can ping and receive pings from any other location.

    My SRX300 is working fine and I can ping anywhere, but I cannot receive pings.

    If I ping my SRX300 I get a timeout message.

    I can ping anywhere from the SRX300.

    Its internal IP address is 10.196.23.1.

    Take a look at the SRX300 configuration. Please tell me what to do.

        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }


  • 2.  RE: SRX300 do not accept pings

    Posted 11-06-2017 08:07
    I do not see a policy for reverse traffic.
    You may add the following config:

    set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8
    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
    *****
    policies {
        from-zone Internet to-zone Internal {
            policy VPN_Allow {
                match {
                    source-address 10.0.0.0/8;
                    destination-address 10.196.23.0/24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    Also, the traffic from other networks destined to 10.196.23.0/24 should be routed through the IPsec VPN tunnel from the remote ends to the SRX in question.


  • 3.  RE: SRX300 do not accept pings

    Posted 11-07-2017 02:35

    Hello,

    When I try to add this I receive the following error:

    Error(s):
    'policy VPN_Allow'
    1) Source address or address_set (10.0.0.0/8) not found.
    2) configuration check-out failed

    If I try to add it using the command line, I receive a syntax error.

    Please, if possible, replace my CLI with the new entries so I can copy and paste them to my SRX.

    Kind regards.



  • 4.  RE: SRX300 do not accept pings

    Posted 11-07-2017 02:49

    set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8
    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
    set security policies from-zone Internet to-zone Internal policy VPN_allowd match source-address 10.0.0.0/8
    set security policies from-zone Internet to-zone Internal policy VPN_allowd match destination-address 10.196.23.0/24
    set security policies from-zone Internet to-zone Internal policy VPN_allowd match application any
    set security policies from-zone Internet to-zone Internal policy VPN_allowd then permit



  • 5.  RE: SRX300 do not accept pings

    Posted 11-07-2017 03:19

    root@rotem_brazil_saopaulo# commit
    [edit security policies from-zone Internet to-zone Internal]
      'policy VPN_allowd'
        Destination address or address_set (10.196.23.0/24) not found.
    error: configuration check-out failed



  • 6.  RE: SRX300 do not accept pings

    Posted 11-07-2017 03:30

    Again, copy and paste the command below and it should solve the issue.

    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24

    If you are still encountering commit errors, then please try to put an any-to-any allow from the Internet zone to the Internal zone for testing purposes, i.e.

    set security polices from-zone Internet to-zone Internal  policy Test source-address any destination-address any application any

    set security policies from-zone Internet to-zone Internal policy Test then permit



  • 7.  RE: SRX300 do not accept pings

    Posted 11-07-2017 04:21

    I changed it and got the same error.

    When I tried to write, for testing purposes:

    set security polices from-zone Internet to-zone Internal  policy Test source-address any destination-address any application any

    I got a syntax error on the word "polices".



  • 8.  RE: SRX300 do not accept pings

    Posted 11-07-2017 04:41
    Correcting the spelling:

    set security policies from-zone Internet to-zone Internal policy Test match source-address any
    set security policies from-zone Internet to-zone Internal policy Test match destination-address any
    set security policies from-zone Internet to-zone Internal policy Test match application any
    set security policies from-zone Internet to-zone Internal policy Test then permit


  • 9.  RE: SRX300 do not accept pings

    Posted 11-07-2017 06:44



  • 10.  RE: SRX300 do not accept pings

    Posted 11-07-2017 07:24
    You have 3 options to use; you may choose whichever is suitable.

    1. set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
    commit

    Or
    2. delete security policies from-zone Internet to-zone Internal policy VPN_allowd

    commit


    Option 3

    rollback 0

    set security policies from-zone Internet to-zone Internal policy Test match source-address any destination-address any application any
    set security policies from-zone Internet to-zone Internal policy Test then permit
    commit



  • 11.  RE: SRX300 do not accept pings

    Posted 11-07-2017 08:33

    [attached screenshot: 2.PNG]



  • 12.  RE: SRX300 do not accept pings

    Posted 11-07-2017 08:43
    Retyping Option 3, as it was typed from a handheld.

    Option 3

    rollback 0
    set security policies from-zone Internet to-zone Internal policy Test match source-address any destination-address any application any
    set security policies from-zone Internet to-zone Internal policy Test then permit
    commit

    In case of issues, use ? to complete the command.


  • 13.  RE: SRX300 do not accept pings

    Posted 11-07-2017 11:36

    Ok, perfect. I solved my problem, but it's not secure, right?

    How can we fix it?

    Thanks



  • 14.  RE: SRX300 do not accept pings
    Best Answer

    Posted 11-07-2017 22:58

    I assume that now you are able to ping the SRX LAN IP from the VPN peers.

    To harden the same, the following is the script.

    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24

    set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8

    delete security policies from-zone Internet to-zone Internal policy Test match source-address any destination-address any application any

    set security policies from-zone Internet to-zone Internal policy Test match source-address 10.0.0.0/8 destination-address 10.196.23.0/24 application any
    set security policies from-zone Internet to-zone Internal policy Test then permit

    commit

    Please copy it line by line and, wherever you are stuck, try using ? to find possible completions.


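A pre-commit check for the two things this thread ran into, as an added example and not code from the thread or from Juniper: it parses Junos `set` commands, reports policy addresses that neither zone's address book nor the global address book defines (the "address or address_set not found" commit error above), and flags any-to-any permits like the Test policy. The sample config is constructed from the thread's commands; the device's own commit check stays authoritative for where an address has to be defined.

```python
import re
from collections import defaultdict

# Constructed sample (not a real device config) built from the thread's commands: the hardened
# VPN policy, the any/any Test policy, and a policy referencing an address never put in an address book.
SAMPLE_CONFIG = """\
set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8
set security policies from-zone Internet to-zone Internal policy VPN_Allow match source-address 10.0.0.0/8
set security policies from-zone Internet to-zone Internal policy VPN_Allow match destination-address 10.196.23.0/24
set security policies from-zone Internet to-zone Internal policy VPN_Allow then permit
set security policies from-zone Internet to-zone Internal policy Test match source-address any destination-address any application any
set security policies from-zone Internet to-zone Internal policy Test then permit
set security policies from-zone Internal to-zone Internet policy Branch match source-address 192.168.50.0/24
"""
BUILTIN = {"any", "any-ipv4", "any-ipv6"}  # address names Junos provides without an address book
ZONE_ADDR = re.compile(r"^set security zones security-zone (\S+) address-book (?:address|address-set) (\S+)")
GLOBAL_ADDR = re.compile(r"^set security address-book global (?:address|address-set) (\S+)")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$")

def parse(text):
    books = defaultdict(set)  # zone name or "global" -> address and address-set names defined there
    policies = {}             # (from-zone, to-zone, policy) -> source/destination names and permit flag
    for line in text.splitlines():
        line = line.strip()
        if m := ZONE_ADDR.match(line):
            books[m.group(1)].add(m.group(2))
        elif m := GLOBAL_ADDR.match(line):
            books["global"].add(m.group(1))
        elif m := POLICY.match(line):
            key = (m.group(1), m.group(2), m.group(3))
            pol = policies.setdefault(key, {"source": set(), "destination": set(), "permit": False})
            if m.group(4) == "then":
                pol["permit"] |= m.group(5).split()[0] == "permit"
            else:  # one set line may carry several match leaves, as in the thread's one-line Test policy
                for kw, val in re.findall(r"(source-address|destination-address) (\S+)", m.group(5)):
                    pol[kw.split("-")[0]].add(val)
    return books, policies

def lint(text):
    books, policies = parse(text)
    findings = []
    for (src_zone, dst_zone, name), pol in policies.items():
        known = books[src_zone] | books[dst_zone] | books["global"] | BUILTIN
        for direction in ("source", "destination"):
            for addr in sorted(pol[direction] - known):
                findings.append(f"{name}: {direction}-address {addr} not found in address books of {src_zone}/{dst_zone}")
        if pol["permit"] and "any" in pol["source"] and "any" in pol["destination"]:
            findings.append(f"{name}: permits any-to-any from {src_zone} to {dst_zone}; restrict it to the VPN prefixes")
    return findings
```

Run `lint(SAMPLE_CONFIG)` on the sample: VPN_Allow passes, Test is flagged as any-to-any, and Branch is reported for its unresolved source address.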

  • 15.  RE: SRX300 do not accept pings

    Posted 11-08-2017 02:24

    ok done thanks!