
SRX300 do not accept pings

  • 1.  SRX300 do not accept pings

    Posted 11-06-2017 04:49

    Hello,

    I have an SRX300 at my place and an SRX220 at another location; both make a VPN connection to our headquarters.

    The SRX220 is working normally: I can ping and receive pings from any other location.

    My SRX300 is working fine in that I can ping anywhere, but I cannot receive pings.

    If I ping my SRX300 I get a timeout message.

    Its internal IP address is 10.196.23.1.

    Take a look at the SRX300 configuration. Please tell me what to do.

        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        

    #srx300
    #ping


  • 2.  RE: SRX300 do not accept pings

    Posted 11-06-2017 08:07
    I do not see a policy for the reverse traffic.
    You may add the following config:

    set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8
    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
    *****
    policies {
        from-zone Internet to-zone Internal {
            policy VPN_Allow {
                match {
                    source-address 10.0.0.0/8;
                    destination-address 10.196.23.0/24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    Also, traffic from other networks destined to 10.196.23.0/24 should be routed through the IPsec VPN tunnel from the remote ends to the SRX in question.


  • 3.  RE: SRX300 do not accept pings

    Posted 11-07-2017 02:35

    Hello,

    When I try to add this I receive the following error:

    Error(s):
    'policy VPN_Allow'
    1) Source address or address_set (10.0.0.0/8) not found.
    2) configuration check-out failed

    If I try to add it using the command line I receive a syntax error.

    Please, if possible, rewrite my CLI with the new entries so I can copy and paste it to my SRX.

    Kind regards.



  • 4.  RE: SRX300 do not accept pings

    Posted 11-07-2017 02:49

    set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8
    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
    set security policies from-zone Internet to-zone Internal policy VPN_allowd match source-address 10.0.0.0/8
    set security policies from-zone Internet to-zone Internal policy VPN_allowd match destination-address 10.196.23.0/24
    set security policies from-zone Internet to-zone Internal policy VPN_allowd match application any
    set security policies from-zone Internet to-zone Internal policy VPN_allowd then permit



  • 5.  RE: SRX300 do not accept pings

    Posted 11-07-2017 03:19

    root@rotem_brazil_saopaulo# commit
    [edit security policies from-zone Internet to-zone Internal]
      'policy VPN_allowd'
        Destination address or address_set (10.196.23.0/24) not found.
    error: configuration check-out failed



  • 6.  RE: SRX300 do not accept pings

    Posted 11-07-2017 03:30

    Again, copy and paste the command below and it should solve the issue.

    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24

    If you are still encountering commit errors, then please try an any-to-any allow from the Internet zone to the Internal zone for testing purposes, i.e.:

    set security polices from-zone Internet to-zone Internal  policy Test source-address any destination-address any application any

    set security policies from-zone Internet to-zone Internal policy Test then permit



  • 7.  RE: SRX300 do not accept pings

    Posted 11-07-2017 04:21

    I changed it and got the same error.

    When I tried to enter, for testing purposes:

    set security polices from-zone Internet to-zone Internal  policy Test source-address any destination-address any application any

    I got a syntax error on the word "polices".



  • 8.  RE: SRX300 do not accept pings

    Posted 11-07-2017 04:41
    Correcting the spelling:

    set security policies from-zone Internet to-zone Internal policy Test match source-address any
    set security policies from-zone Internet to-zone Internal policy Test match destination-address any
    set security policies from-zone Internet to-zone Internal policy Test match application any
    set security policies from-zone Internet to-zone Internal policy Test then permit


  • 9.  RE: SRX300 do not accept pings

    Posted 11-07-2017 06:44



  • 10.  RE: SRX300 do not accept pings

    Posted 11-07-2017 07:24
    You have three options; choose whichever is suitable.

    1. set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
    commit

    Or
    2. delete security policies from-zone Internet to-zone Internal policy VPN_allowd
    commit

    Option 3:
    rollback 0
    set security policies from-zone Internet to-zone Internal policy Test match source-address any destination-address any application any
    set security policies from-zone Internet to-zone Internal policy Test then permit
    commit



  • 11.  RE: SRX300 do not accept pings

    Posted 11-07-2017 08:33

    (attached screenshot: 2.PNG)



  • 12.  RE: SRX300 do not accept pings

    Posted 11-07-2017 08:43
    Retyping option 3, as it was typed from a handheld:

    rollback 0
    set security policies from-zone Internet to-zone Internal policy Test match source-address any destination-address any application any
    set security policies from-zone Internet to-zone Internal policy Test then permit
    commit

    In case of issues, use ? to complete the command.


  • 13.  RE: SRX300 do not accept pings

    Posted 11-07-2017 11:36

    OK, perfect. I solved my problem, but it's not secure, right?

    How can we fix it?

    Thanks



  • 14.  RE: SRX300 do not accept pings
    Best Answer

    Posted 11-07-2017 22:58

    I assume that now you are able to ping the SRX LAN IP from the VPN peers.

    To harden it, the following is the script:

    set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
    set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8
    delete security policies from-zone Internet to-zone Internal policy Test match source-address any destination-address any application any
    set security policies from-zone Internet to-zone Internal policy Test match source-address 10.0.0.0/8 destination-address 10.196.23.0/24 application any
    set security policies from-zone Internet to-zone Internal policy Test then permit
    commit

    Please copy it line by line, and wherever you get stuck, try using ? to find possible completions.
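    An added example, not from this thread or from Juniper: a small Python lint that checks a block of Junos set lines offline for the two things this thread ran into, a policy that references an address-book name the commit cannot resolve, and an any-to-any permit from the untrusted zone like the Test policy. It assumes the zone-attached address-book rule that a policy's source names must be defined in the from-zone's address book and destination names in the to-zone's address book, and it only parses the subset of set syntax used in this thread.

```python
import re
from collections import defaultdict

# Regexes for the small subset of Junos "set" syntax used in this thread.
ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")
LEAF_RE = re.compile(r"(source-address|destination-address|application) (\S+)")


def lint_policies(config_text):
    """Return a list of problem strings for a block of Junos set lines (empty = clean)."""
    books = defaultdict(set)   # zone name -> names defined in that zone's address-book
    policies = {}              # (from-zone, to-zone, policy name) -> match leaves and action
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ADDR_RE.match(line):
            books[m.group(1)].add(m.group(2))
        elif m := POL_RE.match(line):
            key = (m.group(1), m.group(2), m.group(3))
            pol = policies.setdefault(key, {"match": defaultdict(set), "then": None})
            if m.group(4) == "match":
                # several match leaves may share one set line, as in replies 6 and 14
                for leaf, value in LEAF_RE.findall(m.group(5)):
                    pol["match"][leaf].add(value)
            else:
                pol["then"] = m.group(5).split()[0]
    problems = []
    for (from_zone, to_zone, name), pol in policies.items():
        # Assumed zone-book rule: source names resolve in the from-zone book,
        # destination names in the to-zone book; "any" needs no entry.
        for leaf, zone in (("source-address", from_zone), ("destination-address", to_zone)):
            for addr in pol["match"][leaf]:
                if addr != "any" and addr not in books[zone]:
                    problems.append(f"{name}: {leaf} {addr} not found in zone {zone} address-book")
        if (pol["then"] == "permit"
                and pol["match"]["source-address"] == {"any"}
                and pol["match"]["destination-address"] == {"any"}):
            problems.append(f"{name}: any-to-any permit from {from_zone} to {to_zone}")
    return problems


# Constructed input: the set lines posted in reply 4 of this thread.
THREAD_CONFIG = """
set security zones security-zone Internet address-book address 10.0.0.0/8 10.0.0.0/8
set security zones security-zone Internet address-book address 10.196.23.0/24 10.196.23.0/24
set security policies from-zone Internet to-zone Internal policy VPN_allowd match source-address 10.0.0.0/8
set security policies from-zone Internet to-zone Internal policy VPN_allowd match destination-address 10.196.23.0/24
set security policies from-zone Internet to-zone Internal policy VPN_allowd match application any
set security policies from-zone Internet to-zone Internal policy VPN_allowd then permit
"""
```

    Calling lint_policies(THREAD_CONFIG) reports the destination name missing from the Internal zone's book, the same complaint the commit in reply 5 made; moving that address entry to the Internal zone makes the lint come back clean.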

     



  • 15.  RE: SRX300 do not accept pings

    Posted 11-08-2017 02:24

    OK, done. Thanks!