SRX


Access between Security Zones

  • 1.  Access between Security Zones

    Posted 02-23-2018 05:43


    Dear Forum


    I'm going nuts with my problem. Maybe you can give me some hints.
    We use an SRX 340 (15.1X49-D120.3).
    There is the Internal security zone (irb.10) and the Wlan security zone (irb.20).
    From the Wlan security zone we want to access just one server in the Internal security zone.

    I created a policy to allow that traffic.
    I had in mind that I must also allow host-inbound traffic on the Internal zone (I set it to all) and not NAT the traffic.

    The problem is that I can't access that host (I can't even ping the host).

    Config you'll find in the attachment.


    Many thanks for your help!

    Rocksteady

    Attachment(s): srx_conf.txt


  • 2.  RE: Access between Security Zones

    Posted 02-23-2018 23:47

    Hi,


    You may do it as follows.


    1. Check from SRX - if you are able to ping - 10.1.10.20

    2. Check from SRX - if you are able to ping - 10.1.20.x/24 (host ip)

    3. From host ip (10.1.20.x) - are you able to ping default gateway - 10.1.20.1?

    4. From 10.1.10.20 - are you able to ping default gateway - 10.1.10.1?

    5. If the answer to all the above questions is yes - then proceed with the next step. Otherwise, you may want to check cabling and/or allowing ping in the host or servers. Also, hoping that wireless hosts are residing in segment 10.1.20.x/24 only.

    6. Try pinging from WLAN zone to Internal server - at the same time, check the flow session - run show security flow session source-prefix <10.1.20.x> destination-prefix 10.1.10.20

    7. Check if you are able to view forward and reverse packets.

    (a). If forward and reverse packets are increasing correctly - then the flow is formed correctly. The application should work in such a scenario.

    (b). If forward packets are increasing and reverse packets are zero in the flow - try deactivating nat-ruleset wlan-src-nat.

    (c). Perform the ping or run the application again.

    8. If nothing works, then try putting up the permit policy from 10.1.10.0/24 to 10.1.20.0/24 segment and check.


    HTH...
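    Steps 6 and 7 above come down to reading the session's forward and reverse packet counters and checking whether the source NAT rule rewrote the reply address. The following added example (not from the thread or from Juniper) parses a constructed `show security flow session` output in that format and applies those two checks; the session IDs, policy name, ports and the 10.1.20.50 client address are constructed sample values.

```python
import re

# Constructed sample of "show security flow session" output (not the poster's
# real output): one broken ICMP session and one healthy TCP session, both from
# the WLAN host 10.1.20.50 to the internal server 10.1.10.20.
SAMPLE = """\
Session ID: 3124, Policy name: wlan-to-internal/6, Timeout: 2, Valid
  In: 10.1.20.50/3 --> 10.1.10.20/3;icmp, If: irb.20, Pkts: 4, Bytes: 336
  Out: 10.1.10.20/3 --> 10.1.10.1/3;icmp, If: irb.10, Pkts: 0, Bytes: 0
Session ID: 3125, Policy name: wlan-to-internal/6, Timeout: 1794, Valid
  In: 10.1.20.50/51234 --> 10.1.10.20/445;tcp, If: irb.20, Pkts: 12, Bytes: 1480
  Out: 10.1.10.20/445 --> 10.1.20.50/51234;tcp, If: irb.10, Pkts: 10, Bytes: 2210
Total sessions: 2
"""

# One "In:" or "Out:" wing line: src/port --> dst/port;proto ... Pkts: N
WING = re.compile(
    r"^\s*(In|Out):\s+(\S+?)/\d+\s+-->\s+(\S+?)/\d+;(\w+),.*?Pkts:\s*(\d+)"
)


def parse_sessions(text):
    """Return one dict per session with its 'in' and 'out' wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("Session ID:"):
            cur = {"id": int(re.search(r"Session ID: (\d+)", line).group(1))}
            sessions.append(cur)
            continue
        m = WING.match(line)
        if m and cur is not None:
            wing, src, dst, proto, pkts = m.groups()
            cur[wing.lower()] = {"src": src, "dst": dst, "proto": proto, "pkts": int(pkts)}
    return sessions


def diagnose(session):
    """Apply the step 7 checks to one session and return the findings."""
    i, o = session["in"], session["out"]
    findings = []
    # Reply wing should be addressed back to the original client; anything else
    # means a source NAT rule (e.g. wlan-src-nat) rewrote the client address.
    if o["dst"] != i["src"]:
        findings.append(f"source NAT applied: replies go to {o['dst']} instead of {i['src']}")
    # Forward packets but no reverse packets: the server never answered (7b).
    if i["pkts"] > 0 and o["pkts"] == 0:
        findings.append("forward packets only, no reverse packets: server never answered")
    return findings or ["forward and reverse packets present: flow is formed correctly"]
```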



  • 3.  RE: Access between Security Zones

    Posted 02-24-2018 22:16

    Hi,


    The config looks fine and it should work. Did you get a warning to reboot the node after the commit? 

    eg. L2 global mode is changed from non-l2 mode to switching mode


    An output of "show route" would be useful and also the "show security flow session destination-prefix 10.1.10.20".


    Regards,


    Vikas



  • 4.  RE: Access between Security Zones
    Best Answer

    Posted 02-26-2018 01:41

    Thank you all for your hints!

    Finally it works! First I set the destination address to any and checked whether I can ping other devices from 10.1.20.x to 10.1.10.x, and this works.
    It seems like the NAS device doesn't allow packets from another network, but that is a problem of the NAS and I'm sure it can be allowed there.

    The Juniper SRX did good work all the time.

    Sorry for my interruption and again thanks a lot!