I'm going nuts with my problem. Maybe you can give me some hints.
We use an SRX 340 (15.1X49-D120.3). There are the Internal security zone (irb.10) and the Wlan security zone (irb.20). From the Wlan security zone we want to access just one server in the Internal security zone.
I created a policy to allow that traffic. I had in mind that I must also allow host-inbound traffic on the Internal zone (I set it to all) and not NAT the traffic.
The problem is that I can't access that host (I can't even ping it).
You'll find the config in the attachment.
Many thanks for your help!
You may do it as follows.
1. Check from the SRX whether you are able to ping 10.1.10.20.
2. Check from the SRX whether you are able to ping 10.1.20.x/24 (host IP).
3. From the host IP (10.1.20.x), are you able to ping the default gateway, 10.1.20.1?
4. From 10.1.10.20, are you able to ping the default gateway, 10.1.10.1?
5. If the answer to all the above questions is yes, then proceed with the next step. Otherwise, you may want to check cabling and/or allow ping on the host or servers. Also, hoping that the wireless hosts reside in segment 10.1.20.x/24 only.
6. Try pinging from the WLAN zone to the Internal server; at the same time, check the flow session: run show security flow session source-prefix <10.1.20.x> destination-prefix 10.1.10.20
7. Check whether you are able to view forward and reverse packets.
(a) If forward and reverse packets are increasing correctly, then the flow is formed correctly. The application should work in such a scenario.
(b) If forward packets are increasing and reverse packets are zero in the flow, try deactivating the NAT rule-set wlan-src-nat.
(c) Perform the ping or run the application again.
8. If nothing works, then try putting up a permit policy from the 10.1.10.0/24 to the 10.1.20.0/24 segment and check.
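As an added example (not the poster's attached config and not Juniper's own), here is a minimal set of Junos commands that implements what the question describes and what step 7(b) points at: a permit policy from Wlan to the single Internal server, ping on the irb interfaces so the gateway checks in steps 3 and 4 work, and a source-NAT exemption so the wlan-src-nat rule-set does not translate Wlan-to-Internal traffic. The zone name untrust, the address-book names, the policy and rule names, and the choice of junos-smb are assumptions.

```junos
# Address objects (constructed names); the server is a /32 so the policy cannot widen by accident
set security address-book global address nas-server 10.1.10.20/32
set security address-book global address wlan-net 10.1.20.0/24

# host-inbound-traffic only governs traffic to the SRX itself (e.g. pinging the gateway irb),
# not transit traffic; ping is enough for the checks in steps 3 and 4, "all" is broader than needed
set security zones security-zone Internal interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone Wlan interfaces irb.20 host-inbound-traffic system-services ping

# Transit policy: only wlan-net to the one server, only the applications the NAS serves
# (junos-smb is an assumed choice; replace with what the server actually runs)
set security policies from-zone Wlan to-zone Internal policy wlan-to-nas match source-address wlan-net
set security policies from-zone Wlan to-zone Internal policy wlan-to-nas match destination-address nas-server
set security policies from-zone Wlan to-zone Internal policy wlan-to-nas match application [ junos-ping junos-smb ]
set security policies from-zone Wlan to-zone Internal policy wlan-to-nas then permit
set security policies from-zone Wlan to-zone Internal policy wlan-to-nas then log session-close

# Source NAT: assumption is that wlan-src-nat covers both the internet-facing zone (untrust)
# and Internal. Rules are evaluated in order, so the exemption must come before the interface rule;
# otherwise Wlan hosts reach the NAS with the irb.10 address and the reverse packets of step 7(b) never appear
set security nat source rule-set wlan-src-nat from zone Wlan
set security nat source rule-set wlan-src-nat to zone [ Internal untrust ]
set security nat source rule-set wlan-src-nat rule no-nat-to-internal match source-address 10.1.20.0/24
set security nat source rule-set wlan-src-nat rule no-nat-to-internal match destination-address 10.1.10.0/24
set security nat source rule-set wlan-src-nat rule no-nat-to-internal then source-nat off
set security nat source rule-set wlan-src-nat rule internet match source-address 10.1.20.0/24
set security nat source rule-set wlan-src-nat rule internet then source-nat interface

# Verification from operational mode after commit:
#   show security nat source rule all
#   show security policies from-zone Wlan to-zone Internal
#   show security flow session source-prefix 10.1.20.0/24 destination-prefix 10.1.10.20
```

If the flow session shows a translated source address for Wlan-to-Internal traffic, the exemption rule is not being hit and its position or match terms should be checked first.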
The config looks fine and it should work. Did you get a warning to reboot the node after the commit?
eg. L2 global mode is changed from non-l2 mode to switching mode
An output of "show route" would be useful, and also "show security flow session destination-prefix 10.1.10.20".
Thank you all for your hints!
Finally it works! First I set the destination address to any and checked whether I can ping other devices from 10.1.20.x to 10.1.10.x, and this works. It seems like the NAS device doesn't allow packets from the other net, but that is a problem of the NAS, and I'm sure it can be allowed.
The Juniper SRX did all the time good work.
Sorry for my interruption and again thanks a lot!