SRX 210 Intervlan Routing/Security Policy Issue

  • 1.  SRX 210 Intervlan Routing/Security Policy Issue

    Posted 06-29-2017 01:57

    Hi,

    I have an SRX 210 with 3 WAPs and a bridge to another router which holds the primary internet connection. I want to connect one of the WAPs' default IP address through VLAN 100 but can't seem to get it working. I can ping and SSH to the WAP from the SRX but can't ping if I do 'ping 169.254.1.1 source 192.168.20.1'. Can someone take a look over the config and see what I'm doing wrong? fe-0/0/4 is the port which I have the WAP in question on. WAP IP is 169.254.1.1/16

    set system services dhcp-local-server group LAN interface vlan.100
    set interfaces ge-0/0/0 mtu 2000
    set interfaces ge-0/0/0 unit 0 description WAN
    set interfaces ge-0/0/0 unit 0 family inet address 27.124.100.178/30
    set interfaces ge-0/0/1 unit 0 description UNIFI_AP
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN100
    set interfaces fe-0/0/2 unit 0 description NETCOMM
    set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members VLAN100
    set interfaces ge-0/0/2 mtu 2000
    set interfaces fe-0/0/3 unit 0 family inet address 10.1.1.1/30
    set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members EPMP
    set interfaces lo0 unit 1 family inet address 3.3.3.3/32
    set interfaces vlan unit 10 family inet address 169.254.1.10/16
    set interfaces vlan unit 100 description LAN
    set interfaces vlan unit 100 family inet policer input 20m
    set interfaces vlan unit 100 family inet address 192.168.20.1/24
    set snmp trap-group FAILOVER version all
    set snmp trap-group FAILOVER categories services
    set snmp trap-group FAILOVER targets 192.168.20.253
    set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
    set class-of-service host-outbound-traffic ieee-802.1
    set security nat source rule-set rs1 from zone trust
    set security nat source rule-set rs1 to zone untrust
    set security nat source rule-set rs1 rule r1 match source-address 192.168.20.0/24
    set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set security nat source rule-set rs1 rule r1 then source-nat interface
    set security policies from-zone trust to-zone untrust policy internet-access match source-address any
    set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
    set security policies from-zone trust to-zone untrust policy internet-access match application any
    set security policies from-zone trust to-zone untrust policy internet-access then permit
    set security policies from-zone trust to-zone untrust policy internet-access then log session-init
    set security policies from-zone trust to-zone untrust policy internet-access then log session-close
    set security policies from-zone trust to-zone untrust policy internet-access then count
    set security policies from-zone trust to-zone trust policy internet-access match source-address any
    set security policies from-zone trust to-zone trust policy internet-access match destination-address any
    set security policies from-zone trust to-zone trust policy internet-access match application any
    set security policies from-zone trust to-zone trust policy internet-access then permit
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust host-inbound-traffic system-services ftp
    set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services dhcp
    set security zones security-zone trust interfaces vlan.100 host-inbound-traffic system-services ssh
    set security zones security-zone trust interfaces vlan.100 host-inbound-traffic protocols all
    set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.10 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces vlan.10 host-inbound-traffic protocols all
    set firewall policer 20m if-exceeding bandwidth-limit 20m
    set firewall policer 20m if-exceeding burst-size-limit 2m
    set firewall policer 20m then discard
    set access address-assignment pool LAN family inet network 192.168.20.0/24
    set access address-assignment pool LAN family inet range inside low 192.168.20.10
    set access address-assignment pool LAN family inet range inside high 192.168.20.254
    set access address-assignment pool LAN family inet dhcp-attributes maximum-lease-time 86400
    set access address-assignment pool LAN family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool LAN family inet dhcp-attributes name-server 8.8.4.4
    set access address-assignment pool LAN family inet dhcp-attributes router 192.168.20.1
    set vlans EPMP vlan-id 10
    set vlans EPMP l3-interface vlan.10
    set vlans VLAN100 vlan-id 100
    set vlans VLAN100 l3-interface vlan.100

    Thanks.



  • 2.  RE: SRX 210 Intervlan Routing/Security Policy Issue
    Best Answer

    Posted 06-29-2017 02:18

    Did you check if destination (WAP IP is 169.254.1.1) has a return route for 192.168.20.1 pointing to SRX?

    Run "show security flow session destination-prefix 169.254.1.1 protocol icmp" after running a Ping and check if you see a valid session.

    If you see a session with packets going out and nothing in return, then it's a route issue on the destination.

    If you don't see a session itself, then run flow traceoptions.
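    Added example (not part of the thread): a small Python parser that applies the check in this answer to the output of "show security flow session destination-prefix 169.254.1.1 protocol icmp" and classifies it the way the answer describes (no session at all, one-way session with no return packets, or bidirectional). The sample output is constructed; its layout is assumed from the Junos flow session format and the interface names are assumptions.

```python
import re

# Constructed sample, modelled on Junos "show security flow session" output (assumed format,
# not captured from the poster's SRX). The In wing counts packets, the Out wing shows none:
# this is the "packets going out and nothing in return" case from the answer.
SAMPLE_OUTPUT = """\
Session ID: 4821, Policy name: internet-access/5, Timeout: 2, Valid
  In: 192.168.20.1/0 --> 169.254.1.1/2048;icmp, If: .local..0, Pkts: 5, Bytes: 420,
  Out: 169.254.1.1/2048 --> 192.168.20.1/0;icmp, If: vlan.10, Pkts: 0, Bytes: 0,
Total sessions: 1
"""

SESSION_RE = re.compile(r"^Session ID:\s+(\d+),\s+Policy name:\s+(\S+),")
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)\s+-->\s+(\S+);(\w+),\s+If:\s+(\S+),\s+Pkts:\s+(\d+),\s+Bytes:\s+(\d+)"
)


def parse_sessions(text):
    """Return a list of sessions, each with its In/Out wings and packet counters."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2), "wings": {}}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur["wings"][m.group(1)] = {
                "src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                "ifname": m.group(5), "pkts": int(m.group(6)), "bytes": int(m.group(7)),
            }
    return sessions


def diagnose(sessions):
    """Classify the flow table the way the answer above does."""
    if not sessions:
        # The SRX never created a session: check zone/policy/route on the SRX (flow traceoptions).
        return "no-session"
    for s in sessions:
        in_wing, out_wing = s["wings"].get("In"), s["wings"].get("Out")
        if in_wing and in_wing["pkts"] > 0 and (out_wing is None or out_wing["pkts"] == 0):
            # Forward packets left the SRX, nothing came back: the destination lacks a return route.
            return "no-return-traffic"
    return "bidirectional"


def diagnose_output(text):
    return diagnose(parse_sessions(text))
```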



  • 3.  RE: SRX 210 Intervlan Routing/Security Policy Issue

    Posted 06-29-2017 02:40

    Think you might be on to it. WAP doesn't have a default gateway set back to the router to send ICMP replies. DUHH.

    Thanks.