SRX

Hi,

 

I was trying to set up intra-zone (trust-to-trust) security policies and discovered my source-address that references a network prefix doesn't work but when redefined as a range-address does work.

 

Has anyone run into this before?

 

 

security {
   address-book {
      trusted-addresses {
         address A-prefix-subnet x.y.z.0/24;
         address A-range-subnet {
            range-address x.y.z.1 {
               to {
                     x.y.z.254;
               }
            }
         }
         address B-prefix-subnet a.b.c.0/24;
         address B-range-subnet {
            range-address a.b.c.1 {
               to {
                     a.b.c.254;
               }
            }
         }
         attach {
            zone trust;
         }
      }
   }
   policies {
        from-zone trust to-zone trust {
            policy Intra-trust-allow {
                match {
                    # client in x.y.z.107 cannot ping B's q.r.s.t
                    source-address A-prefix-subnet;
                    # client in x.y.z.107 can ping B's q.r.s.t
                    source-address A-range-subnet;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
   }
}

 

 

Within the SRX's (12.1X46-D71) CLI, I can ping all IPs.

 

Thanks

Hello ,

 

I do not see any issue in mentioning a prefix as subnet in security policy . It should work with either prefix or range . Maybe try removing the "source-identity any" configuration and try again with prefix .

 

I just tried it by modifying the address and policy but didn't make any difference. Guess it could be the way I've created my policies although I only have one trust-to-trust.

Hope there is no type in address book ip address. Please use below mentioned command in both cases and check the status:

 

show security match-policies from-zone trust to-zone trust source-ip a.b.c.d destination-ip e.f.g.h source-port 1025 destination-port 1025 protocol icmp

 

 

 

---

@Nellikka wrote:

Hope there is no type in address book ip address. Please use below mentioned command in both cases and check the status:

 

show security match-policies from-zone trust to-zone trust source-ip a.b.c.d destination-ip e.f.g.h source-port 1025 destination-port 1025 protocol icmp

---

Thanks for your reply. If I have a typo wouldn't JunOS notice and issue an error? I used the webUI for these changes so I hope they're fine syntax-wise. Anyway I changed my config as follows:

1. Changed destination to subnet - OK!
2. Changed source to subnet - Error.

Here's the error output

Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
Sequence number: 2

The problem is I can't find this Default-Policy when I issue show security policies.

When everything was working after changing step 1, here's the output

Policy: Intra-trust-allow, action-type: permit, State: enabled, Index: 12
0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: trust
  Source addresses:
    Management-subnet(Trusted-Addresses): x.y.z.1 ~ x.y.z.254
  Destination addresses:
    any-ipv4(Trusted-Addresses): 0.0.0.0/0
    any-ipv6(Trusted-Addresses): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Source identities:
    any
  Per policy TCP Options: SYN check: No, SEQ check: No

Hello ,

 

SRX by default in flow mode , blocks in intra zonal traffic also . So indeed you need trust-to-trust policy if the traffic is traversing from  x.y.z.0/24  to  x.y.z.0/24or a.b.c.0/24 as they both are binded to the trust zone .

 

Can you also try configuring the following way :

 

set security zones security-zone trust address-book address A-prefix-subnet x.y.z.0/24
set security zones security-zone trust address-book address B-prefix-subnet a.b.c.0/24

 

set security policies from-zone trust to-zone trust policy Intra-trust-allow match source-address A-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match destination-address B-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match application any
set security policies from-zone trust to-zone trust policy Intra-trust-allow then permit

 

 

---

@joses wrote:

Hello ,

 

SRX by default in flow mode , blocks in intra zonal traffic also . So indeed you need trust-to-trust policy if the traffic is traversing from  x.y.z.0/24  to  x.y.z.0/24or a.b.c.0/24 as they both are binded to the trust zone .

 

Can you also try configuring the following way :

 

set security zones security-zone trust address-book address A-prefix-subnet x.y.z.0/24
set security zones security-zone trust address-book address B-prefix-subnet a.b.c.0/24

 

set security policies from-zone trust to-zone trust policy Intra-trust-allow match source-address A-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match destination-address B-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match application any
set security policies from-zone trust to-zone trust policy Intra-trust-allow then permit

---

Thanks for your reply. I tried it but because I'm using global address book entries, I can't enter any addresses in my zones.

Hello,

 

Indeed sounds strange. Assuming no typo in the /24 subnet definition I would try the following

 

> Remove the /24 entry

> commit the config

> Add the /24 address book entry

> Add the /24 address-book entry to the policy while removing the range entry

> commit full (note that dynamic routing and vpns may encounter a blip with this)

 

> Can you check if the policy detial shows the correct subnet?

root@srx> show security policies from-zone trust to-zone trust detail
Policy: Subnet1-to-Subnet2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: trust
Source addresses:
Subnet1(global): 192.168.10.0/24
Destination addresses:
Subnet2(global): 192.168.20.0/24
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No 

> Which platform is this? We can check if the policy is programmed properly in the pfe is the above steps dont help

 

I hope this helps.

 

Regards,

 

Vikas

---

@Nelumbo wrote:

Hello,

 

Indeed sounds strange. Assuming no typo in the /24 subnet definition I would try the following

 

> Remove the /24 entry

> commit the config

> Add the /24 address book entry

> Add the /24 address-book entry to the policy while removing the range entry

> commit full (note that dynamic routing and vpns may encounter a blip with this)

 

> Can you check if the policy detial shows the correct subnet?

root@srx> show security policies from-zone trust to-zone trust detail
Policy: Subnet1-to-Subnet2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: trust
Source addresses:
Subnet1(global): 192.168.10.0/24
Destination addresses:
Subnet2(global): 192.168.20.0/24
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No 

> Which platform is this? We can check if the policy is programmed properly in the pfe is the above steps dont help

 

I hope this helps.

 

Regards,

 

Vikas

---

Interesting!

I replaced the entry in my reply to Nellikka, and here's the detail:

root@srx240poe> show security policies from-zone trust to-zone trust detail
Policy: Intra-trust-allow, action-type: permit, State: enabled, Index: 12, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: trust
  Source addresses:
    Management-subnet(Trusted-Addresses): x.y.z.0/0.0.0.24
  Destination addresses:
    any-ipv4(Trusted-Addresses): 0.0.0.0/0
    any-ipv6(Trusted-Addresses): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Source identities:
    any
  Per policy TCP Options: SYN check: No, SEQ check: No

The problem was I was using CIDR and not reading the description in the CLI nor the webUI's drop down "IP Address/Netmask"!

Duh.

Replacing x.y.z.0/24 with x.y.z.0/255.255.255.0 fixed it!

 

EDIT: You guys are real sharp. I think the reason why you wrote if there was a typo was the CLI config doesn't use CIDR but they are defined as

            address Management-subnet {
                wildcard-address x.y.z.0/255.255.255.0;
            }

Thank you everyone.