  • 1.  Just starting out with junos, So a noob question here..

    Posted 05-12-2018 15:11

    I don't have basic layer three connectivity between my two Juniper SRX210s. I have two interfaces directly connected to each other, yet they can't ping each other. I will attach the config; please let me know what I am doing wrong.

    aabdulr2# run show configuration
    ## Last commit: 2018-05-12 21:39:31 UTC by aabdulr2
    version 12.1X44-D35.5;
    system {
        root-authentication {
            encrypted-password "$1$rdyA1q4X$qgkB.rb9I252lF9kT3H4q/"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user aabdulr2 {
                uid 2003;
                class super-user;
                authentication {
                    encrypted-password "$1$GyQmW9Kw$/zy7vBUhKqZQs7jJPLUaq1"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            inactive: dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.0.0.2/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.1.2/24;
                }
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
        }
    }

    and for R2

    aabdulr2> show configuration
    ## Last commit: 2018-05-12 21:22:18 UTC by aabdulr2
    version 11.2R4.3;
    system {
        root-authentication {
            encrypted-password "$1$mqFiB.CD$K2.1ChYJMPmk0Az/MKlN8/"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user aabdulr2 {
                uid 2003;
                class super-user;
                authentication {
                    encrypted-password "$1$4Tfka88U$tMLnvxLATCtomUOeh40T7/"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            inactive: dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.0.0.1/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
        }
    }



  • 2.  RE: Just starting out with junos, So a noob question here..
    Best Answer

    Posted 05-13-2018 00:21

    Hello,

    Looks like You connected R1 ge-0/0/0 to R2 ge-0/0/0. Then You have 2 issues:

    1/ The ge-0/0/0.0 netmask on R1 is /24, but the ge-0/0/0.0 netmask on R2 is /30.

    2/ ge-0/0/0.0 on R1 is not assigned to any zone; likewise, ge-0/0/0.0 on R2 is not assigned to any zone.

    BTW, by default any SRX interface not explicitly assigned elsewhere is in the Null zone, and no traffic is allowed in the Null zone.

    HTH

    Thx
    Alex




  • 3.  RE: Just starting out with junos, So a noob question here..

    Posted 05-13-2018 00:40

    Okay, thanks for that. So does this mean that every time I am working with an interface on Layer 3 I need to assign it to a zone? If yes, what are zones and what can be configured in a zone?

    Also, I have applied the corrections you suggested and that still did not solve the problem.

    Thanks for all the help 



  • 4.  RE: Just starting out with junos, So a noob question here..

    Posted 05-13-2018 02:07

    Hello,

    If You are not familiar with the firewall "zone" concept, I strongly suggest You first read the book "JUNOS Security":

    https://www.amazon.co.uk/gp/product/1449381715

    Or at least chapter 4, which discusses the JUNOS security-related concepts.

    On the topic "applied corrections, still does not work" - please share Your latest configs.

    HTH

    Thx

    Alex




  • 5.  RE: Just starting out with junos, So a noob question here..

    Posted 05-13-2018 02:35

    So I ended up solving the issue by adding the interface ge-0/0/0.0 to a trusted zone. Thanks for all the help!!
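    The fix the thread converges on, written out as an added example rather than config taken from the posts: ge-0/0/0.0 is placed in the trust zone on both SRX210s (it was in the Null zone, which accepts nothing) and R1's mask is corrected to /30 to match R2. The example also narrows the posted zone's host-inbound-traffic from "all" to ping and ssh, which is my assumption about what this link needs, not something the thread specifies; the protocols stanza is dropped because no routing protocol runs on the link.

```junos
/* R1 only: address mask corrected from /24 to /30 so that both
   ends of the point-to-point link agree on the subnet */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.0.2/30;
            }
        }
    }
}

/* R1 and R2: attach ge-0/0/0.0 to the trust zone. Without an
   "interfaces" entry the unit stays in the Null zone and the SRX
   will not accept the inbound ICMP echo, so ping never succeeds.
   host-inbound-traffic is what the SRX itself accepts on interfaces
   in this zone; "ping" and "ssh" here replace the posted "all"
   (assumed sufficient for this lab link). */
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
```

    After commit, `show security zones` should list ge-0/0/0.0 under trust on both boxes, and `show interfaces terse ge-0/0/0` confirms the /30 address before retrying the ping.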