SRX


Help with SRX 210 Security rules

  • 1.  Help with SRX 210 Security rules

    Posted 01-23-2020 11:03

    Hey All

    I'm teaching myself Junos OS, and I'm setting up an SRX210.

    I have my laptop connected to fe-0/0/5 and the uplink (another router) on ge-0/0/1.

    From my laptop, I can ping/SSH the SRX, but I cannot get any further: when I ping 8.8.8.8 I get "Request timed out".

    From the uplink side, I can access the SRX via ping or SSH, and from the SRX itself I can access 8.8.8.8, so I assume the routing is fine...


    Can someone show me what I am missing, or show me how to enable the correct logging?

    Attachment: srx210.txt (6 K)


  • 2.  RE: Help with SRX 210 Security rules

    Posted 01-23-2020 16:40

    Hi,

    Do you have static routes configured on your SRX? I do not see any routing specified in your config. You need a default route pointing to the upstream router.


    Thanks

    John



  • 3.  RE: Help with SRX 210 Security rules
    Best Answer

    Posted 01-24-2020 05:48

    Looking at your config, I suspect your upstream router (the one between the SRX and 8.8.8.8) does not have a rule to NAT your trust subnet (192.168.1.0/24). When you are pinging from the ge-0/0/1 interface, the traffic is sourced from 192.168.11.107/24.


    I do see you have a NAT rule, but that is from the trust to untrust zone, and ge-0/0/1 and ge-0/0/5 are both in the trust zone.


    You can check whether the traffic is passing from your SRX to your upstream device by looking at the security flows while you ping:


    show security flow session source-prefix 192.168.1.0/24 destination-prefix 8.8.8.8/32
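    As an added illustration (not code from the thread), a small Python parser for that command's output which flags sessions whose reverse wing still points at the untranslated trust address, the symptom described above. The sample output below is constructed in the usual In/Out wing layout; real output may carry extra fields, which the pattern tolerates.

```python
import re

# Constructed sample in the shape of `show security flow session` output.
# Addresses follow the thread: 192.168.1.0/24 is the trust subnet and
# 192.168.11.107 is the SRX's ge-0/0/1 address.
SAMPLE = """\
Session ID: 1001, Policy name: trust-to-untrust/4, Timeout: 2, Valid
  In: 192.168.1.10/1 --> 8.8.8.8/1;icmp, If: fe-0/0/5.0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/1 --> 192.168.11.107/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
Session ID: 1002, Policy name: trust-to-trust/5, Timeout: 2, Valid
  In: 192.168.1.10/2 --> 8.8.8.8/2;icmp, If: fe-0/0/5.0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/2 --> 192.168.1.10/2;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
"""

SESSION = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
# `.*?` between fields tolerates extras such as "Conn Tag" on newer releases.
WING = re.compile(r"^\s*(In|Out): (\S+?)/\d+ --> (\S+?)/\d+;(\w+),.*?If: (\S+),.*?Pkts: (\d+)")

def parse_sessions(text):
    """Return one dict per session holding its In and Out wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION.match(line)
        if m:
            cur = {"id": m.group(1), "policy": m.group(2)}
            sessions.append(cur)
            continue
        m = WING.match(line)
        if m and cur is not None:
            direction, src, dst, _proto, ifname, pkts = m.groups()
            cur[direction] = {"src": src, "dst": dst, "if": ifname, "pkts": int(pkts)}
    return sessions

def diagnose(session):
    """Read a session the way the post suggests.

    The Out wing is the reverse direction, so its destination is where the
    reply is routed back to. If it still equals the client's own address,
    no source NAT was applied: the upstream router then needs a route for
    that subnet, or the egress interface belongs in the untrust zone.
    """
    inw, outw = session.get("In"), session.get("Out")
    if not inw or not outw:
        return "incomplete"
    if outw["dst"] == inw["src"]:
        return "no-source-nat: upstream needs a route to %s" % inw["src"]
    if outw["pkts"] == 0:
        return "natted-no-reply"
    return "ok"
```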


  • 4.  RE: Help with SRX 210 Security rules

    Posted 01-24-2020 08:37

    Thanks, Jeff, it looks like you got it right.


    First, I removed fe-0/0/1 from the zone, as this is family ethernet switching; then I removed ge-0/0/1 from the trusted zone and added it to the untrusted zone to fix the NAT rule.

    Now I can ping my upstream network, and after I added a static route to the upstream router I can ping 8.8.8.8.


    Thanks!