
SRX 220 Two interfaces in untrusted zone

  • 1.  SRX 220 Two interfaces in untrusted zone

    Posted 30 days ago

    Hello,

    I have a SRX 220H2-POE
    JUNOS Software Release [12.1X46-D65.4]

    My issue is in troubleshooting ICMP packets inbound from external pings on a NEW Interface.

    I have two interfaces (now) in my untrusted zone, both with their own distinct /30 PUBLIC subnets. The first one, on ge-0/0/0, is the default route (working fine), and the new 2nd one, on ge-0/0/1, does not reply to ICMP pings to the interface from external remote testing. From the Juniper extended ping from this new interface, pinging out works just fine. To bring UP this new interface I am using a Cisco switch as a demarc (only connected to the port).

    I have ping enabled.

    interfaces {
        ge-0/0/0.0;
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }

    Why can I not see the ICMP replies from my remote workstation testing inbound?

    My session Monitors show the following:

    Remote Ping to New Interface:

    Session ID: 96279, Policy name: self-traffic-policy/1, Timeout: 1800, Valid

      In: 108.31.33.120/36518 --> 128.177.117.134/22;tcp, If: ge-0/0/0.0, Pkts: 2852, Bytes: 171283

      Out: 128.177.117.134/22 --> 108.31.33.120/36518;tcp, If: .local..0, Pkts: 3052, Bytes: 470709

    Remote Ping to Router Default Interface (works)

    Session ID: 20354, Policy name: self-traffic-policy/1, Timeout: 4, Valid

      In: 108.31.33.120/3636 --> 128.177.117.134/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60

      Out: 128.177.117.134/1 --> 108.31.33.120/3636;icmp, If: .local..0, Pkts: 1, Bytes: 60



    ------------------------------
    Scott Lucas
    ------------------------------


  • 2.  RE: SRX 220 Two interfaces in untrusted zone

    Posted 29 days ago
    I'm guessing that the reply is going out your other interface, since the default route shows that first internet link as the valid reply path.

    Depending on your application for the dual internet, you might use ECMP to keep both links shared in the same routing table.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
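Added example (not configuration from either poster) of the other common way to handle what Steve describes: instead of ECMP in the main table, the second link is put in its own virtual-router routing instance, so replies to anything that arrives on ge-0/0/1.0 are routed with that instance's default route rather than inet.0's route via ge-0/0/0. The instance name ISP2, the zone name untrust and the next-hop address 203.0.113.1 are assumptions for illustration; the interface names and the ping host-inbound setting are the ones from the original post.

```junos
/* Added example, not the poster's config. Second ISP link isolated in its own
   virtual-router so that the SRX answers for the ge-0/0/1 address on ge-0/0/1.
   Names and the next-hop address are hypothetical. */
routing-instances {
    ISP2 {                                  /* hypothetical instance name */
        instance-type virtual-router;
        interface ge-0/0/1.0;               /* moves the interface out of inet.0 */
        routing-options {
            static {
                /* hypothetical next hop: far end of the ge-0/0/1 /30 */
                route 0.0.0.0/0 next-hop 203.0.113.1;
            }
        }
    }
}
/* Zone membership is independent of the routing instance, so the existing
   zone config (zone name assumed) stays as it is, including ping on ge-0/0/1.0. */
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
```

After commit, "show route table ISP2.inet.0" should list 0.0.0.0/0 via ge-0/0/1.0, and an external ping to the ge-0/0/1 address should then show up in "show security flow session protocol icmp" as a self-traffic-policy session with In: If: ge-0/0/1.0 (note that the first session quoted in the original post is TCP/22 on ge-0/0/0.0, i.e. a management session, not the ping). Pings sourced from the SRX on that interface now need "routing-instance ISP2" on the ping command. Trust-side traffic keeps using inet.0 and the existing default route via ge-0/0/0, so the working link is unaffected; sending inside traffic out the second link would additionally need a route into ISP2 and its own source NAT, which this thread does not cover.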



  • 3.  RE: SRX 220 Two interfaces in untrusted zone

    Posted 28 days ago
    Thank you for the reply, Steve. This was working as a test several years ago; I'm not sure how that was set up, but I haven't figured out how to emulate that setup. I don't think ECMP was used, though, and unfortunately that OLD config is long gone. Thanks again.
    Scott

    ------------------------------
    Scott Lucas
    ------------------------------