


  • 1.  SRX300 InterZone traffic

    Posted 01-26-2022 09:30

    Hi All

    I have an SRX300 that we will use as a firewall/switch.

    I have it configured and am testing; everything is working except for the following.
    I have two ports in a Vlan

    I would like the devices plugged into those two ports (2 servers) to be able to talk to each other

    Can someone please advise why this doesn't currently work?

    I have posted the config below

    /* NOTE(review): this is a child of the "system" stanza; the enclosing
     * "system {" line is missing from the paste, so indentation is off here. */
    services {
            /* SSH is on, but the root account may not log in over it. */
            ssh {
                root-login deny;
            }
            /* NETCONF is carried over SSH only. */
            netconf {
                ssh;
            }
            /* The on-box DHCP server answers only on irb.0 (192.168.1.0/24, vlan-trust). */
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.0;
                }
            }
            /* NOTE(review): J-Web over HTTPS (system-generated certificate) is bound to
             * ge-0/0/0.0 as well as irb.30. ge-0/0/0.0 carries the "Internet IP" address,
             * sits in zone untrust, and that zone's host-inbound-traffic allows https, so the
             * management UI is reachable from the outside. Consider binding it to irb.30
             * only, or limiting the sources that may reach it. */
            web-management {
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/0.0 irb.30 ];
                }
            }
        }
        /* Resolvers used by the SRX itself (public Google DNS). */
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        /* Local logging only: emergencies go to every logged-in user, notice-and-above
         * plus authorization events to "messages", every CLI command to
         * "interactive-commands". Files rotate at 100k, keeping 3 archives.
         * NOTE(review): no remote syslog host appears in this paste, so the
         * session-init/session-close logs requested by the untrust->trust policies stay on
         * the box and are lost on rotation; confirm whether off-box logging is wanted. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        /* Keep at most 5 saved configurations on flash and 5 rollback points. */
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        /* Automatic license retrieval from Juniper over HTTPS. */
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        /* Zero-touch phone-home client pointed at Juniper's redirect service. */
        phone-home {
            server https://redirect.juniper.net;
            rfc-compliant;
        }
    }
    security {
        /* NOTE(review): the "global" book shows no address entries in this paste, yet the
         * sets below and the policies reference rdp1, rdp2, rdp4, rdp5, support, webserver
         * and openvpn. The entries were presumably removed before posting, and the brace
         * nesting in this stanza looks off by one as pasted (the "global" block closes
         * before the address-sets). Compare against the live configuration. */
        address-book {
            global {
                
                }
                /* Hosts that the "rdp" policy may reach from source-address "support". */
                address-set RDP {
                    address rdp1;
                    address rdp2;
                    address rdp4;
                    address rdp5;
                }
                /* Hosts exposed by the "filezilla" policy (FTP from any source). */
                address-set ftp {
                    address rdp4;
                    address rdp5;
                }
            }
        }
        /* IDS screen profile; it is attached to zone untrust ("screen untrust-screen" in
         * the zones stanza). Drops ping-of-death, IP source-route option, teardrop and
         * LAND packets, and rate-limits TCP SYN floods with the thresholds below. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        /* "Internet IP.x" throughout is the poster's redaction of the public /24 on
         * ge-0/0/0. */
        nat {
            /* Hide NAT: everything leaving trust for untrust is translated to the
             * address of the egress interface (ge-0/0/0.0). */
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            /* One-to-one static NAT for six public addresses onto hosts in 192.168.30.0/24
             * (vlan30 / irb.30). NOTE(review): static NAT only translates; what may actually
             * reach these hosts from the Internet is decided by the from-zone untrust
             * to-zone trust policies. Junos performs static NAT before the policy lookup, so
             * those policies are expected to match on the private 192.168.30.x addresses --
             * verify that the address-book entries are written that way. */
            static {
                rule-set 194 {
                    from zone untrust;
                    rule 194 {
                        match {
                            destination-address Internet IP.194/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.194/32;
                                }
                            }
                        }
                    }
                    rule 191 {
                        match {
                            destination-address Internet IP.191/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.191/32;
                                }
                            }
                        }
                    }
                    rule 192 {
                        match {
                            destination-address Internet IP.192/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.192/32;
                                }
                            }
                        }
                    }
                    rule 196 {
                        match {
                            destination-address Internet IP.196/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.196/32;
                                }
                            }
                        }
                    }
                    rule 23 {
                        match {
                            destination-address Internet IP.23/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.23/32;
                                }
                            }
                        }
                    }
                    rule 195 {
                        match {
                            destination-address Internet IP.195/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.30.195/32;
                                }
                            }
                        }
                    }
                }
            }
            /* The SRX answers ARP on ge-0/0/0.0 for the six static-NAT public addresses so
             * the upstream router can deliver traffic for them. */
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        Internet IP.23/32 to Internet IP.23/32;
                        Internet IP.191/32 to Internet IP.191/32;
                        Internet IP.192/32 to Internet IP.192/32;
                        Internet IP.194/32 to Internet IP.194/32;
                        Internet IP.195/32 to Internet IP.195/32;
                        Internet IP.196/32 to Internet IP.196/32;
                    }
                }
            }
        }
        policies {
            /* Intra-zone: anything between the trust interfaces (irb.0, irb.30,
             * ge-0/0/5.0) is allowed. NOTE(review): the two servers from the question are on
             * access ports in the same VLAN (vlan30) and subnet, and the box runs
             * l2-learning in switching mode, so their traffic is presumably forwarded at
             * layer 2 and never consults this policy -- which matches the thread's outcome
             * (a host firewall was the blocker). */
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Outbound: unrestricted and unlogged from trust to the Internet. */
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Inbound from the Internet. Each policy matches on "dynamic-application any",
             * i.e. the L4 application match is what actually gates the traffic. */
            from-zone untrust to-zone trust {
                /* RDP is the only inbound service restricted by source ("support"); the
                 * entry itself is not shown in this paste. */
                policy rdp {
                    match {
                        source-address support;
                        destination-address RDP;
                        application junos-rdp;
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                /* NOTE(review): FTP (control + data) is open to the whole Internet towards
                 * the "ftp" set. FTP sends credentials in the clear; if the peers are known,
                 * restrict source-address the way the "rdp" policy does. */
                policy filezilla {
                    match {
                        source-address any;
                        destination-address ftp;
                        application [ junos-ftp junos-ftp-data ];
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                /* HTTP/HTTPS from anywhere to "webserver". */
                policy webserver {
                    match {
                        source-address any;
                        destination-address webserver;
                        application [ junos-http junos-https ];
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                /* Custom "OpenVPN" application (udp/1194, tcp/943, tcp/443, tcp/80) from
                 * anywhere to "openvpn". */
                policy openvpn {
                    match {
                        source-address any;
                        destination-address openvpn;
                        application OpenVPN;
                        dynamic-application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            /* Anything not matched above (including untrust -> untrust) is dropped. */
            default-policy {
                deny-all;
            }
        }
        zones {
            /* NOTE(review): every system service and every routing protocol is accepted
             * from any trust interface, including ge-0/0/5.0 (192.168.200.28/24). Narrowing
             * this to the services actually used (e.g. ssh, https, dhcp, ping) reduces the
             * management surface reachable from the LAN. */
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                    irb.30;
                    ge-0/0/5.0;
                }
            }
            /* Internet-facing zone; screen "untrust-screen" is applied here.
             * NOTE(review): "https" is what lets J-Web (bound to ge-0/0/0.0 under
             * system services web-management) answer from the Internet. "tftp" on an
             * Internet-facing interface is unusual -- confirm it is needed. ge-0/0/0.0 has a
             * static address in this paste, so the "dhcp" client service looks unnecessary
             * unless the address is really DHCP-learned; confirm. */
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        /* WAN uplink: static public address (redacted as "Internet IP"), zone untrust. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address Internet IP.190/24;
                }
            }
        }
        /* The two server ports from the question: both untagged access ports in vlan30,
         * so the servers share one broadcast domain and the 192.168.30.0/24 subnet. */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan30;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan30;
                    }
                }
            }
        }
        /* Routed L3 port in zone trust (192.168.200.0/24); purpose not stated in the post. */
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 192.168.200.28/24;
                }
            }
        }
        /* L3 gateways for the two VLANs. irb.0 (vlan-trust) is also the DHCP server
         * interface; irb.30 (vlan30) is the gateway for the static-NAT hosts. */
        irb {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 30 {
                family inet {
                    address 192.168.30.222/24;
                }
            }
        }
    }
    /* DHCP pool handed out by dhcp-local-server on irb.0: 192.168.1.2-254 with irb.0 as
     * the default gateway. NOTE(review): propagate-settings copies options learned by a
     * DHCP client on ge-0/0/0.0, but that interface is statically addressed in this
     * paste, so clients presumably receive no DNS option from here -- confirm. */
    access {
        address-assignment {
            pool junosDHCPPool {
                family inet {
                    network 192.168.1.0/24;
                    range junosRange {
                        low 192.168.1.2;
                        high 192.168.1.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.1.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
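    applications {
        /* Custom service referenced by the untrust->trust "openvpn" policy: OpenVPN on
         * udp/1194, the Access Server admin/client UI on tcp/943, and tcp/443 + tcp/80.
         * The source-port range covers the whole ephemeral space; the original read
         * "0-65353" (a typo for 65535), which silently left client source ports
         * 65354-65535 unmatched and therefore denied by default-policy. Note that tcp/443
         * and tcp/80 overlap the built-in junos-https/junos-http applications. */
        application OpenVPN {
            term port1194 protocol udp source-port 0-65535 destination-port 1194-1194 inactivity-timeout 30;
            term port943 protocol tcp source-port 0-65535 destination-port 943-943 inactivity-timeout 30;
            term port443 protocol tcp source-port 0-65535 destination-port 443-443 inactivity-timeout 30;
            term port80 protocol tcp source-port 0-65535 destination-port 80-80 inactivity-timeout 30;
        }
    }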
    /* VLAN-to-IRB mapping. NOTE(review): no port in this paste is a member of vlan-trust
     * (only ge-0/0/1 and ge-0/0/2 appear, both in vlan30); ge-0/0/3 and ge-0/0/4 are not
     * shown, so it is unclear which ports, if any, reach the irb.0 DHCP scope. */
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
        vlan30 {
            vlan-id 30;
            l3-interface irb.30;
        }
    }
    /* Layer-2 switching is enabled globally (required for the ethernet-switching ports
     * and irb units above) and RSTP runs on every interface. */
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    /* Single default route to the ISP gateway on the ge-0/0/0 /24 (address redacted). */
    routing-options {
        static {
            route 0.0.0.0/0 next-hop Internet IP.1;
        }
    }



    ------------------------------
    CHAYNE CHILES
    ------------------------------



  • 2.  RE: SRX300 InterZone traffic

    Posted 01-28-2022 09:31
    bump

    ------------------------------
    CHAYNE CHILES
    ------------------------------



  • 3.  RE: SRX300 InterZone traffic

    Posted 01-28-2022 09:34
    On first look, your config is fine. But I have seen it many times where the servers have their Windows firewall enabled and it blocks the traffic. So check that you have disabled the firewalls, or configured their rules correctly to allow the services you need through.

    ------------------------------
    KRISTIAN DURVIN
    ------------------------------



  • 4.  RE: SRX300 InterZone traffic

    Posted 01-28-2022 12:22

    I feel like such an idiot.

    I disabled the Windows firewall but didn't disable the Avast that was installed on the laptop.

    It does connect successfully after I disable that.

    Thank you for your help.



    ------------------------------
    CHAYNE CHILES
    ------------------------------