SRX




  • 1.  SRX340

    Posted 06-15-2022 18:32

    Unable to pass traffic.  These are the steps I have taken:

     

    1. Upgrade SRX 340 to 18.4R3.3
    2. Reboot
    3. Upgrade SRX 340 to 22.1R1.10
    4. Reboot
    5. Factory reset
    6. Apply Basic config option from the JunOS Wizard
    7. Reboot

     

    I am unable to traverse from the Trusted side of the firewall to the untrusted.  I can ping, tracert, etc. from the untrusted side via the J-Web Tools. There is no deny-all rule configured from the Basic Config option.  So, traffic should flow across, but it is not.

    Running Config

    ## Last changed: 2022-06-15 08:59:27 MST
    version 22.1R1.10;
    system {
        host-name LC02;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
            }
            netconf {
                ssh;
            }
            dhcp-local-server {
                group jdhcp-group {
                    interface fxp0.0;
                    interface irb.0;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        time-zone MST;
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any notice;
                authorization info;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server north-america.pool.ntp.org version 4 prefer;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            pre-id-default-policy {
                then {
                    log {
                        session-close;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                            }
                        }
                    }
                    ge-0/0/15.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    dl0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        cl-1/0/0 {
            dialer-options {
                pool 1 priority 100;
            }
        }
        dl0 {
            unit 0 {
                family inet {
                    negotiate-address;
                }
                family inet6 {
                    negotiate-address;
                }
                dialer-options {
                    pool 1;
                    dial-string 1234;
                    always-on;
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
    }
    access {
        address-assignment {
            pool junosDHCPPool1 {
                family inet {
                    network 192.168.1.0/24;
                    range junosRange {
                        low 192.168.1.2;
                        high 192.168.1.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.1.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
            pool junosDHCPPool2 {
                family inet {
                    network 192.168.2.0/24;
                    range junosRange {
                        low 192.168.2.2;
                        high 192.168.2.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.2.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }


    Any help is appreciated 





    ------------------------------
    PETE CASTILLO
    ------------------------------


  • 2.  RE: SRX340

     
    Posted 06-16-2022 10:01
    Is your traffic sourced from a host connected to irb.0 or from the firewall? Because if you have no hosts connected to vlan 3 then irb.0 will be down. Another possibility is that traffic is being sourced from your management interface, which is not in any zone. Show interfaces terse and show security flow session would help.
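The reply's second point (an interface with an address but no zone membership) is easy to miss in a long running config, so here is an added example, not code from the thread or from Juniper, that parses a brace-style Junos config and reports which inet units sit in no security zone and which management services are accepted on interfaces of the external zone. SAMPLE_CONFIG is a constructed, shortened excerpt modelled on the posted config (fxp0 with 192.168.1.1/24 and no zone; irb.0 in trust; https accepted on ge-0/0/0.0 in untrust). Treating the zone named "untrust" as external and the MGMT_SERVICES list are assumptions of this example; the parser ignores `##` comments but does not handle `inactive:` statements, `/* */` comments, or quoted strings containing braces or semicolons.

```python
import re

# Constructed excerpt modelled on the posted running config, not the full config.
SAMPLE_CONFIG = """
security { zones {
    security-zone trust { interfaces { irb.0; } }
    security-zone untrust { interfaces { ge-0/0/0.0 {
        host-inbound-traffic { system-services { dhcp; https; } } } } }
} }
interfaces {
    ge-0/0/0 { unit 0 { family inet { dhcp; } } }
    fxp0 { unit 0 { family inet { address 192.168.1.1/24; } } }  ## management port, listed in no zone
    irb  { unit 0 { family inet { address 192.168.2.1/24; } } }
}
"""

# Services that grant device management; an assumed list for this example, not from the page.
MGMT_SERVICES = {"all", "http", "https", "ssh", "telnet", "netconf"}


def parse_junos(text):
    """Curly-brace Junos config -> nested dicts; a leaf statement maps to {}."""
    text = "\n".join(line.split("##", 1)[0] for line in text.splitlines())  # drop ## comments
    root, stack, key = {}, [], None
    stack.append(root)
    for tok in re.findall(r"[{};]|[^{};]+", text):
        tok = " ".join(tok.split())  # normalise whitespace inside a statement
        if not tok:
            continue
        if tok == "{":
            if key is None:
                raise ValueError("block without a name")
            stack.append(stack[-1].setdefault(key, {}))
            key = None
        elif tok == ";":
            if key is None:
                raise ValueError("empty statement")
            stack[-1][key] = {}
            key = None
        elif tok == "}":
            stack.pop()
        else:
            key = tok
    if len(stack) != 1 or key is not None:
        raise ValueError("unbalanced or truncated config")
    return root


def l3_interfaces(cfg):
    """Logical units carrying 'family inet', e.g. {'fxp0.0', 'irb.0'}."""
    units = set()
    for ifname, ifnode in cfg.get("interfaces", {}).items():
        for key, unit in ifnode.items():
            if key.startswith("unit ") and "family inet" in unit:
                units.add(f"{ifname}.{key.split()[1]}")
    return units


def zone_members(cfg):
    """Map each logical interface to the security zone that lists it."""
    members = {}
    for zkey, znode in cfg.get("security", {}).get("zones", {}).items():
        if zkey.startswith("security-zone "):
            for iface in znode.get("interfaces", {}):
                members[iface] = zkey.split()[1]
    return members


def unzoned_interfaces(cfg):
    """Inet units in no zone: transit traffic to/from them is not zone-policed."""
    return sorted(l3_interfaces(cfg) - set(zone_members(cfg)))


def host_inbound_services(cfg):
    """(zone, interface or '*' for zone-wide) -> sorted accepted system-services."""
    result = {}
    for zkey, znode in cfg.get("security", {}).get("zones", {}).items():
        if not zkey.startswith("security-zone "):
            continue
        zone = zkey.split()[1]
        for scope, node in [("*", znode)] + list(znode.get("interfaces", {}).items()):
            svcs = node.get("host-inbound-traffic", {}).get("system-services", {})
            if svcs:
                result[(zone, scope)] = sorted(svcs)
    return result


def report(cfg, external_zones=("untrust",)):
    """Findings as strings; treating 'untrust' as the external zone is an assumption."""
    findings = [f"{i}: has family inet but is in no security zone" for i in unzoned_interfaces(cfg)]
    for (zone, scope), svcs in host_inbound_services(cfg).items():
        exposed = sorted(MGMT_SERVICES.intersection(svcs))
        if zone in external_zones and exposed:
            findings.append(f"{zone}/{scope}: accepts management service(s) {exposed}")
    return findings


if __name__ == "__main__":
    print("\n".join(report(parse_junos(SAMPLE_CONFIG))))
```

Run against the posted config, the same two checks show fxp0.0 as the only addressed unit outside any zone and https among the services ge-0/0/0.0 accepts in untrust; `show interfaces terse` and `show security zones` on the box confirm the same facts, and `show security flow session` shows whether any session is actually being created for the failing traffic.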