Hello Juniper gurus,
I am still new to Juniper so I am most likely missing something here.
I have 2 Juniper devices.
SRX 300 - version 21.3R1.9
SRX 210 - version 10.4R5.5
I have connected them together, SRX300 ge-0/0/5 to SRX210 ge-0/0/0, using the range 192.168.5.0/30.
I have added both interfaces to the trust security zones and enabled ping.
Full config of SRX300
## Last commit: 2021-10-20 21:53:46 GMT by root
/* Junos release this SRX300 configuration was committed under */
version 21.3R1.9;
/* SRX300: host identity, local accounts, management services, DNS, logging and licensing */
system {
    host-name SRX300;
    root-authentication {
        /* NOTE(review): "$6$" prefix is SHA-512 crypt; the hash has been posted publicly, so this credential should be rotated */
        encrypted-password "$6$IIs8GDt8$/Mp/KZj9zEMLe.FBwe0.5lD0plFe.Hn9OCET4GppLZh8F68/27hvfs8QDm48tMUQk7g82EO58Sq28aMSrOfqC/"; ## SECRET-DATA
    }
    login {
        user Will {
            full-name "William Roullier";
            uid 100;
            class super-user;
            authentication {
                /* NOTE(review): as with root above, this hash is now public -- rotate it */
                encrypted-password "$6$TzFF2Am2$K/k0hHgckVMa4hu111ahVzsMuzWioZVyyUQi3nqD24vqX6.Ges3HcVcyZLOIq.LKtFFWSvoYvFgpzGWDqxC7n1"; ## SECRET-DATA
            }
        }
        /* pre-login banner, displayed verbatim (contains the typo "moniotred") */
        message "PLEASE NOTE: This device is moniotred, any unauthorised access will be logged!";
    }
    services {
        /* NOTE(review): ftp is a clear-text service; ssh and netconf-over-ssh below already provide encrypted management access */
        ftp;
        ssh;
        netconf {
            ssh;
        }
        dns;
        /* DHCP server bound to the LAN irb; the pool itself is defined under access address-assignment */
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
        /* J-Web over HTTPS with a self-signed certificate; which interfaces may reach it is decided per zone under security zones */
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    domain-name junos.local;
    time-zone GMT;
    /* local password is tried first; no radius-server or tacplus-server stanza appears in this config */
    authentication-order [ password radius tacplus ];
    name-server {
        8.8.8.8;
        8.8.4.4;
        208.67.220.220;
        208.67.222.222;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* every CLI command is logged to this file (change audit trail) */
        file interactive-commands {
            interactive-commands any;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* device contacts Juniper's redirect service (phone-home provisioning) */
    phone-home {
        server https://redirect.juniper.net;
        rfc-compliant;
    }
}
chassis {
    /* "inactive:" marks the statement as deactivated -- automatic image upgrade is present but not in effect */
    inactive: auto-image-upgrade;
}
/* SRX300 security: IDS screen, source NAT, zone policies and zone membership */
security {
    screen {
        /* IDS screen profile; attached only to security-zone untrust below */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* all trust->untrust traffic is source-NATed to the egress interface address */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    /* only trust->trust and trust->untrust are permitted; no untrust->trust policy exists, so inbound transit from the WAN falls to the default deny */
    policies {
        /* intra-zone permit; an SRX denies transit between interfaces of the same zone unless a policy allows it */
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        pre-id-default-policy {
            then {
                log {
                    session-close;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* zone-wide: every system service and every routing protocol may terminate on trust interfaces */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0 {
                    /* "all" already covers ping; the explicit ping entry is redundant (same on the two interfaces below) */
                    host-inbound-traffic {
                        system-services {
                            all;
                            ping;
                        }
                    }
                }
                /* point-to-point link to the SRX210 (192.168.5.1/30); ping is allowed here, so the SRX300 zone config is not what blocks the test */
                ge-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ping;
                        }
                    }
                }
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                /* WAN-facing interface (see the ge-0/0/0 description under interfaces) */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            /* NOTE(review): tftp is a clear-text service on the WAN interface -- confirm it is needed */
                            tftp;
                            /* NOTE(review): together with system services web-management https this exposes J-Web on the WAN-facing interface -- confirm that is intended */
                            https;
                            ping;
                            traceroute;
                            dns;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
/* SRX300 interfaces: ge-0/0/0 WAN (DHCP client), ge-0/0/1..4 and ge-0/0/6 LAN switch ports in vlan-trust,
   ge-0/0/5 routed link to the SRX210, ge-0/0/7 second DHCP client, irb.0 LAN gateway, lo0 loopback */
interfaces {
    ge-0/0/0 {
        description WAN-UPLINK_FTTC_VM;
        unit 0 {
            description WAN-UPLINK_FTTC_VM;
            family inet {
                dhcp {
                    retransmission-attempt 50000;
                    retransmission-interval 4;
                    vendor-id Juniper-srx300;
                }
            }
        }
    }
    ge-0/0/1 {
        description WJR_LAN;
        unit 0 {
            description WJR_HOME_LAN;
            /* layer-2 only; the L3 address for vlan-trust lives on irb.0 */
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        description UPLINK-SRX210-GE-0/0/0;
        unit 0 {
            description UPLINK-SRX210-GE-0/0/0.0;
            /* local end of the 192.168.5.0/30 link under test; the peer is 192.168.5.2 on the SRX210 */
            family inet {
                address 192.168.5.1/30;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            /* second DHCP client interface; placed in security-zone untrust */
            family inet {
                dhcp {
                    vendor-id Juniper-srx300;
                }
            }
        }
    }
    irb {
        unit 0 {
            /* gateway for vlan-trust (192.168.1.0/24) and the dhcp-local-server interface */
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.255.253/30;
            }
        }
    }
}
firewall {
    /* NOTE(review): defined but not applied to any interface in this SRX300 config.
       Wherever it is applied, only TCP/UDP with one of the listed source ports is accepted;
       everything else (ICMP, OSPF, ...) falls to the implicit discard at the end of the filter */
    filter XBOX {
        term XBOX-ALLOW {
            from {
                protocol [ udp tcp ];
                source-port [ 88 3074 53 80 500 3544 4500 ];
            }
            then accept;
        }
    }
}
/* DHCP pool handed out by dhcp-local-server on irb.0 */
access {
    address-assignment {
        pool junosDHCPPool {
            family inet {
                network 192.168.1.0/24;
                range junosRange {
                    low 192.168.1.2;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    router {
                        192.168.1.1;
                    }
                    /* options learned by the WAN DHCP client on ge-0/0/0.0 are passed on to LAN clients */
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
vlans {
    /* LAN VLAN; its routed interface is irb.0 (192.168.1.1/24) */
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            /* NOTE(review): ge-0/0/1.0 is family ethernet-switching with no inet address, so OSPF has nothing to run on there;
               irb.0 carries the LAN address -- confirm which interface was meant */
            interface ge-0/0/1.0;
            /* OSPF toward the SRX210 over 192.168.5.0/30; zone trust allows all host-inbound protocols on this side */
            interface ge-0/0/5.0;
        }
    }
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
Full config of SRX210
## Last commit: 2021-10-20 21:39:10 BST by root
/* Junos release this SRX210 configuration was committed under (much older than the SRX300's 21.3) */
version 10.4R5.5;
/* SRX210: host identity, accounts, management services, DHCP server, logging and licensing */
system {
    host-name SRX210;
    domain-name junos.local;
    time-zone Europe/London;
    /* NOTE(review): radius and tacplus are tried before the local password, yet no radius-server or tacplus-server stanza appears in this config */
    authentication-order [ radius tacplus password ];
    root-authentication {
        /* NOTE(review): "$1$" prefix is MD5-based crypt, weaker than the "$6$" (SHA-512) hashes on the SRX300; the hash is now public, rotate it */
        encrypted-password "$1$8JPWxIHI$CBacPrR29xlC90Grm6XtZ."; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
        8.8.8.8;
        1.1.1.1;
    }
    login {
        /* pre-login banner, displayed verbatim (contains the typo "unauthrised") */
        message "WARNING!!! This device is monitored. Any unauthrised logins used will be captured.";
        /* restricted login class: only the traceroute command is permitted */
        class ping-trace {
            allow-commands traceroute;
        }
        user Test {
            uid 2001;
            class ping-trace;
            authentication {
                /* NOTE(review): MD5-crypt hash, published here -- rotate */
                encrypted-password "$1$PbvjPudE$9EgG868tIn.trlCXszMwK1"; ## SECRET-DATA
            }
        }
        user Will {
            full-name "William Roullier";
            uid 101;
            class super-user;
            authentication {
                /* NOTE(review): MD5-crypt hash, published here -- rotate */
                encrypted-password "$1$hoga1.rx$KAOsik8V0VZKaZ1TPJ6Dx/"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            protocol-version v2;
        }
        /* NOTE(review): telnet and xnm-clear-text are unencrypted management channels; ssh above already covers CLI access */
        telnet;
        xnm-clear-text;
        dns;
        web-management {
            /* plain-HTTP J-Web restricted to the LAB VLAN interface; the https entry below carries no interface restriction */
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
            }
            session {
                idle-timeout 5;
            }
        }
        /* DHCP server for the LAB LAN 192.168.200.0/24 */
        dhcp {
            router {
                192.168.200.1;
            }
            /* "flag all" traces every DHCP event into dhcp-fail; noisy, normally only kept while troubleshooting */
            traceoptions {
                file dhcp-fail size 2m files 3;
                flag all;
            }
            pool 192.168.200.0/24 {
                address-range low 192.168.200.2 high 192.168.200.254;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* only critical and above reach messages here (the SRX300 logs at notice) */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* SRX210 interfaces: ge-0/0/0 routed link to the SRX300, ge-0/0/1 LAB access port,
   fe-0/0/2..7 disabled, lo0 loopback, vlan.0 LAB gateway */
interfaces {
    ge-0/0/0 {
        description UPLINK-SRX300-GE-0/0/5;
        /* NOTE(review): fixed speed/duplex here and auto-negotiation below are configured together -- confirm which the SRX300 end expects */
        speed 1g;
        link-mode full-duplex;
        /* NOTE(review): hard-coded MAC overrides the burned-in address -- confirm it is deliberate */
        mac 84:18:88:75:28:80;
        gigether-options {
            /* NOTE(review): "loopback" puts the port into local loopback, so frames it transmits are reflected back to itself instead of reaching the SRX300.
               The monitor trace in the post shows every outgoing ARP request for 192.168.5.1 arriving back "In" on this same interface, which matches that behaviour.
               This is the first thing to remove: delete interfaces ge-0/0/0 gigether-options loopback */
            loopback;
            auto-negotiation;
        }
        unit 0 {
            description UPLINK-SRX300-GE-0/0/5;
            family inet {
                /* unicast reverse-path check on the link toward the SRX300 */
                rpf-check;
                /* NOTE(review): filter XBOX accepts only TCP/UDP from a few source ports; ICMP echo and OSPF from 192.168.5.1
                   would be dropped by the filter's implicit discard even once the link is up */
                filter {
                    input XBOX;
                }
                address 192.168.5.2/30;
            }
        }
    }
    ge-0/0/1 {
        description LAB_LAN;
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            description LAB_LAN;
            /* layer-2 access port; the L3 address for vlan-trust lives on vlan.0 */
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* fe-0/0/2 .. fe-0/0/7: administratively disabled switch ports */
    fe-0/0/2 {
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/3 {
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/4 {
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/7 {
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
    lo0 {
        description Loopback;
        unit 0 {
            family inet {
                address 192.168.255.254/30;
            }
        }
    }
    vlan {
        unit 0 {
            /* gateway for vlan-trust / LAB_LAN (192.168.200.0/24) */
            family inet {
                address 192.168.200.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* applies to static routes, but none are defined in this config -- the SRX210 has no static or default route toward the SRX300 */
        defaults {
            readvertise;
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            /* NOTE(review): ge-0/0/1.0 is family ethernet-switching with no inet address; vlan.0 holds the LAB address -- confirm which was meant */
            interface ge-0/0/1.0;
            /* OSPF toward the SRX300 over 192.168.5.0/30; note the input filter XBOX on ge-0/0/0.0 would discard incoming hellos */
            interface ge-0/0/0.0;
        }
    }
    stp;
}
/* SRX210 security: source NAT, IDS screen, zone membership and policies */
security {
    nat {
        source {
            /* all trust->untrust traffic is source-NATed to the egress interface address (untrust currently holds no interfaces) */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        /* IDS screen profile; attached to security-zone untrust, which has no interfaces in this config */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            /* zone-wide: every system service and routing protocol may terminate on trust interfaces */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                ge-0/0/1.0;
                /* link to the SRX300; "all" includes ping, so the zone is not what blocks the ping test on this side */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
    /* NOTE(review): unlike the SRX300 there is no from-zone trust to-zone trust policy here, so transit between LAB_LAN and the SRX300 link
       (both in zone trust) would be denied; pings sourced by the SRX210 itself are not subject to this */
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
firewall {
    /* applied as the input filter on ge-0/0/0.0 (the link to the SRX300).
       NOTE(review): the single term accepts only TCP/UDP with one of the listed source ports; any other packet,
       including ICMP echo replies/requests and OSPF, hits the implicit discard at the end of the filter */
    filter XBOX {
        term XBOX-ALLOW {
            from {
                protocol [ udp tcp ];
                source-port [ 88 3074 53 80 500 3544 4500 ];
            }
            then accept;
        }
    }
}
vlans {
    /* LAB VLAN; its routed interface is vlan.0 (192.168.200.1/24) */
    vlan-trust {
        description LAB_LAN;
        vlan-id 3;
        l3-interface vlan.0;
    }
}
ping tests from 192.168.5.1
root@SRX300> ping 192.168.5.2 interface ge-0/0/5.0
PING 192.168.5.2 (192.168.5.2): 56 data bytes
^C
--- 192.168.5.2 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
root@SRX300>
ping tests from 192.168.5.2
root@SRX210> ping 192.168.5.1 interface ge-0/0/0.0
PING 192.168.5.1 (192.168.5.1): 56 data bytes
^C
--- 192.168.5.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@SRX210>
Pinging from SRX210 (192.168.5.2) to 192.168.5.1, as seen in the monitor tab.
21:14:27.351298 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:27.358090 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:28.166988 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:28.168738 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:28.880548 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:28.882031 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:29.492103 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:29.499571 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:30.624273 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:30.627929 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:31.337092 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:31.344546 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:31.948446 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:31.950240 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:32.560322 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:32.562181 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:33.477602 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:33.479088 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:34.709502 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:34.713490 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:35.320387 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:35.322174 In arp who-has 192.168.5.1 tell 192.168.5.2
21:14:36.237998 Out arp who-has 192.168.5.1 tell 192.168.5.2
21:14:36.246818 In arp who-has 192.168.5.1 tell 192.168.5.2
From my understanding, if both interfaces are up, they are on the same range and they are physically connected together, then either there is a routing bit I am missing or I have not fully done something with the zones. However, all services are enabled and ping itself is enabled for each interface and for the zone itself.
Any help is much appreciated.
------------------------------
William Roullier
------------------------------