SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240H Ping Untrust interface from Internet

    Posted 12-03-2013 12:22

    Hi Guys,

    I'm new to the SRX platform and just brought up a new SRX240H.  I set an IP on the default untrust interface Gig0/0/0 and set a default route pointing to our internet router.

    The issue I'm having is I can't ping the firewall from the internet.  I confirmed internet access by going to the Troubleshooting section in the GUI and successfully pinging 4.2.2.2 and tracing to other internet destinations.

    However, when I try pinging the public interface on the firewall from a machine on the internet, I am getting no response.

    Can someone with some expertise please guide me through?  I am configuring on the GUI.

    Thanks in advance for your assistance.


    #PolicyConfiguration
    #SRXconfiguration
    #SRX240H


  • 2.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-03-2013 22:21

    Hi,

    Please ensure you have system services ping enabled for that interface on the security zone.

    set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic system-services ping

    (Click the "Star" for Kudos if you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit.)

    Regards,
    rparthi



  • 3.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 08:43

    Thanks for your response.  Just one question:

    I'm actually trying to enable ping for the untrust interface so that the public side can be pinged on the internet.  I'd preferably like to have an access list to only allow my monitoring application to receive ping replies from the firewall.

    So for example public address x.x.x.x can be pinged from monitoring device y.y.y.y - but a random IP address on the internet should receive no ping reply.

    I hope I'm explaining it clearly, but let me know if you need any further clarification.

    Thanks.



  • 4.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 10:04

    set security zones security-zone untrust interfaces <ge-0/0/0> host-inbound-traffic system-services ping

    Make sure you don't need any other services from outside...



  • 5.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 10:21

    You'd want to use firewall filters to enforce this. This should do it (1.1.1.1 is source of Monitoring Server - 2.2.2.2 is external IP of SRX)

    set firewall family inet filter ICMP_Whitelist term term_1 from source-address 1.1.1.1/32
    set firewall family inet filter ICMP_Whitelist term term_1 from destination-address 2.2.2.2/32
    set firewall family inet filter ICMP_Whitelist term term_1 from protocol icmp
    set firewall family inet filter ICMP_Whitelist term term_1 then accept
    set firewall family inet filter ICMP_Whitelist term term_2 from destination-address 2.2.2.2/32
    set firewall family inet filter ICMP_Whitelist term term_2 from protocol icmp
    set firewall family inet filter ICMP_Whitelist term term_2 then discard
    set firewall family inet filter ICMP_Whitelist term term_3 then accept

    Edit: Then you'd obviously have to apply it inbound on your external interface a la (replace reth2.0 with your external interface):

    set interfaces reth2.0 family inet filter input ICMP_Whitelist



  • 6.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 11:56

    Thanks everyone!

    So if I implement the access-list allowing ping, is there an implicit deny all at the end or will I be fine for all other traffic?  I currently have an ipsec site to site vpn tunnel terminating on the outside so I wouldn't want to disrupt that.  Just want to be sure.

    Thanks again.



  • 7.  RE: SRX240H Ping Untrust interface from Internet
    Best Answer

    Posted 12-04-2013 12:11

    The filter has a third term that will allow all other traffic to be accepted and processed. There is always a default term at the end that discards everything, hence the third term to allow all other traffic.

    However, you want to use "commit confirm 5" (use whatever time value you think is long enough to test; this is five minutes) when applying firewall filters, even more so when it is your external interface.

    set firewall family inet filter ICMP_Whitelist term term_3 then accept
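    As an added illustration (not code from the thread or from Juniper), here is a small Python model of how the ICMP_Whitelist filter above is evaluated: terms are tried in order, the first match wins, and a packet that matches no term falls to the implicit final discard, which is exactly what the IPsec traffic from the question would hit if term_3 were missing. The VPN peer address 198.51.100.7 and the random host 203.0.113.9 are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Term:
    """One term of a Junos 'firewall family inet filter'. Empty match lists mean 'match anything'."""
    name: str
    action: str                                  # "accept" or "discard"
    src: list = field(default_factory=list)      # from source-address prefixes
    dst: list = field(default_factory=list)      # from destination-address prefixes
    proto: list = field(default_factory=list)    # from protocol names

def _prefix_match(prefixes, addr):
    # A term with no prefix list for this field matches every address (simplified model).
    return not prefixes or any(ip_address(addr) in ip_network(p) for p in prefixes)

def evaluate(terms, pkt):
    """Terms are tested in order and the first match decides. A packet that matches no
    term hits the implicit final discard, which is why the thread's term_3 is needed."""
    for t in terms:
        if (_prefix_match(t.src, pkt["src"]) and _prefix_match(t.dst, pkt["dst"])
                and (not t.proto or pkt["proto"] in t.proto)):
            return t.name, t.action
    return "implicit", "discard"

# The ICMP_Whitelist filter as posted above (1.1.1.1 = monitor, 2.2.2.2 = SRX external IP)
ICMP_WHITELIST = [
    Term("term_1", "accept", src=["1.1.1.1/32"], dst=["2.2.2.2/32"], proto=["icmp"]),
    Term("term_2", "discard", dst=["2.2.2.2/32"], proto=["icmp"]),
    Term("term_3", "accept"),
]

# Constructed sample packets arriving inbound on the external interface; the VPN peer
# 198.51.100.7 and the random internet host 203.0.113.9 are made up for this example.
PACKETS = {
    "monitor_ping": {"src": "1.1.1.1", "dst": "2.2.2.2", "proto": "icmp"},
    "random_ping":  {"src": "203.0.113.9", "dst": "2.2.2.2", "proto": "icmp"},
    "ipsec_ike":    {"src": "198.51.100.7", "dst": "2.2.2.2", "proto": "udp"},
    "ipsec_esp":    {"src": "198.51.100.7", "dst": "2.2.2.2", "proto": "esp"},
}

def run(terms=ICMP_WHITELIST):
    """Return {packet name: (matching term, action)} for every sample packet."""
    return {name: evaluate(terms, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, terms in (("with term_3", ICMP_WHITELIST), ("without term_3", ICMP_WHITELIST[:2])):
        print(label, run(terms))
```

    Note that on the real box the input filter is evaluated before the zone's host-inbound-traffic check, so ping still has to be enabled under system-services for the untrust zone as well.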


  • 8.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-07-2013 05:36

    Commit confirm 5 is a life saver!  Thanks for that pointer, especially since I am working on a remote location.

    I've decided not to implement this for the moment as it's low priority but will definitely revisit in the future.