These commands need information about source-port and destination-port, but ping is directly encapsulated in an L3 IP packet.
You could refer to the documentation below for all possible switches of "show security match-policies".
You could use protocol as icmp.
I want to know: if I want to match source A to dest B with ping, why do I need to specify source-port and destination-port?
show security match-policies from-zone Trust to-zone Untrust source-ip 172.17.16.xx destination-ip 172.18.xx.xx protocol icmp source-port 1 destination-port 1
Since ICMP is a layer 3 protocol, there is no source port and destination port. But for a firewall to install a session, it needs a source port and a destination port.
The ICMP header has an identifier and a sequence number.
The SRX uses the identifier as the destination port and the sequence number as the source port.
Hence you may use any random number for the source and destination ports; usually 1 and 1 would suffice when you use show security match-policies with protocol icmp.
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
I stumbled on the fix for this while doing traceoptions on icmp on an SRX 550 and via a GNS3 SRX image. Set your source-port to 2048:
show security match-policies protocol icmp destination-port 12345 destination-ip <dst-IP> source-port 2048 source-ip <src-IP> from-zone <From-Zone> to-zone <To-Zone>
2048 only, nothing else will work. At least for the versions of IOS I was using, 12.3.xxx and 12.1xxx respectively.
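As an added example (not code from the thread or from Juniper), the Python below parses a constructed ICMP echo request, validates its checksum, and pulls out the identifier and sequence fields that the earlier answer says the SRX maps to destination-port and source-port; it also packs the type/code word, which for an echo request equals the 2048 quoted in the last post. The zone names and addresses in the generated command are placeholders.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(identifier: int, sequence: int, payload: bytes = b"abcdefgh") -> bytes:
    """Constructed sample packet: ICMP echo request (type 8, code 0) with the given id/seq."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, identifier, sequence) + payload

def session_key_fields(packet: bytes) -> dict:
    """Parse an ICMP echo message and return the values the thread says the SRX
    uses as pseudo-ports: identifier -> destination-port, sequence -> source-port.
    A valid checksum folds to 0 when computed over the entire message."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):  # only echo reply / echo request carry id+seq
        raise ValueError("not an ICMP echo message: type %d" % icmp_type)
    return {
        "type": icmp_type,
        "code": code,
        "identifier": ident,
        "sequence": seq,
        "destination-port": ident,
        "source-port": seq,
        "type-code-word": (icmp_type << 8) | code,  # 8/0 -> 0x0800 == 2048
    }

def match_policies_command(fields: dict, src_ip: str, dst_ip: str,
                           from_zone: str, to_zone: str) -> str:
    """Build the show command with the pseudo-ports taken from the parsed packet."""
    return ("show security match-policies from-zone %s to-zone %s source-ip %s "
            "destination-ip %s protocol icmp source-port %d destination-port %d"
            % (from_zone, to_zone, src_ip, dst_ip,
               fields["source-port"], fields["destination-port"]))
```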