SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Addressing Spoofing

    Posted 5 days ago

    Hi everyone, my question is around address spoofing.

    On my SRX 300 I have an IDS screen set up that checks for address spoofing on a trusted security zone.

    One might ask why I have this on a trusted zone to begin with, but I am connecting to an assumed trusted zone that I have no control of.

    The interface associated with this zone and routing-instance has multiple units.

    flexible-vlan-tagging;
    unit 0 {
        vlan-id 730;
        family inet {
            rpf-check {
                mode loose;
            }
            address 10.163.64.254/24;
        }
    }
    unit 1 {
        vlan-id 720;
        family inet {
            address 10.163.32.253/24;
        }
    }
    unit 2 {
        vlan-id 172;
        family inet {
            address 172.25.97.245/22;
        }
    }

    The customer has a DNS entry for 10.164.64.xx internal and as expected a DNS forwarder sending the traffic to the SRX on interface ge-0/0/4.0

    Because the source is 10.163.32.x it will spoof the traffic because unit 1 is on the same interface.

    When I disable the spoofing knob the URL resolves without an issue as expected.

    My question is: can I somehow keep spoofing enabled and configure a filter to allow the other trusted subnets to get to the 10.163.64.x subnet?

    This was migrated from a Juniper SSG5, so I am trying to not reinvent this.

    Paul



    ------------------------------
    Paul Andreozzi
    ------------------------------


  • 2.  RE: Addressing Spoofing

    Posted 3 days ago

    Could you please clarify what's where? Sounds like a DNS query is failing. Who's the sender of the DNS query and who's the recipient? What's the "it" that will spoof traffic?



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Addressing Spoofing
    Best Answer

    Posted 2 days ago

    To sum up, I don't believe it's possible to configure exceptions for the IP Spoofing screen. It's either on for a particular zone, or it's off.



    ------------------------------
    Nikolay Semov
    ------------------------------
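An added illustration (not Juniper code and not from either poster) of why the query in the original post trips the screen while the loose-mode rpf-check on unit 0 does not. It assumes, per the Junos documentation, that the ip-spoofing screen does a route lookup on the packet's source and drops the packet when the best route's interface is not the ingress logical unit, whereas loose-mode rpf-check only requires that some route to the source exists; the subnets come from the posted interface config, and the handling of a source with no route at all is an assumption.

```python
"""Simulation of the two source-address checks discussed in the thread.

Added example, not Junos code. Models (a) the ip-spoofing screen, which does
a route lookup on the packet's source and compares the route's interface with
the ingress logical unit, and (b) a loose-mode rpf-check, which only requires
that some route to the source exists. Both behaviours are assumptions based on
the Junos documentation; the subnets are those from the posted interface config.
"""
from ipaddress import ip_address, ip_network

# Connected routes derived from the posted units on ge-0/0/4 (constructed table).
ROUTES = {
    ip_network("10.163.64.0/24"): "ge-0/0/4.0",   # unit 0, vlan-id 730
    ip_network("10.163.32.0/24"): "ge-0/0/4.1",   # unit 1, vlan-id 720
    ip_network("172.25.96.0/22"): "ge-0/0/4.2",   # unit 2, vlan-id 172
}


def lookup(src):
    """Longest-prefix match on the constructed table; None when no route exists."""
    addr = ip_address(src)
    best = None
    for net, ifl in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl)
    return best[1] if best else None


def spoof_screen_drops(src, ingress):
    """ip-spoofing screen: drop when the best route to the source does not point
    at the ingress logical unit (a source with no route is also dropped here;
    that no-route handling is an assumption)."""
    return lookup(src) != ingress


def rpf_loose_drops(src):
    """rpf-check mode loose: drop only when no route to the source exists at all."""
    return lookup(src) is None


if __name__ == "__main__":
    # The forwarder's DNS query: a 10.163.32.x source arriving on unit 0.
    src, ingress = "10.163.32.10", "ge-0/0/4.0"
    print("screen drops:", spoof_screen_drops(src, ingress))  # True: route points at .1
    print("loose rpf drops:", rpf_loose_drops(src))           # False: a route exists
```

Because the screen compares against the ingress unit rather than the physical port, a source that belongs to a sibling unit on the same ge-0/0/4 is still treated as spoofed, which matches the behaviour described in the thread.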