Hi everyone. My question is around address spoofing.
On my SRX 300 I have an IDS screen set up that checks for address spoofing on a trusted security zone.
One might ask why I have this on a trusted zone to begin with, but I am connecting to an assumed trusted zone that I have no control of.
The interface associated with this zone and routing-instance has multiple units.
flexible-vlan-tagging;
unit 0 {
    vlan-id 730;
    family inet {
        rpf-check {
            mode loose;
        }
        address 10.163.64.254/24;
    }
}
unit 1 {
    vlan-id 720;
    family inet {
        address 10.163.32.253/24;
    }
}
unit 2 {
    vlan-id 172;
    family inet {
        address 172.25.97.245/22;
    }
}
The customer has a DNS entry for 10.164.64.xx internally and, as expected, a DNS forwarder sending the traffic to the SRX on interface ge-0/0/4.0.
Because the source is 10.163.32.x, the traffic is treated as spoofed because unit 1 is on the same interface.
When I disable the spoofing knob, the URL resolves without an issue, as expected.
My question is: can I somehow keep spoofing enabled and configure a filter to allow the other trusted subnets to reach the 10.163.64.x subnet?
This was migrated from a Juniper SSG5, so I am trying not to reinvent this.
Paul
------------------------------
Paul Andreozzi
------------------------------
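As an added illustration that is not part of the post above and not Juniper's code, the following Python model shows the reverse-path test that an IP-spoofing screen applies: look up the packet's source address in the routing table and compare the egress interface of that route with the interface the packet arrived on. The routing table is constructed from the three interface addresses in the post; the default route and its interface name ge-0/0/0.0 are assumptions, as is the exact behaviour of the SRX screen, which this simplified model only approximates.

```python
import ipaddress

# Constructed routing table for the scenario in the post: prefix -> egress interface.
# The three connected routes come from the unit addresses shown above; the default
# route and the interface ge-0/0/0.0 are assumed for the example.
ROUTES = {
    "10.163.64.0/24": "ge-0/0/4.0",
    "10.163.32.0/24": "ge-0/0/4.1",
    "172.25.96.0/22": "ge-0/0/4.2",
    "0.0.0.0/0": "ge-0/0/0.0",
}


def lookup(src, routes=ROUTES):
    """Longest-prefix match of src against routes; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_verdict(src, ingress, mode="strict", routes=ROUTES):
    """Reverse-path check for a packet with source src arriving on interface ingress.

    strict: the route back to src must leave through the ingress interface.
    loose:  any route back to src is enough (with a default route present this
            accepts every source, which is why loose mode catches almost nothing).
    Returns "pass" or a "drop: ..." string explaining the mismatch.
    """
    match = lookup(src, routes)
    if match is None:
        return "drop: no route to source"
    net, iface = match
    if mode == "loose" or iface == ingress:
        return "pass"
    return f"drop: route to {net} points to {iface}, packet arrived on {ingress}"


if __name__ == "__main__":
    # The DNS forwarder's query from 10.163.32.x arriving on unit 0 (ge-0/0/4.0):
    print(rpf_verdict("10.163.32.10", "ge-0/0/4.0"))           # strict: drop
    print(rpf_verdict("10.163.32.10", "ge-0/0/4.1"))           # strict: pass
    print(rpf_verdict("10.163.32.10", "ge-0/0/4.0", "loose"))  # loose: pass
    print(rpf_verdict("10.163.64.10", "ge-0/0/4.0"))           # strict: pass
```

The model makes the cause visible: the best route back to 10.163.32.0/24 leaves via ge-0/0/4.1, so a packet from that subnet entering ge-0/0/4.0 fails a strict reverse-path test even though both units sit on the same physical port. It also shows why the `rpf-check mode loose` statement on unit 0 is a different knob from the screen: a loose check only asks whether some route to the source exists, and with a default route in the table that is always true.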