SRX

  • 1.  Allow traffic coming from ip-vpn to same zone

    Posted 08-09-2013 06:00

    Hi,

    How would one allow traffic from another subnet, which is behind a router in the same zone, to enter this same zone?

    Ranges are different on both sides.

    Physical:

    subnet1-(router1-3rd party ipvpn)-(trust zone-subnet2)

    subnet1 and subnet2 have to be able to communicate.

    Can I apply a security policy from trust to trust, any, any, any?



  • 2.  RE: Allow traffic coming from ip-vpn to same zone
    Best Answer

    Posted 08-09-2013 06:03

    Hi,

    Yes, intrazone policies are supported and are sometimes needed.

    /* under [edit security policies]; both ends of the session sit in zone trust */
    from-zone trust to-zone trust {
        policy t2t {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }



  • 3.  RE: Allow traffic coming from ip-vpn to same zone

    Posted 08-09-2013 06:14

    Hi and thanks for the super fast reply.

    I won't be able to test this right away, but I will come back and post the progress. Thanks again.



  • 4.  RE: Allow traffic coming from ip-vpn to same zone

    Posted 08-13-2013 01:47

    Hi again,

    I'm back with the progress. This is strange, as the suggestion helped but NOT completely!

    Some things got fixed but not all...

    We are able to ping from subnet1 to subnet2, and addresses on the internet from subnet1, but we're not able to browse resources (SMB...) on subnet2 nor the websites.

    subnet2 is able to communicate with the internet and with subnet1, as we're able to browse/ping the printer/web interface.

    The SRX is set up with the default LAN configuration and a static IP on the WAN.

    There are 2 default zones, trust/untrust.

    I've set up dnat rules and snat rules and created some security policies.

    This firewall is supposed to exchange the old one, which we don't have access to, and the config is built by trial/error.

    Thanks in advance guys, any help is appreciated.

    Edit: config attachment

    -db

    Attachment: forum-config.zip (2 KB)


  • 5.  RE: Allow traffic coming from ip-vpn to same zone

    Posted 08-15-2013 21:13

    Setting the policy to allow trust to talk to trust should work. Seeing that you are getting traffic between the two subnets would lead me to believe that the policy is working as expected. NAT isn't needed in this scenario because they're two inside networks that need direct access to each other, unless both subnets have the same IP scheme. That would get a bit more tricky to solve.

    But not being able to get to specific services would have me looking at the router that is between the firewall and the devices in the subnet. If you don't find any access list blocking traffic there, then set up a packet capture on the SRX to see if there's any port traffic. Or even looking at the sessions flowing through the firewall may help you understand where the failure is happening.

    show security flow session | match <IP>
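    As an added example (not part of any post in this thread), the script below parses the kind of output that `show security flow session` prints and picks out sessions whose reply wing has never carried a packet: traffic that the SRX forwarded out but never saw come back through it. Ping succeeding while SMB and HTTP fail, with the session table showing one-way sessions toward subnet1 and normal two-way sessions toward the internet, is the pattern that points at the return path rather than at the policy. The session text is constructed for this example; the field layout is an assumption modelled on SRX output, which varies slightly between Junos releases, so the regexes tolerate the optional `State:` and `Conn Tag:` fields.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output (assumption: layout follows what an SRX prints for
# "show security flow session"; addresses and session IDs are made up).
SAMPLE_OUTPUT = """\
Session ID: 4711, Policy name: t2t/5, Timeout: 1782, Valid
  In: 192.168.20.15/51234 --> 192.168.10.40/445;tcp, If: ge-0/0/1.0, Pkts: 4, Bytes: 240
  Out: 192.168.10.40/445 --> 192.168.20.15/51234;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 4712, Policy name: t2t/5, Timeout: 2, Valid
  In: 192.168.20.15/1 --> 192.168.10.40/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 192.168.10.40/1 --> 192.168.20.15/1;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 4713, Policy name: default-permit/4, Timeout: 1790, Valid
  In: 192.168.20.15/52000 --> 203.0.113.10/80;tcp, If: ge-0/0/1.0, Pkts: 6, Bytes: 510
  Out: 203.0.113.10/80 --> 192.168.20.15/52000;tcp, If: ge-0/0/0.0, Pkts: 5, Bytes: 4120
Total sessions: 3
"""

SESSION_RE = re.compile(
    r"^Session ID: (\d+), Policy name: ([^,]+), (?:State: \w+, )?Timeout: (\d+), (\w+)"
)
WING_RE = re.compile(
    r"^\s+(In|Out): (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+)(?:, Conn Tag: \S+?)?"
    r", If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: dict = field(default_factory=dict)  # "In" / "Out" -> Wing


def parse_flow_sessions(text):
    """Turn the CLI text into Session records, one per 'Session ID:' line."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = Session(int(m[1]), m[2], int(m[3]), m[4])
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur.wings[m[1]] = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6],
                                   m[7], int(m[8]), int(m[9]))
    return sessions


def sessions_for_host(sessions, ip):
    """Same selection as `| match <IP>`, but on parsed records."""
    return [s for s in sessions
            if any(ip in (w.src, w.dst) for w in s.wings.values())]


def one_way_sessions(sessions):
    """Sessions that carried packets outbound but none on the reply wing:
    the SRX never saw the answer, so the return path bypasses it or is
    blocked upstream."""
    return [s for s in sessions
            if "In" in s.wings and "Out" in s.wings
            and s.wings["In"].pkts > 0 and s.wings["Out"].pkts == 0]


def describe(s):
    i, o = s.wings["In"], s.wings["Out"]
    return (f"session {s.sid} policy {s.policy}: {i.src}:{i.sport} -> "
            f"{i.dst}:{i.dport}/{i.proto} in-if {i.ifname} out-if {o.ifname} "
            f"pkts in/out {i.pkts}/{o.pkts}")


if __name__ == "__main__":
    parsed = parse_flow_sessions(SAMPLE_OUTPUT)
    for s in one_way_sessions(sessions_for_host(parsed, "192.168.20.15")):
        print("no return traffic seen:", describe(s))
</test>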



  • 6.  RE: Allow traffic coming from ip-vpn to same zone

    Posted 09-07-2013 02:17

    Hi and thanks for the answer.

    We were able to solve the issue.

    There was nothing wrong with the config. Additional routes needed to be activated on the hosts on the SRX subnet.

    This wasn't necessary with the SonicWall appliance used before...

    Thanks for the participation.