Hello,
My topology is:
ISP link (one physical cable) ----- EX2300 ge-0/0/0 (VLAN 11) -- EX2300 ge-0/0/1 & ge-0/0/2 members of VLAN11 (access ports) --- SRX345 HA node0 & node1 reth1 (ge-0/0/3 & ge-5/0/3) (ISP link)
Vlans are configured on EX2300 ports, not on SRX345 ports.
The reason for this is that currently I have one cable in the server rack from the ISP towards my equipment, and I need to connect the SRX345 HA pair, which physically requires 2 cables.
reth1 interface on SRX is placed in Untrust zone.
host-inbound-traffic for Untrust zone is allowed: ping, ike.
Only reth1 is in Untrust zone.
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ike
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic protocols all
The lo0 interface is not defined, nor is it in any security zone.
However, I cannot ping my static public IP assigned to reth1 from internet.
Everything inbound and outbound works, ipsec tunnels get established, outbound traffic from LAN towards internet via reth1 works, reth1 interface can ping anything on the internet.
All of it seems okay, but I cannot ping the reth1 IP address from the internet.
The interesting thing is that when, for testing purposes, I unplug the SRX345 from the EX2300 ports and plug my old SSG140 into the same EX2300 ports, with the same static public IP address and in the same Untrust zone, ping from the internet to that IP works just fine, which can probably help me rule out the EX2300.
Any advice is welcome.
Thank you.
------------------------------
Vedran Milicevic
------------------------------
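As an added example (not code from the poster or from Juniper), the following script parses set-style Junos security-zone lines like the ones in the post and reports which host-inbound services each interface in the zone is configured to accept, so the SRX-side configuration can be audited separately from upstream causes. It assumes the Junos rule that a per-interface host-inbound-traffic stanza for a category replaces the zone-level list for that category, and adds a constructed extra interface (reth0.0) to show zone-level inheritance.

```python
import re
from collections import defaultdict

# Constructed sample: the five zone lines from the post, plus one assumed
# interface (reth0.0) with no host-inbound-traffic stanza of its own.
SAMPLE_CONFIG = """
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ike
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic protocols all
set security zones security-zone Untrust interfaces reth0.0
"""

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+)"
    r"(?: interfaces (\S+))?"
    r"(?: host-inbound-traffic (system-services|protocols) (\S+))?$"
)


def parse_zones(config):
    """Return {zone: {"zone": {category: set}, "interfaces": {ifname: {category: set}}}}."""
    zones = {}
    for line in config.strip().splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue  # not a zone line we model (policies, address books, ...)
        zone, ifname, kind, value = m.groups()
        z = zones.setdefault(zone, {"zone": defaultdict(set), "interfaces": {}})
        target = z["zone"]
        if ifname:
            target = z["interfaces"].setdefault(ifname, defaultdict(set))
        if kind:
            target[kind].add(value)
    return zones


def effective_host_inbound(zones, zone, ifname):
    """Effective host-inbound-traffic for one interface in a zone.
    Assumed precedence: if the interface has its own list for a category,
    that list is used; otherwise the zone-level list for that category applies."""
    z = zones[zone]
    iface = z["interfaces"].get(ifname, {})
    return {
        kind: set(iface[kind]) if iface.get(kind) else set(z["zone"].get(kind, ()))
        for kind in ("system-services", "protocols")
    }


if __name__ == "__main__":
    parsed = parse_zones(SAMPLE_CONFIG)
    for name in parsed["Untrust"]["interfaces"]:
        print(name, effective_host_inbound(parsed, "Untrust", name))
```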