I understand that for transit traffic to pass from one zone to another, the incoming zone must have host-inbound-traffic enabled for that specific traffic.
I have an SRX 650 with the following config on the untrust zone:
root@UTM# run show version
Hostname: UTM
Model: srx650
JUNOS Software Release [11.2R4.3]

[edit]
root@UTM# show security zones security-zone untrust
address-book {
    address remote_vpn 172.24.1.24/32;
}
screen untrust-screen;
interfaces {
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
            }
        }
    }
}

[edit]
root@UTM# run show interfaces ge-0/0/1.0
Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 514)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 5249268652
    Output packets: 4559739467
    Security: Zone: untrust
    Allowed host-inbound traffic : ike ssh
    Protocol inet, MTU: 1500
Although I have only ssh and ike enabled on the interface, users can still HTTP to the trust zone as per the policy configured.
I just need to understand the behaviour of Junos in such a case. I thought that even if the policy permits it, the service must still be enabled on the zone?
Thanks a lot in advance.
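For readers following this thread, the two controls in play are separate on the SRX: host-inbound-traffic only governs packets addressed to the SRX itself (IKE negotiation, management SSH, ping to the interface), while transit traffic that merely passes through the box from one zone to another is decided by security policies alone. The configuration below is an added illustration written for this page, not taken from the original post or from Juniper documentation; the interface names, the trust-side address and the policy name are assumed.

```junos
/* Added example (not the poster's configuration). Interface names, the
   web_server address and the policy name allow_web are assumptions. */
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/1.0 {
                    /* Applies only to traffic whose destination is the SRX
                       itself. Transit HTTP towards trust is never matched
                       against this list. Keep it minimal to limit what the
                       device exposes on its untrusted interface. */
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address web_server 10.0.0.10/32;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Transit traffic between zones is permitted or denied here,
           independently of host-inbound-traffic. This policy is what lets
           untrust clients reach HTTP on the trust side even though only
           ike and ssh are allowed to the device itself. */
        from-zone untrust to-zone trust {
            policy allow_web {
                match {
                    source-address any;
                    destination-address web_server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

To confirm which control a given flow hit, `show security policies from-zone untrust to-zone trust` lists the transit rules being evaluated, and `show security flow session` shows live transit sessions with the policy that admitted them. If the intent is to stop HTTP reaching trust, the fix is a tighter security policy, not a change to host-inbound-traffic; the host-inbound list is the right place to reduce what the SRX accepts for itself.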