SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240H Ping Untrust interface from Internet

    Posted 12-03-2013 12:22

    Hi Guys,

     

    I'm new to the SRX platform and just brought up a new SRX240H.  I set an IP on the default untrust interface Gig0/0/0 and set a default route pointing to our internet router. 

     

    Issue I'm having is I can't ping the firewall from the internet.  I confirmed internet access by going to the Troubleshooting section in the GUI and successfully pinging 4.2.2.2 and tracing to other internet destinations.

     

    However, when I try pinging the public interface on the firewall from a machine on the internet, I am getting no response. 

     

    Can someone with some expertise please guide me through?  I am configuring on the GUI.

     

    Thanks in advance for your assistance.


    #PolicyConfiguration
    #SRXconfiguration
    #SRX240H


  • 2.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-03-2013 22:21

    Hi ,

     

    Please ensure you have system services ping enabled for that interface on the security zone.

     

    set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic system-services ping

     

    (Click the "Star" for Kudos if you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

    Regards,
    rparthi



  • 3.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 08:43

    Thanks for your response.  Just one question:

     

    I'm actually trying to enable ping for the untrust interface so that the public side can be pinged on the internet.  I'd preferably like to have an access list to only allow my monitoring application to receive ping replies from the firewall.

     

    So for example public address x.x.x.x can be pinged from monitoring device y.y.y.y - but a random IP address on the internet, should receive no ping reply.

     

    I hope I'm explaining it clearly, but let me know if you need any further clarification.

     

    Thanks.

     

     



  • 4.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 10:04

    set security zones security-zone untrust interface <ge-0/0/0 > host-inbound-traffic system-services ping 

     

     

    Make sure you dont need any other services from outside...

     

     

     



  • 5.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 10:21

    You'd want to use firewall filters to enforce this. This should do it (1.1.1.1 is source of Monitoring Server - 2.2.2.2 is external IP of SRX)

     

    set firewall family inet filter ICMP_Whitelist term term_1 from source-address 1.1.1.1/32
    set firewall family inet filter ICMP_Whitelist term term_1 from destination-address 2.2.2.2/32
    set firewall family inet filter ICMP_Whitelist term term_1 from protocol icmp
    set firewall family inet filter ICMP_Whitelist term term_1 then accept
    set firewall family inet filter ICMP_Whitelist term term_2 from destination-address 2.2.2.2/32
    set firewall family inet filter ICMP_Whitelist term term_2 from protocol icmp
    set firewall family inet filter ICMP_Whitelist term term_2 then discard
    set firewall family inet filter ICMP_Whitelist term term_3 then accept
    

     

    Edit: Then you'd obviously have to apply it inbound on your external interface a la (replace reth2.0 with your external interface):

    set interfaces reth2.0 family inet filter input ICMP_Whitelist

     



  • 6.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-04-2013 11:56

    Thanks everyone!

     

    So if I implement the access-list allowing ping, is there an implicity deny all at the end or will I be fine for all other traffic?  I currently have an ipsec site to site vpn tunnel terminating on the outside so I wouldn't want to disrupt that.  Just want to be sure.

     

    Thanks again.



  • 7.  RE: SRX240H Ping Untrust interface from Internet
    Best Answer

    Posted 12-04-2013 12:11

    The filter has a third term that will allow all other traffic to be accepted and processed. There is always that default term to discard all at the end, hence the third term to allow all other traffic.

    However you want to use the "commit confirm 5" (use whatever time value you think is long enough to test; this is five minutes) when applying firewall filters and even more so especially when it is your external interfaces.

     

    set firewall family inet filter ICMP_Whitelist term term_3 then accept


  • 8.  RE: SRX240H Ping Untrust interface from Internet

    Posted 12-07-2013 05:36

    Commit confirm 5 is a life saver!  Thanks for that pointer, especially since I am working on a remote location.

     

    I've decided not to implement this for the moment as it's low priority but will definitely revisit in the future.