Junos OS

I'm a Cisco engineer dipping my toes into the Junos world.

I have an ASA directly connected to a SRX300 which I will eventually use as my home router/firewall.
I have configured the SRX to get an  IP from the ASA. which its doing.
I have configured security zones security-services to allow ping and when that didn't work i added to allow all, but still unable to ping the directly connected ASA.
To test my ASA configuration I connect my laptop to the ASA and I can ping the ASA, so I've eliminated that the ASA is the issue.

Please see my config below and any help would be appreciated.

set version 22.1R1.10 
set security zones security-zone Inside interfaces ge-0/0/1.0
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone DMZ
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
set interfaces ge-0/0/0 unit 0 family inet dhcp force-discover
set interfaces ge-0/0/0 unit 0 family inet filter input DHCP
set interfaces ge-0/0/1 unit 0


srx300# run show interfaces ge-0/0/0.0
Logical interface ge-0/0/0.0 (Index 75) (SNMP ifIndex 514)
Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 10556
Output packets: 138
Security: Zone: Outside
Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping lsselfping ntp sip r2cp webapi-clear-text webapi-ssl tcp-encap sdwan-appqoe high-availability
Protocol inet, MTU: 1500
Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 1, Curr new hold cnt: 0, NH drop cnt: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 172.16.0.0/29, Local: 172.16.0.3, Broadcast: 172.16.0.7


srx300# run show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Access-internal/12] 00:02:59, metric 0
> to 172.16.0.1 via ge-0/0/0.0
172.16.0.0/29 *[Direct/0] 00:02:59
> via ge-0/0/0.0
172.16.0.3/32 *[Local/0] 00:02:59
Local via ge-0/0/0.0

------------------------------
Leon Park
------------------------------

Hello Leon,

You are using a filter on the ge-0/0/0 interface.

set interfaces ge-0/0/0 unit 0 family inet filter input DHCP

Can you please check if this filter is allowing your ICMP or not? 

Try removing it and see if the issue persists.

Thanks!
Original Message:
Sent: 06-12-2022 23:00
From: Leon Park
Subject: SRX300 can't ping directly connected

I'm a Cisco engineer dipping my toes into the Junos world.

I have an ASA directly connected to a SRX300 which I will eventually use as my home router/firewall.
I have configured the SRX to get an  IP from the ASA. which its doing.
I have configured security zones security-services to allow ping and when that didn't work i added to allow all, but still unable to ping the directly connected ASA.
To test my ASA configuration I connect my laptop to the ASA and I can ping the ASA, so I've eliminated that the ASA is the issue.

Please see my config below and any help would be appreciated.

set version 22.1R1.10 
set security zones security-zone Inside interfaces ge-0/0/1.0
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone DMZ
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
set interfaces ge-0/0/0 unit 0 family inet dhcp force-discover
set interfaces ge-0/0/0 unit 0 family inet filter input DHCP
set interfaces ge-0/0/1 unit 0


srx300# run show interfaces ge-0/0/0.0
Logical interface ge-0/0/0.0 (Index 75) (SNMP ifIndex 514)
Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 10556
Output packets: 138
Security: Zone: Outside
Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping lsselfping ntp sip r2cp webapi-clear-text webapi-ssl tcp-encap sdwan-appqoe high-availability
Protocol inet, MTU: 1500
Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 1, Curr new hold cnt: 0, NH drop cnt: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 172.16.0.0/29, Local: 172.16.0.3, Broadcast: 172.16.0.7


srx300# run show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Access-internal/12] 00:02:59, metric 0
> to 172.16.0.1 via ge-0/0/0.0
172.16.0.0/29 *[Direct/0] 00:02:59
> via ge-0/0/0.0
172.16.0.3/32 *[Local/0] 00:02:59
Local via ge-0/0/0.0

------------------------------
Leon Park
------------------------------