SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Unable to SSH into SRX-A's Internal Gateway IP (10.88.88.253) via Remote Access VPN, while other connectivity (ping to SRX-A and SSH to SRX-B) works as expected

  • 1.  Unable to SSH into SRX-A's Internal Gateway IP (10.88.88.253) via Remote Access VPN, while other connectivity (ping to SRX-A and SSH to SRX-B) works as expected

    This message was posted by a user wishing to remain anonymous
    Posted 8 days ago

    I have two SRX firewalls:

    • SRX-A: Acts as the perimeter internet gateway firewall. Remote Access VPN is terminated here.
    • SRX-B: Functions as the internal firewall.

    When connected to the VPN, you can ping SRX-A's internal gateway IP (10.88.88.253), but SSH access to this IP fails. However, you are able to both ping and SSH into SRX-B's internal gateway IP (10.88.88.254).

    PS: I can SSH to SRX-A from SRX-B, but I can't SSH into SRX-A directly when connected to the RA-VPN

    Zone Configurations

    Remote Access Zone (VPN):

    set security zones security-zone VPN host-inbound-traffic system-services ike
    set security zones security-zone VPN host-inbound-traffic system-services https
    set security zones security-zone VPN host-inbound-traffic protocols all
    set security zones security-zone VPN interfaces st0.0

    Internal Connection between SRX-A and SRX-B (10.88.88.0/24):

    set security zones security-zone INTERNAL_FIREWALL_ZONE interfaces reth0.300 host-inbound-traffic system-services all
    set security zones security-zone INTERNAL_FIREWALL_ZONE interfaces reth0.300 host-inbound-traffic protocols all

    Security Policies

    From Internal Firewall Zone to VPN:

    set security policies from-zone INTERNAL_FIREWALL_ZONE to-zone VPN policy VPN_INT match source-address any
    set security policies from-zone INTERNAL_FIREWALL_ZONE to-zone VPN policy VPN_INT match destination-address any
    set security policies from-zone INTERNAL_FIREWALL_ZONE to-zone VPN policy VPN_INT match application any
    set security policies from-zone INTERNAL_FIREWALL_ZONE to-zone VPN policy VPN_INT then permit

    From VPN to Internal Firewall Zone:

    set security policies from-zone VPN to-zone INTERNAL_FIREWALL_ZONE policy VPN_INT match source-address any
    set security policies from-zone VPN to-zone INTERNAL_FIREWALL_ZONE policy VPN_INT match destination-address any
    set security policies from-zone VPN to-zone INTERNAL_FIREWALL_ZONE policy VPN_INT match application any
    set security policies from-zone VPN to-zone INTERNAL_FIREWALL_ZONE policy VPN_INT then permit


  • 2.  RE: Unable to SSH into SRX-A's Internal Gateway IP (10.88.88.253) via Remote Access VPN, while other connectivity (ping to SRX-A and SSH to SRX-B) works as expected

    Posted 6 days ago

    Add zone VPN host-inbound-traffic system-services ssh.

    Also, in general, you can use show security packet-drop records to see why traffic is being dropped. For more details, you can use monitor security flow (with a filter!!!) which will show you how packets are being processed, what's being selected, etc., it's pretty interesting, if a little busy.



    ------------------------------
    Nikolay Semov
    ------------------------------
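An added example (not code from either poster or from Juniper) that checks the set-format zone configuration from the original post for the gap the reply points out: it parses the `host-inbound-traffic system-services` statements and reports which services the SRX itself will not accept on a given zone/interface. The precedence model (interface-level statement wins for that interface, otherwise the zone-level one applies) and the handling of `all`/`except` are assumptions of this script, not something the thread states.

```python
import re

# Constructed from the set-format lines the original post shows; not from a live device.
POSTED_CONFIG = """
set security zones security-zone VPN host-inbound-traffic system-services ike
set security zones security-zone VPN host-inbound-traffic system-services https
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0
set security zones security-zone INTERNAL_FIREWALL_ZONE interfaces reth0.300 host-inbound-traffic system-services all
set security zones security-zone INTERNAL_FIREWALL_ZONE interfaces reth0.300 host-inbound-traffic protocols all
"""

# Zone-level and interface-level system-services statements; the optional trailing
# "except" is Junos syntax for carving one service out of "all".
_SVC = re.compile(
    r"^set security zones security-zone (\S+)"
    r"(?: interfaces (\S+))? host-inbound-traffic system-services (\S+)( except)?$"
)

def parse_system_services(config):
    """Return {(zone, interface_or_None): (allowed_set, excepted_set)}."""
    table = {}
    for line in config.strip().splitlines():
        m = _SVC.match(line.strip())
        if m:
            zone, ifl, svc, exc = m.groups()
            allowed, excepted = table.setdefault((zone, ifl), (set(), set()))
            (excepted if exc else allowed).add(svc)
    return table

def service_allowed(config, zone, ifl, service):
    """Does the SRX itself accept `service` arriving on `ifl` in `zone`?
    Assumption (not stated on the page): an interface-level statement takes
    precedence for that interface, otherwise the zone-level one applies;
    "all" covers every service not listed with "except".
    """
    table = parse_system_services(config)
    allowed, excepted = table.get((zone, ifl)) or table.get((zone, None)) or (set(), set())
    return service not in excepted and (service in allowed or "all" in allowed)

def missing_services(config, zone, ifl, wanted):
    """Services in `wanted` that the zone/interface does not accept."""
    return [s for s in wanted if not service_allowed(config, zone, ifl, s)]

# The reply's fix: a single zone-level statement for zone VPN.
FIXED_CONFIG = POSTED_CONFIG + "set security zones security-zone VPN host-inbound-traffic system-services ssh\n"

if __name__ == "__main__":
    print(missing_services(POSTED_CONFIG, "VPN", "st0.0", ["ike", "https", "ssh"]))  # ['ssh']
    print(missing_services(FIXED_CONFIG, "VPN", "st0.0", ["ike", "https", "ssh"]))   # []
```

Feed it `show configuration | display set` output to run the same check against a real zone, keeping in mind that security policies are a separate check from host-inbound-traffic.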