First make sure the DMZ server itself has the host firewall set to allow all ICMP from the outside, or turned off.
Another note is that policy statements from zone to zone are for transit traffic only.
Self traffic (traffic that terminates on or originates from the SRX itself, like interface gateway IP addresses) is controlled by the security zone settings on which protocols are permitted as a whole. More specific policies are optional and can be created using a from or to zone of junos-host.
So looking at your config the gateway addresses all seem to have icmp permitted by security zone settings.
Your to-zone DMZ policies appear to be in place from both untrust and trust assuming you are sourcing the ping from the server called out in the policy.
Since this is not working (assuming host firewall is off) you can confirm that the SRX is correctly classifying the traffic by initiating the ping and looking at the resulting session table.
show security flow session source-prefix x.x.x.x/32 destination-prefix y.y.y.y/32
This will display the sessions and byte counts between those two devices so you can confirm which policy is being used. Policy order is the same as in ScreenOS, first match and out.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
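An added example, not code from this thread or from Juniper: a small Python parser for the session-table output of the show security flow session command above, which sorts a ping into the cases discussed here (no session, session to the SRX's own address, request forwarded but never answered, or a normal bidirectional session under a named policy). The sample output is constructed to approximate the SRX display format and is not from the poster's device; the policy name and addresses are taken from the posted config.

```python
import re

# Constructed sample approximating 'show security flow session' output on an SRX
# (not captured from the poster's device): one ICMP session from UdpSRV
# (192.168.8.187) to the DMZ LEM host (10.0.0.3) that was forwarded but never answered.
SAMPLE = """\
Session ID: 46325, Policy name: Upd-to-LEM/11, Timeout: 2, Valid
  In: 192.168.8.187/1 --> 10.0.0.3/1;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 252,
  Out: 10.0.0.3/1 --> 192.168.8.187/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
Total sessions: 1
"""

HEAD = re.compile(r"^Session ID: (\d+), Policy name: ([^/,]+)")
WING = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\w+),.*?If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return one dict per session: its id, the matched policy name (index stripped)
    and the In/Out wings with endpoints, interface, packet and byte counters."""
    sessions = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2), "wings": {}})
            continue
        w = WING.match(line)
        if w and sessions:
            sessions[-1]["wings"][w.group(1)] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "ifl": w.group(5), "pkts": int(w.group(6)), "bytes": int(w.group(7)),
            }
    return sessions

def diagnose(sessions):
    """Map the session table to the cases discussed in the thread."""
    if not sessions:
        # Nothing was installed: the packet never reached the SRX, was screened or
        # denied, or no from-zone/to-zone policy (or host-inbound-traffic) permitted it.
        return "no session: SRX did not admit the traffic; check policy match / host-inbound-traffic"
    s = sessions[0]
    if s["policy"] == "self-traffic-policy":
        # Destination is an SRX interface address: the zone's host-inbound-traffic
        # settings govern it, not the transit policies between zones.
        return "self traffic: governed by zone host-inbound-traffic, not transit policies"
    out = s["wings"].get("Out")
    if out is None or out["pkts"] == 0:
        # Request was classified and forwarded, but no reply ever came back.
        return f"forwarded by policy {s['policy']} but no reply: check host firewall / return route"
    return f"bidirectional under policy {s['policy']}"
```

Paste the real session output into parse_sessions to see which policy the SRX picked and whether the Out wing ever carried a reply.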
Original Message:
Sent: 02-26-2021 07:08
From: Ivan Roots
Subject: SRX320 can't ping DMZ zone
Hello everybody,
I'm pretty new to Juniper and having trouble with SRX320 firewall routing.
I am migrating from SSG5 to SRX320 in our network and can't get the ping to the zones. I have simulated our production network in test environment.
I now have 3 different zones: untrust-zone bound to ge-0/0/0 with IP 192.168.8.189 (connects to another SRX320 (.8.190) by network 192.168.8.0/24 with host 192.168.8.187 behind it), trust-zone bound to irb.0 with IP 192.168.20.1 (host connected via ge-0/0/4 with IP 192.168.20.2), and DMZ bound to ge-0/0/1 with IP 10.0.0.1 and a host with IP 10.0.0.3 as well.
So now I get ping from DMZ zone to all IPs in this environment. However I can't ping DMZ host or interface from anywhere and can't ping trust zone from untrust zone. Policies must be okay, but not sure about routing-options.
Here are some entries from the config (deleted unused entries):

version 15.1X49-D170.4;
system {
    root-authentication {
        encrypted-password "$5$vfvJZ1R9$ZTaCeMwIl1U7pkwI22msSLKNu7Ns2V5ALPOkuj4u/89"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh;
        netconf {
            ssh;
        }
        dns {
            dns-proxy {
                cache {
                    FWB-SRX inet 192.168.8.189;
                }
            }
        }
        web-management {
            http;
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 15;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option DMZ-screen {
            tcp {
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 512;
                    destination-threshold 512;
                    timeout 20;
                }
                land;
            }
        }
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone [ DMZ trust untrust ];
                to zone [ DMZ trust untrust ];
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule DMZNAT {
                    match {
                        source-address 10.0.0.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy dbs-to-upd {
                match {
                    source-address DBGroup;
                    destination-address UdpSRV;
                    application [ ESET junos-smtp WSUS junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy dbs-to-pci_ext {
                match {
                    source-address DBGroup;
                    destination-address PCI-Ext-NET;
                    application junos-ping;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone DMZ to-zone trust {
            policy LEM-to-pci_int {
                match {
                    source-address LOGLEM;
                    destination-address DB-Servers;
                    application [ Traffic_to_LEM junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone DMZ to-zone untrust {
            policy LEM-to-pci_ext {
                match {
                    source-address LOGLEM;
                    destination-address PCI-Ext-NET;
                    application [ Traffic_to_LEM junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy LEM-to-Upd {
                match {
                    source-address LOGLEM;
                    destination-address UdpSRV;
                    application [ junos-ping junos-smb junos-smtp ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone DMZ {
            policy FWA-to-LEM {
                match {
                    source-address FWA;
                    destination-address LOGLEM;
                    application [ junos-rsh junos-syslog ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy Access-to-LEM {
                match {
                    source-address AccessSRV;
                    destination-address LOGLEM;
                    application [ LEM_Console LEM_Reports ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy Ext_SRVs-to-LEM {
                match {
                    source-address Ext_SRVs;
                    destination-address LOGLEM;
                    application Traffic_from_LEM;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy Upd-to-LEM {
                match {
                    source-address UdpSRV;
                    destination-address LOGLEM;
                    application [ LEM_Console LEM_Reports junos-echo LEM_SSH junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy Upd-to-LOGSRV {
                match {
                    source-address UdpSRV;
                    destination-address LOGSRV;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone DMZ {
            policy DBs-to-LEM {
                match {
                    source-address DBGroup;
                    destination-address LOGLEM;
                    application Traffic_from_LEM;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy FWB-to-LEM {
                match {
                    source-address FWB_private;
                    destination-address LOGLEM;
                    application [ junos-rsh junos-syslog ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy Upd-to-DBs {
                match {
                    source-address UdpSRV;
                    destination-address DBGroup;
                    application [ junos-ms-sql junos-ping junos-vnc ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy Access-to-DBs {
                match {
                    source-address UdpSRV;
                    destination-address DBGroup;
                    application junos-vnc;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy PCI_ext-to-PCI_int {
                match {
                    source-address PCI-Ext-NET;
                    destination-address DB-Servers;
                    application junos-ping;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy AppSRVs-to-DBSRVs {
                match {
                    source-address [ APPSRV APPSRVRES ];
                    destination-address DBGroup;
                    application junos-ms-sql;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address DB-Servers 192.168.20.0/24;
                address DBSRV 192.168.20.2/32;
                address DBSRVRES 192.168.20.3/32;
                address FWB_private 192.168.20.1/32;
                address-set DBGroup {
                    address DBSRV;
                    address DBSRVRES;
                }
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone untrust {
            address-book {
                address AccessSRV 192.168.8.186/32;
                address APPSRV 192.168.8.188/32;
                address APPSRVRES 192.168.8.185/32;
                address FWA 192.168.8.190/32;
                address FWB-EXT 192.168.8.189/32;
                address PCI-Ext-NET 192.168.8.0/24;
                address UdpSRV 192.168.8.187/32;
                address-set Ext_SRVs {
                    address AccessSRV;
                    address APPSRV;
                    address APPSRVRES;
                    address UdpSRV;
                }
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            https;
                            http;
                            ping;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                        }
                    }
                }
            }
        }
        security-zone DMZ {
            address-book {
                address LOGNET 10.0.0.0/24;
                address LOGSRV 10.0.0.2/32;
                address LOGLEM 10.0.0.3/32;
                address LOGGW 10.0.0.1/32;
                address-set LOG {
                    address LOGNET;
                    address LOGSRV;
                    address LOGLEM;
                    address LOGGW;
                }
            }
            screen DMZ-screen;
            host-inbound-traffic {
                system-services {
                    dns;
                    ntp;
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.8.189/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.20.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.8.189;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
firewall {
    filter strict-ssh {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                    192.168.8.186/32 except;
                    192.168.8.187/32 except;
                }
                destination-port ssh;
            }
            then {
                log;
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
    vlan-untrust {
        vlan-id 33;
        l3-interface irb.1;
    }
}
Any help will be highly appreciated!
P.S sorry if in wrong thread :)
------------------------------
Ivan Roots
------------------------------