vSRX

  • 1.  What do I have wrong? Return traffic not being allowed

    Posted 07-09-2020 11:53

    Hey all, 

     

    I'm migrating a configuration from another firewall.

     

    I have no nat destination rules and all of this should just be allowed via "returning traffic" from a nat session. 

     

    In short, 

     

    I've configureed a WAN zone and a "trust" zone and just for poc that it has nothing to do with the config I have WAN to TRUST allow any source any destination and any app, and the same policy applied for TRUST to WAN.

     

    I have both security zones allowing any protocol and any system services.

     

    I can ping the public IP of the failing internal application at the destination, but I cannot browse to it. 

     

    It says site can't be reached. 

     

    I've checked the logs of the receiving firewalls and I do see some blocks, but I see a lot more allows for http/tcp. 

     

    anyway I can log the traffic that is being blocked from my subinterface heading to said IP address?

     

    The only odditiy is that the srx and the firewall that is NAT'g to the hosted application are behind the same /24 (I don't think that really matters but hey, worth a shot) 



  • 2.  RE: What do I have wrong? Return traffic not being allowed
    Best Answer

    Posted 07-09-2020 20:36

    Hello Routingframes,

     

    I really can't understand your issue here. Everything seems rhetoric to me Smiley Very Happy

     

    However, I will try to answer on a best effort basis.

     

    Based on my understanding you have created a wide-open policy from Trust to Wan and Wan to Trust. Also, allowing host-inbound-traffic to all. I think your issue is you can ping the public IP address of the server from the WAN but can't access HTTP.

     

    I assume SRX is not performing the NAT and the traffic has been translated already when it comes to the SRX. If that's the case, I would suggest you to check the sessions on the SRX and check whether you are seeing packets sent/received.

     

    user@host> show security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>

     

    It would be great if you can let me know the topology and correct me If I'm wrong about the above scenario.



  • 3.  RE: What do I have wrong? Return traffic not being allowed

    Posted 07-10-2020 06:16

    Hey!

     

    Thanks for replying.

     

    It's not a problem with the juniper, at all.

     

    my config is correct!

     

    The problem is the other firewall doesn't like sending traffic to an external IP address that's on the same /24

     

    I've verified this by putting a public ip direclty on a VM, and I can't browse to that website either. 

     

    Thanks again!