SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX340

    Posted 06-15-2022 18:32

    Unable to pass traffic.  These are the steps I have taken:

     

    1. Upgrade SRX 340 to 18.4R3.3
    2. Reboot
    3. Upgrade SRX 340 to 22.1R1.10
    4. Reboot
    5. Factory reset
    6. Apply Basic config option from the JunOS Wizard
    7. Reboot

     

    I am unable to pass traffic from the trusted side of the firewall to the untrusted side.  I can ping, tracert, etc. from the untrusted side via the J-Web Tools. The Basic Config option did not configure any deny-all rule.  So traffic should flow across, but it does not. 

    Running Config

    ## Last changed: 2022-06-15 08:59:27 MST
    /* 22.1R1.10 is the release reached in step 3 of the post; everything below is wizard "Basic config" output */
    version 22.1R1.10;
    /* management-plane settings; NOTE(review) marks points worth tightening after the traffic issue is solved */
    system {
        host-name LC02;
        root-authentication {
            /* the hash is redacted in the post; "## SECRET-DATA" is Junos display output, not configuration */
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh {
                /* NOTE(review): permits direct root SSH login. The trust zone below admits all
                   system-services, so this is reachable from the LAN; the untrust interfaces do
                   not list ssh. Prefer root-login deny and a named user account. */
                root-login allow;
            }
            netconf {
                ssh;
            }
            dhcp-local-server {
                /* serves junosDHCPPool1 on fxp0.0 and junosDHCPPool2 on irb.0 (see the access stanza) */
                group jdhcp-group {
                    interface fxp0.0;
                    interface irb.0;
                }
            }
            web-management {
                /* J-Web over HTTPS with a self-signed certificate. The untrust zone admits https on
                   ge-0/0/0.0, so J-Web is reachable from the untrust side of that port; NOTE(review):
                   remove that host-inbound entry once troubleshooting from untrust is finished */
                https {
                    system-generated-certificate;
                }
            }
        }
        time-zone MST;
        /* public resolvers; DNS for the device itself, not for the DHCP pools */
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        syslog {
            /* local log retention is small (3 files of 100k); enough for a lab, not for forensics */
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any notice;
                authorization info;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            /* outbound HTTPS to Juniper for license refresh; needs the untrust uplink to work */
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            /* public pool, no authentication-key shown; time is only as trustworthy as the upstream path */
            server north-america.pool.ntp.org version 4 prefer;
        }
    }
    /* flow-plane policy: trust may initiate to untrust (hide-NATed); nothing is defined for untrust -> trust */
    security {
        screen {
            /* wizard-default screen profile; bound to the untrust zone below */
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                /* hide NAT: any source leaving trust for untrust is translated to the egress interface address */
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        /* no from-zone untrust to-zone trust policy exists, so unsolicited inbound sessions fall to
           the implicit default policy (deny); that is the expected state, not the reported symptom */
        policies {
            /* intra-zone trust traffic is permitted without logging */
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* the outbound path the poster reports as failing: permit any/any/any, logged at session
               start and close, so "show security flow session" and the session logs will show
               whether trust-sourced flows reach this policy at all */
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            /* policy used before application identification completes; only logs session close */
            pre-id-default-policy {
                then {
                    log {
                        session-close;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                /* NOTE(review): the device answers every system service and protocol from trust
                   (including ssh, with root-login allow above); fine for a lab, worth narrowing later */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                /* irb.0 is the only trust interface. fxp0.0 (192.168.1.1/24, served by junosDHCPPool1)
                   belongs to no zone at all, so a host that took its lease on fxp0 cannot be forwarded
                   to untrust -- a likely cause of the reported symptom; reply #2 raises the same point */
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    /* dhcp is required because ge-0/0/0.0 is a DHCP client; https exposes J-Web to
                       whatever sits upstream of this port (see NOTE under web-management) */
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                            }
                        }
                    }
                    /* second DHCP-client uplink; no https here */
                    ge-0/0/15.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    /* dialer interface (see interfaces stanza), also treated as untrust */
                    dl0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    /* ge-0/0/0 and ge-0/0/15 are routed DHCP-client uplinks (untrust); ge-0/0/1..14 are switch ports in vlan-trust */
    interfaces {
        /* untrust uplink, addressed as a DHCP client; update-server appears to hand the learned
           options to the local DHCP server (see propagate-settings in the access stanza) -- confirm */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        /* ge-0/0/1 through ge-0/0/14: access ports in vlan-trust (VLAN 3), routed through irb.0 */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        /* second DHCP-client uplink, placed in untrust by the zones stanza */
        ge-0/0/15 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        /* cl-1/0/0 looks like the cellular slot feeding dialer pool 1 -- wizard default, confirm it is populated */
        cl-1/0/0 {
            dialer-options {
                pool 1 priority 100;
            }
        }
        /* dialer unit in untrust; always-on with a placeholder dial-string, so it will try to
           dial whenever the pool has a usable member */
        dl0 {
            unit 0 {
                family inet {
                    negotiate-address;
                }
                family inet6 {
                    negotiate-address;
                }
                dialer-options {
                    pool 1;
                    dial-string 1234;
                    always-on;
                }
            }
        }
        /* dedicated management port; not a member of any security zone (see the zones stanza),
           yet it hands out leases from junosDHCPPool1 with itself as the default gateway */
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        /* L3 gateway for vlan-trust and the only interface in the trust zone; per reply #2 it is
           only up while a vlan-trust member port has link */
        irb {
            unit 0 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
    }
    /* DHCP pools used by dhcp-local-server group jdhcp-group (fxp0.0 and irb.0) */
    access {
        address-assignment {
            /* serves the fxp0 management subnet; its router 192.168.1.1 is fxp0 itself, which is in
               no security zone, so clients leased here are not on a forwarding path to untrust */
            pool junosDHCPPool1 {
                family inet {
                    network 192.168.1.0/24;
                    range junosRange {
                        low 192.168.1.2;
                        high 192.168.1.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.1.1;
                        }
                        /* presumably copies options learned by the DHCP client on ge-0/0/0.0 into this pool -- confirm */
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
            /* serves the trust LAN behind irb.0 (vlan-trust) */
            pool junosDHCPPool2 {
                family inet {
                    network 192.168.2.0/24;
                    range junosRange {
                        low 192.168.2.2;
                        high 192.168.2.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.2.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
    /* trust LAN VLAN; ge-0/0/1..14 are members and irb.0 is its routed gateway */
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    /* layer-2 switching for the vlan-trust member ports, with RSTP on every interface */
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }


    Any help is appreciated 





    ------------------------------
    PETE CASTILLO
    ------------------------------


  • 2.  RE: SRX340

     
    Posted 06-16-2022 10:01
    Is your traffic sourced from a host connected to irb.0, or from the firewall itself? If no hosts are connected to VLAN 3, irb.0 will be down. Another possibility is that the traffic is being sourced from your management interface, which is not in any zone. The output of `show interfaces terse` and `show security flow session` would help.