Unable to pass traffic. These are the steps I have taken:
- Upgrade SRX 340 to 18.4R3.3
- Reboot
- Upgrade SRX 340 to 22.1R1.10
- Reboot
- Factory reset
- Apply Basic config option from the JunOS Wizard
- Reboot
I am unable to traverse from the Trusted side of the firewall to the untrusted. I can ping, tracert, etc from the untrusted via the J-WEB Tools. There is no deny all rule configured from the Basic Config option. So, traffic should be follow across, but it is not.
Running Config
## Last changed: 2022-06-15 08:59:27 MST
version 22.1R1.10;
system {
host-name LC02;
root-authentication {
encrypted-password ""; ## SECRET-DATA
}
services {
ssh {
root-login allow;
}
netconf {
ssh;
}
dhcp-local-server {
group jdhcp-group {
interface fxp0.0;
interface irb.0;
}
}
web-management {
https {
system-generated-certificate;
}
}
}
time-zone MST;
name-server {
8.8.8.8;
8.8.4.4;
}
name-resolution {
no-resolve-on-input;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server north-america.pool.ntp.org version 4 prefer;
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
pre-id-default-policy {
then {
log {
session-close;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
https;
}
}
}
ge-0/0/15.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
dl0.0 {
host-inbound-traffic {
system-services {
tftp;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp {
update-server;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family inet {
dhcp {
update-server;
}
}
}
}
cl-1/0/0 {
dialer-options {
pool 1 priority 100;
}
}
dl0 {
unit 0 {
family inet {
negotiate-address;
}
family inet6 {
negotiate-address;
}
dialer-options {
pool 1;
dial-string 1234;
always-on;
}
}
}
fxp0 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
irb {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
}
access {
address-assignment {
pool junosDHCPPool1 {
family inet {
network 192.168.1.0/24;
range junosRange {
low 192.168.1.2;
high 192.168.1.254;
}
dhcp-attributes {
router {
192.168.1.1;
}
propagate-settings ge-0/0/0.0;
}
}
}
pool junosDHCPPool2 {
family inet {
network 192.168.2.0/24;
range junosRange {
low 192.168.2.2;
high 192.168.2.254;
}
dhcp-attributes {
router {
192.168.2.1;
}
propagate-settings ge-0/0/0.0;
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
Any help is appreciated
------------------------------
PETE CASTILLO
------------------------------