Hello guys, I am setting up a working lab using the vSRX and so far everything was good (NAT, DHCP, etc.) until I added a second trusted interface. I have ge-0/0/0.0 set up for my WAN, and for my internal LAN I have ge-0/0/1.0 and ge-0/0/2.0 set up. Interface ge-0/0/1 is my primary LAN (172.16.30.0/24) and that is set up with NAT to the WAN with no issues. Interface ge-0/0/2 connects to another LAN that is my primary LAN for my home (10.0.0.0/24). When I try to reach any of the machines on that second LAN, either by ping or just normal TCP traffic, I can see on the remote machines the connection from the SRX and then a reply, but that reply never gets passed back to the clients on ge-0/0/1 by the SRX. I did set up a trust-to-trust security policy for "all" but still no luck. I know I have to be missing something, but after tearing through docs for 4 days I cannot figure it out and I am at your mercy to move forward with my training.

Network Diagram:
SRX Config (sanitized):
## Last changed: 2014-11-12 09:10:37 CST
version 12.1X46-D10.2;
/* Configuration group.  No apply-groups statement appears anywhere in this
   listing, so the group is probably not in effect; the same TestLog file is
   also defined directly under system syslog below. */
groups {
    jweb-security-logging {
        system {
            syslog {
                /* Log everything to one rotated file, keeping a single archive copy. */
                file TestLog {
                    any any;
                    archive files 1;
                    structured-data;
                }
            }
        }
    }
}
system {
    host-name colo_perimiter_srx;
    time-zone America/Chicago;
    root-authentication {
        /* Hash masked in the posted listing. */
        encrypted-password "******************************";
    }
    /* Resolvers used by the device itself. */
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        /* Throttle and lock out repeated failed logins. */
        retry-options {
            tries-before-disconnect 5;
            backoff-threshold 3;
            backoff-factor 5;
            lockout-period 5;
        }
        /* Single administrative account with full privileges. */
        user ajmatson {
            full-name "***************";
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "******************************";
            }
        }
    }
    services {
        ssh {
            /* Root cannot log in over SSH directly; a named user is required. */
            root-login deny;
        }
        web-management {
            /* J-Web over HTTPS with a self-signed certificate.  No interface
               list is given, so J-Web is presumably reachable on any interface
               whose zone permits https (the untrust interface does, see
               security zones). */
            https {
                system-generated-certificate;
            }
        }
        /* DHCP server for the lab LAN on ge-0/0/1.0. */
        dhcp {
            traceoptions {
                file dhcp.dbg;
            }
            pool 172.16.30.0/24 {
                address-range low 172.16.30.100 high 172.16.30.200;
                default-lease-time 3600;
                domain-name domain.com;
                /* NOTE(review): 172.16.30.1 is the SRX itself; nothing in this
                   listing configures it to answer DNS, so clients may be
                   relying on the second entry -- confirm, or drop it. */
                name-server {
                    172.16.30.1;
                    8.8.8.8;
                }
                router {
                    172.16.30.1;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        /* Everything is also shipped to 10.0.0.56, the same host that the
           WBSN_PROXY instance routes to.  No transport is set, so this is
           presumably the default (unencrypted UDP) syslog. */
        host 10.0.0.56 {
            any any;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        /* Session/policy log (RT_FLOW events).  world-readable lets any local
           account on the box read the archived copies. */
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
        /* Same file as the jweb-security-logging group above. */
        file TestLog {
            any any;
            archive files 1;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* Single time source; no authentication key is configured here. */
        server 98.143.24.53 prefer;
    }
}
interfaces {
    /* WAN / untrust.  family inet6 is enabled with no address; because inet6
       is packet-based under security forwarding-options, any IPv6 arriving
       here is not session/policy inspected.  NOTE(review): remove family
       inet6 unless it is actually needed. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.254.***.***/28;
            }
            family inet6;
        }
    }
    /* Lab LAN; also the subnet served by the DHCP server. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.30.1/24;
            }
        }
    }
    /* Home LAN, where the proxy 10.0.0.56 sits.
       NOTE(review): the FBF input filter is attached here, on the proxy-side
       interface, so every packet entering from 10.0.0.0/24 -- including the
       replies from 10.0.0.x hosts to the 172.16.30.x clients -- passes through
       the filter before normal routing.  The filter either discards them or
       hands them to routing-instance WBSN_PROXY, whose only route is a default
       to 10.0.0.56; either way they are never sent back out ge-0/0/1.0, which
       is consistent with the symptom described at the top of the post.  A
       proxy-redirect filter is normally placed on the client-facing interface
       (ge-0/0/1.0), and the instance is given the connected routes (see the
       routing-instances stanza). */
    ge-0/0/2 {
        unit 0 {
            description TO_PROXY;
            family inet {
                filter {
                    input FBF;
                }
                address 10.0.0.230/24;
            }
        }
    }
}
routing-options {
    /* Default route in inet.0 toward the ISP gateway on ge-0/0/0.0 (address masked). */
    static {
        route 0.0.0.0/0 next-hop 192.254.***.***;
    }
}
security {
    log {
        /* Security events are emitted as syslog messages from the RE
           (they are matched into policy_session under system syslog). */
        mode event;
    }
    forwarding-options {
        family {
            /* IPv6 is forwarded packet-based: no sessions and no zone
               policies apply to inet6, only stateless filters.
               NOTE(review): ge-0/0/0.0 has family inet6 enabled; confirm
               IPv6 on the WAN is intended. */
            inet6 {
                mode packet-based;
            }
        }
    }
    screen {
        /* IDS screen profile; bound only to the untrust zone below. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Lab LAN hidden behind the WAN interface address.  Only
               172.16.30.0/24 is listed; there is no source NAT rule for
               10.0.0.0/24. */
            rule-set NAT-TRUST-TO-UNTRUST {
                from zone trust;
                to zone untrust;
                rule PAT-INTERFACE {
                    match {
                        source-address 172.16.30.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Port forward: <WAN address>:222 -> 172.16.30.100:22. */
            pool POOL-PORT-FORWARD-FEDORA {
                address 172.16.30.100/32 port 22;
            }
            rule-set NAT-UNTRUST-TO-TRUST {
                from zone untrust;
                /* NOTE(review): the destination address below is not masked,
                   unlike the WAN address in the interfaces stanza.
                   NOTE(review): the only untrust-to-trust policy (default-deny,
                   below) denies everything, so this forward is never permitted
                   as posted.  Whatever policy eventually allows it should match
                   only 172.16.30.100 / ssh and, ideally, a limited set of
                   source addresses rather than any. */
                rule DEST-NAT {
                    match {
                        destination-address 192.254.70.70/32;
                        destination-port 222;
                    }
                    then {
                        destination-nat {
                            pool {
                                POOL-PORT-FORWARD-FEDORA;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Both LAN interfaces sit in zone trust, so this intra-zone policy is
           what allows 172.16.30.0/24 <-> 10.0.0.0/24: any/any with session
           logging.  The missing replies in the reported problem are therefore
           unlikely to be a policy issue; see the FBF filter on ge-0/0/2.0. */
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        /* Outbound: everything permitted, not logged. */
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound from the internet: explicit deny for everything, which also
           covers the DNAT'd ssh forward above. */
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
            }
            /* Zone-level default: every system service and every routing
               protocol is accepted from trust interfaces.  Both interfaces
               below carry their own, narrower host-inbound-traffic lists. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* Home LAN side.  NOTE(review): "all { except; }" is an
                   unusual form; the usual pattern is "all;" followed by
                   "<service> { except; }".  Check what is really accepted on
                   this interface with "show security zones". */
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            all {
                                except;
                            }
                        }
                    }
                }
                /* Lab LAN side: DHCP (for the server configured above) and ping only. */
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                /* NOTE(review): ssh and J-Web (https) are accepted on the WAN
                   interface from any source, plus dhcp, which a statically
                   addressed interface does not need.  Unless WAN-side
                   management is required, limit it to the trust side or to
                   known source addresses (e.g. a loopback filter). */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        /* Empty zone with no interfaces. */
        security-zone undefined;
    }
}
firewall {
    /* Filter-based forwarding used for proxy redirection; applied as an
       input filter on ge-0/0/2.0.  There is a single term and no trailing
       accept, so anything the term does not match hits the implicit discard.
       NOTE(review): the source-address list contains only an "except" prefix.
       Depending on how Junos evaluates such a list, packets from other
       sources either fail to match (and are discarded) or match and are
       redirected; in both cases replies entering from 10.0.0.0/24 never
       return to ge-0/0/1.0.  Confirm on the box with a test term, and keep
       0.0.0.0/0 alongside the except entry if "match everything else" is
       the intent. */
    filter FBF {
        term PROXY_REDIRECT {
            from {
                source-address {
                    172.16.30.1/32 except;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then {
                /* Matching packets are looked up in WBSN_PROXY instead of inet.0. */
                routing-instance WBSN_PROXY;
            }
        }
    }
}
routing-instances {
    /* Forwarding instance that the FBF filter steers traffic into.  Its only
       route is a default toward the proxy, so nothing that lands here can be
       delivered to a directly connected LAN (172.16.30.0/24 or 10.0.0.0/24).
       NOTE(review): for FBF to return traffic to the local subnets, inet.0's
       interface routes are normally shared into this instance with a
       rib-group (routing-options interface-routes rib-group <name>, and
       rib-groups <name> import-rib [ inet.0 WBSN_PROXY.inet.0 ]); confirm
       against the Junos FBF examples for this release. */
    WBSN_PROXY {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.0.56;
            }
        }
    }
}