Routing between two trusted interfaces on SRX
Hello guys, I am setting up a working lab using the vSRX, and so far everything was good (NAT, DHCP, etc.) until I added a second trusted interface. I have ge-0/0/0.0 set up for my WAN, and for my internal LAN I have ge-0/0/1.0 and ge-0/0/2.0 set up. Interface ge-0/0/1 is my primary LAN (172.16.30.0/24), and that is set up with NAT to the WAN with no issues. Interface ge-0/0/2 connects to another LAN that is my primary LAN for my home (10.0.0.0/24). When I try to reach any of the machines on that second LAN, either by ping or just normal TCP traffic, I can see on the remote machines the connection from the SRX and then a reply, but that never gets passed to the clients on ge-0/0/1 from the SRX. I did set up a trust-to-trust security policy for "all" but still no luck. I know I have to be missing something, but after tearing through docs for 4 days I cannot figure it out, and I am at your mercy to move forward with my training.
Network Diagram:
SRX Config (sanitized):
## Last changed: 2014-11-12 09:10:37 CST
version 12.1X46-D10.2;
groups {
    jweb-security-logging {
        system {
            syslog {
                file TestLog {
                    any any;
                    archive files 1;
                    structured-data;
                }
            }
        }
    }
}
system {
    host-name colo_perimiter_srx;
    time-zone America/Chicago;
    root-authentication {
        encrypted-password "******************************";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        retry-options {
            tries-before-disconnect 5;
            backoff-threshold 3;
            backoff-factor 5;
            lockout-period 5;
        }
        user ajmatson {
            full-name "***************";
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "******************************";
            }
        }
    }
    services {
        ssh {
            root-login deny;
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            traceoptions {
                file dhcp.dbg;
            }
            pool 172.16.30.0/24 {
                address-range low 172.16.30.100 high 172.16.30.200;
                default-lease-time 3600;
                domain-name domain.com;
                name-server {
                    172.16.30.1;
                    8.8.8.8;
                }
                router {
                    172.16.30.1;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        host 10.0.0.56 {
            any any;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
        file TestLog {
            any any;
            archive files 1;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 98.143.24.53 prefer;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.254.***.***/28;
            }
            family inet6;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.30.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            description TO_PROXY;
            family inet {
                filter {
                    input FBF;
                }
                address 10.0.0.230/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.254.***.***;
    }
}
security {
    log {
        mode event;
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set NAT-TRUST-TO-UNTRUST {
                from zone trust;
                to zone untrust;
                rule PAT-INTERFACE {
                    match {
                        source-address 172.16.30.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool POOL-PORT-FORWARD-FEDORA {
                address 172.16.30.100/32 port 22;
            }
            rule-set NAT-UNTRUST-TO-TRUST {
                from zone untrust;
                rule DEST-NAT {
                    match {
                        destination-address 192.254.70.70/32;
                        destination-port 222;
                    }
                    then {
                        destination-nat {
                            pool {
                                POOL-PORT-FORWARD-FEDORA;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            all {
                                except;
                            }
                        }
                    }
                }
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone undefined;
    }
}
firewall {
    filter FBF {
        term PROXY_REDIRECT {
            from {
                source-address {
                    172.16.30.1/32 except;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then {
                routing-instance WBSN_PROXY;
            }
        }
    }
}
routing-instances {
    WBSN_PROXY {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.0.56;
            }
        }
    }
}
Working on currently:
Masters Degree Information Security and Assurance (WGU) / Estimated 06/01/2016
Next Up: CCNP Routing Exam | Certified Ethical Hacker Exam
Cisco Lab: ASA 5506-X, GNS3, 1x 2801 Router, 1x 2650XM, 1x 3750-48TS-E switch, 2x 3550 EMI Switches and 1x 2950T switch.
Juniper Lab: 1x SRX100H2, 1x J2320 (1GB Flash/1GB RAM, JunOS 11.4R7.5), and 4 JunOS Firefly vSRX Routers in VMWare ESXi 5.1
Comments
zoidberg Member Posts: 365
Take a look at your FBF filter and make sure it is configured as intended. As good practice, people usually want a final term in their FBF policy to permit all traffic that does not match the above terms. Without that final permit all, anything that does not match the above terms is discarded. In your case, it looks like traffic from 172.16.30.1 will be discarded and everything else will be sent to the WBSN_PROXY instance.
What is the source/destination of the traffic you are testing? Show us the routing tables? Familiar with how to use security flow traceoptions? They can be helpful with problems like this.
zoidberg Member Posts: 365
Are you sure your FBF filter is on the right interface and direction? You may be looping your traffic. You have it as an input filter on the ge-0/0/2 interface, which is your proxy network interface. Anything leaving that proxy network towards the SRX is just getting FBF back into the proxy network.
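For reference, here is how the two points raised above (a missing final accept term, and the filter sitting on the proxy-facing interface) translate into configuration. This is an added illustration, not configuration from the thread: the filter moves to the input side of ge-0/0/1.0, gets a final accept term, and the forwarding instance is given the connected routes from inet.0 via a rib-group so that next-hop 10.0.0.56 can resolve; the names DEFAULT-ACCEPT and FBF-RIB are assumed.

```junos
## Added illustration (not the poster's configuration); '##' lines are comments.
## 1. Take the FBF filter off the proxy-facing interface (ge-0/0/2.0), where it
##    sent proxy replies straight back into WBSN_PROXY, and apply it to the
##    client-facing interface so only 172.16.30.0/24 traffic is redirected.
delete interfaces ge-0/0/2 unit 0 family inet filter input FBF
set interfaces ge-0/0/1 unit 0 family inet filter input FBF

## 2. Keep the redirect term as posted, but add a final term that accepts
##    everything it does not match. Without it, non-matching traffic (here,
##    packets from 172.16.30.1) is silently discarded.
set firewall filter FBF term PROXY_REDIRECT from source-address 172.16.30.1/32 except
set firewall filter FBF term PROXY_REDIRECT from destination-address 0.0.0.0/0
set firewall filter FBF term PROXY_REDIRECT then routing-instance WBSN_PROXY
set firewall filter FBF term DEFAULT-ACCEPT then accept

## 3. A forwarding-type instance has no interface routes of its own, so the
##    static default's next-hop 10.0.0.56 cannot resolve in WBSN_PROXY.inet.0
##    until the connected routes from inet.0 are shared into it. With the
##    10.0.0.0/24 connected route present, longest match also keeps traffic
##    for the proxy LAN itself from being forced through the proxy.
##    (Assumed rib-group name: FBF-RIB.)
set routing-options interface-routes rib-group inet FBF-RIB
set routing-options rib-groups FBF-RIB import-rib [ inet.0 WBSN_PROXY.inet.0 ]
set routing-instances WBSN_PROXY instance-type forwarding
set routing-instances WBSN_PROXY routing-options static route 0.0.0.0/0 next-hop 10.0.0.56

## Verify after commit: the instance table should hold both the connected
## 10.0.0.0/24 route and the static default, and sessions from the 172 subnet
## should be visible in the flow table.
## run show route table WBSN_PROXY.inet.0
## run show security flow session source-prefix 172.16.30.0/24
```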
ajmatson Member Posts: 289
> Are you sure your FBF filter is on the right interface and direction? You may be looping your traffic. You have it as an input filter on the ge-0/0/2 interface, which is your proxy network interface. Anything leaving that proxy network towards the SRX is just getting FBF back into the proxy network.
You sir are a savior. I guess I need to read up better on Filter Based Forwarding, but now I can ping the proxy from the client on the 172 subnet. Thank you so much.