Cannot ping external leg SRX240



  • Hi All.
    I’m a newbie on SRX; I got the machine and am making a lab at home. I’m trying to ping the external leg of my machine, but no answer; telnet + ssh are working. Still no security policies, the machine is virgin. Where do I need to look, what do I need to read? Does the SRX have some implied rules on it?
    Thank you for the answer.



  • AAAAAAA!!! AAAA!! I’m stupid!!!
    Found the problem!!!
    After I posted, I ran my eyes over the config and I got it!!!
    I was “locked on zone management”:


    zones {
        functional-zone management {
            host-inbound-traffic {
                system-services {
                    dns;
                    ftp;
                    http;
                    https;
                    ping;
                    ssh;
                }
                protocols {
                    all;
                }
            }
        }
    }


    But my leg ge-0/0/0.0 is under the trust zone!!!


    security-zone trust {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        http;
                        https;
                        ssh;
                        telnet;
                        dhcp;
                    }
                }
            }
        }
    }


    Here under trust, under ge-0/0/0.0 (unit 0), the services are missing “ping”.

    Once I ran:
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    it started pinging the default 192.168.1.1 interface …

    Thanks for all!!!

    The question now: why is it not under the management zone …
    Back to reading PDFs.

    B.t.w.
    What is the best architecture to get management by IP address on an SRX240 which will be located on the ISP’s unprotected LAN …?



  • Oh no, no, no, nothing helped … But now I made the following steps …

    1. Upgraded to 9.6.
    2. Set up the initial configuration from factory.
    3. Now I have this configuration:

    Last commit: 2009-10-24 12:40:36 UTC by root

    version 9.6R2.11;
    system {
        host-name MY_SRX;
        domain-name google.com;
        root-authentication {
            encrypted-password "XXXXXXX";
        }
        services {
            ssh;
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.0.138;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            functional-zone management {
                host-inbound-traffic {
                    system-services {
                        dns;
                        ftp;
                        http;
                        https;
                        ping;
                        ssh;
                    }
                    protocols {
                        all;
                    }
                }
            }
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
    }

    My TARGET: allow management of the SRX240 from the Internet (yes, I know it’s not secure, but I’ll let in only https, ssh, ping). The box will be located at the ISP and I need remote access to the box by the public IP which I’ll get from the ISP.
    Let’s assume the LAN 10.0.0.0 is the Internet, so I would like to set the management interface ge-0/0/0.0 to IP 10.0.0.10/255.0.0.0 and connect my laptop “10.0.0.11/A” back to back to this ge-0/0/0.0. From another point of view this IP/interface is my “world IP/interface”: the ethernet cable from the ISP will be connected to the same port on the SRX240.
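The thing the solution post above stumbled on (zone-level `ping` being ignored once `ge-0/0/0.0` carries its own system-services list) and the management-exposure question in the post just above both reduce to one check: which services does each zone interface actually accept? The Python script below is an added example, not the poster's or Juniper's code. It parses a zone section constructed from the configuration shared in this thread, applies Juniper's documented rule that an interface-level host-inbound-traffic block overrides the zone-level one rather than merging with it, reports which intended management services are missing and which unintended ones are exposed, and emits the matching set/delete commands. The parser handles only the brace-style output shown in this thread (no `set`-style output, `inactive:` markers or annotations), and the `all` keyword is reported literally rather than expanded.

```python
"""Audit which host-inbound system services an SRX zone interface really accepts.

Assumption this script rests on (Juniper's documented behaviour): a
host-inbound-traffic block configured directly under an interface replaces
the zone-level block for that interface; the two are not merged.
"""

# Constructed from the zone section posted in this thread; not a live device dump.
SAMPLE_CONFIG = """
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
                ge-0/0/1.0;
            }
        }
    }
}
"""


def parse_junos(text):
    """Parse brace-style Junos config: blocks -> dicts, leaf statements -> None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unexpected Junos line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def services_of(block):
    """Services under a host-inbound-traffic block, or None when the block is absent."""
    if not block or "host-inbound-traffic" not in block:
        return None
    hit = block["host-inbound-traffic"] or {}
    return set(hit.get("system-services") or {})


def effective_inbound(config):
    """Map each zone interface to (zone name, services the interface really accepts)."""
    result = {}
    for key, zone in config["security"]["zones"].items():
        if not key.startswith("security-zone ") or zone is None:
            continue
        zone_name = key.split(None, 1)[1]
        zone_level = services_of(zone) or set()
        for ifname, ifcfg in (zone.get("interfaces") or {}).items():
            own = services_of(ifcfg)
            # Interface-level list overrides the zone-level one; inherit only when absent.
            result[ifname] = (zone_name, own if own is not None else zone_level)
    return result


def audit_interface(config, ifname, wanted):
    """Compare what an interface accepts with the services the operator meant to expose."""
    zone, effective = effective_inbound(config)[ifname]
    wanted = set(wanted)
    return {
        "zone": zone,
        "effective": sorted(effective),
        "missing": sorted(wanted - effective),  # wanted but blocked (the poster's ping)
        "excess": sorted(effective - wanted),   # reachable but not intended (e.g. telnet)
    }


def fix_commands(config, ifname, wanted):
    """Junos set/delete commands that bring the interface to exactly `wanted`."""
    zone, effective = effective_inbound(config)[ifname]
    wanted = set(wanted)
    base = (f"security zones security-zone {zone} interfaces {ifname} "
            "host-inbound-traffic system-services")
    return ([f"set {base} {s}" for s in sorted(wanted - effective)]
            + [f"delete {base} {s}" for s in sorted(effective - wanted)])


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    print(audit_interface(cfg, "ge-0/0/0.0", {"https", "ssh", "ping"}))
    print("\n".join(fix_commands(cfg, "ge-0/0/0.0", {"https", "ssh", "ping"})))
```

Run against the constructed config, `ge-0/0/1.0` (no interface-level block) inherits `ping` from the zone, while `ge-0/0/0.0` accepts only its own list, so the audit reports `ping` missing and `dhcp`, `http`, `telnet` as excess for an interface meant to expose just https, ssh and ping; the first emitted command is the same `set ... system-services ping` line the poster used.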



  • If you need to enable ping on an interface, here is the command :-):

    set security zones security-zone [ name of the zone ] interfaces [ name of int ] host-inbound-traffic system-services ping

    But take care 😉 because after that you need to use the same command to enable telnet & http & ssh.



  • @syphang:

    I see. Maybe this command will help,

    set security zones security-zone (your zone name where your interface is bound to) host-inbound-traffic system-services ping

    LoL, thanks, I’ll give it a try once I’m back home today.
    Thanks again.
    I’ll let you know the status later today.



  • I see. Maybe this command will help,

    set security zones security-zone (your zone name where your interface is bound to) host-inbound-traffic system-services ping



  • @syphang:

    There is a default deny-all policy under security->firewall policy; try changing it to permit-all and test ping again.

    Thanks, but this is not a policy. I set it to allow-all.
    Let me explain again … this is ge-0/0/0, which has unit 0 with IP address 10.0.0.10 (let’s say it may be the "external-leg-ip"). I have a laptop with 10.0.0.11 connected back-to-back to ge-0/0/0. I may telnet, ssh, http to 10.0.0.10, but can’t ping???
    I defined ge-12/0/0 and ge-13/0/0 to vlanID 1 with IP 192.168.192.1. Created zone “TEST-A”, joined ge-12 and ge-13 and vlanID 1 to “Test-A”. Added a policy between the untrust zone and TEST-A: allow-all. Deleted all other policies for zones.
    Now I may ping from laptop 10.0.0.10 to 192.168.192.1 and to the station attached to ge-12/0/0 back-to-back with IP 192.168.192.2; as well, station 192.168.192.2 may ping 192.168.192.1 and 10.0.0.11 (laptop’s IP), but once again I can’t ping 10.0.0.10 and again may telnet, ssh, http.
    So the problem is not in the network or routing; the problem is in the security rules where telnet and ssh and http are opened but ICMP is not …
    I think it is because ge-0/0/0.0 is the management interface … but how may I allow ping to this interface from any address?

    Thanks again



  • There is a default deny-all policy under security->firewall policy; try changing it to permit-all and test ping again.


 

49
Online

38.4k
Users

12.7k
Topics

44.5k
Posts