Wednesday, November 13, 2019

SRX in Transparent Mode not able to ping other devices in same VLAN

Hello Everybody,

I have an SRX in transparent mode, and I configured the two zones, trust and untrust, and all the policies to allow everything.

I have irb.0, which is in VLAN 3 and has an IP of 172.16.4.254. Devices that are connected to the SRX are able to ping each other. However, I can't ping any other device from the SRX (172.16.4.254), and vice versa.

From the SRX, if I ping 172.16.4.1 it does not work, and even if I run:

root# run show security flow session source-prefix 172.16.4.1, it doesn't show anything, even though 172.16.4.1 is continuously pinging 172.16.4.41.

Below is the SRX config:

.

root# show

## Last changed: 2019-11-13 15:09:27 UTC

version 20190829.221548_builder.r1052644;

system {

/* NOTE(review): this root hash is published together with the post; the root password should be rotated. */
root-authentication {

encrypted-password "$6$nPgEtVzv$MBDUcWfKFSDG2x3HYBj0A0Sej7xFvV6E1MK7wudzui7jHv.1n/dTS4jUcxu1lWGNt12GEOjnFSKEBUajcoiyZ/"; ## SECRET-DATA

}

/* Management services enabled on the device: SSH, NETCONF over SSH, a DHCP server and the HTTPS web UI. */
services {

ssh;

netconf {

ssh;

}

/* DHCP server listens on fxp0.0 and irb.0. Only 192.168.1.0/24 and 192.168.2.0/24 pools exist under [edit access], so no pool covers irb.0's 172.16.4.254/16 network. */
dhcp-local-server {

group jdhcp-group {

interface fxp0.0;

interface irb.0;

}

}

/* HTTPS UI uses a system-generated (self-signed) certificate. */
web-management {

https {

system-generated-certificate;

}

}

}

/* Public resolvers used for the device's own DNS lookups. */
name-server {

8.8.8.8;

8.8.4.4;

}

/* Local syslog only: no remote syslog host is configured in this listing. All interactive CLI commands are written to their own file. */
syslog {

archive size 100k files 3;

user * {

any emergency;

}

file messages {

any notice;

authorization info;

}

file interactive-commands {

interactive-commands any;

}

}

max-configurations-on-flash 5;

max-configuration-rollbacks 5;

/* Outbound HTTPS to Juniper for license retrieval and phone-home. */
license {

autoupdate {

url https://ae1.juniper.net/junos/key_retrieval;

}

}

phone-home {

server https://redirect.juniper.net;

rfc-compliant;

}

}

security {

/* Security logging is set to stream mode in syslog format, but no stream destination (stream <name> { host ... }) appears in this listing, so the per-policy session-init/session-close logs below may not be delivered anywhere — confirm on the box. */
log {

mode stream;

format syslog;

report;

}

/* IDS screen profile. It is referenced only by the untrust zone below; the trust zone has no screen attached. */
screen {

ids-option untrust-screen {

icmp {

ping-death;

}

ip {

source-route-option;

tear-drop;

}

tcp {

syn-flood {

alarm-threshold 1024;

attack-threshold 200;

source-threshold 1024;

destination-threshold 2048;

timeout 20;

}

land;

}

}

}

/* All four zone pairs permit any source, any destination, any application (with logging and counting), so no traffic is filtered between trust and untrust. Only UntrusttoTrust additionally matches dynamic-application any; the other three policies do not. */
policies {

from-zone trust to-zone trust {

policy trust-to-trust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

from-zone trust to-zone untrust {

policy trust-to-untrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

from-zone untrust to-zone trust {

policy UntrusttoTrust {

match {

source-address any;

destination-address any;

application any;

dynamic-application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

from-zone untrust to-zone untrust {

policy UntrustToUntrust {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

log {

session-init;

session-close;

}

count;

}

}

}

}

/* Zone membership covers only ge-0/0/1.0–ge-0/0/4.0. irb.0, dl0.0 and ge-0/0/5.0–ge-0/0/14.0 (which are also in vlan-trust) belong to no zone. Whether irb.0 needs zone membership for host-bound traffic in transparent mode is worth checking against the platform documentation for this release. */
zones {

/* Every system service and protocol is accepted on the trust-zone interfaces. */
security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

}

interfaces {

ge-0/0/1.0;

ge-0/0/2.0;

}

}

/* Same all/all host-inbound-traffic on the untrust side, so the enabled management services (SSH, HTTPS, DHCP) are reachable from untrust interfaces as well. ge-0/0/3.0 and ge-0/0/4.0 are members of vlan-trust (VLAN 3), the same VLAN as the trust interfaces. */
security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

}

interfaces {

ge-0/0/3.0;

ge-0/0/4.0;

}

}

}

}

interfaces {

/* ge-0/0/1–ge-0/0/4: explicit access ports in vlan-trust; these are the only ports assigned to a security zone. */
ge-0/0/1 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/2 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/3 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/4 {

unit 0 {

family ethernet-switching {

interface-mode access;

vlan {

members vlan-trust;

}

}

}

}

/* ge-0/0/5–ge-0/0/14: also in vlan-trust but with no interface-mode statement and no zone membership. */
ge-0/0/5 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/6 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/7 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/8 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/9 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/10 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/11 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/12 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/13 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

ge-0/0/14 {

unit 0 {

family ethernet-switching {

vlan {

members vlan-trust;

}

}

}

}

/* Dialer configuration: cl-1/0/0 provides pool 1 and dl0.0 is an always-on dialer interface negotiating IPv4 and IPv6 addresses. dl0.0 is not placed in any security zone. */
cl-1/0/0 {

dialer-options {

pool 1 priority 100;

}

}

dl0 {

unit 0 {

family inet {

negotiate-address;

}

family inet6 {

negotiate-address;

}

dialer-options {

pool 1;

dial-string 1234;

always-on;

}

}

}

/* Out-of-band management address; it is also the router handed out by DHCP pool junosDHCPPool1. */
fxp0 {

unit 0 {

family inet {

address 192.168.1.1/24;

}

}

}

/* L3 interface of vlan-trust (VLAN 3). The post describes it as 172.16.4.254 in VLAN 3; with the /16 mask every 172.16.x.x host, including 172.16.4.1 and 172.16.4.41, is on-link. irb.0 is not a member of any security zone (see [edit security zones]). */
irb {

unit 0 {

family inet {

address 172.16.4.254/16;

}

}

}

}

access {

address-assignment {

/* Pool for the fxp0 management network 192.168.1.0/24. propagate-settings references ge-0/0/0.0, which is not configured under [edit interfaces] in this listing. */
pool junosDHCPPool1 {

family inet {

network 192.168.1.0/24;

range junosRange {

low 192.168.1.2;

high 192.168.1.254;

}

dhcp-attributes {

router {

192.168.1.1;

}

propagate-settings ge-0/0/0.0;

}

}

}

/* Pool for 192.168.2.0/24; no configured interface carries an address in this network, and it likewise references the unconfigured ge-0/0/0.0. */
pool junosDHCPPool2 {

family inet {

network 192.168.2.0/24;

range junosRange {

low 192.168.2.2;

high 192.168.2.254;

}

dhcp-attributes {

router {

192.168.2.1;

}

propagate-settings ge-0/0/0.0;

}

}

}

}

}

/* Single bridge domain: VLAN 3 carries every ge-0/0/1–ge-0/0/14 port (trust and untrust zones alike) and is routed/managed via irb.0. */
vlans {

vlan-trust {

vlan-id 3;

l3-interface irb.0;

}

}

protocols {

/* Puts the device in Layer 2 transparent-bridge mode; the zones above are therefore applied to L2 interfaces, not routed ones. */
l2-learning {

global-mode transparent-bridge;

}

/* RSTP runs on all switching interfaces, including the unzoned ge-0/0/5–ge-0/0/14 ports. */
rstp {

interface all;

}

}

[edit]

root#


