Author Topic: Cannot ping external leg SRX240  (Read 13491 times)

thecrow

Cannot ping external leg SRX240
« on: October 19, 2009, 02:47:24 pm »
Hi All.
I'm a newbie on SRX. I got the machine and am building a lab at home. I'm trying to ping the external leg of my machine, but there is no answer; telnet + ssh are working. There are still no security policies, the machine is virgin. Where do I need to look, what do I need to read? Do SRX boxes have some implicit rules on them?
Thank you for the answer.

syphang

Re: Cannot ping external leg SRX240
« Reply #1 on: October 20, 2009, 01:45:24 am »
There is a default deny-all policy under Security -> Firewall Policy; try changing it to permit-all and test ping again.

thecrow

Re: Cannot ping external leg SRX240
« Reply #2 on: October 20, 2009, 03:53:02 am »
There is a default deny-all policy under Security -> Firewall Policy; try changing it to permit-all and test ping again.
Thanks, but this is not a policy issue. I set it to allow-all.
Let me explain again. This is ge-0/0/0, which has unit 0 with IP address 10.0.0.10 (let's say it may be the "external-leg IP"). I have a laptop with 10.0.0.11 connected back-to-back to ge-0/0/0. I can telnet, ssh, http to 10.0.0.10, but can't ping ???
I defined ge-12/0/0 and ge-13/0/0 in VLAN ID 1 with IP 192.168.192.1, created zone "TEST-A", joined ge-12, ge-13 and VLAN ID 1 to "TEST-A", added a policy between the untrust zone and TEST-A: allow-all, and deleted all other policies for the zones.
Now I can ping from laptop 10.0.0.10 to 192.168.192.1 and to the station attached back-to-back to ge-12/0/0 with IP 192.168.192.2; likewise station 192.168.192.2 can ping 192.168.192.1 and 10.0.0.11 (the laptop's IP), but once again it can't ping 10.0.0.10, and again it can telnet, ssh, http.
So the problem is not in the network or routing; the problem is in the security rules, where telnet, ssh and http are open but ICMP is not...
I think it's because ge-0/0/0.0 is the management interface... but how can I allow ping to this interface from any address?

Thanks again

syphang

Re: Cannot ping external leg SRX240
« Reply #3 on: October 20, 2009, 04:36:07 am »
I see. Maybe this command will help:

set security zones security-zone (your zone name, where your interface is bound) host-inbound-traffic system-services ping

thecrow

Re: Cannot ping external leg SRX240
« Reply #4 on: October 20, 2009, 05:13:47 am »
I see. Maybe this command will help:

set security zones security-zone (your zone name, where your interface is bound) host-inbound-traffic system-services ping

LOL, thanks, I'll give it a try once I'm back home today.
Thanks again,
I'll let you know the status later today.

wagdymagdy

Re: Cannot ping external leg SRX240
« Reply #5 on: October 20, 2009, 01:38:55 pm »
If you need to enable ping on an interface, here is the command :-):

set security zones security-zone [name of the zone] interfaces [name of interface] host-inbound-traffic system-services ping

But take care :wink: because after that you need to use the same command to enable telnet, http and ssh.

thecrow

Re: Cannot ping external leg SRX240
« Reply #6 on: October 24, 2009, 05:45:12 am »
Oh no, no, no, nothing helped... But now I have done the following steps:

1. Upgraded to 9.6
2. Set up the initial configuration from factory defaults.
3. Now I have this configuration:

## Last commit: 2009-10-24 12:40:36 UTC by root
version 9.6R2.11;
system {
    host-name MY_SRX;
    domain-name google.com;
    root-authentication {
        encrypted-password "XXXXXXX";
    }
    services {
        ssh;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.0.138;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        functional-zone management {
            host-inbound-traffic {
                system-services {
                    dns;
                    ftp;
                    http;
                    https;
                    ping;
                    ssh;
                }
                protocols {
                    all;
                }
            }
        }
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
}

My TARGET is to allow management of the SRX240 from the Internet (yes, I know it's not secure, but I'll allow only https, ssh and ping). The box will be located at the ISP and I need remote access to the box by a public IP which I'll get from the ISP.
Let's assume the LAN 10.0.0.0 is the Internet, so I would like to set the management interface ge-0/0/0.0 to IP 10.0.0.10/255.0.0.0 and connect my laptop "10.0.0.11/A" back to back to this ge-0/0/0.0. From another point of view this IP/interface is my "world IP/interface"; the ethernet cable from the ISP will be connected to the same port on the SRX240.

thecrow

Re: Cannot ping external leg SRX240
« Reply #7 on: October 24, 2009, 05:52:40 am »
AAAAAAA!!!!! AAAA!! I'm stupid!!!
Found the problem!!!
When I posted, I ran my eyes over the config and I got it!!!
I was "locked on zone management":

****************************
zones {
        functional-zone management {
            host-inbound-traffic {
                system-services {
                    dns;
                    ftp;
                    http;
                    https;
                    ping;
                    ssh;
                }
                protocols {
                    all;
                }
            }

****************************
But my leg ge-0/0/0.0 is under the trust zone!!!

*********************************
security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
            }
        }

****************************

Here under trust, under ge-0/0/0.0 (unit 0), the services are missing "ping".

Once I ran:
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

it started to ping the default 192.168.1.1 interface...


Thanks to all!!!


The question now: why is it not under the management zone...
Back to reading PDFs.

BTW,
what is the best architecture to get management by IP address on an SRX240 which will be located on an ISP's unprotected LAN...?
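Added example, written for this page and not from any poster in the thread: a configuration for the "manage the box over the ISP leg with only https, ssh and ping" goal stated in the last posts, in the same Junos `set` syntax as the commands above. It builds on the behaviour the thread tripped over, and which the reply #5 warning points at: once `host-inbound-traffic` is configured under an interface, that interface-level list replaces the zone-level list for that interface, so a service allowed only at zone level (the `ping` under `trust` in the posted config) is not accepted on `ge-0/0/0.0`. It also addresses what `host-inbound-traffic` cannot do, which is restrict by source address; that is done with a filter on `lo0`. The zone name `untrust` and the inside prefix 192.168.1.0/24 come from the posted config; the filter name `PROTECT-RE` and the admin prefix 203.0.113.0/24 (a documentation prefix) are placeholders to replace with your own. The posted `default-policy permit-all` allows any inter-zone traffic that no explicit policy matches; the example changes it to `deny-all`.

```junos
## Added example (not from the thread). Placeholders: filter name PROTECT-RE
## and admin prefix 203.0.113.0/24. 192.168.1.0/24 is the inside LAN from the
## posted config; "untrust" is the zone from the posted config.

## 1. Move the ISP-facing leg out of trust; it faces the Internet.
delete security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0

## 2. An interface-level host-inbound-traffic list replaces the zone-level
##    list for this interface, so every service that must reach the box is
##    named here, ping included. Nothing is set at zone level for untrust,
##    so any other interface placed in untrust later accepts no management.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

## 3. No plaintext web management on any interface.
delete system services web-management http
set system services web-management https system-generated-certificate

## 4. host-inbound-traffic selects services, not sources. Limit sources with
##    a filter on lo0, which sees all traffic destined to the Routing Engine
##    from every zone, so the inside LAN must be listed as well.
set firewall family inet filter PROTECT-RE term admin-ssh-https from source-address 203.0.113.0/24
set firewall family inet filter PROTECT-RE term admin-ssh-https from source-address 192.168.1.0/24
set firewall family inet filter PROTECT-RE term admin-ssh-https from protocol tcp
set firewall family inet filter PROTECT-RE term admin-ssh-https from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term admin-ssh-https then accept
set firewall family inet filter PROTECT-RE term admin-ping from source-address 203.0.113.0/24
set firewall family inet filter PROTECT-RE term admin-ping from source-address 192.168.1.0/24
set firewall family inet filter PROTECT-RE term admin-ping from protocol icmp
set firewall family inet filter PROTECT-RE term admin-ping from icmp-type echo-request
set firewall family inet filter PROTECT-RE term admin-ping then accept
set firewall family inet filter PROTECT-RE term drop-other-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term drop-other-mgmt from destination-port [ ssh https http telnet ]
set firewall family inet filter PROTECT-RE term drop-other-mgmt then discard
set firewall family inet filter PROTECT-RE term drop-other-ping from protocol icmp
set firewall family inet filter PROTECT-RE term drop-other-ping from icmp-type echo-request
set firewall family inet filter PROTECT-RE term drop-other-ping then discard
## Everything else bound to the box (routing protocols, DHCP, etc.) stays
## governed by host-inbound-traffic and the security policies.
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## 5. Inter-zone traffic with no matching policy is dropped, not permitted.
set security policies default-policy deny-all

## 6. Commit with an automatic rollback so a mistake in the filter cannot
##    lock you out of a box sitting at the ISP.
commit confirmed 5
```

After the commit, confirm access from the admin prefix with ssh and ping, then issue a plain `commit` inside the five minutes; otherwise the box reverts on its own. `show configuration security zones | display set` shows the resulting zone and interface lists, and `show configuration firewall` the filter. Telnet is not enabled under `system services` in the posted config, so it is only listed in the filter's drop term; if it ever is enabled, the filter still keeps it off the public leg.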