[j-nsp] SRX240H, strange traffic issue
Christopher Hobbs
chris at altbit.org
Wed Sep 23 14:39:38 EDT 2009
I've got a new SRX240H that I've set up with three interfaces in three
different zones:
trust - ge-0/0/0.0
untrust - ge-0/0/1.0 (attached to our ISP)
dmz - ge-0/0/2.0
If I'm sitting on the firewall itself, I can ping out to all hosts and
interfaces in all three zones as well as hosts on the Internet. I can
resolve DNS and ssh out to sites both outside and behind the device. If I'm
on a host in either the dmz or trust zones, I'm able to ping/ssh across both
zones, I can hit the trust and dmz interfaces, and I can generally pass
traffic between the two zones as defined by my security policies. I cannot,
however, pass traffic to/from the external interface or to the outside
world.
I have static NAT set up going between the untrust and dmz interfaces that
translates just fine, so I'm thinking it might be a policy issue. The
default policy is to deny-all traffic, but changing it to permit-all and
removing all the policies left me with the exact same issue.
What could I be overlooking? I'm more than happy to post configs and/or
command output if it'd help.
Thanks!
--
C.M. Hobbs, http://altbit.org
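For comparison with the setup described in the post, here is an added example (not the poster's configuration, and not a diagnosis of it) of the two pieces that trust-to-untrust transit traffic needs on an SRX besides the zone definitions: a source NAT rule-set and a security policy. The zone names and interfaces come from the post; the rule-set, rule and policy names are assumed.

```junos
security {
    nat {
        source {
            /* Hosts in trust using private addresses need their source
               translated to the untrust interface (ge-0/0/1.0) address
               before they can reach the Internet; static NAT between
               untrust and dmz does nothing for the trust zone. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule outbound-interface-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* A NAT rule alone does not permit traffic: a policy for the
           zone pair is still required, and is evaluated before NAT
           changes the source address. */
        from-zone trust to-zone untrust {
            policy allow-outbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After a commit, `show security nat source rule all` shows whether the rule's translation hits increase and `show security flow session` shows whether sessions for trust-to-untrust flows are being created; `application any` is used here for brevity and should be narrowed to the services the trust zone actually needs.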