[j-nsp] SRX240H, strange traffic issue

Christopher Hobbs chris at altbit.org
Wed Sep 23 14:39:38 EDT 2009


I've got a new SRX240H that I've set up with three interfaces in three
different zones:

trust - ge-0/0/0.0
untrust - ge-0/0/1.0 (attached to our ISP)
dmz - ge-0/0/2.0

If I'm sitting on the firewall itself, I can ping out to all hosts and
interfaces in all three zones as well as hosts on the Interenet.  I can
resolve DNS and ssh out to sites both outside and behind the device.  If I'm
on a host in either the dmz or trust zones, I'm able to ping/ssh across both
zones, I can hit the trust and dmz interfaces, and I can generally pass
traffic between the two zones as defined by my security policies.  I cannot,
however, pass traffic to/from the external interface or to the outside
world.

I have static NAT set up going between the untrust and dmz interfaces that
translates just fine, so I'm thinking it might be a policy issue.  The
default policy is to deny-all traffic, but changing it to permit-all and
removing all the policies left me with the exact same issue.

What could I be overlooking?  I'm more than happy to post configs and/or
command output if it'd help.

Thanks!
-- 
C.M. Hobbs, http://altbit.org


More information about the juniper-nsp mailing list