[j-nsp] SRX240H, strange traffic issue
Christopher M. Hobbs
chris at altbit.org
Wed Sep 23 20:21:10 EDT 2009
On Wed, Sep 23, 2009 at 12:54:18PM -0600, Chris Kawchuk wrote:
> Hi Chris,
>
> Here's a reference arch/config;
>
> however, this is all in 1 zone (trust) and everything is allowed. Mix n
> match? check for allows, alg's, session checks?
>
> this is for the "router mode" config... unsure if this is helpful or not..
> JunOS 9.6R1.13 JSR software running.
>
> Regards,
>
> - Chris.
>
>
> security {
>     zones {
>         security-zone trust {
>             tcp-rst;
>             host-inbound-traffic {
>                 system-services {
>                     any-service;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 all;
>             }
>         }
>     }
>     policies {
>         default-policy {
>             permit-all;
>         }
>     }
>     alg {
>         dns disable;
>         ftp disable;
>         h323 disable;
>         mgcp disable;
>         msrpc disable;
>         sunrpc disable;
>         real disable;
>         rsh disable;
>         rtsp disable;
>         sccp disable;
>         sip disable;
>         sql disable;
>         talk disable;
>         tftp disable;
>         pptp disable;
>     }
>     forwarding-options {
>         family {
>             inet6 {
>                 mode packet-based;
>             }
>             iso {
>                 mode packet-based;
>             }
>         }
>     }
>     flow {
>         allow-dns-reply;
>         tcp-session {
>             no-syn-check;
>             no-syn-check-in-tunnel;
>             no-sequence-check;
>         }
>     }
> }
>
> On 2009-09-23, at 12:39 PM, Christopher Hobbs wrote:
>
>> I've got a new SRX240H that I've set up with three interfaces in three
>> different zones:
>>
>> trust - ge-0/0/0.0
>> untrust - ge-0/0/1.0 (attached to our ISP)
>> dmz - ge-0/0/2.0
>>
>> If I'm sitting on the firewall itself, I can ping out to all hosts and
>> interfaces in all three zones as well as hosts on the Internet. I can
>> resolve DNS and ssh out to sites both outside and behind the device. If
>> I'm on a host in either the dmz or trust zones, I'm able to ping/ssh
>> across both zones, I can hit the trust and dmz interfaces, and I can
>> generally pass traffic between the two zones as defined by my security
>> policies. I cannot, however, pass traffic to/from the external interface
>> or to the outside world.
>>
>> I have static NAT set up going between the untrust and dmz interfaces that
>> translates just fine, so I'm thinking it might be a policy issue. The
>> default policy is to deny-all traffic, but changing it to permit-all and
>> removing all the policies left me with the exact same issue.
>>
>> What could I be overlooking? I'm more than happy to post configs and/or
>> command output if it'd help.
>>
>> Thanks!
>> --
>> C.M. Hobbs, http://altbit.org
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
It was a source NAT issue, I'm a complete moron. Thanks for
the replies.
--
C.M. Hobbs, http://altbit.org
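The fix the thread lands on, shown as an added example that is not part of any message above: a source NAT rule set that translates traffic leaving zone trust for zone untrust to the address of the egress interface, beside the policy that permits it. The zone names trust/untrust and the interface ge-0/0/1.0 come from the original post; the rule-set, rule and policy names are assumed, and the example assumes the internal hosts carry private addresses, so packets that leave untrust without source translation never get return traffic.

```junos
/* Added example, not from the thread. Zone names are from the original post;
   rule-set, rule and policy names are assumed. Assumes trust hosts use
   private (non-routable) addresses. */
security {
    nat {
        source {
            /* Everything from trust headed to untrust is translated to the
               address of the untrust interface (ge-0/0/1.0 in the post). */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule internet-access {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* NAT only rewrites the packet; a matching permit policy is still
           required or the session is dropped at policy lookup. Logging on
           session-close gives the translated tuple for troubleshooting. */
        from-zone trust to-zone untrust {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

After committing, `show security nat source rule all` lists the rule with its translation hit counter, and `show security flow session` shows each trust-originated session with the outgoing wing carrying the untrust interface address; a session whose both wings still show the private source is the symptom of missing source NAT that the original post describes.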