[j-nsp] SRX loop0 interface only works in trust zone

Luca Salvatore Luca at ninefold.com
Mon Nov 5 22:59:48 EST 2012


Disregard... It seems the zone name 'management' is reserved for system use. Renaming that zone to mgmt works as expected.


Luca


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Luca Salvatore
Sent: Tuesday, 6 November 2012 11:41 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] SRX loop0 interface only works in trust zone

So this is weird.. Configuring a new SRX240 running Junos 11.4r5.5, I have the following config:

run show configuration security zones security-zone management
interfaces {
    vlan.10;
    vlan.85;
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}

I can't ping my loop0 (10.255.0.8) interface from anywhere. So I did some traceoptions to see the flow:
Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  routed (x_dst_ip 10.255.0.8) from oob (ge-0/0/15.0 in 0) to lo0.0, Next-hop: 10.255.0.8
Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  policy search from zone oob-> zone management (0x0,0x4be70002,0x2)
Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  packet dropped, denied by policy
Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  packet dropped,  policy deny.
Nov  6 08:06:01 08:06:01.516302:CID-0:RT:  flow find session returns error.


Looks pretty clear: no security policy from zone oob to zone management.... But wait, this is junos-self traffic - why do I need a policy for self traffic? Never had to do this before; perhaps something new in 11.4??
Anyway, just for kicks, I made the following policy:
run show configuration security policies from-zone oob to-zone management
policy oob-to-management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

So that policy should permit my traffic.... but my pings still fail; traceoptions shows the same as above - packet dropped, policy deny. However, if I remove the loop0 interface from the management zone and put it into the trust zone, it works. I still need a security policy, but the configuration is exactly the same as it is on my management zone:
run show configuration security zones security-zone trust
interfaces {
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}

run show configuration security policies from-zone oob to-zone trust
policy management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Pings work with this config.
I don't normally use the default 'trust' zone; am I missing something here? This should be simple!
Any thoughts?
Luca



_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
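An added example, not taken from either message in this thread, showing the layout the reply arrives at: the destination zone renamed from the reserved name 'management' to 'mgmt', with lo0.0 and the two VLAN interfaces from the original post in it, and the oob -> mgmt policy that the traceoptions output shows being looked up for this self traffic. The zone name oob, interface ge-0/0/15.0 and address 10.255.0.8 come from the thread; the address-book entry oob-admins with prefix 192.0.2.0/24 and the policy name oob-to-mgmt are placeholders. Unlike the any/any/any policy in the original post, this one is narrowed to the admin prefix and the predefined junos-ping application, and logs session setup so a later deny is visible without traceoptions.

```junos
## Added example (not from the thread). Set-style configuration for Junos 11.4.
## Ingress zone: the OOB interface seen in the trace output. The source prefix
## 192.0.2.0/24 is a placeholder; replace it with the real admin network.
set security zones security-zone oob interfaces ge-0/0/15.0
set security zones security-zone oob address-book address oob-admins 192.0.2.0/24

## Destination zone, renamed from 'management' (reserved) to 'mgmt'.
## lo0.0 only answers what host-inbound-traffic allows; here just ping.
set security zones security-zone mgmt interfaces vlan.10
set security zones security-zone mgmt interfaces vlan.85
set security zones security-zone mgmt interfaces lo0.0 host-inbound-traffic system-services ping

## Interzone policy for the self traffic. The trace shows the lookup is
## oob -> zone of lo0.0, so the policy must exist from oob to mgmt.
## Narrowed from any/any/any to the admin prefix and junos-ping (ICMP echo).
set security policies from-zone oob to-zone mgmt policy oob-to-mgmt match source-address oob-admins
set security policies from-zone oob to-zone mgmt policy oob-to-mgmt match destination-address any
set security policies from-zone oob to-zone mgmt policy oob-to-mgmt match application junos-ping
set security policies from-zone oob to-zone mgmt policy oob-to-mgmt then permit
set security policies from-zone oob to-zone mgmt policy oob-to-mgmt then log session-init

## Operational checks after commit:
## run show security zones mgmt
##     confirms lo0.0 and the VLAN interfaces are in the renamed zone
## run show security policies from-zone oob to-zone mgmt detail
##     confirms the policy and its match terms are active
## run show security flow session destination-prefix 10.255.0.8
##     shows a session per ping from the OOB host once the policy matches
```

If the flow session list stays empty while pings fail, re-check that the ingress interface really sits in zone oob and that the zone name in the policy matches the zone that lo0.0 belongs to; a leftover zone still named 'management' reproduces the behaviour described above.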


