[j-nsp] Ping hosts in zones DMZ and TRUST

deloin.robert at laposte.net
Wed Jul 22 04:01:09 EDT 2015

Hello,

I am trying to configure my SRX650.
I defined my interfaces and zones (TRUST, UNTRUST and DMZ).
I can ping all interfaces of the SRX650 (public @ DMZ, 10.1.5.2 INTERCO, and public @ UNTRUST).
I can ping outside hosts such as 8.8.8.8, for example.
I can ping my INTERCO interface 10.1.5.1.
But I can't ping hosts in zone TRUST or hosts in zone DMZ.
Hosts in zone DMZ and zone TRUST are behind an L2 switch, while my INTERCO interface 10.1.5.1 is directly connected to my SRX interface 10.1.5.2.

I think I don't need proxy ARP commands or NAT commands, but I don't know what commands I need to be able to ping all hosts on my network (zones DMZ and TRUST).

Can you help me?

Thanks

Best regards


This is my config:

interfaces {
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
            }
        }
        unit 0 {
            description "INTERFACE zone UNTRUST";
            family inet {
                address @publique/30;
            }
        }
    }
    /* tagged bundle: one sub-interface per VLAN */
    reth1 {
        description "INTERFACES DMZ + INTERCO";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
            }
        }
        unit 10 {
            description "VLAN DMZ";
            vlan-id 10;
            family inet {
                address @publique/27;
            }
        }
        unit 100 {
            description "VLAN INTERCO - towards zone TRUST";
            vlan-id 100;
            family inet {
                address 10.1.5.2/29;
            }
        }
    }
}
. . . . .
policies {
    from-zone DMZ to-zone UNTRUST {
        policy allow-test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone TRUST to-zone UNTRUST {
        policy allow-test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone TRUST to-zone DMZ {
        policy allow-test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone DMZ to-zone TRUST {
        policy allow-test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone DMZ to-zone DMZ {
        policy allow-test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone TRUST to-zone TRUST {
        policy allow-test {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone UNTRUST {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            reth0.0;
        }
    }
    /* every SRX management service is reachable from TRUST hosts */
    security-zone TRUST {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            reth1.100;
        }
    }
    /* every SRX management service is reachable from DMZ hosts */
    security-zone DMZ {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            reth1.10;
        }
    }
}
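Added here as an editor's example, not part of the original post: the checks a practitioner would run on the SRX before changing anything, followed by a tightened version of the zone and policy fragments above. Echo requests that the SRX itself originates are not filtered by the transit security policies, so the first thing to confirm is that the reth1 LACP bundle is up, that unit 10 and unit 100 carry the expected VLAN tags, and that ARP actually resolves for a host in the DMZ; the switch ports facing reth1 are assumed to form an LACP trunk carrying VLANs 10 and 100 (an assumption drawn from the vlan-tagging and lacp statements, not something the post states). The `user@srx` prompt and the `deny-dmz-to-trust` policy name are placeholders. Restricting DMZ hosts to ping only and replacing the DMZ-to-TRUST any/any permit are hardening choices of this example, not something the post asked for; `system-services all` on a zone that holds public-facing hosts exposes every SRX management service to those hosts.

```junos
# --- Operational checks (run from operational mode; output not shown) ---
# Bundle and LACP state: the switch side must also run LACP on these ports.
user@srx> show chassis cluster interfaces
user@srx> show lacp interfaces reth1

# Sub-interfaces up/up with the expected VLAN tag and address.
user@srx> show interfaces reth1.10 terse
user@srx> show interfaces reth1.100 terse

# Known-good path first (INTERCO), then ARP for the DMZ VLAN: if no DMZ host
# MAC appears here, the problem is on the L2 path, not in the policies.
user@srx> ping 10.1.5.1 source 10.1.5.2 count 3
user@srx> show arp no-resolve interface reth1.10
user@srx> show security flow session destination-prefix 10.1.5.1

# --- Tightened zones and policies (configuration mode, set format) ---
# DMZ hosts may only ping the firewall; TRUST hosts may ping and ssh to it.
delete security zones security-zone DMZ host-inbound-traffic system-services all
set security zones security-zone DMZ host-inbound-traffic system-services ping
delete security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST host-inbound-traffic system-services ssh

# DMZ should not initiate sessions into TRUST; keep the any/any only for
# TRUST -> DMZ and log what the DMZ tries. Policy name is a placeholder.
delete security policies from-zone DMZ to-zone TRUST policy allow-test
set security policies from-zone DMZ to-zone TRUST policy deny-dmz-to-trust match source-address any
set security policies from-zone DMZ to-zone TRUST policy deny-dmz-to-trust match destination-address any
set security policies from-zone DMZ to-zone TRUST policy deny-dmz-to-trust match application any
set security policies from-zone DMZ to-zone TRUST policy deny-dmz-to-trust then deny
set security policies from-zone DMZ to-zone TRUST policy deny-dmz-to-trust then log session-init

# Validate before committing; on a chassis cluster commit from the primary node.
commit check
```

The order matters: the `delete ... system-services all` lines must precede the `set ... ping` lines, otherwise `all` silently keeps every service open regardless of what is added next. Reply traffic for sessions TRUST opens towards DMZ still flows; the new deny policy only blocks sessions the DMZ initiates.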