YorkData

Juniper SRX inter security zone routing

We are configuring an SRX firewall to terminate multiple offices with separate VLANs and security zones for each office.

We have the config correct for each office having its own VLAN and /24 subnet; however, we are unable to allow one office to talk to another. As below, I can ping the gateway within another VLAN, but I am unable to contact a device within the network after the Juniper. See below and config attached.

I thought that configuring multiple security policies permitting the traffic would do the trick.

Thanks.
j-srx-config.txt
Hardware Firewalls

ASKER CERTIFIED SOLUTION
harbor235

YorkData

ASKER

I need the traffic from one of the internal zones to talk to another internal zone which I've configured. I'm not looking to allow untrust traffic into each zone at the moment.

I will be setting up the inbound NAT to the correct public IPs but I've not quite got that far yet. That shouldn't have an effect on routing between the internal zones?

Sorry I'm not quite sure what you're suggesting for this exact issue. I have two policies below which allow any, permit. Should they not allow conversations between the two zones?

from-zone haxby to-zone servatech
from-zone servatech to-zone haxby

Thanks
YorkData

ASKER

But I see what you are saying about the static NAT: I need to static-NAT the appropriate IP to the right internal zone using the pool as the subnet.

Thanks
harbor235

I see, so you want flows between

from-zone haxby to-zone servatech
from-zone servatech to-zone haxby

Everything looks ok, what can't you do? I assume any host-based firewall and routing is configured properly? Default route set?

ping
traceroute - both directions?


should work,

harbor235 ;}
harbor235

ge-0/0/3 {
    description Haxby_LAN;
    unit 0 {
        description Haxby_LAN;
        family ethernet-switching {
            vlan {
                members vlan-haxby;
            }
        }
    }
}

Change unit 0 to unit 127 for VLAN 127 as defined, and servatech to unit 128; unit 0 does not allow the proper VLAN to forward the correct traffic to the correct interface, hence you cannot route outside your net.


harbor235 ;}
YorkData

ASKER

I've done this before but it doesn't allow me to change the unit to anything other than 0. See below. I can ping the gateway in the other zone, so I'm wondering if it's something further downstream, i.e. a switch playing up, but I can ping from the Juniper into a device in each zone, so it doesn't seem like it could be that.

  'unit 128'
    Only unit 0 is valid for this encapsulation
error: configuration check-out failed

Thanks.
harbor235

My fault, I meant add,

Hmm, I would have used layer 3 ports instead of the SVIs but ...
So the problem is that frames tagged as vlan 127 are being dropped as they traverse the port.
See if you can remove unit 0?

ge-0/0/3 {
    description Haxby_LAN;
    unit 0 {
    }
    unit 127 {
        description Haxby_LAN;
        family ethernet-switching {
            vlan {
                members vlan-haxby;
            }
        }
    }
}

harbor235 ;}
YorkData

ASKER

Is there a guide for L3 ports?

I don't think the frames are being dropped as devices within each network can access the untrust zone fine. I could try changing the port mode to trunk and the Cisco switch it plugs into a trunk to rule that out.

Still not working, only allows unit 0 in the interfaces.

  'unit 128'
    Only unit 0 is valid for this encapsulation

Thanks.
harbor235

Backup your config,

Try this,

1) edit interfaces ge-0/0/3 unit 0

2) delete description
   delete family ethernet-switching
   delete vlan

3) up

4) delete unit 0

5) edit unit 127
   description Haxby_LAN;
   family ethernet-switching {
       vlan {
           members vlan-haxby;
       }
   }

Does that work? Use commit confirmed for auto rollback.

harbor235 ;}
YorkData

ASKER

Same error unfortunately; I think it's because I'm using RVIs instead?
harbor235

Once you issue "delete family ethernet-switching" the remaining sub-config is removed, then go up and remove the unit; it works.


harbor235 ;}
harbor235

You may need to remove the RVI first, then add it back after the ge-0/0/3 port is configured.


harbor235 ;}
harbor235

Vlan-id and logical interface number must match

Configure the RVI:

1. Create a Layer 2 VLAN by assigning it a name and a VLAN ID:
   user@switch# set vlans vlan-name vlan-id vlan-id

2. Assign an interface to the VLAN by naming the VLAN as a trunk member on the logical interface, thereby making the interface part of the VLAN's broadcast domain:
   user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching vlan members vlan-name

3. Create a logical Layer 3 RVI (its name will be vlan.logical-interface-number, where the value for logical-interface-number is the value you supplied for vlan-id in Step 1; in the following command, it is the logical-unit-number) on a subnet for the VLAN's broadcast domain:
   user@switch# set interfaces vlan unit logical-unit-number family inet address inet-address

4. Link the Layer 2 VLAN to the logical Layer 3 interface:
   user@switch# set vlans vlan-name l3-interface vlan.logical-interface-number

http://www.juniper.net/documentation/en_US/junos13.2/topics/task/configuration/bridging-routed-vlan-interfaces-ex-series-cli.html
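The pieces this thread touches, assembled into one set-format configuration: a Layer 2 VLAN bound to an RVI whose unit number equals the VLAN ID (vlan.127, vlan.128), an access port that keeps unit 0 (the "Only unit 0 is valid for this encapsulation" error quoted earlier is what you get when the VLAN number is put on the physical port's unit instead of the RVI), one security zone per RVI, and a permit policy for each direction. This is an added example and is not the asker's attached j-srx-config.txt or harbor235's snippets. The servatech port ge-0/0/4, the VLAN name vlan-servatech, the 10.127.0.0/24 and 10.128.0.0/24 addressing and the policy names are assumptions.

```junos
# Added example configuration (not from the thread). Assumed: ge-0/0/4 carries
# servatech, VLAN name vlan-servatech, gateway addresses 10.127.0.1 and
# 10.128.0.1, and the policy names below are constructed.

# Layer 2 VLANs. The VLAN ID and the RVI unit number must match.
set vlans vlan-haxby vlan-id 127
set vlans vlan-haxby l3-interface vlan.127
set vlans vlan-servatech vlan-id 128
set vlans vlan-servatech l3-interface vlan.128

# Access ports. With family ethernet-switching only unit 0 is accepted; the VLAN
# binding is the "vlan members" statement, not the unit number.
set interfaces ge-0/0/3 description Haxby_LAN
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-haxby
set interfaces ge-0/0/4 description Servatech_LAN
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-servatech

# Routed VLAN interfaces. These addresses are the default gateways the hosts in
# each office must use; a host with a different gateway sends its replies
# elsewhere and the session never completes.
set interfaces vlan unit 127 family inet address 10.127.0.1/24
set interfaces vlan unit 128 family inet address 10.128.0.1/24

# One zone per office, bound to its RVI. Allowing ping on the interface is what
# lets a host reach the gateway address of its own or the other zone.
set security zones security-zone haxby interfaces vlan.127 host-inbound-traffic system-services ping
set security zones security-zone servatech interfaces vlan.128 host-inbound-traffic system-services ping

# Inter-zone policies, one per direction, as in the thread. The SRX is stateful,
# so a single policy already admits the replies of sessions it permitted; the
# second policy is only needed for sessions initiated from servatech.
set security policies from-zone haxby to-zone servatech policy haxby-to-servatech match source-address any
set security policies from-zone haxby to-zone servatech policy haxby-to-servatech match destination-address any
set security policies from-zone haxby to-zone servatech policy haxby-to-servatech match application any
set security policies from-zone haxby to-zone servatech policy haxby-to-servatech then permit
set security policies from-zone haxby to-zone servatech policy haxby-to-servatech then log session-close
set security policies from-zone servatech to-zone haxby policy servatech-to-haxby match source-address any
set security policies from-zone servatech to-zone haxby policy servatech-to-haxby match destination-address any
set security policies from-zone servatech to-zone haxby policy servatech-to-haxby match application any
set security policies from-zone servatech to-zone haxby policy servatech-to-haxby then permit
set security policies from-zone servatech to-zone haxby policy servatech-to-haxby then log session-close

# Everything not matched by an explicit policy is dropped.
set security policies default-policy deny-all

# Commit with automatic rollback in five minutes unless confirmed, as harbor235
# suggests, so a mistake on the management path does not lock you out.
commit confirmed 5
```

The example permits "application any" in both directions to mirror the policies the asker posted. In production the match would normally be narrowed to address books and the applications each office actually needs from the other, and the "log session-close" action gives the flow records that make the one-way-traffic symptom described later in the thread visible in the logs rather than only in the live session table.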
harbor235

Do you have it working?


harbor235 ;}
YorkData

ASKER

We do; we did some more troubleshooting from here and the config is right. We noticed in the flows that the session was sending packets but not receiving them back. We queried and queried the external company that looks after the servers in the destination zone, and they had a different gateway configured. Once they added a static route to the Juniper it started working. Thanks for your help.
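The operational-mode checks that separate a policy or routing problem on the SRX from a return-path problem on the destination host, which is what the asker's flows eventually showed. This is an added example, not output from the asker's device; the host addresses 10.127.0.10 and 10.128.0.10 and the session listing in the comments are constructed to illustrate the symptom.

```junos
# Added verification steps (not from the thread). Host addresses and the session
# listing in the comments are constructed.

# 1. Does the SRX have a route to the destination, and does it leave via the
#    servatech RVI? A wrong or missing route fails here, before any policy.
show route 10.128.0.10

# 2. Would a flow from a haxby host to a servatech host match a permit policy?
#    This evaluates the policy lookup without sending traffic.
show security match-policies from-zone haxby to-zone servatech source-ip 10.127.0.10 destination-ip 10.128.0.10 source-port 40000 destination-port 80 protocol tcp

# 3. While a haxby host pings 10.128.0.10, look at the live session. A healthy
#    session counts packets on both wings; a destination host whose default
#    gateway is not the SRX shows an Out wing that never counts a packet.
#    Constructed example of the broken case:
#
#   Session ID: 4711, Policy name: haxby-to-servatech/5, Timeout: 2, Valid
#     In: 10.127.0.10/6 --> 10.128.0.10/1;icmp, If: vlan.127, Pkts: 5, Bytes: 420
#     Out: 10.128.0.10/1 --> 10.127.0.10/6;icmp, If: vlan.128, Pkts: 0, Bytes: 0
#
#   Route present, policy permits, Out wing at zero: the reply is not reaching
#   the SRX, so the next place to look is the destination host's gateway or a
#   static route back to the SRX, which is exactly what fixed it in this thread.
show security flow session destination-prefix 10.128.0.10
```

Reading the three results together is the point: step 1 rules out the route, step 2 rules out the policy, and only step 3 shows whether the far side is answering at all, so a session with a zero Out wing points away from the firewall and at the host or the path behind it.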
YorkData

ASKER

I've requested that this question be closed as follows:

Accepted answer: 0 points for YorkData's comment #a40677656
Assisted answer: 500 points for harbor235's comment #a40673362

for the following reason:

resolved the issue ourselves. Not a configuration issue on the Juniper
harbor235

I am glad it's working out, but my second post did ask about checking basic network configuration in the beginning.
Also, based on the config I reviewed, it would not work until some of the changes I presented were implemented, such as vlan-id and unit number matching.

Please review your decision to close without assigning points.


harbor235 ;}
YorkData

ASKER

Sorry, I did assign points to you. Will re-submit now.