Juniper SRX inter security zone routing

We are configuring an SRX firewall to terminate multiple offices with separate VLANs and security zones for each office.

We have the config correct for each office having its own VLAN and /24 subnet; however, we are unable to allow one office to talk to another. As below, I can ping the gateway within another VLAN, but I am unable to contact a device within the network after the Juniper. See below and config attached.

I thought that configuring multiple security policies permitting the traffic would do the trick.

Thanks.
j-srx-config.txt
YorkDataAsked:
harbor235Commented:
Looking briefly at your config, all your policies are from inside to out and there are none from untrust to inside. This will allow inside-to-out established traffic to return; however, outside to in requires a separate security policy to allow that type of flow. Additionally, you have source NAT configured, so you will need to accommodate the new flows arriving at the untrusted interface and then ensure they map to the correct internal resource.

So, static NAT and an untrust to <internal_net> policy and traffic definitions will help.


harbor235 ;}

YorkDataAuthor Commented:
I need the traffic from one of the internal zones to talk to another internal zone which I've configured. I'm not looking to allow untrust traffic into each zone at the moment.

I will be setting up the inbound NAT to the correct public IPs, but I've not quite got that far yet. That shouldn't have an effect on routing between the internal zones?

Sorry, I'm not quite sure what you're suggesting for this exact issue. I have two policies below which allow any, permit. Should they not allow conversations between the two zones?

from-zone haxby to-zone servatech
from-zone servatech to-zone haxby

Thanks
YorkDataAuthor Commented:
But I see what you are saying about the static NAT: I need to static NAT the appropriate IP to the right internal zone using the pool as the subnet.

Thanks
harbor235Commented:
I see, so you want flows between

from-zone haxby to-zone servatech
from-zone servatech to-zone haxby

Everything looks OK. What can't you do? I assume any host-based firewall and routing is configured properly? Default route set?

ping
traceroute - both directions?


should work,

harbor235 ;}
harbor235Commented:
ge-0/0/3 {
        description Haxby_LAN;
        unit 0 {
            description Haxby_LAN;
            family ethernet-switching {
                vlan {
                    members vlan-haxby;

Change unit 0 to unit 127 for VLAN 127 as defined, and servatech to unit 128. Unit 0 does not allow the proper VLAN to forward the correct traffic to the correct interface, hence you cannot route outside your net.


harbor235 ;}
YorkDataAuthor Commented:
I've done this before, but it doesn't allow me to change the unit to anything other than 0. See below. I can ping the gateway in the other zone, so I'm wondering if it's something further downstream, i.e. a switch playing up, but I can ping from the Juniper to a device in each zone, so it doesn't seem like it could be that.

  'unit 128'
    Only unit 0 is valid for this encapsulation
error: configuration check-out failed

Thanks.
harbor235Commented:
My fault, I meant add.

Hmm, I would have used layer 3 ports instead of the SVIs, but...
So the problem is that frames tagged as VLAN 127 are being dropped as they traverse the port.
See if you can remove unit 0?

ge-0/0/3 {
    description Haxby_LAN;
    unit 0 {
    }
    unit 127 {
        description Haxby_LAN;
        family ethernet-switching {
            vlan {
                members vlan-haxby;
            }
        }
    }
}

harbor235 ;}
YorkDataAuthor Commented:
Is there a guide for L3 ports?

I don't think the frames are being dropped, as devices within each network can access the untrust zone fine. I could try changing the port mode to trunk, and the Cisco switch it plugs into to a trunk, to rule that out.

Still not working; it only allows unit 0 in the interfaces.

  'unit 128'
    Only unit 0 is valid for this encapsulation

Thanks.
harbor235Commented:
Backup your config,

Try this,

1) edit interfaces ge-0/0/3 unit 0

2) delete description
    delete family ethernet-switching
  delete vlan

3) up

4) delete unit 0

5) edit unit 127
    description Haxby_LAN;
            family ethernet-switching {
                vlan {
                    members vlan-haxby;

Does that work? Use commit confirmed for auto rollback.

harbor235 ;}
YorkDataAuthor Commented:
Same error unfortunately. I think it's because I'm using RVIs instead?
harbor235Commented:
Once you issue "delete family ethernet-switching" the remaining sub-config is removed; then go up and remove the unit. It works.


harbor235 ;}
harbor235Commented:
You may need to remove the RVI first, then add it back after the ge-0/0/3 port is configured.


harbor235 ;}
harbor235Commented:
Vlan-id and logical interface number must match.

Configure the RVI:

1) Create a Layer 2 VLAN by assigning it a name and a VLAN ID:
   user@switch# set vlans vlan-name vlan-id vlan-id

2) Assign an interface to the VLAN by naming the VLAN as a trunk member on the logical interface, thereby making the interface part of the VLAN's broadcast domain:
   user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching vlan members vlan-name

3) Create a logical Layer 3 RVI (its name will be vlan.logical-interface-number, where the value for logical-interface-number is the value you supplied for vlan-id in Step 1; in the following command, it is the logical-unit-number) on a subnet for the VLAN's broadcast domain:
   user@switch# set interfaces vlan unit logical-unit-number family inet address inet-address

4) Link the Layer 2 VLAN to the logical Layer 3 interface:
   user@switch# set vlans vlan-name l3-interface vlan.logical-interface-number

http://www.juniper.net/documentation/en_US/junos13.2/topics/task/configuration/bridging-routed-vlan-interfaces-ex-series-cli.html
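The rule quoted above (the RVI unit vlan.N must equal the VLAN's vlan-id) is easy to get wrong by hand, so here is an added example, not from the thread or from Juniper, of a small Python lint over a set-style Junos configuration. It checks that rule, that family ethernet-switching sits on unit 0 of the physical port (the only unit the CLI accepted earlier in this thread), and that every inter-zone permit has its reverse so hosts on both sides can initiate. The VLAN name vlan-haxby, the unit numbers 127/128 and the zone names haxby/servatech come from the thread; the addresses, the policy name allow-all, ge-0/0/4 and vlan-servatech are assumptions, and vlan-servatech is deliberately mis-keyed in the sample so the checks have something to report.

```python
import re

# Constructed sample in Junos "set" syntax. vlan-servatech is deliberately wrong
# (vlan-id 128 but RVI vlan.28) and ge-0/0/4 wrongly uses unit 128 for
# ethernet-switching; only the haxby -> servatech policy direction is present.
SAMPLE_CONFIG = """
set vlans vlan-haxby vlan-id 127
set vlans vlan-haxby l3-interface vlan.127
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-haxby
set interfaces vlan unit 127 family inet address 192.168.127.1/24
set vlans vlan-servatech vlan-id 128
set vlans vlan-servatech l3-interface vlan.28
set interfaces ge-0/0/4 unit 128 family ethernet-switching vlan members vlan-servatech
set interfaces vlan unit 28 family inet address 192.168.128.1/24
set security zones security-zone haxby interfaces vlan.127
set security zones security-zone servatech interfaces vlan.28
set security policies from-zone haxby to-zone servatech policy allow-all match source-address any
set security policies from-zone haxby to-zone servatech policy allow-all match destination-address any
set security policies from-zone haxby to-zone servatech policy allow-all match application any
set security policies from-zone haxby to-zone servatech policy allow-all then permit
"""

VLAN_ID_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
VLAN_L3_RE = re.compile(r"^set vlans (\S+) l3-interface vlan\.(\d+)$")
SWITCHING_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching\b")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit$")


def parse_config(text):
    """Collect the facts the checks need from set-style configuration lines."""
    vlan_ids, rvi_units, switching_units, permits = {}, {}, [], set()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := VLAN_ID_RE.match(line):
            vlan_ids[m.group(1)] = int(m.group(2))
        elif m := VLAN_L3_RE.match(line):
            rvi_units[m.group(1)] = int(m.group(2))
        elif m := SWITCHING_RE.match(line):
            switching_units.append((m.group(1), int(m.group(2))))
        elif m := POLICY_RE.match(line):
            permits.add((m.group(1), m.group(2)))
    return vlan_ids, rvi_units, switching_units, permits


def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    vlan_ids, rvi_units, switching_units, permits = parse_config(text)
    findings = []
    # 1. The RVI unit (vlan.N) must equal the VLAN's vlan-id.
    for name, unit in rvi_units.items():
        vid = vlan_ids.get(name)
        if vid is None:
            findings.append(f"{name}: l3-interface vlan.{unit} but no vlan-id configured")
        elif vid != unit:
            findings.append(f"{name}: vlan-id {vid} but RVI is vlan.{unit} (must match)")
    # 2. family ethernet-switching is only accepted on unit 0 of the physical port.
    for ifname, unit in switching_units:
        if unit != 0:
            findings.append(f"{ifname} unit {unit}: family ethernet-switching is only valid on unit 0")
    # 3. A permit in one direction lets replies back, but hosts on the other side
    #    cannot initiate unless the reverse policy exists too.
    for src, dst in sorted(permits):
        if (dst, src) not in permits:
            findings.append(f"permit {src}->{dst} has no reverse policy; {dst} hosts cannot initiate to {src}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against a real box, feed it the output of `show configuration | display set`; the regexes only understand the handful of statements the thread touches, so anything else is ignored rather than flagged.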
harbor235Commented:
Do you have it working?


harbor235 ;}
YorkDataAuthor Commented:
We do. We did some more troubleshooting from here and the config is right. We noticed in the flows that the session was sending packets but not receiving them back. We queried and queried the external company that looks after the servers in the destination zone, and they had a different gateway configured. Once they added a static route to the Juniper it started working. Thanks for your help.
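The observation that settled the thread (sessions sending packets but getting none back) can be checked mechanically rather than by eye. As an added example that is not part of the thread, the Python below parses text laid out like `show security flow session` output, flags sessions whose In wing has carried traffic while the Out wing counts zero packets, and groups them by egress interface and destination host so a single host or subnet with a wrong gateway stands out from a policy problem. The sample output, addresses, session IDs and policy name are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the layout of "show security flow session" output.
# Sessions 1001 and 1003 have traffic out but nothing back; 1002 is healthy.
SAMPLE_SESSIONS = """\
Session ID: 1001, Policy name: allow-haxby-servatech/4, Timeout: 2, Valid
  In: 192.168.127.10/1 --> 192.168.128.20/1;icmp, If: vlan.127, Pkts: 4, Bytes: 336
  Out: 192.168.128.20/1 --> 192.168.127.10/1;icmp, If: vlan.128, Pkts: 0, Bytes: 0
Session ID: 1002, Policy name: allow-haxby-servatech/4, Timeout: 1794, Valid
  In: 192.168.127.10/51234 --> 192.168.128.1/22;tcp, If: vlan.127, Pkts: 9, Bytes: 1502
  Out: 192.168.128.1/22 --> 192.168.127.10/51234;tcp, If: vlan.128, Pkts: 7, Bytes: 1893
Session ID: 1003, Policy name: allow-haxby-servatech/4, Timeout: 2, Valid
  In: 192.168.127.11/1 --> 192.168.128.20/1;icmp, If: vlan.127, Pkts: 5, Bytes: 420
  Out: 192.168.128.20/1 --> 192.168.127.11/1;icmp, If: vlan.128, Pkts: 0, Bytes: 0
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Turn the session listing into dicts with an In and an Out wing each."""
    sessions, current = [], None
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            current = {"id": int(m.group(1)), "policy": m.group(2), "wings": {}}
            sessions.append(current)
        elif (m := WING_RE.match(line)) and current is not None:
            current["wings"][m.group(1)] = {
                # strip the /port so callers get the host address alone
                "src": m.group(2).rsplit("/", 1)[0],
                "dst": m.group(3).rsplit("/", 1)[0],
                "proto": m.group(4),
                "ifname": m.group(5),
                "pkts": int(m.group(6)),
                "bytes": int(m.group(7)),
            }
    return sessions


def one_way_sessions(text, min_in_pkts=3):
    """Sessions the SRX forwarded (In wing has packets) that never saw a reply
    (Out wing at zero). The policy evidently permitted the flow, so the missing
    reply points past the firewall: host gateway, downstream routing or a host
    firewall, as it did in the thread."""
    suspects = []
    for s in parse_sessions(text):
        w_in, w_out = s["wings"].get("In"), s["wings"].get("Out")
        if w_in and w_out and w_in["pkts"] >= min_in_pkts and w_out["pkts"] == 0:
            suspects.append({
                "id": s["id"], "policy": s["policy"], "proto": w_in["proto"],
                "src": w_in["src"], "dst": w_in["dst"], "out_if": w_out["ifname"],
                "in_pkts": w_in["pkts"],
            })
    return suspects


def group_by_destination(suspects):
    """Count one-way sessions per (egress interface, destination host). Several
    sources all failing towards one host or one interface points at that side."""
    return dict(Counter((s["out_if"], s["dst"]) for s in suspects))


if __name__ == "__main__":
    found = one_way_sessions(SAMPLE_SESSIONS)
    for s in found:
        print(f"session {s['id']}: {s['src']} -> {s['dst']} ({s['proto']}) "
              f"via {s['out_if']}, {s['in_pkts']} pkts out, 0 back")
    for (ifname, dst), n in group_by_destination(found).items():
        print(f"{n} one-way session(s) towards {dst} out of {ifname}")
```

The min_in_pkts threshold exists because a brand-new session legitimately shows zero reply packets for an instant; a few packets out with nothing back is what distinguishes a broken return path from a session that simply has not been answered yet.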
YorkDataAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for YorkData's comment #a40677656
Assisted answer: 500 points for harbor235's comment #a40673362

for the following reason:

Resolved the issue ourselves. Not a configuration issue on the Juniper.
harbor235Commented:
I am glad it's working out, but my second post did ask about checking basic network configuration in the beginning.
Also, based on the config I reviewed, it would not work until some of the changes I presented were implemented, such as vlan-id and unit number matching.

Please review your decision to close without assigning points.


harbor235 ;}
YorkDataAuthor Commented:
Sorry, I did assign points to you. Will re-submit now.