Search My Techie Guy

Friday, November 13, 2015

Connected a firewall (SRX240) but i can't ping the Point to Point Interfaces

Problem:

Just completed connecting a firewall (SRX 240) to a switch.
The link is supposed to be a trunk carrying multiple VLANs, however, i couldn't ping the Point-to-Point IPs from the switch or the firewall yet the interfaces are UP.

Example Config: 

On the Firewall:

set interfaces ge-0/0/13 description my_test_link
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members TEST
set interfaces vlan unit 590 description my_test_vlan
set interfaces vlan unit 590 family inet address 10.0.90.5/30
set vlans TEST vlan-id 590
set vlans TEST l3-interface vlan.590

On the switch:

set interfaces ge-0/0/16 description my_test_link
set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members 590
set interfaces vlan unit 590 description my_test_vlan
set interfaces vlan unit 590 family inet address 10.0.90.6/30
set vlans TEST vlan-id 590
set vlans TEST l3-interface vlan.590

Normally, this would be enough to bring UP the point-to-point if this were a switch to switch connection. But because the default firewall behavoiur is to block all traffic, trying to ping the firewall interfaces from the switch or vice versa will fail.

solution: 

Add this config

set security zones security-zone trust interfaces vlan.590
set security zones security-zone trust interfaces vlan.590 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.590 host-inbound-traffic protocols all

what this additional config does is to put the interface in a security zone and permit inbound traffic to that interface.
Post a Comment