So I learned something interesting. It sounds fundamental, but I had just never really thought about it.
I was trying to ping from an SRX loopback to another. I had ping allowed on the zone host-inbound-traffic but it would not ping. Interfaces were in the correct zone. I could see the traffic going to the firewall on a packet capture but could not ping.
Finally, after a lot of trial and error, I found that what I had to do was allow the traffic from zone UNTRUST to zone UNTRUST. I already had a policy from UNTRUST to junos-host, so that was not the issue. I was under the impression that since my external interface and my loopback were both in UNTRUST, and I was allowing UNTRUST to junos-host, it would be good. Boy was I wrong.
Once I got it working it made sense: the traffic was going from UNTRUST to UNTRUST and only then to junos-host, and on the SRX intrazone traffic still goes through policy lookup, where the default policy is deny-all. That also explained why my VPN was not working.
Anyways, live and learn. Time for more labbing.
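Here is the configuration the post describes, written out as an added example (this is my reconstruction, not the original post's config). The interface names, the 192.0.2.x loopback addresses, the address-book names and the policy names are all assumptions; the junos-ike application is included only because the post mentions the VPN, and scoping the intrazone policy to the two loopbacks instead of any/any is my hardening suggestion, since a blanket UNTRUST-to-UNTRUST permit would also let the box hairpin traffic between untrusted hosts:

```junos
/* Added example, not the original post's configuration. Interfaces,
   addresses and names are assumed. Load with: load merge terminal */
security {
    address-book {
        global {
            /* assumed loopback addresses of this SRX and the peer SRX */
            address LOCAL-LO0 192.0.2.1/32;
            address PEER-LO0 192.0.2.2/32;
        }
    }
    zones {
        security-zone UNTRUST {
            /* this alone is NOT enough: host-inbound-traffic only says the
               zone may deliver ping/IKE to the RE, it does not permit the
               flow between the external interface and the loopback */
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                lo0.0;
            }
        }
    }
    policies {
        /* the policy the post already had: traffic terminating on the box */
        from-zone UNTRUST to-zone junos-host {
            policy allow-self-ping-ike {
                match {
                    source-address PEER-LO0;
                    destination-address LOCAL-LO0;
                    application [ junos-ping junos-ike ];
                }
                then {
                    permit;
                }
            }
        }
        /* the missing piece: the packet arrives on ge-0/0/0.0 (UNTRUST)
           addressed to lo0.0 (also UNTRUST), so it is an intrazone flow
           and the default deny-all policy drops it without this */
        from-zone UNTRUST to-zone UNTRUST {
            policy loopback-to-loopback {
                match {
                    source-address [ LOCAL-LO0 PEER-LO0 ];
                    destination-address [ LOCAL-LO0 PEER-LO0 ];
                    application [ junos-ping junos-ike ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, `show security policies from-zone UNTRUST to-zone UNTRUST` confirms the intrazone policy is there, and `show security policies hit-count` or `show security flow session` while the ping runs shows which policy the flow actually matched, which is the quickest way to tell a zone problem from a host-inbound-traffic problem.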