
Security policies not passing traffic


We have an SRX100H2 that I'm trying to lock down. Basically, it's a branch VPN, and I only want to pass limited traffic thru the tunnel.

 

I've set everything up (VPN, NAT, etc.), and traffic passes fine as long as the default policy is accept, but nothing passes through the SRX when I change it to deny-all.

 

As an example, when I try to ping from 10.12.7.2 to 10.252.253.5, I get the following in the traffic log:

 

Mar 30 00:07:55 VPN-Test-01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.12.7.2/1->10.252.253.5/23388 icmp 1(8) default-deny(global) vpn trust UNKNOWN UNKNOWN N/A(N/A) st0.0 UNKNOWN policy deny

 

I've included what I hope are the relevant sections of the config. Again, everything works just how I want it if the default policy is set to accept-all, but not with deny-all.

 

Thanks!

 

...Ralph Johnston
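
An added example, not part of the original post: a small parser for the RT_FLOW_SESSION_DENY line quoted above that reports which zone pairs are being denied by a default policy rather than by a named one. The field order is an assumption inferred from the single log line in the post; every sample line except the first is constructed.

```python
import re
from collections import Counter

# Field order inferred from the one RT_FLOW_SESSION_DENY line in the post (assumption).
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
    r"(?P<app>\S+) (?P<nested_app>\S+) (?P<user>\S+) "
    r"(?P<in_if>\S+) (?P<encrypted>\S+) (?P<reason>.+)$"
)

def parse_deny(line):
    """Return the deny record as a dict, or None if the line is not a deny."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def default_policy_hits(lines):
    """Count denies per (from-zone, to-zone, service) that hit a default-* policy."""
    hits = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["policy"].startswith("default-"):
            hits[(rec["from_zone"], rec["to_zone"], rec["service"])] += 1
    return hits

SAMPLE = [
    # Line 1 is the log entry from the post; the rest are constructed.
    "Mar 30 00:07:55 VPN-Test-01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "10.12.7.2/1->10.252.253.5/23388 icmp 1(8) default-deny(global) vpn trust "
    "UNKNOWN UNKNOWN N/A(N/A) st0.0 UNKNOWN policy deny",
    "Mar 30 00:08:02 VPN-Test-01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "10.12.7.2/40112->10.252.253.5/443 junos-https 6(0) default-deny(global) vpn trust "
    "UNKNOWN UNKNOWN N/A(N/A) st0.0 UNKNOWN policy deny",
    # Constructed: denied by a named (hypothetical) policy, so not a default-policy hit.
    "Mar 30 00:08:05 VPN-Test-01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "10.12.7.9/40200->10.252.253.5/23 junos-telnet 6(0) block-telnet vpn trust "
    "UNKNOWN UNKNOWN N/A(N/A) st0.0 UNKNOWN policy deny",
    # Constructed: unrelated syslog line that must be ignored.
    "Mar 30 00:08:09 VPN-Test-01 mgd[1001]: constructed non-flow line",
]

if __name__ == "__main__":
    for (fz, tz, svc), n in sorted(default_policy_hits(SAMPLE).items()):
        print(f"{n} deny(s) from-zone {fz} to-zone {tz} service {svc}: no explicit policy matched")
```

For the line in the post, the parsed record shows the session arriving on st0.0, classified as from-zone vpn to-zone trust, and denied under the policy name default-deny(global).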

