SRX


  • 1.  Workstation cannot reach the internet via SRX

    Posted 01-29-2014 19:24

    Hi Everyone,

    I have a workstation that is having issues connecting to the internet via an SRX device. From the SRX device I am able to reach the internet; however, when I try to reach the internet from the workstation I am unable to. Below are the ping results from the SRX device. I also put a small diagram so you can see the layout, and the configs on the SRX device. Please advise on what the issue could be.

     

    xxxx@Juniper1> show configuration | display set
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services dhcp router 10.1.1.1
    set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
    set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0 family inet dhcp
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces vlan unit 0 family inet address 10.1.1.1/24
    set protocols stp
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone trust interfaces fe-0/0/7.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

     

    xxxx@Juniper1> ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=250 time=40.343 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=36.330 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=36.137 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=35.973 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=37.613 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 35.973/37.279/40.343/1.638 ms

    victor@Juniper1>

     

     

    Thank you

     

    Victor

     

     

    Screen Shot 2014-01-29 at 10.19.48 PM.png




  • 2.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 08:12

    Your workstation does not have DNS information, under DHCP hierarchy configure DNS information or configure static entry in your work station



  • 3.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 08:45

    The workstation received the DNS server from the SRX, and I even statically configured a DNS server on the workstation; it still cannot reach the internet.



  • 4.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 08:53

    A quick glance does not show anything wrong.

    If you execute the operational mode command > show security flow session and match on the IP prefix of the PC, do you see a session established for the flow? You should see outbound packets at least.



  • 5.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 16:36

    When I match on the host workstation I don't see anything. I am trying to ping DNS 8.8.8.8 when performing the match. See below:

     

    user@Juniper1> show security flow session | match 10.1.1.2

     

     



  • 6.  RE: Workstation cannot reach the internet via SRX
    Best Answer

    Posted 01-30-2014 20:14

    Dear

    I don't see any need to put the below line in the config:

    set security zones security-zone trust interfaces fe-0/0/7.0

    as the interface is ethernet-switching and a member of vlan-trust (set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust), so only the l3-interface vlan.0 should be a member of the zone, which is already in your config.

    To understand what happens to your ping packet, the best way is to enable traceoptions under security flow:

    [edit security flow traceoptions]
    SRX# show
    file reachability-internet;
    flag basic-datapath;
    packet-filter filter-1 {
        protocol icmp;
        destination-prefix 8.8.8.8/32;
        source-prefix 10.1.1.2/32;
    }

    Regards



  • 7.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 23:42

    Hi,

    under "set system services dhcp pool" you must add "propagate-settings vlan.0" (the interface for propagating DHCP settings).

    also try putting "host-inbound-traffic protocols all" under "security zones security-zone trust interfaces vlan.0".

    for a test, ping from the SRX vlan interface:

    ping 8.8.8.8 interface vlan.0
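    As an added example (not from this thread and not Juniper code), here is a small Python linter that applies the checks raised in replies 2, 6 and 7 to a "show configuration | display set" dump: an ethernet-switching port placed directly in a security zone, a DHCP pool that offers clients no DNS servers, and a permit policy between two zones with no matching source NAT rule-set. The embedded sample is an excerpt of the configuration from the first post; the check names and the third check's heuristic are my own assumptions.

```python
"""Lint a Junos 'show configuration | display set' dump for the issues raised
in this thread. Added example, not Juniper code; check names are my own."""
from typing import Dict, List, Set

# Constructed sample: the relevant lines of the config posted in the first message.
SAMPLE_CONFIG = """\
set system services dhcp router 10.1.1.1
set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set vlans vlan-trust l3-interface vlan.0
"""


def parse_set_lines(text: str) -> List[List[str]]:
    """Tokenise each 'set ...' statement, dropping the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def lint_srx_config(text: str) -> List[Dict[str, str]]:
    """Return one dict per finding; an empty list means every check passed."""
    stmts = parse_set_lines(text)
    findings: List[Dict[str, str]] = []
    seen: Set[tuple] = set()  # de-duplicate findings produced by repeated lines

    def report(**fields: str) -> None:
        key = tuple(sorted(fields.items()))
        if key not in seen:
            seen.add(key)
            findings.append(fields)

    # Check 1 (reply 6): an ethernet-switching port listed directly as a zone
    # member. Only the VLAN's l3-interface (vlan.0 here) belongs in the zone.
    l2_units = {f"{s[1]}.{s[3]}" for s in stmts
                if len(s) >= 6 and s[0] == "interfaces" and s[2] == "unit"
                and s[4:6] == ["family", "ethernet-switching"]}
    for s in stmts:
        if (len(s) >= 6 and s[:3] == ["security", "zones", "security-zone"]
                and s[4] == "interfaces" and s[5] in l2_units):
            report(check="l2-interface-in-zone", zone=s[3], interface=s[5])

    # Check 2 (replies 2 and 7): a DHCP pool that hands out no DNS servers,
    # neither via name-server nor via propagate-settings from another interface.
    pools: Dict[str, Set[str]] = {}
    for s in stmts:
        if len(s) >= 6 and s[:4] == ["system", "services", "dhcp", "pool"]:
            pools.setdefault(s[4], set()).add(s[5])
    for prefix, options in pools.items():
        if not options & {"name-server", "propagate-settings"}:
            report(check="dhcp-pool-no-dns", pool=prefix)

    # Check 3 (assumed heuristic): a permit policy between two zones with no
    # source NAT rule-set for that zone pair. Zone pairs routed without NAT are
    # legitimate, but for the pair facing the internet a missing NAT rule is a
    # common reason that hosts behind the SRX never see replies.
    rule_sets: Dict[str, Dict[str, str]] = {}
    for s in stmts:
        if (len(s) >= 8 and s[:4] == ["security", "nat", "source", "rule-set"]
                and s[5] in ("from", "to") and s[6] == "zone"):
            rule_sets.setdefault(s[4], {})[s[5]] = s[7]
    nat_pairs = {(rs.get("from"), rs.get("to")) for rs in rule_sets.values()}
    for s in stmts:
        if (len(s) >= 10 and s[:3] == ["security", "policies", "from-zone"]
                and s[4] == "to-zone" and s[8:10] == ["then", "permit"]
                and (s[3], s[5]) not in nat_pairs):
            report(check="permit-without-source-nat", from_zone=s[3], to_zone=s[5])

    return findings


if __name__ == "__main__":
    for finding in lint_srx_config(SAMPLE_CONFIG):
        print(finding)
```

    Run against the sample it reports the two items the thread settled on (fe-0/0/7.0 sitting in the trust zone, and a DHCP pool with no DNS option) and stays quiet about the NAT rule-set, which is correctly present. Feed it a dump saved from the CLI to repeat the review on another box.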



  • 8.  RE: Workstation cannot reach the internet via SRX

    Posted 01-31-2014 06:33

    It's working now. I am able to reach the internet; I'm not sure what was going on. I checked the flow sessions again and saw various sessions being established to the internet. Thank you all for your help.



  • 9.  RE: Workstation cannot reach the internet via SRX

    Posted 01-31-2014 12:34

    Happy to know that 🙂, you are welcome!