SRX


SRX: no internet access inside zones

  • 1.  SRX: no internet access inside zones

    Posted 09-09-2019 06:00

    Hello everyone,

     

    I have a problem that within the zone there is no internet access. I am troubleshooting but I cannot get further. I also cannot see what I am doing wrong in my config. Can you help me with this? Only on the SRX is there internet connectivity, and I can ping from source address 10.200.5.8 (public IP for the SRX) towards public addresses, for example Google.

    I have attached the SRX340 and EX3400 configs.

    Issues:

    1. There is no internet access within the ot-application reth1.30 zone (for example).

    2. I can ping (10.200.5.8) but cannot access the J-Web management of the switches; is this a security policy issue?

    3. I can ping the iDRAC addresses of the servers but cannot access the iDRAC console web; is this a security policy issue?

    Thanks.

     

    Attachment(s): ex3400.txt (7K), SRX340.txt (14K)


  • 2.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 09:36

    Suli,

     

    Let's start troubleshooting from ot-application to the Internet first; I checked the config of the SRX and confirmed the following:

     

    Topology

     

            "OT-application vlan 30"                "untrust"
    ---------(reth1.30: 172.22.2.1/24)-SRX-(ge-0/0/7:192.168.150.30/30)----------------INTERNET
                                        |
                                        |--(ge-5/0/7:192.168.250.30/30)----------------INTERNET

     

    Default route is present

     

    routing-options {
        rib inet.0 {
            static {
                route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
            }
        }
    }

     

    Sec-policy is allowing the traffic

     

    from-zone ot-application to-zone untrust {
        policy OT-application-to-Untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

     

    Proper NAT is configured for reaching the Internet

     

    security {
        nat {
            source {
                rule-set otapplication-to-internet {
                    from zone ot-application;
                    to zone untrust;
                    rule internet-access {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
    }

     

    The config looks correct to me. Can you try pinging 8.8.8.8 from a host within the ot-application zone and check if there is a session created:

     

    > show security flow session source-prefix [PC_Address] destination-prefix 8.8.8.8 protocol icmp

     

    If you don't see any session, then try running flow traceoptions to confirm whether the SRX is dropping the packets:

     

    # set security flow traceoptions file TRACE
    # set security flow traceoptions flag basic-datapath
    # set security flow traceoptions packet-filter TEST source-prefix [PC_Address]
    # set security flow traceoptions packet-filter TEST destination-prefix 8.8.8.8
    # commit

    [try the ping]

    > show log TRACE

     



  • 3.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 10:24

    Thank you for responding.

     

    Show security flow session:

    Session ID: 256206, Policy name: OT-application-to-Untrust/6, State: Active, Timeout: 52, Valid
    In: 172.22.2.8/1 --> 8.8.8.8/16557;icmp, Conn Tag: 0x0, If: reth1.30, Pkts: 1, Bytes: 84,
    Out: 8.8.8.8/16557 --> 192.168.150.30/55646;icmp, Conn Tag: 0x0, If: ge-0/0/7.1409, Pkts: 0, Bytes: 0,



  • 4.  RE: SRX: no internet access inside zones
    Best Answer

    Posted 09-09-2019 10:33

    Suli,

     

    Packets are leaving the SRX but not returning, so this is a problem outside the SRX:

     

    Show security flow session:
    
    Session ID: 256206, Policy name: OT-application-to-Untrust/6, State: Active, Timeout: 52, Valid
    In: 172.22.2.8/1 --> 8.8.8.8/16557;icmp, Conn Tag: 0x0, If: reth1.30, Pkts: 1, Bytes: 84,
    Out: 8.8.8.8/16557 --> 192.168.150.30/55646;icmp, Conn Tag: 0x0, If: ge-0/0/7.1409, Pkts: 0, Bytes: 0,

     

    I can also see that source NAT was applied correctly. You might want to check with your ISP.

     



  • 5.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 10:50

    The switch configuration you shared is from a switch that sits between the SRX and the Internet? If so, please let us know which ports connect to ge-0/0/7 and ge-5/0/7 of the SRX and which port connects to the Internet modem. That way we could quickly check the config on the switch as well.

     



  • 6.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 11:18

    This is the topology:

     

    4x switches (virtual chassis) > 2x SRX (cluster) > internet

     

    SRX:

    ge-0/0/7 connects towards ISP1, VLAN 1409

    ge-5/0/7 connects towards ISP2, VLAN 2409

     

    10.200.5.81 should be 5.200.5.81.

    On the EX switches:

    Interfaces ge-2/0/46 and ge-0/0/46 are labelled as internet, but to make it clear, these interfaces are not directly connected to the ISP. The firewall has reth0.100 as the "internet" interface, and the firewall itself has 5.200.5.81 as the IP address. We made this VLAN for reaching the firewall publicly via 5.200.5.81.

     

    reth0 {
        description "switch - internet";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 100 {
            description "public ip-range";
            vlan-id 100;
            family inet {
                address 5.200.5.81/29 {
                    primary;
                    preferred;
                }
            }
        }
    }



  • 7.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 12:34

    Suli,

     

    I'm confused with the flow of the traffic. I understood that the packets sent from a PC within the ot-application zone will reach the SRX on reth1.30, and then the SRX will send them to the switch via its ge-0/0/7 or ge-5/0/7 interface. However, I'm not sure what should happen next; will the switch send the packets back to the SRX so they are sent via reth0.100 to the Internet?



  • 8.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 13:23

    Hello,

     

    You can ignore reth0.100. What is important is that the packets sent from a PC within the ot-application zone will reach the SRX on reth1.30, and then the SRX will send them via its ge-0/0/7 or ge-5/0/7 interface towards the ISP. ge-0/0/7 and ge-5/0/7 are the interfaces on the SRX towards the ISP.

     

    SRX:

    ge-0/0/7 {
        description "ISP-router-01 - cable ID 3611";
        vlan-tagging;
        unit 1409 {
            vlan-id 1409;
            family inet {
                address 192.168.150.30/30;
            }
        }
    }
    ge-5/0/7 {
        description "ISP.net-router-02 - cable ID 3711";
        vlan-tagging;
        unit 2409 {
            vlan-id 2409;
            family inet {
                address 192.168.250.30/30;
            }
        }
    }

     

    routing-options {
        rib inet.0 {
            static {
                route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
            }
        }
    }



  • 9.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 14:54

    OK good, then you need to check any devices sitting in front of the SRX or with the ISP as you stated.

     

    Good luck with that and keep us posted. Please also mark the post as Resolved if you consider so.

     



  • 10.  RE: SRX: no internet access inside zones

    Posted 09-11-2019 08:08

    Hello,

     

    The problem is resolved now. What went wrong is that I had configured the NAT with "then source-nat interface", but the outgoing interface has a private IP address, so that won't work. So I needed a source-nat pool where I can choose a public IP from my assigned range as the public NAT address, from our network transmission supplier towards the ISP.

     

    Topology

            "OT-application vlan 30"                "untrust"
    ---------(reth1.30: 172.22.2.1/24)-SRX-(ge-0/0/7:192.168.150.30/30)----------------INTERNET
                                        |
                                        |--(ge-5/0/7:192.168.250.30/30)----------------INTERNET

     

    thanks.
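
The two checks this thread turned on, read together, are mechanical enough to script: post 4 diagnosed the fault from a session whose Out wing never counted a packet, and post 10 found the cause in interface NAT using a private egress address. The parser below is an added example and not code from the thread or from Juniper; it takes `show security flow session` output (the sample is constructed from the session quoted above) and flags both conditions, so a session dump from the ot-application zone can be checked before opening a ticket with the ISP.

```python
import ipaddress
import re

# Constructed sample, modelled on the "show security flow session" output quoted in the thread.
SAMPLE_SESSION = """\
Session ID: 256206, Policy name: OT-application-to-Untrust/6, State: Active, Timeout: 52, Valid
In: 172.22.2.8/1 --> 8.8.8.8/16557;icmp, Conn Tag: 0x0, If: reth1.30, Pkts: 1, Bytes: 84,
Out: 8.8.8.8/16557 --> 192.168.150.30/55646;icmp, Conn Tag: 0x0, If: ge-0/0/7.1409, Pkts: 0, Bytes: 0,
"""

SESSION_RE = re.compile(r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+),")
WING_RE = re.compile(
    r"^(?P<dir>In|Out): (?P<src>[\d.]+)/\d+ --> (?P<dst>[\d.]+)/\d+;(?P<proto>\w+), "
    r"Conn Tag: \S+, If: (?P<ifc>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+),?$"
)


def parse_sessions(text):
    """Parse session headers and their In/Out wings into a list of dicts."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            sessions.append({"id": int(m["sid"]), "policy": m["policy"]})
        elif (m := WING_RE.match(line)) and sessions:
            sessions[-1][m["dir"]] = {
                "src": m["src"], "dst": m["dst"], "proto": m["proto"], "ifc": m["ifc"],
                "pkts": int(m["pkts"]), "bytes": int(m["bytes"]),
            }
    return sessions


def diagnose(session):
    """'no_return_traffic': the In wing forwarded packets but the Out wing saw none (post 4).
    'private_nat_source': the translated source (the Out wing's destination) is an RFC 1918
    address, so the Internet cannot route replies to it (the root cause found in post 10)."""
    inw, outw = session.get("In"), session.get("Out")
    if not inw or not outw:
        return ["incomplete_session"]
    findings = []
    if inw["pkts"] > 0 and outw["pkts"] == 0:
        findings.append("no_return_traffic")
    if ipaddress.ip_address(outw["dst"]).is_private:
        findings.append("private_nat_source")
    return findings


def diagnose_all(text):
    """Map each session ID to its findings for a whole session dump."""
    return {s["id"]: diagnose(s) for s in parse_sessions(text)}
```

Run `diagnose_all(SAMPLE_SESSION)` on the thread's session and both findings come back; a session whose Out wing counts packets and whose translated source is public returns an empty list.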

     



  • 11.  RE: SRX: no internet access inside zones

    Posted 09-09-2019 11:46

    I'll be reporting this to my ISP. Thank you.