SRX

Expand all | Collapse all

Just starting out with junos, So a noob question here..

Jump to Best Answer
  • 1.  Just starting out with junos, So a noob question here..

    Posted 05-12-2018 15:11

    I dont have a basic layer three connectivity between my two juniper srx210. I have two interfaces directly connected to each other, yet they cant ping each other. I will attach the config please let me know what I am doing wrong.

     

    aabdulr2# run show configuration
    ## Last commit: 2018-05-12 21:39:31 UTC by aabdulr2
    version 12.1X44-D35.5;
    system {
    root-authentication {
    encrypted-password "$1$rdyA1q4X$qgkB.rb9I252lF9kT3H4q/"; ## SECRET-DATA
    }
    name-server {
    208.67.222.222;
    208.67.220.220;
    }
    login {
    user aabdulr2 {
    uid 2003;
    class super-user;
    authentication {
    encrypted-password "$1$GyQmW9Kw$/zy7vBUhKqZQs7jJPLUaq1"; ## SECRET-DATA
    }
    }
    }
    services {
    ssh;
    telnet;
    xnm-clear-text;
    web-management {
    http {
    interface vlan.0;
    }
    https {
    system-generated-certificate;
    interface vlan.0;
    }
    }
    inactive: dhcp {
    router {
    192.168.1.1;
    }
    pool 192.168.1.0/24 {
    address-range low 192.168.1.2 high 192.168.1.254;
    }
    propagate-settings ge-0/0/0.0;
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 10.0.0.2/24;
    }
    }
    }
    lo0 {
    unit 0 {
    family inet {
    address 192.168.1.2/24;
    }
    }
    }
    }
    security {
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    security-zone untrust {
    screen untrust-screen;
    }
    }
    }

     

     

     

     

    and for R2

     

     

     

    aabdulr2> show configuration
    ## Last commit: 2018-05-12 21:22:18 UTC by aabdulr2
    version 11.2R4.3;
    system {
    root-authentication {
    encrypted-password "$1$mqFiB.CD$K2.1ChYJMPmk0Az/MKlN8/"; ## SECRET-DATA
    }
    name-server {
    208.67.222.222;
    208.67.220.220;
    }
    login {
    user aabdulr2 {
    uid 2003;
    class super-user;
    authentication {
    encrypted-password "$1$4Tfka88U$tMLnvxLATCtomUOeh40T7/"; ## SECRET-DATA
    }
    }
    }
    services {
    ssh;
    telnet;
    xnm-clear-text;
    web-management {
    http {
    interface vlan.0;
    }
    https {
    system-generated-certificate;
    interface vlan.0;
    }
    }
    inactive: dhcp {
    router {
    192.168.1.1;
    }
    pool 192.168.1.0/24 {
    address-range low 192.168.1.2 high 192.168.1.254;
    }
    propagate-settings ge-0/0/0.0;
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 10.0.0.1/30;
    }
    }
    }
    lo0 {
    unit 0 {
    family inet {
    address 192.168.1.1/24;
    }
    }
    }
    }
    security {
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    security-zone untrust {
    screen untrust-screen;
    }
    }
    }



  • 2.  RE: Just starting out with junos, So a noob question here..
    Best Answer

    Posted 05-13-2018 00:21

    Hello,

    Looks like You connected R1 ge-0/0/0 to R2 ge-0/0/0. Then You have 2 issues:

    1/ ge-0/0/0.0 netmask on R1 is /24 but on ge-0/0/0.0 netmask on R2 is /30

    2/ ge-0/0/0.0 on R1 is not assigned to any zone, likewise ge-0/0/0.0 on R2 is not assigned to any zone.

    BTW, by default any SRX interface not explicitly assigned elsewhere is in Null zone and any traffic is not allowed in Null zone.

    HTH

    Thx
    Alex

     



  • 3.  RE: Just starting out with junos, So a noob question here..

    Posted 05-13-2018 00:40

    okay thanks for the that. So does this mean that every time i am working with an interface on Layer3 I need to assign it to a zone ? If yes, what are zones and what can be configured in a zone?

     

    also i have applied the corections you suggested nd that still did not solve the porblem

     

    Thanks for all the help 



  • 4.  RE: Just starting out with junos, So a noob question here..

    Posted 05-13-2018 02:07

    Hello,

    If You are not familiar with firewall "zone" concept, I strongly suggest You first read the book "JUNOS Security" 

    https://www.amazon.co.uk/gp/product/1449381715

    Or at least chapter 4 that discusses the JUNOS security-related concepts.

    On the topic "applied corrections, still does not work" - please share Your latest configs.

    HTH

    Thx

    Alex

     



  • 5.  RE: Just starting out with junos, So a noob question here..

    Posted 05-13-2018 02:35

    so I ended up solving the issue by adding the interface ge-0/0/0.0 to a trusted zone. Thank for all the help!!