Routing

 View Only
last person joined: 5 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

  • 1.  Routing to Internet only works for one IP Address SRX 550

    Posted 02-06-2020 01:17

    Hi everybody,

    I have a very strange behavior and cannot explain it to me.
    I have a /28 network. It contains Linux systems which all have the same network configuration.
    But only one  can access the Internet. That one with the first usable IP from this network.
    All others can´t access the internet. All devices se each other within the network. Everyone can also reach the default GW. But only one device can also access the Internet.
    If you make a traceroute to 8.8.8.8 , even the first HOP (own gateway) will be shown with "*". I assume that this is a firewall topic (Juniper SRX 550) but cannot find anything there.

    Does anyone have an idea what this could be? 



  • 2.  RE: Routing to Internet only works for one IP Address SRX 550

     
    Posted 02-06-2020 01:48
    Hi qSkills,

    Is it always “any” one device that can access? Please validate by perhaps shutting the first one down 😊. If yes, then it sounds like a NATting issue where only 1-1 translation is happening versus many-one. Please check if there’s a static NAT or something.

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 3.  RE: Routing to Internet only works for one IP Address SRX 550
    Best Answer

     
    Posted 02-06-2020 01:59

    Hello,

     

    If Traffic is going through firewall then you may check the policy configuration if /28 is allowed as source-address or not.

    As you rightly said, Traceroute may not be allowed by default, so that's why it's showing * at first hop itself.

     

    Thanks,

    Shina M.

     

     



  • 4.  RE: Routing to Internet only works for one IP Address SRX 550

    Posted 02-06-2020 02:36

    Shutting down the interface with the first ip didnt change the behavior.  This is, how its configured:

     
    sysadmin@nfw001> show security nat source rule snat_all
node0:
--------------------------------------------------------------------------

source NAT rule: snat_all Rule-set: corp-net-webserver-to-untrust
Rule-Id : 30
Rule position : 30
From zone : corp-net-webserver
To zone : untrust
Match
Source addresses : 172.50.1.0 - 172.50.1.15
Destination addresses : 0.0.0.0 - 255.255.255.255
Destination port : 0 - 0
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 57473

node1:
--------------------------------------------------------------------------

source NAT rule: snat_all Rule-set: corp-net-webserver-to-untrust
Rule-Id : 30
Rule position : 30
From zone : corp-net-webserver
To zone : untrust
Match
Source addresses : 172.50.1.0 - 172.50.1.15
Destination addresses : 0.0.0.0 - 255.255.255.255
Destination port : 0 - 0
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 2


  • 5.  RE: Routing to Internet only works for one IP Address SRX 550

    Posted 02-06-2020 04:56

    there was a policy for this zone which allows all applications but only one source-address.

    Thank you all for your help