Routing

Expand all | Collapse all

Routing to Internet only works for one IP Address SRX 550

Jump to Best Answer
  • 1.  Routing to Internet only works for one IP Address SRX 550

    Posted 02-06-2020 01:17

    Hi everybody,

    I have a very strange behavior and cannot explain it to me.
    I have a /28 network. It contains Linux systems which all have the same network configuration.
    But only one  can access the Internet. That one with the first usable IP from this network.
    All others can´t access the internet. All devices se each other within the network. Everyone can also reach the default GW. But only one device can also access the Internet.
    If you make a traceroute to 8.8.8.8 , even the first HOP (own gateway) will be shown with "*". I assume that this is a firewall topic (Juniper SRX 550) but cannot find anything there.

    Does anyone have an idea what this could be? 



  • 2.  RE: Routing to Internet only works for one IP Address SRX 550

     
    Posted 02-06-2020 01:48
    Hi qSkills,

    Is it always “any” one device that can access? Please validate by perhaps shutting the first one down 😊. If yes, then it sounds like a NATting issue where only 1-1 translation is happening versus many-one. Please check if there’s a static NAT or something.

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 3.  RE: Routing to Internet only works for one IP Address SRX 550
    Best Answer

     
    Posted 02-06-2020 01:59

    Hello,

     

    If Traffic is going through firewall then you may check the policy configuration if /28 is allowed as source-address or not.

    As you rightly said, Traceroute may not be allowed by default, so that's why it's showing * at first hop itself.

     

    Thanks,

    Shina M.

     

     



  • 4.  RE: Routing to Internet only works for one IP Address SRX 550

    Posted 02-06-2020 02:36

    Shutting down the interface with the first ip didnt change the behavior.  This is, how its configured:

     
    sysadmin@nfw001> show security nat source rule snat_all
    node0:
    --------------------------------------------------------------------------
    
    source NAT rule: snat_all Rule-set: corp-net-webserver-to-untrust
    Rule-Id : 30
    Rule position : 30
    From zone : corp-net-webserver
    To zone : untrust
    Match
    Source addresses : 172.50.1.0 - 172.50.1.15
    Destination addresses : 0.0.0.0 - 255.255.255.255
    Destination port : 0 - 0
    Action : interface
    Persistent NAT type : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout : 0
    Max session number : 0
    Translation hits : 57473
    
    node1:
    --------------------------------------------------------------------------
    
    source NAT rule: snat_all Rule-set: corp-net-webserver-to-untrust
    Rule-Id : 30
    Rule position : 30
    From zone : corp-net-webserver
    To zone : untrust
    Match
    Source addresses : 172.50.1.0 - 172.50.1.15
    Destination addresses : 0.0.0.0 - 255.255.255.255
    Destination port : 0 - 0
    Action : interface
    Persistent NAT type : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout : 0
    Max session number : 0
    Translation hits : 2


  • 5.  RE: Routing to Internet only works for one IP Address SRX 550

    Posted 02-06-2020 04:56

    there was a policy for this zone which allows all applications but only one source-address.

    Thank you all for your help