SRX


Ask questions and share experiences about the SRX Series.
  • 1.  Workstation cannot reach the internet via SRX

    Posted 01-29-2014 19:24

    Hi Everyone,

    I have a workstation that is having issues connecting to the internet via an SRX device. From the SRX device I am able to reach the internet; however, when I try to reach the internet from the workstation I am unable to. Below are the ping results from the SRX device. I also put in a small diagram so you can see the layout and the configs on the SRX device. Please advise on what could be the issue.

     

    xxxx@Juniper1> show configuration | display set
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services dhcp router 10.1.1.1
    set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
    set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0 family inet dhcp
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces vlan unit 0 family inet address 10.1.1.1/24
    set protocols stp
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone trust interfaces fe-0/0/7.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

     

    xxxx@Juniper1> ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=250 time=40.343 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=36.330 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=36.137 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=35.973 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=37.613 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 35.973/37.279/40.343/1.638 ms

    victor@Juniper1>

     

     

    Thank you

    Victor

    [Attachment: Screen Shot 2014-01-29 at 10.19.48 PM.png]


  • 2.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 08:12

    Your workstation does not have DNS information; under the DHCP hierarchy configure DNS information, or configure a static entry on your workstation.



  • 3.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 08:45

    The workstation received the DNS server from the SRX, and I even statically configured a DNS server on the workstation, and it still cannot reach the internet.



  • 4.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 08:53

    A quick glance does not show anything wrong.

    If you execute the operational mode command "show security flow session" and match on the IP prefix of the PC, do you see a session established for the flow? You should see outbound packets at least.



  • 5.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 16:36

    When I match for the host workstation I don't see anything. I am trying to ping DNS 8.8.8.8 when performing the match. See below:

    user@Juniper1> show security flow session | match 10.1.1.2
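    An added example, not part of the thread: the empty match above means the SRX never created a session for the workstation's packets, which is a different failure from "session exists but no return traffic". The Python below parses the layout of "show security flow session" output and classifies a host-to-destination flow into one of those cases. The session text embedded in it is constructed in that format for illustration (the thread itself had no matching sessions); the policy names, session IDs and the 198.51.100.7 post-NAT address are made-up sample values.

```python
import re

# Constructed sample in the layout of Junos "show security flow session" output.
# Not output from the thread; session IDs, policy names and addresses are made up.
SAMPLE_SESSIONS = """\
Session ID: 4121, Policy name: trust-to-untrust/4, Timeout: 2, Valid
  In: 10.1.1.2/12 --> 8.8.8.8/12;icmp, If: vlan.0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/12 --> 198.51.100.7/12;icmp, If: fe-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 4122, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.1.1.2/51234 --> 10.1.1.1/22;tcp, If: vlan.0, Pkts: 10, Bytes: 1200
  Out: 10.1.1.1/22 --> 10.1.1.2/51234;tcp, If: .local..0, Pkts: 8, Bytes: 900
Total sessions: 2
"""

HDR_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
# One "wing" of a session: the In (initiator) or Out (responder) direction.
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Return a list of session dicts, each with 'in' and/or 'out' wing dicts."""
    sessions = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2),
                             "timeout": int(m.group(3))})
            continue
        m = WING_RE.match(line)
        if m and sessions:
            sessions[-1][m.group(1).lower()] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "iface": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9)),
            }
    return sessions


def sessions_for_host(text, host):
    """Equivalent of '| match <host>' restricted to the In wing of each session."""
    return [s for s in parse_sessions(text)
            if "in" in s and host in (s["in"]["src"], s["in"]["dst"])]


def diagnose(text, host, dst):
    """Classify what the session table says about traffic from host to dst."""
    matching = [s for s in sessions_for_host(text, host) if s["in"]["dst"] == dst]
    if not matching:
        # No session at all: the packet never passed first-packet processing
        # (policy, NAT, route lookup) or never arrived at the SRX.
        return "no-session"
    s = matching[0]
    if "out" not in s or s["out"]["pkts"] == 0:
        # Session built and packets forwarded, but nothing came back.
        return "no-return-traffic"
    return "bidirectional"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.1.1"):
        print(dst, diagnose(SAMPLE_SESSIONS, "10.1.1.2", dst))
    print("10.1.1.3", diagnose(SAMPLE_SESSIONS, "10.1.1.3", "8.8.8.8"))
```

    The "no-session" result is the thread's situation, and it points at the first-packet path (zone membership, policy, NAT, routing) rather than at the upstream link, which is why the flow traceoptions suggested later in the thread are the right next step.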

     

     



  • 6.  RE: Workstation cannot reach the internet via SRX
    Best Answer

    Posted 01-30-2014 20:14

    Dear

    I don't see any need to put the below line in the config:

    set security zones security-zone trust interfaces fe-0/0/7.0

    as the interface is ethernet-switching and a member of vlan-trust (set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust), so only the l3-interface vlan.0 should be a member of the zone, which is already in your config.

    To understand what happens to your ping packet, the best way is to enable traceoptions under security flow:

    [edit security flow traceoptions]
    SRX# show
    file reachability-internet;
    flag basic-datapath;
    packet-filter filter-1 {
        protocol icmp;
        destination-prefix 8.8.8.8/32;
        source-prefix 10.1.1.2/32;
    }

    Regards
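    An added example, not from the thread or from Juniper: the mismatch the reply above points out (a switching port zoned directly, alongside its VLAN's l3-interface) is easy to miss by eye in a long "display set" listing, so the Python below lints such a listing for it, and also for an l3-interface that belongs to no zone. The config excerpt embedded in it is taken from the thread's configuration; the checks are my own heuristics, not a Junos commit rule.

```python
import re
from collections import defaultdict

# Excerpt of the thread's "show configuration | display set" output, embedded here
# as sample input (the lines relevant to zones, interfaces and VLANs).
SAMPLE_CONFIG = """\
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family (\S+)")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
L3_RE = re.compile(r"^set vlans (\S+) l3-interface (\S+)")


def parse_set_config(text):
    """Collect logical-interface families, zone memberships and VLAN l3-interfaces."""
    families = {}                    # "fe-0/0/7.0" -> "ethernet-switching"
    zone_ifaces = defaultdict(set)   # zone name -> set of logical interfaces
    l3 = {}                          # VLAN name -> its l3-interface
    for line in text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            families[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            zone_ifaces[m.group(1)].add(m.group(2))
            continue
        m = L3_RE.match(line)
        if m:
            l3[m.group(1)] = m.group(2)
    return families, dict(zone_ifaces), l3


def lint_zones(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    families, zone_ifaces, l3 = parse_set_config(text)
    findings = []
    zoned = {iface for ifaces in zone_ifaces.values() for iface in ifaces}
    for zone, ifaces in zone_ifaces.items():
        for iface in sorted(ifaces):
            fam = families.get(iface)
            if fam is None:
                findings.append(f"zone {zone}: interface {iface} is not configured")
            elif fam == "ethernet-switching":
                # A Layer 2 switching port has no family inet; its traffic enters the
                # flow module via the VLAN's l3-interface, which is what belongs in the zone.
                findings.append(
                    f"zone {zone}: {iface} is a switching port; zone its VLAN's l3-interface instead")
    for vlan, iface in l3.items():
        if iface not in zoned:
            findings.append(f"vlan {vlan}: l3-interface {iface} is in no security zone")
    return findings


def without_line(text, line):
    """Helper for the tests: drop one exact 'set' line from a listing."""
    return text.replace(line + "\n", "")


if __name__ == "__main__":
    for finding in lint_zones(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

    Running it against the thread's config reports only the fe-0/0/7.0 line; removing that line gives a clean result, and removing the vlan.0 zone membership instead reports the VLAN's l3-interface as unzoned, which would leave the workstation's traffic with no zone to enter.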



  • 7.  RE: Workstation cannot reach the internet via SRX

    Posted 01-30-2014 23:42

    Hi,

    Under "set system services dhcp pool" you must set "propagate-settings vlan.0", the interface from which to propagate DHCP settings.

    Also try putting "host-inbound-traffic protocols all" under "security zones security-zone trust interfaces vlan.0".

    For a test, ping from the SRX vlan interface:

    ping 8.8.8.8 interface vlan.0



  • 8.  RE: Workstation cannot reach the internet via SRX

    Posted 01-31-2014 06:33

    It's working now. I am able to reach the internet; not sure what was going on. I checked the flow sessions again and saw various sessions being established to the internet. Thank you all for your help.



  • 9.  RE: Workstation cannot reach the internet via SRX

     
    Posted 01-31-2014 12:34

    Happy to know that 🙂, you are welcome!