Good time of day everyone,
I've stumbled upon an issue which bugs me for 2 days -
My ISP provided me with a gateway, that is on a different subnet, than my WAN IP. Previously I've used CentOS with iptables and didn't experience any issues, but with SRX210H I always get no route to host, when I try to ping outside world.
Below is the config of my device. I've tried to add default gateway with resolve, through WAN ip, but still no luck.
Bit new to Junos and will greatly appreciate if you point me in the right direction, where I did mistake.
Let's say my WAN IP is 78.4.230.120/30 and gateway is 194.85.128.10
version 12.1R1.9;
system {
host-name gw-02;
root-authentication {
encrypted-password "xxxx";
}
name-server {
8.8.8.8;
8.8.4.4;
}
services {
ssh;
telnet;
web-management {
http;
}
dhcp {
maximum-lease-time 86400;
default-lease-time 86400;
name-server {
10.1.232.11;
8.8.8.8;
}
pool 10.2.232.0/24 {
address-range low 10.2.232.50 high 10.2.232.200;
router {
10.2.232.1;
}
server-identifier 10.2.232.1;
}
propagate-settings ge-0/0/0;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.2.232.1/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 78.4.230.120/30;
}
}
}
st0 {
unit 0 {
family inet;
family inet6;
}
}
}
routing-options {
static {
route 10.1.232.0/24 next-hop st0.0;
route 0.0.0.0/0 {
next-hop 194.85.128.10;
resolve;
}
route 194.85.128.0/24 next-hop 78.4.230.120/30;
}
}
protocols {
rip {
group beeline {
neighbor fe-0/0/7.0;
}
}
}
policy-options {
policy-statement advertise-rip-routes {
term from-direct {
from protocol direct;
then accept;
}
term from-rip {
from protocol rip;
then accept;
}
}
}
security {
ike {
proposal ike_porposal1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 36000;
}
policy ike_pol_dc_vpn {
mode main;
proposals ike_porposal1;
pre-shared-key ascii-text "xxxx";
}
policy ike_pol_wizard_dyn_vpn {
mode aggressive;
proposal-set compatible;
pre-shared-key ascii-text "xxxx";
}
gateway gw_dc_vpn {
ike-policy ike_pol_dc_vpn;
address x.x.x.x;
local-identity inet 78.4.230.120;
external-interface fe-0/0/7.0;
}
gateway gw_wizard_dyn_vpn {
ike-policy ike_pol_wizard_dyn_vpn;
dynamic {
hostname gw-02;
connections-limit 50;
ike-user-type group-ike-id;
}
dead-peer-detection;
external-interface fe-0/0/7.0;
xauth access-profile remote_access_profile;
}
}
ipsec {
proposal ipsec_proposal2 {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 36000;
}
policy ipsec_pol_dc_vpn {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec_proposal2;
}
policy ipsec_pol_wizard_dyn_vpn {
perfect-forward-secrecy {
keys group2;
}
proposal-set compatible;
}
vpn dc_vpn {
bind-interface st0.0;
ike {
gateway gw_dc_vpn;
ipsec-policy ipsec_pol_dc_vpn;
}
establish-tunnels immediately;
}
vpn wizard_dyn_vpn {
ike {
gateway gw_wizard_dyn_vpn;
ipsec-policy ipsec_pol_wizard_dyn_vpn;
}
}
}
dynamic-vpn {
access-profile remote_access_profile;
clients {
wizard-dyn-group {
remote-protected-resources {
10.2.232.0/24;
}
ipsec-vpn wizard_dyn_vpn;
user {
client0;
client1;
}
}
}
}
nat {
source {
rule-set interface-nat {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 10.2.232.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust_any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy policy_out_dc_vpn {
match {
source-address addr_10_2_232_0_24;
destination-address addr_10_1_232_0_24;
application any;
}
then {
permit;
}
}
policy policy_in_dc_vpn {
match {
source-address addr_10_1_232_0_24;
destination-address addr_10_2_232_0_24;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy untrust_any {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy ike_untrust {
match {
source-address any;
destination-address any;
application [ junos-ike junos-ike-nat junos-ssh ];
}
then {
permit;
}
}
policy policy_in_wizard_dyn_vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn wizard_dyn_vpn;
}
}
}
}
}
}
zones {
security-zone trust {
address-book {
address addr_10_2_232_0_24 10.2.232.0/24;
address addr_10_1_232_0_24 10.1.232.0/24;
}
host-inbound-traffic {
system-services {
telnet;
ssh;
http;
ping;
all;
ike;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
st0.0 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
telnet;
ssh;
http;
ping;
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/7.0;
}
}
}
}
access {
profile remote_access_profile {
client client0 {
firewall-user {
password "xx";
}
}
client client1 {
firewall-user {
password "xxx";
}
}
address-assignment {
pool dyn-vpn-address-pool;
}
}
address-assignment {
pool dyn-vpn-address-pool {
family inet {
network 16.17.18.0/24;
xauth-attributes {
primary-dns 8.8.8.8/32;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile remote_access_profile;
}
}
Thank's in advance for reply.