Junos OS

 View Only
last person joined: 4 days ago 

Ask questions and share experiences about Junos OS.
  • 1.  SRX300 is unable to access internet after untrust zone is configured as static IP

    Posted 05-08-2024 02:16

    Hi all,

    I am new to Juniper. The trust zone of my SRX300 is able to access internet if I configure my SRX for untrust zone to be as dynamic IP from ISP. However, if I configure untrust zone as static IP, the trust zone is unable to access internet. Do not know whether there are any wrong configurations that are set on my SRX300.

    Much appreciative if there is someone who can help.

    Here is some information for my SRX300.

    I configure ge-0/0/0 for untrust zone and IP is set as static IP. IP address is 122.147.169.20/24. Gateway is 122.147.169.254.

    The IP of SRX itself is 10.10.10.1. The range of trust zone's IP is from 10.10.10.2 to 10.10.10.254.

    The below is my configuration.

     
    ## Last changed: 2024-05-08 11:14:59 UTC
    version 19.4R3-S1.3;
    system {
        host-name 300;
        root-authentication {
            encrypted-password "$6$J8Q9Q0AM$vedZ.FOfoNqcfA319yAnjJXH2BkuxbXZDJ7aMj2xTsEumr0/Pvh.moGhncI60HwN1VRnNpBZBI28ZBFy5Sqa.1";
        }
        services {
            ssh;
            netconf {
                ssh;
            }
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.0;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        time-zone UTC;
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 122.147.169.20/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 10.10.10.1/24;
                }
            }
        }
    }
    access {
        address-assignment {
            pool junosDHCPPool {
                family inet {
                    network 10.10.10.0/24;
                    range junosDHCPPool_range {
                        low 10.10.10.2;
                        high 10.10.10.254;
                    }
                    dhcp-attributes {
                        router {
                            10.10.10.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 122.147.169.1;
        }
    }



    ------------------------------
    Tokumasa Sanada
    ------------------------------


  • 2.  RE: SRX300 is unable to access internet after untrust zone is configured as static IP

    Posted 05-09-2024 04:08

    Firstly, be very careful with logging an "any any any" policy, you will kill the SRX's disks.

    Either consider using a more specific policy, or use syslog instead of local logging.

    The other thing is, you've got the untrust zone configured to use interface ge-0/0/7, but you've statically configured ge-0/0/0, so it will fail.

    security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;

    The reason it worked with DHCP, is because ge-0/0/7 would've gotten the IP from the ISP, not ge-0/0/0.

    Simply move the configuration from ge-0/0/0, to ge-0/0/7, or place ge-0/0/0 in the untrust zone too.



    ------------------------------
    ANDREY LEO
    ------------------------------



  • 3.  RE: SRX300 is unable to access internet after untrust zone is configured as static IP

    Posted 05-09-2024 23:19

    Hi ANDREYLEO,

    I had move ge-0/0/0 to untrust zone but the result is still same.



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 4.  RE: SRX300 is unable to access internet after untrust zone is configured as static IP

    Posted 05-10-2024 05:44

    How are you testing internet connectivity?

    I would say check the ARP of the internet-facing interface first to see if you're even getting anything from your default gateway.

    show arp no-resolve interface ge-0/0/7.0

    Also, can you confirm the current configuration when you make changes, as quite a few have been made now.

    show configuration | display set | no-more

    You may just have an ISP that doesn't allow static IPs. In this case, you can only have access to their network once they exchange DHCP details.

    How are you connected to your ISP, have they just provided you a cable to connect to, or is there another router/modem after your firewall?

    Is this a business circuit?

    You might want to do some more forensic testing.

    First, create a policy that matches the exact source-address and destination addresses you'll be using in a test.

    Perhaps use 10.10.10.2 as the source address (use whichever source address your trust host has), and something like 8.8.8.8 as the destination.

    set security address-book trust address 10.10.10.2/32 10.10.10.2/32
    set security address-book trust attach zone trust
    set security address-book untrust address 8.8.8.8/32 8.8.8.8/32
    set security address-book untrust attach zone untrust
     
    set security policies from-zone trust to-zone untrust policy trust-to-google-dns match source-address 10.10.10.2/32
    set security policies from-zone trust to-zone untrust policy trust-to-google-dns match destination-address 8.8.8.8/32
    set security policies from-zone trust to-zone untrust policy trust-to-google-dns match application any
    set security policies from-zone trust to-zone untrust policy trust-to-google-dns then permit
    set security policies from-zone trust to-zone untrust policy trust-to-google-dns then count
    insert security policies from-zone trust to-zone untrust policy trust-to-google-dns before policy trust-to-untrust

    Check the config, commit it, then exit configuration mode.

    Then start a ping to 8.8.8.8 from the trust host.

    First check to see if the policy is being hit

    show security policies from-zone trust to-zone untrust hit-count 

    or

    show security policies from-zone trust to-zone untrust policy-name trust-to-google-dns detail

    Next, whilst the ping is still running and if the policy IS being hit, check the active flows:

    show security flow session destination-prefix 8.8.8.8/32

    You should at least see packets in the outgoing direction.

    Finally, check that your NAT rule is being hit correctly.

    Run the following command:

    show security nat source rule trust-to-untrust

    In addition, make sure there is only one interface in the untrust zone at a time if you're using then source-nat interface.

    If you have an ARP for your gateway, you see your policy is being hit, your NAT rule is being hit and the flows show one way traffic, then the issue is likely beyond the SRX.

    Please paste the results of all tests so that we can have a full picture of the troubleshooting steps.



    ------------------------------
    ANDREY LEO
    ------------------------------



  • 5.  RE: SRX300 is unable to access internet after untrust zone is configured as static IP

    Posted 05-14-2024 05:13

    Hi ANDREY,

    The issue was solved by adding name-server to DHCP attributes.

    Thanks.



    ------------------------------
    Tokumasa Sanada
    ------------------------------