The gateway and DNS settings cannot be checked on my PC itself. They can only be checked from another network device.
Anyway, the issue was solved.
Thank you.
Original Message:
Sent: 05-10-2024 09:21
From: Nikolay Semov
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
I meant check the IP config on the PC to double-check my suspicion. On Windows, for example, you can open command prompt and say ipconfig /all to check what address, gateway, and DNS the computer has configured.
------------------------------
Nikolay Semov
Original Message:
Sent: 05-10-2024 06:25
From: Tokumasa Sanada
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Hi Nikolay,
Thank you for the assistance.
After the IP of name-server is added, the PC is able to access internet.
However, I would like to confirm what you mean by "You can verify this by examining the active IP configuration on the endpoint".
------------------------------
Tokumasa Sanada
Original Message:
Sent: 05-10-2024 00:10
From: Nikolay Semov
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Your internal client machine at 10.10.10.2 is not getting any DNS server information. You can verify this by examining the active IP configuration on the endpoint.
Because ge-0/0/0.0 has a static IP address, it has no settings it can propagate downstream to your clients. So, instead of propagate-settings, you can add name-server under dhcp-attributes.
------------------------------
Nikolay Semov
Original Message:
Sent: 05-09-2024 23:15
From: Tokumasa Sanada
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Hi Nikolay,
Below are my configuration and the information you asked for.
Thanks for the assistance.
## Last changed: 2024-05-10 10:40:32 UTC
version 20200609.165031.6_builder.r1115480;
## System-level settings: root credential, management services, the DHCP server binding, the device's own resolvers, and local logging.
system {
host-name 300;
root-authentication {
## The "$6$" prefix marks a SHA-512 crypt hash of the root password.
## NOTE(review): this hash appears unredacted on a public thread. Treat the root password as exposed to offline guessing, change it, and mask the hash before sharing a configuration.
encrypted-password "$6$7afJ0nYU$6u/giqzQruSPgvpcmodxrqcVlviIHPucJ6MsgXlT/w7zMt3WyCGsdAVU0ejSyqpaPZDyJaknvwDGevD.SM6qU1";
}
services {
## SSH CLI access and NETCONF over SSH are enabled; no further options are set for either in this stanza.
ssh;
netconf {
ssh;
}
## The local DHCP server answers on irb.0.
dhcp-local-server {
group jdhcp-group {
interface irb.0;
}
}
## J-Web over HTTPS using the self-signed, system-generated certificate. No interface restriction is set here, so which zones can reach it is decided by host-inbound-traffic under security zones.
web-management {
https {
system-generated-certificate;
}
}
}
time-zone UTC;
## Resolvers used by the SRX itself. They are not handed to DHCP clients; the pool's dhcp-attributes decide what clients receive.
name-server {
8.8.8.8;
8.8.4.4;
}
syslog {
## Only local targets (users and files) are configured; no remote log host appears in this stanza.
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
## Records commands entered at the CLI.
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
## Firewall behaviour: screen profile, source NAT, inter-zone policies, and what each zone may send to the SRX itself.
security {
screen {
## Screen profile; it is attached to the untrust zone further down with "screen untrust-screen".
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
## Every trust-to-untrust flow (source 0.0.0.0/0) is translated to the address of the egress interface.
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
## Intra-zone trust traffic: permit everything.
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## Outbound traffic: permit everything and log both session start and session close.
## NOTE(review): no from-zone untrust policy is defined in this stanza; inbound transit traffic presumably falls to the default policy. Confirm with "show security policies".
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
}
zones {
## Trust zone: hosts behind irb.0 may reach every system service and protocol on the SRX.
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
## host-inbound-traffic lists the services the SRX itself accepts on this interface.
## NOTE(review): ge-0/0/0 carries the static public address, so "https" here makes the J-Web login reachable from the Internet side. "dhcp" and "tftp" match the list on ge-0/0/7.0 and appear unneeded on a statically addressed interface. Consider limiting management access to the trust zone.
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
https;
}
}
}
## The DHCP-client interface accepts dhcp and tftp only.
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
## Interface layout: ge-0/0/0 is the statically addressed uplink, ge-0/0/1 through ge-0/0/6 are switch ports in vlan-trust, ge-0/0/7 is a DHCP client, and irb is the trust-side gateway.
interfaces {
## Static public address; the zones stanza of this configuration places ge-0/0/0.0 in untrust.
ge-0/0/0 {
unit 0 {
family inet {
address 122.147.169.20/24;
}
}
}
## ge-0/0/1 to ge-0/0/6: Layer 2 ports, all members of vlan-trust.
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
## DHCP client; update-server passes the options learned from the upstream DHCP server to the local DHCP server.
ge-0/0/7 {
unit 0 {
family inet {
dhcp {
update-server;
}
}
}
}
## Routed interface for vlan-trust; 10.10.10.1 is the gateway address given to DHCP clients.
irb {
unit 0 {
family inet {
address 10.10.10.1/24;
}
}
}
}
## DHCP address pool for trust-side clients on 10.10.10.0/24.
access {
address-assignment {
pool junosDHCPPool {
family inet {
network 10.10.10.0/24;
range junosDHCPPool_range {
low 10.10.10.2;
high 10.10.10.254;
}
dhcp-attributes {
## Default gateway handed to clients: the irb.0 address.
router {
10.10.10.1;
}
## Relays settings learned on ge-0/0/0.0 to clients. ge-0/0/0 has a static address in this configuration, so there is nothing to relay, and no name-server is set here. Per the thread, clients therefore receive no DNS server until name-server is added under dhcp-attributes.
propagate-settings ge-0/0/0.0;
}
}
}
}
}
## Single VLAN for the trust-side switch ports; irb.0 is its Layer 3 interface.
vlans {
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
## Layer 2 settings: switching mode for L2 learning, and RSTP enabled on all interfaces.
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
## Static default route toward 122.147.169.254, the gateway the poster gives for the ge-0/0/0 uplink.
routing-options {
static {
route 0.0.0.0/0 next-hop 122.147.169.254;
}
}
show route
show arp no-resolve
ping 8.8.8.8
show security policies hit-count
------------------------------
Tokumasa Sanada
Original Message:
Sent: 05-09-2024 00:15
From: Nikolay Semov
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Please share the latest, most up-to-date configuration you have running.
Also helpful, the output of:
show route
show arp no-resolve
ping 8.8.8.8
show security policies hit-count
------------------------------
Nikolay Semov
Original Message:
Sent: 05-08-2024 23:56
From: Tokumasa Sanada
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Hi,
I changed it to 122.147.169.254. The result is still the same.
------------------------------
Tokumasa Sanada
Original Message:
Sent: 05-08-2024 23:09
From: bkamen
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Look at your "default gateway" -- You want 122.147.169.254 not 122.147.169.1
routing-options { static { route 0.0.0.0/0 next-hop 122.147.169.1; }}
------------------------------
Ben Kamen
Original Message:
Sent: 05-08-2024 23:04
From: Tokumasa Sanada
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Hi Nikolay,
I added ge-0/0/0 to untrust zone. Trust zone is still unable to access internet.
------------------------------
Tokumasa Sanada
Original Message:
Sent: 05-08-2024 10:38
From: Nikolay Semov
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Add ge-0/0/0 to security-zone untrust.
------------------------------
Nikolay Semov
Original Message:
Sent: 05-08-2024 02:16
From: Tokumasa Sanada
Subject: SRX300 is unable to access internet after untrust zone is configured as static IP
Hi all,
I am new to Juniper. The trust zone of my SRX300 can access the internet when the untrust-zone interface gets a dynamic IP from the ISP. However, when I configure the untrust-zone interface with a static IP, the trust zone cannot access the internet. I do not know whether something is configured incorrectly on my SRX300.
I would much appreciate it if someone could help.
Here is some information for my SRX300.
I configure ge-0/0/0 for untrust zone and IP is set as static IP. IP address is 122.147.169.20/24. Gateway is 122.147.169.254.
The IP of SRX itself is 10.10.10.1. The range of trust zone's IP is from 10.10.10.2 to 10.10.10.254.
The below is my configuration.
## Last changed: 2024-05-08 11:14:59 UTC
version 19.4R3-S1.3;
## System-level settings: root credential, management services, the DHCP server binding, the device's own resolvers, and local logging.
system {
host-name 300;
root-authentication {
## The "$6$" prefix marks a SHA-512 crypt hash of the root password.
## NOTE(review): this hash appears unredacted on a public thread. Treat the root password as exposed to offline guessing, change it, and mask the hash before sharing a configuration.
encrypted-password "$6$J8Q9Q0AM$vedZ.FOfoNqcfA319yAnjJXH2BkuxbXZDJ7aMj2xTsEumr0/Pvh.moGhncI60HwN1VRnNpBZBI28ZBFy5Sqa.1";
}
services {
## SSH CLI access and NETCONF over SSH are enabled; no further options are set for either in this stanza.
ssh;
netconf {
ssh;
}
## The local DHCP server answers on irb.0.
dhcp-local-server {
group jdhcp-group {
interface irb.0;
}
}
## J-Web over HTTPS using the self-signed, system-generated certificate. No interface restriction is set here, so which zones can reach it is decided by host-inbound-traffic under security zones.
web-management {
https {
system-generated-certificate;
}
}
}
time-zone UTC;
## Resolvers used by the SRX itself. They are not handed to DHCP clients; the pool's dhcp-attributes decide what clients receive.
name-server {
8.8.8.8;
8.8.4.4;
}
syslog {
## Only local targets (users and files) are configured; no remote log host appears in this stanza.
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
## Records commands entered at the CLI.
file interactive-commands {
interactive-commands any;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
## The autoupdate stanza is empty in this posting (no url line).
autoupdate {
}
}
}
## Firewall behaviour: screen profile, source NAT, inter-zone policies, and what each zone may send to the SRX itself.
security {
screen {
## Screen profile; it is attached to the untrust zone further down with "screen untrust-screen".
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
## Every trust-to-untrust flow (source 0.0.0.0/0) is translated to the address of the egress interface.
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
## Intra-zone trust traffic: permit everything.
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## Outbound traffic: permit everything and log both session start and session close.
## NOTE(review): no from-zone untrust policy is defined in this stanza; inbound transit traffic presumably falls to the default policy. Confirm with "show security policies".
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
}
zones {
## Trust zone: hosts behind irb.0 may reach every system service and protocol on the SRX.
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
## Only ge-0/0/7.0 is a member of untrust here. ge-0/0/0.0, which holds the static address, is not listed in any zone in this posting; the first reply in the thread was to add it to untrust.
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
}
## Interface layout: ge-0/0/0 is the statically addressed uplink, ge-0/0/1 through ge-0/0/6 are switch ports in vlan-trust, ge-0/0/7 is a DHCP client, and irb is the trust-side gateway.
interfaces {
## Static public address. In this posting ge-0/0/0.0 is not assigned to any security zone.
ge-0/0/0 {
unit 0 {
family inet {
address 122.147.169.20/24;
}
}
}
## ge-0/0/1 to ge-0/0/6: Layer 2 ports, all members of vlan-trust.
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
## DHCP client; update-server passes the options learned from the upstream DHCP server to the local DHCP server.
ge-0/0/7 {
unit 0 {
family inet {
dhcp {
update-server;
}
}
}
}
## Routed interface for vlan-trust; 10.10.10.1 is the gateway address given to DHCP clients.
irb {
unit 0 {
family inet {
address 10.10.10.1/24;
}
}
}
}
## DHCP address pool for trust-side clients on 10.10.10.0/24.
access {
address-assignment {
pool junosDHCPPool {
family inet {
network 10.10.10.0/24;
range junosDHCPPool_range {
low 10.10.10.2;
high 10.10.10.254;
}
dhcp-attributes {
## Default gateway handed to clients: the irb.0 address.
router {
10.10.10.1;
}
## Relays settings learned on ge-0/0/0.0 to clients. ge-0/0/0 has a static address in this configuration, so there is nothing to relay, and no name-server is set here. Per the thread, clients therefore receive no DNS server until name-server is added under dhcp-attributes.
propagate-settings ge-0/0/0.0;
}
}
}
}
}
## Single VLAN for the trust-side switch ports; irb.0 is its Layer 3 interface.
vlans {
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
## Layer 2 settings: switching mode for L2 learning, and RSTP enabled on all interfaces.
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
## Static default route. The next hop here is 122.147.169.1, while the poster gives 122.147.169.254 as the gateway; a reply in the thread points out this mismatch.
routing-options {
static {
route 0.0.0.0/0 next-hop 122.147.169.1;
}
}
------------------------------
Tokumasa Sanada
------------------------------