vSRX - configuration issues.

View Only

last person joined: 4 days ago

Securing your network and related platform configuration and troubleshooting with Juniper security technologies including Advance Threat Prevention, Cloud-Based Management Services, Cloud-delivered Security, Cloud Workload Protection, DDoS, Juniper Secure and other solutions.

Back to discussions

Expand all | Collapse all

vSRX - configuration issues.

1. vSRX - configuration issues.

Recommend

PATRYK MICHNO

Posted 07-21-2022 09:50

Hi Guys,

I am new in junipers. I have my home lab with Eve ng + vSRX.

I wanted to deploy some tests and seems I something do not work as expected.

this is my lab schema:

my vSRX configuration:

groups {
    band-config {
        interfaces {
            ge-0/0/1 {
                unit <*>;
            }
        }
    }
}
system {
    host-name juniper1.core;
    root-authentication {
        encrypted-password "$6$aQBfcfum$upB6GogFCmc9UfQAyIQDYGdR4CLjlMPBRUNPfp/RSVKKa2a0me30iA2zLEZYPXNL621.Mo5klfvCkD6FrN5Z6/"; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
            protocol-version v2;
            port 22;
        }
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
        }
    }
    name-server {
        8.8.8.8;
    }
    syslog {
        file interactive-commands {
            interactive-commands any;
        }
        file messages {
            any any;
            authorization info;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    policies {
        global {
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    from-zone Servers;
                    to-zone Internet;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internet {
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
        security-zone Servers {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        speed 100m;
        unit 0 {
            family inet {
                address 192.168.45.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.20.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.44.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 93.42.40.1/8;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 93.42.50.1/8;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.178.151/24;
            }
        }
    }
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 192.168.178.150/24;
            }
        }
    }
}
routing-options {
    rib inet.0 {
        static {
            route 0.0.0.0/0 next-hop 192.168.178.1;
        }
    }
    static {
        route 192.168.44.0/24 next-hop 192.168.44.10;
        route 192.168.45.0/24 next-hop 192.168.178.1;
        route 0.0.0.0/0 next-hop 192.168.178.1;
    }
}

Problem is I can't ping internet via vSRX. From the machines I can ping default gateway but I can't ping for example 8.8.8.8 from the machine via vSRX.

I am not sure if I did something bad in the configuration? Can you maybe guys check? I would really appreaciate that.

Patryk

------------------------------
PATRYK MICHNO
------------------------------

2. RE: vSRX - configuration issues.

Recommend

spuluka

Posted 07-21-2022 10:19

Since you are not doing any source nat on the vSRX do you have the return routes for your device subnets configured on the home router pointed back to the vSRX 192.168.178.150?

And does the nat policy on the home router cover these other subnets when forwarded to the internet?

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------

Original Message

Original Message:
Sent: 07-21-2022 08:52
From: PATRYK MICHNO
Subject: vSRX - configuration issues.

Hi Guys,

I am new in junipers. I have my home lab with Eve ng + vSRX.

I wanted to deploy some tests and seems I something do not work as expected.

this is my lab schema:

my vSRX configuration:

groups {    band-config {        interfaces {            ge-0/0/1 {                unit <*>;            }        }    }}system {    host-name juniper1.core;    root-authentication {        encrypted-password "$6$aQBfcfum$upB6GogFCmc9UfQAyIQDYGdR4CLjlMPBRUNPfp/RSVKKa2a0me30iA2zLEZYPXNL621.Mo5klfvCkD6FrN5Z6/"; ## SECRET-DATA    }    services {        ssh {            root-login allow;            protocol-version v2;            port 22;        }        web-management {            http {                interface [ fxp0.0 ge-0/0/0.0 ];            }            https {                system-generated-certificate;                interface [ fxp0.0 ge-0/0/0.0 ];            }        }    }    name-server {        8.8.8.8;    }    syslog {        file interactive-commands {            interactive-commands any;        }        file messages {            any any;            authorization info;        }    }    license {        autoupdate {            url https://ae1.juniper.net/junos/key_retrieval;        }    }}security {    policies {        global {            policy internet-access {                match {                    source-address any;                    destination-address any;                    application any;                    from-zone Servers;                    to-zone Internet;                }                then {                    permit;                }            }        }    }    zones {        security-zone Internet {            host-inbound-traffic {                system-services {                    ssh;                    ping;                }            }            interfaces {                ge-0/0/5.0;            }        }        security-zone Servers {            host-inbound-traffic {                system-services {                    ping;                    ssh;                }            }            interfaces {                ge-0/0/3.0 {                    host-inbound-traffic {                        system-services {                            ping;                            ssh;                        }                    }                }                ge-0/0/4.0 {                    host-inbound-traffic {                        system-services {                            ping;                            ssh;                        }                    }                }                ge-0/0/0.0 {                    host-inbound-traffic {                        system-services {                            ping;                            ssh;                        }                    }                }            }        }    }}interfaces {    ge-0/0/0 {        speed 100m;        unit 0 {            family inet {                address 192.168.45.1/24;            }        }    }    ge-0/0/1 {        unit 0 {            family inet {                address 192.168.20.1/24;            }        }    }    ge-0/0/2 {        unit 0 {            family inet {                address 192.168.44.1/24;            }        }    }    ge-0/0/3 {        unit 0 {            family inet {                address 93.42.40.1/8;            }        }    }    ge-0/0/4 {        unit 0 {            family inet {                address 93.42.50.1/8;            }        }    }    ge-0/0/5 {        unit 0 {            family inet {                address 192.168.178.151/24;            }        }    }    fxp0 {        disable;        unit 0 {            family inet {                address 192.168.178.150/24;            }        }    }}routing-options {    rib inet.0 {        static {            route 0.0.0.0/0 next-hop 192.168.178.1;        }    }    static {        route 192.168.44.0/24 next-hop 192.168.44.10;        route 192.168.45.0/24 next-hop 192.168.178.1;        route 0.0.0.0/0 next-hop 192.168.178.1;    }}

Problem is I can't ping internet via vSRX. From the machines I can ping default gateway but I can't ping for example 8.8.8.8 from the machine via vSRX.

I am not sure if I did something bad in the configuration? Can you maybe guys check? I would really appreaciate that.

Patryk

------------------------------
PATRYK MICHNO
------------------------------

3. RE: vSRX - configuration issues.

Recommend

PATRYK MICHNO

Posted 07-21-2022 10:27

Thanks, you actually point out something which I did not think threw.

I want those pulbic ips 93.0.0.0/8 subnet. If I activate NAT it should work with the security zone I did?

something like that :

 nat {
        source {
            rule-set trust-to-untrust {
                from zone Servers;
                to zone Internet;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

------------------------------
PATRYK MICHNO
------------------------------

Original Message

Original Message:
Sent: 07-21-2022 10:18
From: STEVE PULUKA
Subject: vSRX - configuration issues.

Since you are not doing any source nat on the vSRX do you have the return routes for your device subnets configured on the home router pointed back to the vSRX 192.168.178.150?

And does the nat policy on the home router cover these other subnets when forwarded to the internet?

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 07-21-2022 08:52
From: PATRYK MICHNO
Subject: vSRX - configuration issues.

Hi Guys,

I am new in junipers. I have my home lab with Eve ng + vSRX.

I wanted to deploy some tests and seems I something do not work as expected.

this is my lab schema:

my vSRX configuration:

groups {    band-config {        interfaces {            ge-0/0/1 {                unit <*>;            }        }    }}system {    host-name juniper1.core;    root-authentication {        encrypted-password "$6$aQBfcfum$upB6GogFCmc9UfQAyIQDYGdR4CLjlMPBRUNPfp/RSVKKa2a0me30iA2zLEZYPXNL621.Mo5klfvCkD6FrN5Z6/"; ## SECRET-DATA    }    services {        ssh {            root-login allow;            protocol-version v2;            port 22;        }        web-management {            http {                interface [ fxp0.0 ge-0/0/0.0 ];            }            https {                system-generated-certificate;                interface [ fxp0.0 ge-0/0/0.0 ];            }        }    }    name-server {        8.8.8.8;    }    syslog {        file interactive-commands {            interactive-commands any;        }        file messages {            any any;            authorization info;        }    }    license {        autoupdate {            url https://ae1.juniper.net/junos/key_retrieval;        }    }}security {    policies {        global {            policy internet-access {                match {                    source-address any;                    destination-address any;                    application any;                    from-zone Servers;                    to-zone Internet;                }                then {                    permit;                }            }        }    }    zones {        security-zone Internet {            host-inbound-traffic {                system-services {                    ssh;                    ping;                }            }            interfaces {                ge-0/0/5.0;            }        }        security-zone Servers {            host-inbound-traffic {                system-services {                    ping;                    ssh;                }            }            interfaces {                ge-0/0/3.0 {                    host-inbound-traffic {                        system-services {                            ping;                            ssh;                        }                    }                }                ge-0/0/4.0 {                    host-inbound-traffic {                        system-services {                            ping;                            ssh;                        }                    }                }                ge-0/0/0.0 {                    host-inbound-traffic {                        system-services {                            ping;                            ssh;                        }                    }                }            }        }    }}interfaces {    ge-0/0/0 {        speed 100m;        unit 0 {            family inet {                address 192.168.45.1/24;            }        }    }    ge-0/0/1 {        unit 0 {            family inet {                address 192.168.20.1/24;            }        }    }    ge-0/0/2 {        unit 0 {            family inet {                address 192.168.44.1/24;            }        }    }    ge-0/0/3 {        unit 0 {            family inet {                address 93.42.40.1/8;            }        }    }    ge-0/0/4 {        unit 0 {            family inet {                address 93.42.50.1/8;            }        }    }    ge-0/0/5 {        unit 0 {            family inet {                address 192.168.178.151/24;            }        }    }    fxp0 {        disable;        unit 0 {            family inet {                address 192.168.178.150/24;            }        }    }}routing-options {    rib inet.0 {        static {            route 0.0.0.0/0 next-hop 192.168.178.1;        }    }    static {        route 192.168.44.0/24 next-hop 192.168.44.10;        route 192.168.45.0/24 next-hop 192.168.178.1;        route 0.0.0.0/0 next-hop 192.168.178.1;    }}

Problem is I can't ping internet via vSRX. From the machines I can ping default gateway but I can't ping for example 8.8.8.8 from the machine via vSRX.

I am not sure if I did something bad in the configuration? Can you maybe guys check? I would really appreaciate that.

Patryk

------------------------------
PATRYK MICHNO
------------------------------

Security

vSRX - configuration issues.

PATRYK MICHNO07-21-2022 09:50

spuluka07-21-2022 10:19

PATRYK MICHNO07-21-2022 10:27

1. vSRX - configuration issues.

2. RE: vSRX - configuration issues.

3. RE: vSRX - configuration issues.