Happy New Year to all,
Can anyone help? Here is my config file. I am still not able to ping out.
## Last changed: 2022-12-30 19:49:59 EST
version 22.3R1.11;
## Configuration group holding per-node settings. No apply-groups statement is
## visible in this paste, so it is unclear whether the group is inherited at all.
groups {
## NOTE(review): "noded;" has no body and is followed by node0; it looks like a
## paste artifact. Confirm against the device.
noded;
node0 {
system {
## 192.168.1.1 is also the address configured on this device's own fxp0.0 (see
## interfaces), so this backup router points at the box itself. Verify.
backup-router 192.168.1.1 destination [ 128.0.0.0/1 192.100.0.0/16 ];
}
}
}
## System-level settings: hostname, local accounts, management services, DNS,
## syslog, licensing, NTP and phone-home.
system {
host-name gw3;
root-authentication {
## Credential material was redacted by the poster (placeholder text, brace fused
## onto the same line).
Xxxxx }
login {
user xxxxxxx {
uid 2002;
class super-user;
authentication {
## Redacted by the poster.
xxxxxxxx }
}
}
services {
ssh {
## Direct root login over SSH is permitted. The trust zone below accepts all
## system services, so this is reachable from every trust interface. Prefer
## "root-login deny" and log in with the named super-user account instead.
root-login allow;
}
netconf {
ssh;
}
dhcp-local-server {
group jdhcp-group {
interface fxp0.0;
interface irb.0;
}
}
web-management {
http {
## Clear-text J-Web is bound to a list that includes ge-0/0/0.0, which is
## described as "Internet" and sits in the untrust zone. vlan.0 is not defined
## under interfaces in this config (irb.0 is used instead). For a hardened
## setup, drop http and restrict management to trust/fxp0.
interface [ vlan.0 ge-0/0/0.0 ge-0/0/7.0 fxp0.0 ];
}
https {
## No interface list here, so HTTPS J-Web is presumably not limited to specific
## interfaces; ge-0/0/0.0 also allows https in its host-inbound-traffic.
## Confirm whether Internet-facing management is intended.
system-generated-certificate;
}
session {
## NOTE(review): idle-timeout is in minutes per Junos documentation, so 1440
## would be 24 hours. Confirm, and shorten for an admin UI.
idle-timeout 1440;
session-limit 7;
}
}
}
## Same self-referencing next hop as in the node0 group (192.168.1.1 is fxp0.0);
## the two destinations together cover all of IPv4.
backup-router 192.168.1.1 destination [ 0.0.0.0/1 128.0.0.0/1 ];
time-zone America/New_York;
name-server {
69.13.54.137;
69.13.54.138;
8.8.8.8;
8.8.4.4;
}
## Logging is local only: no remote "host" target is configured, and the archive
## is limited to 3 files of 100k, so authorization and interactive-command
## records rotate out quickly and exist only on the device.
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
## The URL statement is wrapped across two lines in this paste.
url
https://ae1.juniper.net/junos/key_retrieval;}
}
ntp {
## Both servers are marked "prefer"; no NTP authentication is configured here.
server 132.163.97.5 prefer;
server 128.138.141.177 prefer;
}
## Phone-home (zero-touch provisioning) client; the server statement is wrapped
## across two lines in this paste. Presumably left over from the factory
## default. Remove it if the device is provisioned manually.
phone-home {
server
https://redirect.juniper.net;rfc-compliant;
}
}
## Flow security: screens, inter-zone policies and zone membership.
## No "nat" stanza appears in this paste. The trust networks are 192.168.2.0/24
## and 10.10.20.0/24, so Internet-bound traffic would need source NAT in
## addition to a working default route. Confirm it was not simply omitted.
security {
screen {
## Screen profile referenced by the untrust zone below.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
## Any-to-any outbound permit with no logging configured.
policy our-internet-policy {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
## Explicit deny-all inbound. No "log" action is set, so denied sessions are not
## recorded by this policy.
policy our-deny-policy {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
pre-id-default-policy {
then {
log {
session-close;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
## "all" already includes ssh, so the ssh line is redundant. Every management
## service (including root SSH and clear-text HTTP) is accepted from the trust
## interfaces.
all;
ssh;
}
protocols {
all;
}
}
interfaces {
irb.0;
ge-0/0/7.0;
}
}
security-zone untrust {
screen untrust-screen;
## The zone-level setting allows only ping, but the interface-level
## host-inbound-traffic blocks below take precedence for their interfaces.
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
## Internet-facing interface: dhcp, tftp, https and ping to the device itself
## are accepted. dhcp/tftp look like factory-default provisioning leftovers
## (the interface has a static address), and https exposes the web interface
## to the Internet. Trim to what is actually required.
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
https;
ping;
}
}
}
ge-0/0/15.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
dl0.0 {
host-inbound-traffic {
system-services {
tftp;
}
}
}
}
}
}
}
## Physical and logical interfaces. ge-0/0/0 is the Internet uplink, ge-0/0/7 is
## a routed trust port, ge-0/0/1-6 and ge-0/0/8-14 are switch ports in
## vlan-trust (routed through irb.0), and fxp0 is out-of-band management.
interfaces {
ge-0/0/0 {
unit 0 {
description Internet;
family inet {
## Connected subnet is xxx.182.158.0/24; the static default route's next hop
## (routing-options) has to fall inside this subnet to be usable.
address xxx.182.158.254/24 {
## Firewall web-authentication is enabled on the Internet-facing address,
## including clear-text http (with redirect-to-https set). Confirm this is
## intended on the WAN address.
web-authentication {
http;
https;
redirect-to-https;
}
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
## Routed port placed in the trust zone.
ge-0/0/7 {
unit 0 {
family inet {
address 10.10.20.254/24;
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
## DHCP client port in the untrust zone.
ge-0/0/15 {
unit 0 {
family inet {
dhcp {
vendor-id Juniper-srx345;
}
}
}
}
## cl-1/0/0 and dl0 form a dialer (backup WAN) pair; presumably factory-default
## LTE settings. Remove them if no modem is installed.
cl-1/0/0 {
dialer-options {
pool 1 priority 100;
}
}
dl0 {
unit 0 {
family inet {
negotiate-address;
}
family inet6 {
negotiate-address;
}
dialer-options {
pool 1;
dial-string 1234;
always-on;
}
}
}
fxp0 {
unit 0 {
family inet {
address 192.168.1.1/24 {
web-authentication {
http;
https;
redirect-to-https;
}
}
}
}
}
irb {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
## lo0 is given 192.168.1.2/24, the same subnet as fxp0 (192.168.1.0/24), and
## the address also falls inside the junosDHCPPool1 range. A loopback is
## normally a /32 outside any connected LAN. No input filter is applied to lo0
## in this paste, so the Trusted-Mgm filter defined under firewall is not
## protecting the control plane.
lo0 {
unit 0 {
family inet {
address 192.168.1.2/24;
}
}
}
}
## Stateless filter intended to identify a trusted management source.
## As pasted it has two gaps: the term has a match condition but no "then"
## action (Junos treats a term without an action as accept, and everything not
## matched by any term is discarded), and the filter is not referenced by any
## interface in this config, so it has no effect. If it is later applied to lo0,
## it must also permit the other control-plane traffic the device needs.
firewall {
family inet {
filter Trusted-Mgm {
term Management-IP {
from {
source-address {
197.153.56.212/32;
}
}
}
}
}
}
## Local access profile for firewall web-authentication, plus the DHCP address
## pools served by dhcp-local-server.
access {
profile local {
client echouafnist {
firewall-user {
## The $9$ format is reversible obfuscation, not a one-way hash. Because this
## value was posted publicly together with the client name, treat the
## credential as exposed and change it on the device.
password "$9$U4D.5n6A01hCtvWXxdV.Pf5n/"; ## SECRET-DATA
}
}
address-assignment {
pool junosDHCPPool1;
}
}
address-assignment {
pool junosDHCPPool1 {
family inet {
network 192.168.1.0/24;
range junosRange {
## The range starts at 192.168.1.2, which is the address configured on lo0.0;
## a lease could collide with it.
low 192.168.1.2;
high 192.168.1.254;
}
dhcp-attributes {
router {
192.168.1.1;
}
## NOTE(review): ge-0/0/0.0 has a static address in this config rather than a
## DHCP client, so there may be nothing to propagate from it. Confirm.
propagate-settings ge-0/0/0.0;
}
}
}
pool junosDHCPPool2 {
family inet {
network 192.168.2.0/24;
range junosRange {
low 192.168.2.2;
high 192.168.2.254;
}
dhcp-attributes {
router {
192.168.2.1;
}
propagate-settings ge-0/0/0.0;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile local;
banner {
success "Welcome BB";
}
}
}
}
## Single VLAN for the switched trust ports; irb.0 (192.168.2.1/24) is its
## layer-3 gateway.
vlans {
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
## Layer-2 settings: global switching mode, with RSTP enabled on all interfaces.
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
## Default route for the main routing table (inet.0).
## The next hop xxx.182.144.1 is not inside xxx.182.158.0/24, the only subnet
## configured on ge-0/0/0. A static next hop has to be reachable on a directly
## connected subnet (unless it is resolved through another route), which is
## consistent with the quoted "show route" output containing no 0.0.0.0/0 entry
## and with the "No route to host" error. The original message also quotes the
## next hop as XXX.182.141.1, so check which value is correct.
## The quoted output shows ge-0/0/0.0 in untrust-vr.inet.0, while this paste has
## no routing-instances stanza; if instances are in use, the default route must
## live in, or be shared with, the instance that holds the WAN interface.
routing-options {
static {
route 0.0.0.0/0 next-hop xxx.182.144.1;
}
}
------------------------------
JAY ECHOUAFNI
------------------------------
Original Message:
Sent: 12-29-2022 06:39
From: JAY ECHOUAFNI
Subject: SRX345 No internet access
Hi everyone,
I have been pulling my hair out for 2 days trying to configure an SRX345. I have been using the Netscreen ISG-2000 web interface, and the SRX version 23 J-Web is a whole new ball game.
My issue is that I have a static route set for my untrust WAN interface ge-0/0/0 to my datacenter IP, which is not in my subnet group. But when I ping anything outside my firewall I get "ping: sendto: No route to host".
run show route
inet.0: 3 destinations, 4 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.0/24 *[Direct/0] 1d 04:53:03
> via fxp0.0
[Direct/0] 17:22:54
> via lo0.0
192.168.1.1/32 *[Local/0] 1d 04:53:03
Local via fxp0.0
192.168.1.2/32 *[Local/0] 17:22:54
Local via lo0.0
trust-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.20.0/24 *[Direct/0] 13:44:14
> via ge-0/0/7.0
10.10.20.254/32 *[Local/0] 13:44:14
Local via ge-0/0/7.0
192.168.2.1/32 *[Local/0] 13:44:14
Reject
untrust-vr.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
XXX.182.158.0/24 *[Direct/0] 02:02:57
> via ge-0/0/0.0
XXX.182.158.254/32 *[Local/0] 02:02:57
Local via ge-0/0/0.0
inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
ff02::2/128 *[INET6/0] 1d 04:53:07
MultiRecv
trust-vr.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
ff02::2/128 *[INET6/0] 13:44:16
MultiRecv
untrust-vr.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
fe80::d2dd:490f:fce5:5ac1/128
*[Local/0] 13:44:15
Local via dl0.0
ff02::2/128 *[INET6/0] 13:44:16
MultiRecv
I have my static route 0.0.0.0/0 set to XXX.182.141.1.
On my old ISG-2000 I used to have an untrust-vr. I am not sure whether I need to set up a routing-instance; I did, but it did not help.
If anyone can help, please do.
------------------------------
JAY ECHOUAFNI
------------------------------