SRX

  • 1.  Unable to ping internet from SVI on Juniper SRX320

    Posted 10-12-2022 11:45
    Hi,

    I have a question about pinging out from an SVI to the internet.

    As a relative beginner I set up a test SRX320 and set up NAT on the LAN interface.

    It didn't appear to be working, so I put a laptop onto the sub-interface. I was going to do a traceroute to 8.8.8.8, but I found it worked perfectly and I could browse the internet fine.
    My home network is 192.168.0.x /25 and my ISP router is 192.168.0.1. I set the Juniper ge-0/0/0.0 to 192.168.0.202/24 with a gateway of 192.168.0.1 and it works fine.

    I set up NAT and was testing it with ping 8.8.8.8 source 192.168.10.1 (the LAN interface on ge-0/0/1.0) and it fails to ping 8.8.8.8.
    When I connect a laptop to 192.168.10.1 (IP address 192.168.10.2) to try and fault find where the issue is, I find it can successfully ping 8.8.8.8.

    I've uploaded my config etc. Any help would be appreciated.

    ------------------------------
    John Kinnaird
    ------------------------------

    Attachment(s): Juniper.txt, Juniper from Laptop.txt, Show route forward.rtf


  • 2.  RE: Unable to ping internet from SVI on Juniper SRX320

    Posted 10-12-2022 16:45
    Traffic sourced from the box itself is from the junos-host zone, not trust (as you might expect). You have no NAT rule covering the junos-host zone.

    Also, as is, your config is a bit of a mess style-wise, IMO. You have only a single zone in use and you are writing NAT and security policies from trust to trust, with a disconnected untrust. I mean, what you have will work, it's just not best practice.

    ------------------------------
    David Divins
    ------------------------------



  • 3.  RE: Unable to ping internet from SVI on Juniper SRX320

    Posted 10-15-2022 06:09
    The reason I have the internet zone as trusted is to allow me to ssh onto the router. The internet port connects to my home network and through that to the internet.

    Happy to change to console access to test if required, but that's not an ideal permanent fix. This is purely a test / learning device.

    I spent quite a bit of time trying to fault find why NAT wasn't working; it was only when I added a laptop to do a traceroute that I discovered it did work, but not from the SVI (192.168.10.1).

    ------------------------------
    John Kinnaird
    ------------------------------



  • 4.  RE: Unable to ping internet from SVI on Juniper SRX320

    Posted 10-15-2022 07:22
    SSH to a Junos interface
    SSH being allowed into the SRX firewall is based on the zone configuration itself allowing ssh (or all) under system-services:

    security zones security-zone trust host-inbound-traffic system-services

    So you could just add ssh here in the untrust zone to permit that process instead of moving the interface from one zone to another.

    Naturally, being a security person, one would never turn on ssh access to a device open to all on the public internet, only in our labs.

    Self traffic concept
    Traffic that either terminates on the SRX or originates from the SRX is assigned to the junos-host zone. So any policy that would be created (security or NAT) would be to this zone.

    Typically security just uses host-inbound-traffic in general to permit what is needed, but a security policy would be created to narrow that using junos-host.

    Typically NAT is not needed. When requesting outbound connections on the SRX you simply make the ping/trace/ssh request and the SRX will automatically select the interface facing that traffic as the source address, and no NAT is needed.

    https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-zone-configuration.html



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
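    Putting posts 2 and 4 together as a Junos configuration, as an added example that is not from the thread or the attached configs: the internet-facing interface stays in untrust with ssh enabled through host-inbound-traffic, LAN-to-internet source NAT covers the laptop, and an untrust-to-junos-host policy narrows ssh to one management address. Zone, policy and rule-set names and the management PC address 192.168.0.10/32 are assumptions; the interface addresses are the ones from the thread.

```junos
## Added example, not the thread's config: one way to lay out the lab as posts 2 and 4 describe.
## Assumed names: zone names, policy/rule-set names, and the management PC address
## 192.168.0.10/32 is a placeholder; the interface addresses are the ones from the thread.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.202/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1

## Internet-facing interface stays in untrust; ssh and ping to the box itself are
## allowed by host-inbound-traffic, so it does not need to sit in trust for management.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh

## Transit LAN -> internet: a trust-to-untrust policy plus interface source NAT.
## This covers the laptop on 192.168.10.2, not pings generated on the SRX itself.
set security policies from-zone trust to-zone untrust policy lan-out match source-address any
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application any
set security policies from-zone trust to-zone untrust policy lan-out then permit
set security nat source rule-set lan-to-internet from zone trust
set security nat source rule-set lan-to-internet to zone untrust
set security nat source rule-set lan-to-internet rule snat-all match source-address 0.0.0.0/0
set security nat source rule-set lan-to-internet rule snat-all then source-nat interface

## Narrowing ssh to the box: self-traffic belongs to junos-host, so the policy pair is
## untrust -> junos-host. Once a policy exists for this pair, traffic it does not permit
## falls to the default policy (deny-all unless changed), so ping is permitted explicitly too.
set security address-book global address mgmt-pc 192.168.0.10/32
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt match source-address mgmt-pc
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt match destination-address any
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt then permit
set security policies from-zone untrust to-zone junos-host policy ping-any match source-address any
set security policies from-zone untrust to-zone junos-host policy ping-any match destination-address any
set security policies from-zone untrust to-zone junos-host policy ping-any match application junos-icmp-ping
set security policies from-zone untrust to-zone junos-host policy ping-any then permit

## Testing from the SRX itself (operational mode): leave out "source 192.168.10.1".
## The echo leaves ge-0/0/0.0 as 192.168.0.202, which the home router can route, so no NAT is involved:
##   ping 8.8.8.8 count 3
##   show security policies from-zone untrust to-zone junos-host
```

    Forcing the source to 192.168.10.1 from the box still fails here by design, since that packet is junos-host traffic and the lan-to-internet rule-set only matches zone trust; the laptop on ge-0/0/1.0 remains the right way to test the LAN path.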



  • 5.  RE: Unable to ping internet from SVI on Juniper SRX320

    Posted 10-15-2022 13:56
    Ahh, that makes sense!

    Self traffic concept
    Traffic that either terminates on the SRX or originates from the SRX is assigned to the junos-host zone. So any policy that would be created (security or NAT) would be to this zone.

    So in future, for fault finding I'd need to physically connect a laptop. I get it now; I assume that's also the case with a loopback interface.

    I'll move the internet to an untrusted zone and enable ssh on that! I can maybe use an access list to limit access to my PC and laptop (when I get to that chapter in the book).

    Thanks for your help everyone!


    ------------------------------
    John Kinnaird
    ------------------------------