edFEes
Post subject: NAT's CONFIGURATION IS NOT WORKING srx210 | Posted: Mon Jun 06, 2016 12:54 am
Hi everybody, I'm trying to configure a JUNIPER srx 210 firewall and I'm stuck on one problem. I can't access the internet from the LAN interface network vlan.11. I think that I'm missing something: I can ping everything from the srx, but nothing from the LAN interface network vlan.11 using the command: ping 8.8.8.8 interface vlan.11. I think my NAT configuration is not working. Thanks in advance. My configuration:

Code:
## Last changed: 2016-06-06 03:21:06 UTC
version 12.1X46-D45.4;
system {
    host-name FW_SRX_210;
    time-zone America/LaPaz;
    root-authentication {
        encrypted-password "*********************"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user adminsw {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "******************"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            pool 192.168.7.0/24 {
                address-range low 192.168.7.61 high 192.168.7.150;
                domain-name ende.bo;
                name-server {
                    10.10.0.17;
                    10.10.0.32;
                    10.10.0.10;
                }
                wins-server {
                    10.10.0.17;
                    10.10.0.32;
                }
                router {
                    192.168.7.1;
                }
                next-server 10.170.10.2;
            }
            pool 192.168.8.0/24 {
                address-range low 192.168.8.60 high 192.168.8.80;
                domain-name ende.bo;
                name-server {
                    10.10.0.17;
                    10.10.0.32;
                    10.10.0.10;
                }
                wins-server {
                    10.10.0.17;
                    10.10.0.32;
                }
                router {
                    192.168.8.1;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 176.58.109.199;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ VLAN_RED_LAN_DATOS_ default VLAN_ADM_ANT VLAN_TELEFONOS_CISCO VLAN_RED_PLANTA_SOLAR ];
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members VAN_TELEFONOS_IP_;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members VLAN_RED_LAN_DATOS_;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family inet {
                address 10.xxx.xxx.10/29;
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            /*internet CONECCTION*/
            family inet {
                address 181.xxx.xxx.18/29;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.xxx.xxx.114/29;
            }
        }
    }
    st0 {
        unit 1 {
            family inet {
                mtu 1500;
                address 10.172.4.24/24;
            }
            family inet6;
        }
        unit 2 {
            family inet {
                mtu 1500;
                address 10.172.9.7/24;
            }
            family inet6;
        }
    }
    vlan {
        unit 1 {
            family inet {
                address 10.150.7.1/24;
            }
        }
        unit 3 {
            family inet {
                address 10.150.17.1/24;
            }
        }
        unit 10 {
            family inet {
                address 192.168.7.1/24;
            }
        }
        unit 11 {
            family inet {
                address 192.168.8.1/24;
            }
        }
        unit 20 {
            family inet {
                address 10.110.7.1/24;
            }
        }
        unit 140 {
            family inet {
                address 192.168.207.1/24;
            }
        }
        unit 150 {
            family inet {
                address 10.50.7.1/24;
            }
        }
        unit 490 {
            family inet {
                address 10.249.7.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.113;
        route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.9;
        route 0.0.0.0/0 next-hop 181.xxx.xxx.17;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            network-summary-export export-ospf;
            network-summary-import import-ospf;
            interface vlan.1;
            interface vlan.10;
            interface vlan.20;
            interface vlan.150;
            interface vlan.140;
            interface st0.1 {
                interface-type p2p;
                metric 10;
            }
            interface st0.2 {
                interface-type p2p;
                metric 20;
            }
            interface vlan.3;
            interface vlan.490;
            interface vlan.11;
        }
    }
    stp;
}
policy-options {
    policy-statement export-ospf {
        term export-ospf {
            from protocol direct;
            then accept;
        }
    }
    policy-statement import-ospf {
        term import-ospf {
            from protocol ospf;
            then accept;
        }
    }
}
security {
    ike {
        proposal phase1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy {
            mode main;
            proposals phase1;
            pre-shared-key ascii-text "***************";
        }
        gateway ike-gw {
            ike-policy ike-policy;
            address 10.***.***.3;
            external-interface fe-0/0/7.0;
        }
    }
    ipsec {
        proposal phase2 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals phase2;
        }
        vpn ipsec- {
            bind-interface st0.1;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gw;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        sip disable;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set planta-solar-to-untrust {
                from zone trust;
                to zone untrust;
                rule red-planta-solar {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.11 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                fe-0/0/5.0;
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ZONA_ADM {
            address-book {
                address RED_LAN_ADM_ 10.150.7.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                vlan.3;
            }
        }
        security-zone ZONA_TELF_IP_ {
            address-book {
                address RED_TELF_IP_ 10.110.7.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.20 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ZONA_RED_CAM_ {
            address-book {
                address RED_LAN_CAMARAS_IP 10.50.7.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.150 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ZONA_RED_DATOS_ {
            address-book {
                address RED_LAN_ 192.168.7.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ZONA_BIOMETRICOS_ {
            address-book {
                address RED_BIOMETRICOS_ 192.168.207.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.140 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone VPN_OSFP {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.2 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ZONA_TELF_IP_CISCO {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.490 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ZONA_RED_PLANTA_SOLAR {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
vlans {
    VAN_TELEFONOS_IP_ {
        vlan-id 20;
        l3-interface vlan.20;
    }
    VLAN_ADM_ANT {
        vlan-id 3;
        l3-interface vlan.3;
    }
    VLAN_BIOMETRICO_ {
        vlan-id 140;
        l3-interface vlan.140;
    }
    VLAN_RED_CAMARAS_ {
        vlan-id 150;
        l3-interface vlan.150;
    }
    VLAN_RED_LAN_DATOS_ {
        vlan-id 10;
        l3-interface vlan.10;
    }
    VLAN_RED_PLANTA_SOLAR {
        vlan-id 11;
        l3-interface vlan.11;
    }
    VLAN_TELEFONOS_CISCO {
        description "TELEFONOS CISCO";
        vlan-id 490;
        interface {
            ge-0/0/1.0;
        }
        l3-interface vlan.490;
    }
    default {
        l3-interface vlan.1;
    }
}

Any idea how I can fix it? Thanks, Ed.
Guest
Post subject: Re: NAT's CONFIGURATION IS NOT WORKING srx210 | Posted: Mon Jun 06, 2016 5:48 am
Hi Ed. Your config looks good. While pinging, can you check "> show security flow session destination-prefix 8.8.8.8" from another terminal and post the output here (try to hash the last 2 octets of the IP so I can see if NAT works)? Worth enabling traceoptions:

Code:
set security flow traceoptions file flowtrace.log
set security flow traceoptions file size 10m
set security flow traceoptions flag packet-drops
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter 1way protocol icmp

Look for dropped packets.
Guest
Post subject: Re: NAT's CONFIGURATION IS NOT WORKING srx210 | Posted: Mon Jun 06, 2016 2:32 pm
Hi. I tried "> show security flow session destination-prefix 8.8.8.8" while I was pinging from another terminal. The output is:

Code:
root@FW_SRX_210> ...ion destination-prefix 8.8.8.8
Session ID: 5326, Policy name: self-traffic-policy/1, Timeout: 38, Valid In: 192.168.8.1/22 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/22;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 9783, Policy name: self-traffic-policy/1, Timeout: 32, Valid In: 192.168.8.1/16 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/16;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 18010, Policy name: self-traffic-policy/1, Timeout: 20, Valid In: 192.168.8.1/4 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/4;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 19545, Policy name: self-traffic-policy/1, Timeout: 26, Valid In: 192.168.8.1/10 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/10;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 20055, Policy name: self-traffic-policy/1, Timeout: 30, Valid In: 192.168.8.1/13 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/13;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 20340, Policy name: self-traffic-policy/1, Timeout: 42, Valid In: 192.168.8.1/25 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/25;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 20410, Policy name: self-traffic-policy/1, Timeout: 20, Valid In: 192.168.8.1/3 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/3;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 20908, Policy name: self-traffic-policy/1, Timeout: 22, Valid In: 192.168.8.1/6 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/6;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 21436, Policy name: self-traffic-policy/1, Timeout: 56, Valid In: 192.168.8.1/39 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/39;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 21827, Policy name: self-traffic-policy/1, Timeout: 18, Valid In: 192.168.8.1/2 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/2;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 22076, Policy name: self-traffic-policy/1, Timeout: 48, Valid In: 192.168.8.1/31 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/31;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 22269, Policy name: self-traffic-policy/1, Timeout: 24, Valid In: 192.168.8.1/8 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/8;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 22509, Policy name: self-traffic-policy/1, Timeout: 52, Valid In: 192.168.8.1/36 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/36;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 22692, Policy name: self-traffic-policy/1, Timeout: 32, Valid In: 192.168.8.1/15 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/15;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 22794, Policy name: self-traffic-policy/1, Timeout: 28, Valid In: 192.168.8.1/11 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/11;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 22995, Policy name: self-traffic-policy/1, Timeout: 40, Valid In: 192.168.8.1/24 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/24;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23019, Policy name: self-traffic-policy/1, Timeout: 34, Valid In: 192.168.8.1/18 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/18;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23020, Policy name: self-traffic-policy/1, Timeout: 16, Valid In: 192.168.8.1/0 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/0;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23056, Policy name: self-traffic-policy/1, Timeout: 36, Valid In: 192.168.8.1/19 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/19;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23083, Policy name: self-traffic-policy/1, Timeout: 24, Valid In: 192.168.8.1/7 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/7;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23180, Policy name: self-traffic-policy/1, Timeout: 44, Valid In: 192.168.8.1/28 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/28;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23211, Policy name: self-traffic-policy/1, Timeout: 44, Valid In: 192.168.8.1/27 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/27;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23362, Policy name: self-traffic-policy/1, Timeout: 56, Valid In: 192.168.8.1/40 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/40;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23402, Policy name: self-traffic-policy/1, Timeout: 36, Valid In: 192.168.8.1/20 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/20;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23506, Policy name: self-traffic-policy/1, Timeout: 34, Valid In: 192.168.8.1/17 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/17;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23628, Policy name: self-traffic-policy/1, Timeout: 46, Valid In: 192.168.8.1/29 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/29;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23931, Policy name: self-traffic-policy/1, Timeout: 58, Valid In: 192.168.8.1/42 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/42;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 23963, Policy name: self-traffic-policy/1, Timeout: 50, Valid In: 192.168.8.1/33 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/33;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24156, Policy name: self-traffic-policy/1, Timeout: 26, Valid In: 192.168.8.1/9 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/9;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24168, Policy name: self-traffic-policy/1, Timeout: 50, Valid In: 192.168.8.1/34 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/34;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24373, Policy name: self-traffic-policy/1, Timeout: 40, Valid In: 192.168.8.1/23 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/23;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24414, Policy name: self-traffic-policy/1, Timeout: 54, Valid In: 192.168.8.1/38 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/38;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24474, Policy name: self-traffic-policy/1, Timeout: 38, Valid In: 192.168.8.1/21 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/21;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24714, Policy name: self-traffic-policy/1, Timeout: 42, Valid In: 192.168.8.1/26 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/26;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24807, Policy name: self-traffic-policy/1, Timeout: 30, Valid In: 192.168.8.1/14 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/14;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 24837, Policy name: self-traffic-policy/1, Timeout: 48, Valid In: 192.168.8.1/32 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/32;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 25273, Policy name: self-traffic-policy/1, Timeout: 28, Valid In: 192.168.8.1/12 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/12;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 25297, Policy name: self-traffic-policy/1, Timeout: 22, Valid In: 192.168.8.1/5 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/5;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 25851, Policy name: self-traffic-policy/1, Timeout: 54, Valid In: 192.168.8.1/37 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/37;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 26300, Policy name: self-traffic-policy/1, Timeout: 18, Valid In: 192.168.8.1/1 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/1;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 26514, Policy name: self-traffic-policy/1, Timeout: 58, Valid In: 192.168.8.1/41 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/41;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 26585, Policy name: self-traffic-policy/1, Timeout: 52, Valid In: 192.168.8.1/35 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/35;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 27907, Policy name: self-traffic-policy/1, Timeout: 46, Valid In: 192.168.8.1/30 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/24828 --> 192.168.8.1/30;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Total sessions: 43
root@FW_SRX_210>
admin
Post subject: Re: NAT's CONFIGURATION IS NOT WORKING srx210 | Posted: Mon Jun 06, 2016 4:02 pm
Site Admin
Joined: Mon Aug 03, 2009 8:43 am Posts: 104
There's your problem. Self-originated traffic is still classified as coming from zone "junos-host" no matter what src interface is used. Either test from within the "trust" network pinging 8.8.8.8 or set up the following config:

Code:
# top show security nat source rule-set self-internet
from zone junos-host;
to zone untrust;
rule RE-internet {
    match {
        source-address 0.0.0.0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}

Please post your results and don't forget to also add a security policy "from-zone junos-host to zone internet" to allow this traffic.
_________________ VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX https://vpsie.com
nosdefe
Post subject: Re: NAT's CONFIGURATION IS NOT WORKING srx210 | Posted: Tue Jun 07, 2016 3:49 pm
Joined: Sun Jun 05, 2016 11:20 pm Posts: 2
Hello. The problem was solved. Again I tried "> show security flow session destination-prefix 8.8.8.8" while I was pinging from another terminal. The output is:

Code:
root@FW_SRX_210% cli
root@FW_SRX_210> ...ion destination-prefix 8.8.8.8
Session ID: 61753, Policy name: self-traffic-policy/1, Timeout: 2, Valid In: 192.168.8.1/47 --> 8.8.8.8/23534;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/23534 --> 181.115.0.18/24860;icmp, If: fe-0/0/6.0, Pkts: 1, Bytes: 84
Session ID: 62548, Policy name: self-traffic-policy/1, Timeout: 2, Valid In: 192.168.8.1/46 --> 8.8.8.8/23534;icmp, If: .local..0, Pkts: 1, Bytes: 84 Out: 8.8.8.8/23534 --> 181.115.0.18/6455;icmp, If: fe-0/0/6.0, Pkts: 1, Bytes: 84
Total sessions: 2
root@FW_SRX_210>

With your advice I tried this new configuration:

Code:
nat {
    source {
        rule-set planta-solar-to-untrust {
            from zone [ trust junos-host ];
            to zone untrust;
            rule red-planta-solar {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}

It was not necessary to add a security policy "from-zone junos-host to zone internet" to allow this traffic, but it is necessary to add a security policy "from-zone trust to zone internet" because vlan.11 is within the trust area. Thanks for your collaboration.
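The difference between the two session listings in this thread (before the junos-host rule-set change the Out wing still points back at 192.168.8.1 with zero packets; afterwards it points at the fe-0/0/6.0 address and counts a reply) is the check the admin applied by eye. The following is an added example, not code posted in the thread: a small parser for "show security flow session" output that flags sessions whose reverse wing was never translated. The sample output is constructed from the addresses quoted above; it also accepts the flattened one-line-per-session form that a forum paste produces.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's session output: session 5326 is the
# "before" case (reverse wing still targets the vlan.11 address, no reply), 61753
# the "after" case (source translated to the fe-0/0/6.0 address, reply counted).
SAMPLE_OUTPUT = """\
Session ID: 5326, Policy name: self-traffic-policy/1, Timeout: 38, Valid
  In: 192.168.8.1/22 --> 8.8.8.8/24828;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/24828 --> 192.168.8.1/22;icmp, If: fe-0/0/6.0, Pkts: 0, Bytes: 0
Session ID: 61753, Policy name: self-traffic-policy/1, Timeout: 2, Valid
  In: 192.168.8.1/47 --> 8.8.8.8/23534;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/23534 --> 181.115.0.18/24860;icmp, If: fe-0/0/6.0, Pkts: 1, Bytes: 84
Total sessions: 2
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: \d+")
WING_RE = re.compile(
    r"\b(In|Out): (\S+)/\d+ --> (\S+)/\d+;\w+, If: (\S+), Pkts: (\d+), Bytes: \d+"
)

@dataclass
class Wing:
    src: str     # source address of this wing
    dst: str     # destination address of this wing
    ifname: str  # interface the wing's packets arrive on
    pkts: int

@dataclass
class Session:
    sid: int
    policy: str
    wings: Dict[str, Wing]

    @property
    def nat_applied(self) -> bool:
        # The Out wing is the reverse flow, so its destination is the address the
        # peer replies to. If it still equals the In-wing source, no source NAT ran.
        return self.wings["Out"].dst != self.wings["In"].src

def parse_sessions(text: str) -> List[Session]:
    # Wings are scanned per line with finditer, so a flattened paste that carries
    # the header, In and Out wing on one line parses the same as the original.
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            cur = Session(int(m.group(1)), m.group(2), {})
            sessions.append(cur)
        if cur is not None:
            for w in WING_RE.finditer(line):
                cur.wings[w.group(1)] = Wing(w.group(2), w.group(3), w.group(4), int(w.group(5)))
    return [s for s in sessions if "In" in s.wings and "Out" in s.wings]

def diagnose(s: Session) -> str:
    if not s.nat_applied:
        return "no source NAT: reverse wing still targets " + s.wings["In"].src
    if s.wings["Out"].pkts == 0:
        return "NAT applied but no reply packets on " + s.wings["Out"].ifname
    return "ok: source translated to %s, replies seen" % s.wings["Out"].dst
```

Run `diagnose` over `parse_sessions(SAMPLE_OUTPUT)`: the first session reports the missing translation, the second reports success.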