netmat
Post subject: [Problem] No internet connection | Posted: Tue Apr 07, 2015 2:31 pm
Joined: Tue Apr 07, 2015 10:40 am Posts: 1
Hi Guys, I'm trying to configure my first Juniper SRX firewall and since last week I'm stuck on one problem. I can't access the internet from my management LAN... I think that I'm missing something, I can ping everything from the SRX but nothing from the management LAN... My configuration:

Code:

    ## Last changed: 2015-04-06 22:09:53 BST
    version 12.1X44-D35.5;
    system {
        host-name srx;
        time-zone Europe/London;
        root-authentication {
            encrypted-password "******************************"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user access {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "*********************"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface [ vlan.0 ge-0/0/1.0 ];
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 176.58.109.199;
        }
    }
    interfaces {
        ge-0/0/0 {
            description wan;
            unit 0 {
                family inet {
                    address 5.2*.***.54/29;
                }
            }
        }
        ge-0/0/1 {
            description lan;
            unit 0 {
                family inet {
                    address 10.0.1.1/24;
                }
            }
        }
        ge-0/0/2 {
            description DMZ;
            unit 0 {
                family inet {
                    address 10.0.2.1/24;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 5.2*.***.53;
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set lan-to-wan {
                    from zone lan;
                    to zone wan;
                    rule lan-to-wan-r1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set dmz-to-wan {
                    from zone DMZ;
                    to zone wan;
                    rule dmz-to-wan-r1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        5.2*.***.55/32;
                        5.2*.***.56/32;
                        5.2*.***.57/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
            security-zone wan {
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone lan {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone DMZ {
                interfaces {
                    ge-0/0/2.0;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

Any idea how I can fix it?
Thanks,
Matt

admin
Post subject: Re: [Problem] No internet connection | Posted: Wed Apr 08, 2015 4:16 am
Site Admin
Joined: Mon Aug 03, 2009 8:43 am Posts: 104
Hi Matt,
What is your management LAN exactly? I see you are only allowing traffic from-zone trust to-zone untrust and dropping everything else. You could have missed this.
_________________ VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX https://vpsie.com

admin
Post subject: Re: [Problem] No internet connection | Posted: Wed Apr 08, 2015 4:22 am
Site Admin
Joined: Mon Aug 03, 2009 8:43 am Posts: 104
It looks like you have both "wan" and "untrust" security zones intended for internet facing as well as "lan" and "trust" for your internal LAN. You need to make sure the security policies reflect the actual zones you intend on using.
You can also remove the unused ones to avoid confusion in the future.
Also, from web-management, I suspect your management zones are "lan" and "trust". Your Internet facing side seems to be "wan" security zone as it contains the ge-0/0/0 interface. Your security policies have to allow traffic from trust -> wan and from lan -> wan. The way it is configured right now it isn't supposed to work.
_________________ VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX https://vpsie.com
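
The zone mismatch described in the reply above can be checked mechanically. The following Python script is an added example, not code from the thread or from Juniper: `parse` and `audit` are hypothetical helper names, and the sample is a constructed reduction of the configuration in the first post. It compares the zone pairs named by security policies and source NAT rule-sets against the zones that actually have an interface bound; it looks only at zone pairs, not at match conditions or actions.

```python
import re

# Constructed sample: the security stanza from the first post, reduced to zone pairs and bindings.
SAMPLE = """
security {
  nat { source {
    rule-set trust-to-untrust { from zone trust; to zone untrust; }
    rule-set lan-to-wan { from zone lan; to zone wan; }
    rule-set dmz-to-wan { from zone DMZ; to zone wan; }
  } }
  policies { from-zone trust to-zone untrust { policy trust-to-untrust { then { permit; } } } }
  zones {
    security-zone trust { interfaces { vlan.0; } }
    security-zone untrust { screen untrust-screen; }
    security-zone wan { interfaces { ge-0/0/0.0; } }
    security-zone lan { interfaces { ge-0/0/1.0; } }
    security-zone DMZ { interfaces { ge-0/0/2.0; } }
  }
}
"""

def parse(tokens):
    """Nest a Junos brace-style token stream into dicts; leaf statements map to None."""
    node, words = {}, []
    for tok in tokens:  # the same iterator is consumed by the recursive calls
        if tok == "}":
            return node
        if tok in ("{", ";"):
            node[" ".join(words)] = parse(tokens) if tok == "{" else None
            words = []
        else:
            words.append(tok)
    return node

def audit(text):
    """Hypothetical check: zone pairs used by policies and source NAT vs. zones owning an interface."""
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", re.sub(r"##.*", "", text)))  # '##' = annotations
    sec = parse(tokens)["security"]
    bound = {k.split()[1] for k, v in sec["zones"].items() if v and v.get("interfaces")}
    policies = {(k.split()[1], k.split()[3]) for k in sec["policies"] if k.startswith("from-zone")}
    nat = set()
    for name, rs in sec["nat"]["source"].items():
        if name.startswith("rule-set"):
            zone = {k.split()[0]: k.split()[2] for k in rs if " zone " in k}
            nat.add((zone["from"], zone["to"]))
    findings = [f"{kind} {s}->{d}: zone {z} has no interface"
                for kind, pairs in (("policy", policies), ("nat", nat))
                for s, d in sorted(pairs) for z in (s, d) if z not in bound]
    findings += [f"nat {s}->{d}: no policy for this zone pair" for s, d in sorted(nat - policies)]
    return findings
```

Calling `audit(SAMPLE)` reports that the only policy and its NAT rule-set point at `untrust`, a zone with no interface, and that the `lan` and `DMZ` rule-sets toward `wan` have no policy for their zone pair.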

lucybrade
Post subject: Re: [Problem] No internet connection | Posted: Sat Apr 11, 2015 2:14 am
Joined: Fri Apr 10, 2015 2:48 pm Posts: 1

    admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve write-file ospf.pcap matching "ip proto 89" size 1514
    Address resolution is OFF.
    Listening on ge-0/0/1.10, capture size 1514 bytes