Topic review - [Problem] No internet connection
Post subject: Re: [Problem] No internet connection  |  Post Posted: Sat Apr 11, 2015 2:14 am
admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve write-file ospf.pcap matching "ip proto 89" size 1514
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes
Post subject: Re: [Problem] No internet connection  |  Post Posted: Wed Apr 08, 2015 4:22 am
It looks like you have both "wan" and "untrust" security zones intended to be internet-facing, as well as "lan" and "trust" for your internal LAN. You need to make sure the security policies reflect the zones you actually intend to use.

You can also remove the unused ones to avoid confusion in the future.

Also, judging from web-management, I suspect your management zones are "lan" and "trust". Your internet-facing side seems to be the "wan" security zone, as it contains the ge-0/0/0 interface. Your security policies therefore have to allow traffic from trust -> wan and from lan -> wan. As it is configured right now, it is not expected to work.
Post subject: Re: [Problem] No internet connection  |  Post Posted: Wed Apr 08, 2015 4:16 am
Hi Matt,

What exactly is your management LAN? I see you are only allowing traffic from-zone trust to-zone untrust and dropping everything else. You may have missed this.
Post subject: [Problem] No internet connection  |  Post Posted: Tue Apr 07, 2015 2:31 pm
Hi Guys,

I am trying to configure my first Juniper SRX firewall, and since last week I have been stuck on one problem. I can't access the internet from my management LAN... I think I'm missing something: I can ping everything from the SRX itself, but nothing from the management LAN...









My configuration:
Code:

## Last changed: 2015-04-06 22:09:53 BST
/* SRX configuration as posted in the "No internet connection" thread.
 * Interface roles, taken from the descriptions below: ge-0/0/0 = wan,
 * ge-0/0/1 = lan, ge-0/0/2 = DMZ, vlan.0 = vlan-trust (192.168.1.1/24).
 * The only security policy in the file is trust -> untrust, while the
 * internet-facing interface ge-0/0/0.0 is placed in zone "wan" and
 * ge-0/0/1.0 in zone "lan"; no policy covers trust -> wan, lan -> wan or
 * DMZ -> wan even though NAT rule-sets exist for the latter two. */
version 12.1X44-D35.5;
system {
    host-name srx;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "******************************"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        /* Single local super-user account; password hash masked in the post. */
        user access {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*********************"; ## SECRET-DATA
            }
        }
    }
    /* Management services: ssh and https are enabled alongside telnet and
     * xnm-clear-text, both of which carry credentials unencrypted. Which
     * zones can reach any of these is governed by host-inbound-traffic
     * under security zones further down. */
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            /* Plain HTTP, bound only to the vlan.0 (trust) interface. */
            http {
                interface vlan.0;
            }
            /* HTTPS with a self-signed certificate on the trust and lan interfaces. */
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/1.0 ];
            }
        }
    }
    /* Local logging only; no remote syslog host is configured. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 176.58.109.199;
    }
}
interfaces {
    /* Internet uplink; public address masked by the poster. */
    ge-0/0/0 {
        description wan;
        unit 0 {
            family inet {
                address 5.2*.***.54/29;
            }
        }
    }
    /* Routed LAN segment, 10.0.1.0/24, in zone "lan". */
    ge-0/0/1 {
        description lan;
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
    /* DMZ segment, 10.0.2.0/24, in zone "DMZ". */
    ge-0/0/2 {
        description DMZ;
        unit 0 {
            family inet {
                address 10.0.2.1/24;
            }
        }
    }
    /* Layer-3 interface for vlan-trust (vlan-id 3), in zone "trust". */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        /* Default route toward the ISP next hop on the ge-0/0/0.0 /29. */
        route 0.0.0.0/0 next-hop 5.2*.***.53;
    }
}
protocols {
    stp;
}
security {
    screen {
        /* Screen profile; it is only referenced by zone "untrust" below,
         * which has no interfaces, so it is not applied to ge-0/0/0.0. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Interface-based source NAT for every internal source address.
         * Only the trust-to-untrust rule-set has a matching security
         * policy; lan-to-wan and dmz-to-wan have none below, so NAT alone
         * does not let that traffic through. */
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set lan-to-wan {
                from zone lan;
                to zone wan;
                rule lan-to-wan-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dmz-to-wan {
                from zone DMZ;
                to zone wan;
                rule dmz-to-wan-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Answer ARP on the uplink for three further addresses of the /29. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    5.2*.***.55/32;
                    5.2*.***.56/32;
                    5.2*.***.57/32;
                }
            }
        }
    }
    policies {
        /* The only inter-zone policy in the configuration. Zone "untrust"
         * holds no interface, so this does not cover traffic leaving via
         * ge-0/0/0.0 (zone "wan"); trust -> wan and lan -> wan are not
         * permitted anywhere. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* vlan.0 segment. Every system service and protocol is accepted
         * from here, including the cleartext ones enabled above. */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        /* Screen attached, but no interface is a member of this zone. */
        security-zone untrust {
            screen untrust-screen;
        }
        /* Internet-facing zone; no screen and no host-inbound-traffic
         * configured here. */
        security-zone wan {
            interfaces {
                ge-0/0/0.0;
            }
        }
        /* ge-0/0/1.0 segment, same host-inbound-traffic as "trust". */
        security-zone lan {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DMZ {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}



Any idea how I can fix it?

Thanks,
Matt