ROUTING INSTANCE is not working on firewall srx210
Hi everybody
I am trying to configure a JUNIPER srx 210 firewall and I'm stuck on one problem. My ROUTING-INSTANCE configuration is not working. Let me to explain you:
The firewall srx 210 has two conections:
-The first one is a VPN conection.
-The second one is a INTERNET conection.
The main routing-table has the default-route to the VPN conection (ST0.1 interface).
The routing-instance is type forwarding and has only a default-route. The default-route permit access to the INTERNET conection but I can't access the internet from LAN interface network vlan.11 (192.168.8.1/24). I think that I'm missing something. I did the next configuration:
- Rib group configuration
- Filter configuracion
- Routing instance configuration
- Source NAT configuration
My configuration is:
Code:
## Last changed: 2016-06-06 03:21:06 UTC
version 12.1X46-D45.4;
system {
host-name FW_SRX_210;
time-zone America/LaPaz;
root-authentication {
encrypted-password "*********************"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user adminsw {
uid 2000;
class super-user;
authentication {
encrypted-password "******************"; ## SECRET-DATA
}
}
}
services {
ssh;
xnm-clear-text;
web-management {
https {
system-generated-certificate;
}
}
dhcp {
pool 192.168.7.0/24 {
address-range low 192.168.7.61 high 192.168.7.150;
domain-name ende.bo;
name-server {
10.10.0.17;
10.10.0.32;
10.10.0.10;
}
wins-server {
10.10.0.17;
10.10.0.32;
}
router {
192.168.7.1;
}
next-server 10.170.10.2;
}
pool 192.168.8.0/24 {
address-range low 192.168.8.60 high 192.168.8.80;
domain-name ende.bo;
name-server {
10.10.0.17;
10.10.0.32;
10.10.0.10;
}
wins-server {
10.10.0.17;
10.10.0.32;
}
router {
192.168.8.1;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 176.58.109.199;
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VLAN_RED_LAN_DATOS_ default VLAN_ADM_ANT VLAN_TELEFONOS_CISCO VLAN_RED_PLANTA_SOLAR ];
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members VAN_TELEFONOS_IP_;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members VLAN_RED_LAN_DATOS_;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/5 {
unit 0 {
family inet {
address 10.xxx.xxx.10/29;
}
}
}
fe-0/0/6 {
unit 0 {
/*internet CONECCTION*/
family inet {
address 181.xxx.xxx.18/29;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 10.xxx.xxx.114/29;
}
}
}
st0 {
unit 1 {
family inet {
mtu 1500;
address 10.172.4.24/24;
}
family inet6;
}
unit 2 {
family inet {
mtu 1500;
address 10.172.9.7/24;
}
family inet6;
}
}
vlan {
unit 1 {
family inet {
address 10.150.7.1/24;
}
}
unit 3 {
family inet {
address 10.150.17.1/24;
}
}
unit 10 {
family inet {
address 192.168.7.1/24;
}
}
unit 11 {
family inet {
filter {
input filtroadsl-COBIJA;
}
address 192.168.8.1/24;
}
}
unit 20 {
family inet {
address 10.110.7.1/24;
}
}
unit 140 {
family inet {
address 192.168.207.1/24;
}
}
unit 150 {
family inet {
address 10.50.7.1/24;
}
}
unit 490 {
family inet {
address 10.249.7.1/24;
}
}
}
}
routing-options {
interface-routes {
rib-group inet TABLA-RUTAS;
}
static {
route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.113;
route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.9;
route 0.0.0.0/0 next-hop st0.1;
}
rib-groups {
TABLA-RUTAS {
import-rib [ inet.0 R-I-VR-COBIJA.inet.0 ];
}
}
}
protocols {
ospf {
area 0.0.0.0 {
network-summary-export export-ospf;
network-summary-import import-ospf;
interface vlan.1;
interface vlan.10;
interface vlan.20;
interface vlan.150;
interface vlan.140;
interface st0.1 {
interface-type p2p;
metric 10;
}
interface st0.2 {
interface-type p2p;
metric 20;
}
interface vlan.3;
interface vlan.490;
interface vlan.11;
}
}
stp;
}
policy-options {
policy-statement export-ospf {
term export-ospf {
from protocol direct;
then accept;
}
}
policy-statement import-ospf {
term import-ospf {
from protocol ospf;
then accept;
}
}
}
security {
ike {
proposal phase1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy ike-policy {
mode main;
proposals phase1;
pre-shared-key ascii-text "***************";
}
gateway ike-gw {
ike-policy ike-policy;
address 10.***.***.3;
external-interface fe-0/0/7.0;
}
}
ipsec {
proposal phase2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy ipsec-policy {
perfect-forward-secrecy {
keys group2;
}
proposals phase2;
}
vpn ipsec- {
bind-interface st0.1;
vpn-monitor {
optimized;
}
ike {
gateway ike-gw;
ipsec-policy ipsec-policy;
}
establish-tunnels immediately;
}
}
alg {
sip disable;
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set planta-solar-to-untrust {
from zone [ trust junos-host];
to zone untrust;
rule red-planta-solar {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone VPN_OSFP to-zone ZONA_RED_DATOS_COBIJA {
policy POLIT_VPN_OSPF_A_ZONA_RED_DATOS_COBIJA {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
from-zone ZONA_RED_DATOS_COBIJA to-zone VPN_OSFP {
policy POLIT_ZONA_RED_DATOS_COBIJA_A_VPN_OSPF {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
from-zone junos-host to-zone untrust {
policy POLIT_JUNOS_HOST_A_UNTRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.11 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
fe-0/0/5.0;
fe-0/0/6.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone ZONA_ADM {
address-book {
address RED_LAN_ADM_ 10.150.7.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
vlan.3;
}
}
security-zone ZONA_TELF_IP_ {
address-book {
address RED_TELF_IP_ 10.110.7.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.20 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone ZONA_RED_CAM_ {
address-book {
address RED_LAN_CAMARAS_IP 10.50.7.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.150 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone ZONA_RED_DATOS_COBIJA {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.10 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone ZONA_BIOMETRICOS_ {
address-book {
address RED_BIOMETRICOS_ 192.168.207.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.140 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone VPN_OSFP {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
st0.2 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
security-zone ZONA_TELF_IP_CISCO {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.490 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone ZONA_RED_PLANTA_SOLAR {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
firewall {
family inet {
filter filtroadsl-COBIJA {
term 1 {
from {
source-address {
192.168.8.0/24;
}
}
then {
routing-instance R-I-VR-COBIJA;
}
}
term 2 {
then accept;
}
}
}
}
routing-instances {
R-I-VR-COBIJA {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 181.xxx.xxx.17;
}
}
}
}
vlans {
VAN_TELEFONOS_IP_ {
vlan-id 20;
l3-interface vlan.20;
}
VLAN_ADM_ANT {
vlan-id 3;
l3-interface vlan.3;
}
VLAN_BIOMETRICO_ {
vlan-id 140;
l3-interface vlan.140;
}
VLAN_RED_CAMARAS_ {
vlan-id 150;
l3-interface vlan.150;
}
VLAN_RED_LAN_DATOS_ {
vlan-id 10;
l3-interface vlan.10;
}
VLAN_RED_PLANTA_SOLAR {
vlan-id 11;
l3-interface vlan.11;
}
VLAN_TELEFONOS_CISCO {
description "TELEFONOS CISCO";
vlan-id 490;
interface {
ge-0/0/1.0;
}
l3-interface vlan.490;
}
default {
l3-interface vlan.1;
}
}
I think my routing instance configuration is not working because I tried "> show security flow session destination-prefix 8.8.8.8" While I pinging from another terminal with the command:
>ping 8.8.8.8 source 192.168.8.1
The result is:
Code:
root@FW_SRX_210_PETY_RAY_COBIJA> show security flow session destination-pre...
Session ID: 33663, Policy name: self-traffic-policy/1, Timeout: 38, Valid
In: 192.168.8.1/13 --> 8.8.8.8/23937;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/23937 --> 192.168.8.1/13;icmp, If: st0.1, Pkts: 0, Bytes: 0
Session ID: 39737, Policy name: self-traffic-policy/1, Timeout: 26, Valid
In: 192.168.8.1/0 --> 8.8.8.8/23937;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/23937 --> 192.168.8.1/0;icmp, If: st0.1, Pkts: 0, Bytes: 0
Session ID: 40372, Policy name: self-traffic-policy/1, Timeout: 52, Valid
In: 192.168.8.1/27 --> 8.8.8.8/23937;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/23937 --> 192.168.8.1/27;icmp, If: st0.1, Pkts: 0, Bytes: 0
Session ID: 41080, Policy name: self-traffic-policy/1, Timeout: 44, Valid
In: 192.168.8.1/18 --> 8.8.8.8/23937;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/23937 --> 192.168.8.1/18;icmp, If: st0.1, Pkts: 0, Bytes: 0
Session ID: 41647, Policy name: self-traffic-policy/1, Timeout: 58, Valid
In: 192.168.8.1/33 --> 8.8.8.8/23937;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/23937 --> 192.168.8.1/33;icmp, If: st0.1, Pkts: 0, Bytes: 0
Session ID: 43458, Policy name: self-traffic-policy/1, Timeout: 42, Valid
In: 192.168.8.1/16 --> 8.8.8.8/23937;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 8.8.8.8/23937 --> 192.168.8.1/16;icmp, If: st0.1, Pkts: 0, Bytes: 0
I see:
Code:
Out: 8.8.8.8/21056 --> 192.168.8.1/115;icmp, If: st0.1, Pkts: 0, Bytes: 0
instead of
Code:
Out: 8.8.8.8/23534 --> 181.xxx.xxx.18/6455;icmp, If: fe-0/0/6.0, Pkts: 1, Bytes: 84
Thanks in advance. Ed.