Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

[Problem] No internet connection
https://forum.ivorde.com/no-internet-connection-t19793.html

Author:  netmat [ Tue Apr 07, 2015 2:31 pm ]
Post subject:  [Problem] No internet connection

Hi Guys,

I'm trying to configure my first Juniper SRX firewall and since last week I've been stuck on one problem. I can't access the internet from my management LAN... I think that I'm missing something; I can ping everything from the SRX but nothing from the management LAN...

My configuration:
Code:

## Last changed: 2015-04-06 22:09:53 BST
version 12.1X44-D35.5;
system {
    host-name srx;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "******************************"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user access {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*********************"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 176.58.109.199;
    }
}
interfaces {
    ge-0/0/0 {
        description wan;
        unit 0 {
            family inet {
                address 5.2*.***.54/29;
            }
        }
    }
    ge-0/0/1 {
        description lan;
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        description DMZ;
        unit 0 {
            family inet {
                address 10.0.2.1/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 5.2*.***.53;
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set lan-to-wan {
                from zone lan;
                to zone wan;
                rule lan-to-wan-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dmz-to-wan {
                from zone DMZ;
                to zone wan;
                rule dmz-to-wan-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    5.2*.***.55/32;
                    5.2*.***.56/32;
                    5.2*.***.57/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone wan {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone lan {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DMZ {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}



Any idea how I can fix it?

Thanks,
Matt

Author:  admin [ Wed Apr 08, 2015 4:16 am ]
Post subject:  Re: [Problem] No internet connection

Hi Matt,

What is your management LAN exactly? I see you are only allowing traffic from-zone trust to-zone untrust and dropping everything else. You could have missed this.

Author:  admin [ Wed Apr 08, 2015 4:22 am ]
Post subject:  Re: [Problem] No internet connection

It looks like you have both "wan" and "untrust" security zones intended for the Internet-facing side, as well as "lan" and "trust" for your internal LAN. You need to make sure the security policies reflect the actual zones you intend to use.

You can also remove the unused ones to avoid confusion in the future.

Also, from web-management, I suspect your management zones are "lan" and "trust". Your Internet-facing side seems to be the "wan" security zone, as it contains the ge-0/0/0 interface. Your security policies have to allow traffic from trust -> wan and from lan -> wan. The way it is configured right now, it isn't supposed to work.
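
As an added illustration of the mismatch admin points out (this script is mine, not from the thread or from Junos), the Python below parses a trimmed, constructed copy of Matt's config and reports source-NAT rule-sets whose from/to zone pair has no permitting security policy, plus zones that own no interface. The parser and function names are my own and assume the plain curly-brace Junos format shown in the post.

```python
import re
# Constructed, trimmed copy of the poster's config (public addresses omitted); not the forum's text.
CONFIG = """
security {
    nat { source {
        rule-set trust-to-untrust { from zone trust; to zone untrust; }
        rule-set lan-to-wan { from zone lan; to zone wan; }
        rule-set dmz-to-wan { from zone DMZ; to zone wan; }
    } }
    policies { from-zone trust to-zone untrust { policy trust-to-untrust { then { permit; } } } }
    zones {
        security-zone trust { interfaces { vlan.0; } }  security-zone untrust { screen untrust-screen; }
        security-zone wan { interfaces { ge-0/0/0.0; } }  security-zone lan { interfaces { ge-0/0/1.0; } }
        security-zone DMZ { interfaces { ge-0/0/2.0; } }
    }
}
"""

def parse(text):
    """Junos curly-brace syntax -> nested dicts; leaf statements map to None."""
    tokens = [t for t in map(str.strip, re.findall(r"[{};]|[^{};]+", text)) if t]
    stack, key = [{}], None
    for tok in tokens:
        if tok == "{":          # open a child block under the pending key
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        elif tok == "}":
            stack.pop()
        elif tok == ";":        # terminate a leaf statement
            stack[-1][key] = None
        else:
            key = tok
    return stack[0]

def zones_without_interfaces(cfg):
    """Zones that own no interface: leftovers such as 'untrust' in this config."""
    return sorted(n.split()[1] for n, b in cfg["security"]["zones"].items() if "interfaces" not in b)

def nat_without_policy(cfg):
    """Source-NAT rule-sets whose (from, to) zone pair no security policy permits."""
    allowed = set()
    for name, body in cfg["security"]["policies"].items():
        if any("permit" in ((p or {}).get("then") or {}) for p in body.values()):
            allowed.add(tuple(re.match(r"from-zone (\S+) to-zone (\S+)", name).groups()))
    missing = []
    for name, body in cfg["security"]["nat"]["source"].items():
        z = {k.split()[0]: k.split()[2] for k in body if k.startswith(("from zone", "to zone"))}
        if (z["from"], z["to"]) not in allowed:
            missing.append(name.split()[1])
    return sorted(missing)
```

Run against the trimmed config it reports lan-to-wan and dmz-to-wan as NAT rule-sets with no matching policy, and untrust as a zone with no interface, which is exactly the gap admin describes.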

Author:  lucybrade [ Sat Apr 11, 2015 2:14 am ]
Post subject:  Re: [Problem] No internet connection

admin@vMX-TEST> monitor traffic interface ge-0/0/1.10 no-resolve write-file ospf.pcap matching "ip proto 89" size 1514
Address resolution is OFF.
Listening on ge-0/0/1.10, capture size 1514 bytes
