Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  Junos-ES Basic Setup

    Posted 01-25-2010 02:32

    Hi people,

    I am new to Junos. I want to test out a simple Junos-ES setup, but it doesn't work like I want. I am trying to build a very simple router config without NAT. Here is the config.

     

    version 9.2R1.10;
    system {
        host-name gw01;
        domain-name my.local;
        root-authentication {
            encrypted-password "$1$55NlTuP4$Mxiph57KFUL4bZlBHrm9V/";
        }
        services {
            ssh;
            telnet;
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description INTERNAL;
                family inet {
                    address 172.17.1.1/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description EXTERNAL;
                family inet {
                    address 192.168.1.2/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.1.1;
        }
    }
    security {
        zones {
            security-zone trust {
                tcp-rst;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
    }

     

    I can successfully ping the external interface 192.168.1.2 from the local host (ip=172.17.1.2), but the next-hop ping to 192.168.1.1 does not work.

    When I make a few small changes to this config to set up a simple source interface NAT, it all seems to work well. In this case I can ping 192.168.1.1 and even connect to the HTTP server on it.

     

     

    <...>
            from-zone trust to-zone untrust{
                policy Int2Ext {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
    <...>

     

     

    I don't understand why the first config does not work. It makes me crazy :(

    Can you please check my config to see if there is a mistake I don't see?

     



  • 2.  RE: Junos-ES Basic Setup
    Best Answer

    Posted 01-25-2010 04:05

    Hello there,

    Config seems pretty basic to me.

    Does your system at 192.168.1.1 have a route back to 172.17.1.2?

    With src NAT, all traffic sent from 172.17.1.2 to 192.168.1.1 gets its src.IP NAT-ed to 192.168.1.2 and of course, your system at 192.168.1.1 knows how to route to its connected subnet.

    Rgds

    Alex
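
The return-path reasoning in the answer above, as an added example that is not part of the original thread: a longest-prefix-match lookup showing where the host at 192.168.1.1 sends its reply with and without source NAT. The three routing tables and the 203.0.113.1 next hop are constructed assumptions; only the gw01 addresses come from the posted config.

```python
import ipaddress

GW01_EXTERNAL = "192.168.1.2"   # ge-0/0/1.0 address from the posted config

# Constructed routing tables for the host at 192.168.1.1 (assumptions, not from the thread).
CONNECTED_ONLY = [("192.168.1.0/24", "connected")]
WITH_DEFAULT = CONNECTED_ONLY + [("0.0.0.0/0", "203.0.113.1")]   # hypothetical upstream
WITH_RETURN_ROUTE = WITH_DEFAULT + [("172.17.1.0/24", GW01_EXTERNAL)]


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def reply_path(routes, reply_dst):
    """Where the host at 192.168.1.1 sends a reply addressed to reply_dst."""
    hit = lookup(routes, reply_dst)
    if hit is None:
        return "no-route"          # reply dropped, ping times out
    _, next_hop = hit
    if next_hop == "connected":
        return "on-link"           # delivered directly on 192.168.1.0/24
    if next_hop == GW01_EXTERNAL:
        return "via-gw01"          # routed back through the Junos box
    return "misrouted"             # leaves via another gateway instead of gw01


if __name__ == "__main__":
    cases = {"no NAT (src 172.17.1.2)": "172.17.1.2",
             "source NAT (src 192.168.1.2)": GW01_EXTERNAL}
    for name, table in [("connected only", CONNECTED_ONLY),
                        ("plus default route", WITH_DEFAULT),
                        ("plus return route", WITH_RETURN_ROUTE)]:
        for label, src in cases.items():
            print(f"{name:20} {label:30} -> {reply_path(table, src)}")
```

With source NAT the reply is always on-link; without NAT it only comes back through gw01 once the 172.17.1.0/24 return route exists.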



  • 3.  RE: Junos-ES Basic Setup

    Posted 01-25-2010 13:57

    Thanks to Alex, I have reviewed my test network config with more accuracy. This Junos config is correct!

    It seems the problem was somewhere in the PC's host firewall + test virtual machine options.

     

    Thank you once more! :)