Hi people,
I am new to Junos. I want to test out a simple Junos-ES setup, but it doesn't work the way I want. I am trying to build a very simple router config without NAT. Here is the config.
version 9.2R1.10;
system {
    host-name gw01;
    domain-name my.local;
    root-authentication {
        encrypted-password "$1$55NlTuP4$Mxiph57KFUL4bZlBHrm9V/";
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description INTERNAL;
            family inet {
                address 172.17.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description EXTERNAL;
            family inet {
                address 192.168.1.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
security {
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
I can successfully ping the external interface 192.168.1.2 from the local host (ip=172.17.1.2), but a ping to the next hop 192.168.1.1 does not work.
When I make a small change to this config to set up simple interface source NAT, everything seems to work. In this case I can ping 192.168.1.1 and even connect to the HTTP server on it.
<...>
from-zone trust to-zone untrust {
    policy Int2Ext {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                source-nat {
                    interface;
                }
            }
        }
    }
}
<...>
I don't understand why the first config does not work. It is driving me crazy.
Can you please check my config, in case there is a mistake I don't see?
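Added example (not part of the original post, and not Junos code): a tiny forwarding simulation of the two setups above, showing why the return path decides whether the ping from 172.17.1.2 to 192.168.1.1 succeeds. It assumes (not stated in the post) that the upstream router 192.168.1.1 knows only its directly connected 192.168.1.0/24 and has no route back to 172.17.1.0/24.

```python
"""Route-lookup simulation of the gw01 setup from the post, with and
without interface source NAT on the trust-to-untrust policy."""
from ipaddress import ip_address, ip_network

# Constructed routing tables: prefix -> next hop ("connected" = deliver locally)
GW01_ROUTES = {          # gw01, from the posted config
    "172.17.1.0/24": "connected",
    "192.168.1.0/24": "connected",
    "0.0.0.0/0": "192.168.1.1",
}
UPSTREAM_ROUTES = {      # 192.168.1.1, ASSUMED: knows only its own LAN
    "192.168.1.0/24": "connected",
}
GW01_ADDRS = {"172.17.1.1", "192.168.1.2"}   # gw01's own interface addresses

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    best = None
    for prefix, nh in routes.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def ping(src, dst, source_nat):
    """Echo request from src towards dst via gw01, then the echo reply back.
    Returns True only if the reply can be routed back to src."""
    if dst in GW01_ADDRS:
        # gw01 answers itself and has a connected route back to the trust LAN.
        return lookup(GW01_ROUTES, src) is not None
    # Forward direction: gw01 forwards the request using its default route.
    if lookup(GW01_ROUTES, dst) is None:
        return False
    # Interface source NAT rewrites the source to gw01's untrust address.
    reply_dst = "192.168.1.2" if source_nat else src
    # Reverse direction: the upstream router must have a route for the reply.
    if lookup(UPSTREAM_ROUTES, reply_dst) is None:
        return False          # reply dropped: no route back to 172.17.1.0/24
    # With NAT, gw01 translates the reply back to the original host.
    return True

if __name__ == "__main__":
    print("ping 192.168.1.2, no NAT :", ping("172.17.1.2", "192.168.1.2", False))  # True
    print("ping 192.168.1.1, no NAT :", ping("172.17.1.2", "192.168.1.1", False))  # False
    print("ping 192.168.1.1, int NAT:", ping("172.17.1.2", "192.168.1.1", True))   # True
```

The same check applies to the HTTP connection mentioned in the post: the SYN reaches 192.168.1.1, but the SYN-ACK only finds a route home once the source has been translated to 192.168.1.2.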