SRX


  • 1.  Cannot access Internet on DMZ interface SRX240

    Posted 07-12-2012 03:44

    Hi all,

     

    I configured an SA2500 behind an SRX240 for SSL VPN. When I connect over SSL VPN from the Internet, the connection succeeds and I can reach my internal network from outside, but the VPN session cannot access the Internet. I then plugged a laptop directly into the SRX240 DMZ port, with the laptop's default gateway set to the firewall's DMZ IP address, and it also cannot access the Internet. Here is my configuration:

     

    /* Internet-facing interface: .118 on a /28 (202.125.210.112-127).
       The NAT pool and static-NAT addresses used below (.119, .120, .125,
       .126) fall inside this same /28, which is why proxy-arp is needed on
       ge-0/0/0.0. The security-zone binding is not in this paste; it is
       presumably the "untrust" zone referenced by the NAT rule-sets. */
    ge-0/0/0 {
    unit 0 {
    family inet {
    filter {
    /* Stateless input filter; its terms are not shown here. Worth
       confirming it only drops unwanted SSH and does not also discard
       return traffic for the VPN or the NAT pools. */
    input block-ssh-attack;
    }
    address 202.125.210.118/28;
    }
    }
    }
    /* Internal LAN interface, 192.168.0.0/23. This prefix is the one matched
       by the trust-to-untrust NAT rule-set and the trust policies below, so
       this is presumably the "trust" zone interface (binding not shown). */
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.0.1/23;
    }
    }
    }
    /* DMZ interface per the post, 192.168.100.0/24 - the prefix matched by
       the DMZ NAT rule-set and DMZ policies. NOTE(review): the binding of
       ge-0/0/2.0 to a security-zone literally named "DMZ" (and any
       host-inbound-traffic the gateway must answer, e.g. ping) is not in
       this paste; with the NAT rule and policies already present, that
       binding is the first thing to verify when the DMZ cannot reach the
       Internet. */
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 192.168.100.254/24;
    }
    }
    }

    /* NAT configuration (normally under [edit security]; the enclosing
       hierarchy and the security-zone definitions are not in this paste). */
    nat{
    source {
    /* Single-address pool used by the general LAN rule and by the DMZ rule. */
    pool Internet-NAT {
    address {
    202.125.210.119/32 to 202.125.210.119/32;
    }
    }
    /* Dedicated public address for the four GE hosts. */
    pool GE {
    address {
    202.125.210.120/32 to 202.125.210.120/32;
    }
    }
    /* Rules inside a rule-set are evaluated top-down, first match: the
       host-specific GE rule must stay ahead of the broader /23 rule. */
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule GE {
    match {
    source-address [ 192.168.0.65/32 192.168.0.66/32 192.168.0.63/32 192.168.0.64/32 ];
    }
    then {
    source-nat {
    pool {
    GE;
    }
    }
    }
    }
    rule Internet {
    match {
    source-address 192.168.0.0/23;
    }
    then {
    source-nat {
    pool {
    Internet-NAT;
    }
    }
    }
    }
    }
    /* Source NAT for DMZ -> Internet. This is already the rule the accepted
       answer asks for; if DMZ sessions still fail, check this rule's hit
       counter and confirm the zone ge-0/0/2.0 is bound to is spelled
       exactly "DMZ" (zone names are case-sensitive). */
    rule-set DMZ-Untrust {
    from zone DMZ;
    to zone untrust;
    rule DMZ-internet {
    match {
    source-address 192.168.100.0/24;
    }
    then {
    source-nat {
    pool {
    Internet-NAT;
    }
    }
    }
    }
    }
    }

    /* One-to-one static mappings for inbound access. Static NAT only
       translates; what may actually reach 192.168.100.1 and 192.168.0.50 is
       decided by the untrust-to-DMZ and untrust-to-trust policies. */
    static {
    rule-set DMZ-Static-NAT {
    from zone untrust;
    rule DMZ-Static-NAT {
    match {
    destination-address 202.125.210.126/32;
    }
    then {
    static-nat prefix 192.168.100.1/32;
    }
    }
    rule Polycom {
    match {
    destination-address 202.125.210.125/32;
    }
    then {
    static-nat prefix 192.168.0.50/32;
    }
    }
    }
    }
    /* The SRX must answer ARP for pool/static addresses that are in
       ge-0/0/0's /28 but are not its own interface address. All four
       addresses used above (.119, .120, .125, .126) are covered. */
    proxy-arp {
    interface ge-0/0/0.0 {
    address {
    202.125.210.119/32 to 202.125.210.119/32;
    202.125.210.120/32 to 202.125.210.120/32;
    202.125.210.126/32 to 202.125.210.126/32;
    202.125.210.125/32 to 202.125.210.125/32;
    }
    }
    }

    }

    policies {

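    /* LAN -> Internet. Policies are evaluated top-down, first match.
       The closing brace of this from-zone stanza was missing in the
       original listing and is restored below. */
    from-zone trust to-zone untrust{

    /* All applications outbound for the Polycom endpoint. Unlike the other
       permits in this listing it has no session logging, only a counter;
       consider adding log { session-close; } for consistent visibility. */
    policy Polycom-IP-50 {
    match {
    source-address 192.168.0.50;
    destination-address any;
    application any;
    }
    then {
    permit;
    count;
    }
    }
    /* Explicit application allow-list for the rest of the LAN. Only
       session-close is logged (session-init is deactivated). */
    policy trust-to-untrust {
    match {
    source-address 192.168.0.0/23;
    destination-address any;
    application [ GoogleTalk junos-irc junos-msn junos-ntp Webhosting junos-ymsg APPLE-ICHAT-SNATMAP junos-http junos-https junos-ftp junos-ssh junos-ping junos-whois junos-dns-udp junos-dns-tcp HTTP-EXT-TCP-8000 HTTP-EXT-TXP-8080 HTTP-EXT-TCP-8100 HTTP-EXT-TCP-8200 HTTP-EXT-TCP-8888 HTTP-EXT-TCP-9080 HTTP-EXT-TCP-3128 junos-http-ext Traceroute Netmeeting-389 Netmeeting-TCP-522 Netmeeting-TCP-1503 Netmeeting-TCP-1731 AsiaNewsLive-Set Secure-POP-IMAP-Set SecureLDAP ];
    }
    then {
    permit;
    log {
    inactive: session-init;
    session-close;
    }
    count;
    }
    }

    /* Logged clean-up deny. The SRX denies unmatched traffic anyway; the
       explicit rule exists so the drops are logged and counted. */
    policy Any {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    log {
    session-init;
    session-close;
    }
    count;
    }
    }
    }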


    /* LAN -> DMZ: the whole /23 may reach the whole DMZ on any application. */
    from-zone trust to-zone DMZ {
    policy Trust-DMZ {
    match {
    source-address 192.168.0.0/23;
    destination-address 192.168.100.0/24;
    application any;
    }
    then {
    permit;
    count;
    }
    }
    /* Clean-up deny (counted, not logged). */
    policy Trust-DMZ-ANY {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    count;
    }
    }
    }
    /* DMZ -> LAN. NOTE(review): this permits every DMZ host to reach every
       LAN host on any application. 192.168.100.1 is reachable from the
       Internet (static NAT to .126 plus the untrust-to-DMZ http/https
       permit), so a compromise of that host would give unrestricted access
       to the internal network, which defeats the purpose of the DMZ.
       Restrict source-address/destination-address/application to what the
       DMZ systems (e.g. the SSL VPN appliance) actually need. */
    from-zone DMZ to-zone trust {
    policy DMZ-Trust {
    match {
    source-address 192.168.100.0/24;
    destination-address 192.168.0.0/23;
    application any;
    }
    then {
    permit;
    count;
    }
    }
    /* Clean-up deny (counted, not logged). */
    policy DMZ-Trust-ANY {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    count;
    }
    }
    }
    /* Internet -> LAN. The destination is the internal address because the
       SRX applies static NAT (202.125.210.125 -> 192.168.0.50) before the
       policy lookup. NOTE(review): "source-address any" with "application
       any" exposes every port of an internal host to the whole Internet.
       Narrow the application list to the protocols the Polycom endpoint
       actually uses, and restrict source-address if the peers are known. */
    from-zone untrust to-zone trust {
    policy Untrust-Trust {
    match {
    source-address any;
    destination-address 192.168.0.50;
    application any;
    }
    then {
    permit;
    /* Both directions of this exposed host's sessions are logged - keep it. */
    log {
    session-init;
    session-close;
    }
    count;
    }
    }
    /* Logged clean-up deny for all other inbound traffic to the LAN. */
    policy Untrust-Trust-ANY {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    log {
    session-init;
    session-close;
    }
    count;
    }
    }
    }
    /* DMZ -> Internet. Together with the DMZ-Untrust source NAT rule-set
       this is everything the policy/NAT layers need for DMZ Internet
       access; both are present in this listing, so the missing piece is
       presumably elsewhere (zone binding of ge-0/0/2.0, or an uncommitted
       change). The policy name "DMZ-LAN" is misleading for a DMZ-to-
       Internet rule. */
    from-zone DMZ to-zone untrust {
    policy DMZ-LAN {
    match {
    source-address 192.168.100.0/24;
    destination-address any;
    application any;
    }
    then {
    permit;
    count;
    }
    }
    /* Clean-up deny (counted, not logged). */
    policy DMZ-Untrust-ANY {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    count;
    }
    }
    }
    /* Internet -> DMZ. IP-192.168.100.1 is an address-book object (its
       definition is not in this paste); it holds the internal address
       because static NAT (202.125.210.126 -> 192.168.100.1) is applied
       before the policy lookup. Only HTTP/HTTPS is permitted, which is the
       right shape for an exposed host; consider adding session logging
       as the untrust-to-trust policy does. */
    from-zone untrust to-zone DMZ {
    policy Incoming-NAT {
    match {
    source-address any;
    destination-address IP-192.168.100.1;
    application [ junos-http junos-https ];
    }
    then {
    permit;
    count;
    }
    }
    /* Clean-up deny: any other service on the DMZ hosts stays unreachable
       from the Internet (counted, not logged). */
    policy Untrust-DMZ-Any {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    deny;
    count;
    }
    }
    }

     

     



  • 2.  RE: Cannot access Internet on DMZ interface SRX240
    Best Answer

    Posted 07-12-2012 04:48

    Hi

     

    You need a source NAT rule for the DMZ network (from zone DMZ to zone untrust) so that traffic leaving the DMZ for the Internet is translated to a public address. Your paste already shows a `DMZ-Untrust` rule-set doing this, so confirm it is actually committed and that the zone name it references is the zone ge-0/0/2.0 is bound to.

     

    I have a similar setup here SRX & SA700.

     

    I have attached my working config with the passwords and IP addresses changed. It has also been set up to pass TCP 443 and UDP 4500, so the SA700 can use ESP mode with fallback to SSL.

    Attachment(s)



  • 3.  RE: Cannot access Internet on DMZ interface SRX240

    Posted 07-15-2012 19:30

    Thanks for your help - I can access the Internet from the DMZ now.