SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Help with configuration srx240

    Posted 07-26-2012 05:28

    Hey All,

     

    I have some trouble getting a configuration working for my srx240 and I hope someone can provide some assistance and/or advice.

     

    ge0/0/0 = uplink network, I have defined it as 192.168.0.2/30 (192.168.0.1/30 comes from the other router)

    ge0/0/1 = a mini network 192.168.12.1/30 (a server is connected directly to this port)

    ge0/0/2 = mini network 192.168.13.1/24

    ge0/0/15 = management for the srx240

     

    All I want is that every network is able to

    -  go from ge0/0/0 to ge0/0/1 and reverse

    -  go from ge0/0/0 to ge0/0/2 and reverse

    -  go from ge0/0/1 to ge0/0/2 and reverse (optional)

     

    status now

    at this moment, "from the router" I can ping everywhere (192.168.0.1, 192.168.0.2, 192.168.12.1, 192.168.12.2 etc)

    once I connect a computer to ge0/0/2 (from 192.168.13.2) and I want to

    - ping to ge0/0/0 192.168.0.2 (port on the srx), it works

    - ping to ge0/0/0 192.168.0.1, it doesn't work

    - ping to ge0/0/1 192.168.12.1 (port on the srx), it doesn't work

    - ping to ge0/0/1 192.168.12.2 (server behind the srx), it doesn't work

     

    can someone have a look and maybe guide me in the right direction? by the way, I don't need the srx to handle firewall, security etc...

     

    interfaces {
        ge-0/0/0 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "uplink 192.168.0.1/16";
                family inet {
                    address 192.168.0.2/30;
                }
            }
        }
        ge-0/0/1 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "mini network 1 192.168.12.1/30";
                family inet {
                    address 192.168.12.1/30;
                }
            }
        }
        ge-0/0/2 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "mini network 2 192.168.13.1/24";
                family inet {
                    address 192.168.13.1/24;
                }
            }
        }
        ge-0/0/15 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "maintenance 192.168.15.1/30";
                family inet {
                    address 192.168.15.1/30;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet inside;
        }
        static {
            route 0.0.0.0/0 next-hop 192.168.0.1;
        }
        rib-groups {
            inside {
                import-rib inet.0;
            }
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/15.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
            security-zone uplink {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone mininetwork1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone mininetwork2 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/2.0;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone uplink {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone mininetwork1 {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone mininetwork2 {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone uplink to-zone mininetwork1 {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone uplink to-zone mininetwork2 {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone mininetwork1 to-zone uplink {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone mininetwork2 to-zone uplink {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

     

     



  • 2.  RE: Help with configuration srx240

     
    Posted 07-26-2012 05:47

    You're missing some security policies. If you don't want to bother with the security policies, just do set security policies default-policy permit-all. Delete what you don't need, like screens, nat, and even the policies.
    You can also have your firewall run in packet-mode instead, like a router, which I guess is what you want:

    delete security
    set security forwarding-options family mpls mode packet-based
    set security forwarding-options family iso mode packet-based
    set security forwarding-options family inet6 mode packet-based



  • 3.  RE: Help with configuration srx240

    Posted 07-26-2012 06:07

    thanks for your reply,

     

    I will test it asap, thanks!



  • 4.  RE: Help with configuration srx240

    Posted 07-30-2012 02:01

    Dear AdamLi,

     

    after your suggestion I have adapted my configuration to the following

     

    interfaces {
        ge-0/0/0 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "uplink 192.168.0.1/16";
                family inet {
                    address 192.168.0.2/30;
                }
            }
        }
        ge-0/0/1 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "mini network 1 192.168.12.1/30";
                family inet {
                    address 192.168.12.1/30;
                }
            }
        }
        ge-0/0/2 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "mini network 2 192.168.13.1/24";
                family inet {
                    address 192.168.13.1/24;
                }
            }
        }
        ge-0/0/15 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "maintenance 192.168.15.1/30";
                family inet {
                    address 192.168.15.1/30;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet inside;
        }
        static {
            route 0.0.0.0/0 next-hop 192.168.0.1;
        }
        rib-groups {
            inside {
                import-rib inet.0;
            }
        }
    }
    protocols {
        stp;
    }
    security {
        forwarding-options {
            family {
                inet6 {
                    mode packet-based;
                }
                mpls {
                    mode packet-based;
                }
                iso {
                    mode packet-based;
                }
            }
        }
    }
    

     the status now is that

    at this moment, "from the router" I can ping everywhere (192.168.0.1, 192.168.0.2, 192.168.12.1, 192.168.12.2 etc)

    once I connect a computer to ge0/0/2 (from 192.168.13.2) and I want to

    - ping to ge0/0/0 192.168.0.2 (port on the srx), it works

    - ping to ge0/0/0 192.168.0.1, it still doesn't work

    - ping to ge0/0/1 192.168.12.1 (port on the srx), it works now

    - ping to ge0/0/1 192.168.12.2 (server behind the srx), it works now

     

    somehow the Juniper doesn't allow the network to go "out" to 192.168.0.1; as the Juniper itself can ping 192.168.0.1, I assume it's possible... do you have any suggestion?



  • 5.  RE: Help with configuration srx240

     
    Posted 07-30-2012 05:11

    Just to make sure, are there routes to your networks on the 192.168.0.1 device, now that there is no source-nat anymore?

     

    I see you have rib groups configured; are there routes/forwarding entries in place in the table where ge-0/0/2 is located? I'm just assuming you're using some sort of filter-based forwarding here; otherwise you can remove everything that has to do with rib-groups and interface-routes.



  • 6.  RE: Help with configuration srx240

    Posted 07-30-2012 14:23

    Hi,

     

    After configuring the SRX in packet mode it becomes a pure router; no security features are applied anymore. That's why your current problem (ping to ge0/0/0 192.168.0.1 still doesn't work) is a routing problem.

     

    My suggestion: go to the router (192.168.0.1) and type show route for your PC IP (192.168.13.2). I believe you will not find this route in the routing table.

     

    If so, just add a static route to your subnet (192.168.13.0/24) with next-hop 192.168.0.2 on the router and try again from your PC.

     

    I hope it helps you. Please share with us the final status and let us know when it's solved.

     

    Regards,

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP

     

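    The following is an added example, not from this thread and not Juniper code. It models the point made in replies 5 and 6 with a longest-prefix-match lookup over two routing tables: the SRX table as the poster's configuration defines it, and an assumed table for the upstream router at 192.168.0.1 that knows only its directly connected link. The forward path from 192.168.13.2 to 192.168.0.1 resolves fine on the SRX, but the echo reply has nowhere to go until the upstream router learns 192.168.13.0/24 via 192.168.0.2; with the original interface source NAT the reply was addressed to 192.168.0.2, which the upstream router could reach, which is why the problem only appeared after NAT was removed. The upstream router's table and the helper names are assumptions.

```python
"""Forward/return path model for the thread's topology (added example)."""
from ipaddress import ip_address, ip_network

SRX_UPLINK_IP = "192.168.0.2"  # SRX address on ge-0/0/0, from the thread

# A route is (prefix, next_hop); next_hop None means directly connected.
# These mirror the interfaces and the static default route in the thread.
SRX_ROUTES = [
    (ip_network("192.168.0.0/30"), None),
    (ip_network("192.168.12.0/30"), None),
    (ip_network("192.168.13.0/24"), None),
    (ip_network("192.168.15.0/30"), None),
    (ip_network("0.0.0.0/0"), ip_address("192.168.0.1")),
]

# Assumed table of the upstream router: only its link to the SRX is known.
UPSTREAM_ROUTES = [
    (ip_network("192.168.0.0/30"), None),
]


def lookup(routes, dst):
    """Longest-prefix match; returns the matching (prefix, next_hop) or None."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def reply_reaches_srx(pc_ip, upstream_routes, source_nat=False):
    """Does the upstream router have a route for the echo reply?

    With interface source NAT the reply is addressed to the SRX uplink
    address; without it, the reply carries the PC's real address.
    """
    reply_dst = SRX_UPLINK_IP if source_nat else pc_ip
    return lookup(upstream_routes, reply_dst) is not None


def add_return_route(routes, prefix="192.168.13.0/24", next_hop=SRX_UPLINK_IP):
    """The fix suggested in reply 6: a static route on the upstream router."""
    return routes + [(ip_network(prefix), ip_address(next_hop))]


if __name__ == "__main__":
    pc = "192.168.13.2"
    print("SRX forward lookup for 192.168.0.1:", lookup(SRX_ROUTES, "192.168.0.1"))
    print("reply reaches SRX, no NAT:", reply_reaches_srx(pc, UPSTREAM_ROUTES))
    print("reply reaches SRX, with NAT:", reply_reaches_srx(pc, UPSTREAM_ROUTES, source_nat=True))
    fixed = add_return_route(UPSTREAM_ROUTES)
    print("reply reaches SRX after static route:", reply_reaches_srx(pc, fixed))
```

    The same check applies to any prefix behind the SRX: the ping from 192.168.13.2 to 192.168.12.2 works because both prefixes are connected on the SRX and no second router is involved.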



  • 7.  RE: Help with configuration srx240
    Best Answer

    Posted 07-31-2012 02:32

    Hey all,

     

    After some testing, I added a loopback to my configuration and I finally have it working

     

        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
    

    it's still quite weird in my opinion... but anyway, it works 😄 Thanks for all your help 😄