07-26-2012 05:28 AM
Hey All,
I have some trouble getting a configuration working for my SRX240, and I hope someone can provide some assistance and/or advice.
ge0/0/0 = uplink network; I have defined it as 192.168.0.2/30 (192.168.0.1/30 comes from the other router)
ge0/0/1 = a mini network 192.168.12.1/30 (a server is connected directly to this port)
ge0/0/2 = mini network 192.168.13.1/24
ge0/0/15 = management for the SRX240
All I want to have working is that all networks are able to:
- go from ge0/0/0 to ge0/0/1 and reverse
- go from ge0/0/0 to ge0/0/2 and reverse
- go from ge0/0/1 to ge0/0/2 and reverse (optional)
Status now:
At this moment, "from the router" I can ping everywhere (192.168.0.1, 192.168.0.2, 192.168.12.1, 192.168.12.2, etc.)
Once I connect a computer at ge0/0/2 (from 192.168.13.2) and I want to:
- ping to ge0/0/0 192.168.0.2 (port on the SRX), it works
- ping to ge0/0/0 192.168.0.1, it doesn't work
- ping to ge0/0/1 192.168.12.1 (port on the SRX), it doesn't work
- ping to ge0/0/1 192.168.12.2 (server behind the SRX), it doesn't work
Can someone have a look and maybe guide me in the right direction? By the way, I don't need the SRX to handle firewall, security, etc...
interfaces {
    ge-0/0/0 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "uplink 192.168.0.1/16";
            family inet {
                address 192.168.0.2/30;
            }
        }
    }
    ge-0/0/1 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "mini network 1 192.168.12.1/30";
            family inet {
                address 192.168.12.1/30;
            }
        }
    }
    ge-0/0/2 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "mini network 2 192.168.13.1/24";
            family inet {
                address 192.168.13.1/24;
            }
        }
    }
    ge-0/0/15 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "maintenance 192.168.15.1/30";
            family inet {
                address 192.168.15.1/30;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        route 0.0.0.0/0 next-hop 192.168.0.1;
    }
    rib-groups {
        inside {
            import-rib inet.0;
        }
    }
}
protocols {
    stp;
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/15.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone uplink {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone mininetwork1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone mininetwork2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone uplink {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone mininetwork1 {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone mininetwork2 {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone uplink to-zone mininetwork1 {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone uplink to-zone mininetwork2 {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone mininetwork1 to-zone uplink {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone mininetwork2 to-zone uplink {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
07-26-2012 05:46 AM - edited 07-26-2012 05:55 AM
You're missing some security policies. If you don't want to bother with the security policies, just do set security policies default-policy permit-all. Delete what you don't need, like screens, NAT, and even the policies.
You can also have your firewall run in packet mode instead, like a router, which I guess is what you want:
delete security
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based
set security forwarding-options family inet6 mode packet-based
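Added example (not part of the thread, and not a Juniper tool): a small Python checker that parses Junos brace-style configuration, maps each logical interface to its security zone and lists the zone pairs the poster's desired flows would cross that have no permit policy; it also honours the suggested default-policy permit-all. The embedded configuration is a constructed excerpt of the zones and policies from the first post (policy names p1..p4 and the WANTED_FLOWS list are assumptions).

```python
import re

# Constructed excerpt modelled on the zones and policies of the first post
# (descriptions, NAT and screens left out; policy names assumed). Added
# example, not the poster's or Juniper's own code.
SAMPLE_CONFIG = """
security {
    zones {
        security-zone trust { interfaces { ge-0/0/15.0; } }
        security-zone untrust { screen untrust-screen; }
        security-zone uplink { interfaces { ge-0/0/0.0; } }
        security-zone mininetwork1 { interfaces { ge-0/0/1.0; } }
        security-zone mininetwork2 { interfaces { ge-0/0/2.0; } }
    }
    policies {
        from-zone uplink to-zone mininetwork1 { policy p1 { then { permit; } } }
        from-zone uplink to-zone mininetwork2 { policy p2 { then { permit; } } }
        from-zone mininetwork1 to-zone uplink { policy p3 { then { permit; } } }
        from-zone mininetwork2 to-zone uplink { policy p4 { then { permit; } } }
    }
}
"""

# Flows the poster asked for, as (ingress, egress) logical interfaces:
# ge-0/0/0 <-> ge-0/0/1, ge-0/0/0 <-> ge-0/0/2 and (optionally) ge-0/0/1 <-> ge-0/0/2.
WANTED_FLOWS = [
    ("ge-0/0/0.0", "ge-0/0/1.0"), ("ge-0/0/1.0", "ge-0/0/0.0"),
    ("ge-0/0/0.0", "ge-0/0/2.0"), ("ge-0/0/2.0", "ge-0/0/0.0"),
    ("ge-0/0/1.0", "ge-0/0/2.0"), ("ge-0/0/2.0", "ge-0/0/1.0"),
]


def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts.

    A container ("zones { ... }") becomes a dict keyed by its header words;
    a leaf statement ("permit;") maps to None. Quoted strings stay one token.
    """
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node

    return block()


def zone_of_interface(config):
    """Map every logical interface listed under a security zone to that zone."""
    mapping = {}
    for key, body in config["security"]["zones"].items():
        if key.startswith("security-zone "):
            for ifname in (body or {}).get("interfaces") or {}:
                mapping[ifname] = key.split()[1]
    return mapping


def default_permit(config):
    """True when 'set security policies default-policy permit-all' is present."""
    policies = config["security"].get("policies") or {}
    return "permit-all" in (policies.get("default-policy") or {})


def permitted_pairs(config):
    """Zone pairs (from, to) with at least one policy whose action is permit."""
    pairs = set()
    for key, body in (config["security"].get("policies") or {}).items():
        m = re.match(r"from-zone (\S+) to-zone (\S+)$", key)
        if not m:
            continue
        for pname, pbody in (body or {}).items():
            if pname.startswith("policy ") and "permit" in ((pbody or {}).get("then") or {}):
                pairs.add((m.group(1), m.group(2)))
    return pairs


def missing_policies(config, flows):
    """Zone pairs crossed by `flows` that no permit policy covers.

    Junos denies inter- and intra-zone traffic alike unless a policy (or the
    permit-all default policy) allows it, so same-zone pairs are checked too.
    """
    if default_permit(config):
        return []
    zone, allowed, missing = zone_of_interface(config), permitted_pairs(config), []
    for src_if, dst_if in flows:
        pair = (zone[src_if], zone[dst_if])
        if pair not in allowed and pair not in missing:
            missing.append(pair)
    return missing


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    for src, dst in missing_policies(cfg, WANTED_FLOWS):
        print(f"no permit policy from-zone {src} to-zone {dst}")
```

Run against the first post's zones and policies it reports the two mininetwork1/mininetwork2 pairs as uncovered, which matches the ping from 192.168.13.2 to 192.168.12.2 failing while the uplink pairs work; adding default-policy permit-all (or switching to packet mode, as above) makes the check moot.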
07-26-2012 06:06 AM
Thanks for your reply,
I will test it ASAP, thanks!
07-30-2012 02:01 AM
Dear AdamLi,
After your suggestion I have adapted my configuration to the following:
interfaces {
    ge-0/0/0 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "uplink 192.168.0.1/16";
            family inet {
                address 192.168.0.2/30;
            }
        }
    }
    ge-0/0/1 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "mini network 1 192.168.12.1/30";
            family inet {
                address 192.168.12.1/30;
            }
        }
    }
    ge-0/0/2 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "mini network 2 192.168.13.1/24";
            family inet {
                address 192.168.13.1/24;
            }
        }
    }
    ge-0/0/15 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "maintenance 192.168.15.1/30";
            family inet {
                address 192.168.15.1/30;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        route 0.0.0.0/0 next-hop 192.168.0.1;
    }
    rib-groups {
        inside {
            import-rib inet.0;
        }
    }
}
protocols {
    stp;
}
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}
The status now is:
At this moment, "from the router" I can ping everywhere (192.168.0.1, 192.168.0.2, 192.168.12.1, 192.168.12.2, etc.)
Once I connect a computer at ge0/0/2 (from 192.168.13.2) and I want to:
- ping to ge0/0/0 192.168.0.2 (port on the SRX), it works
- ping to ge0/0/0 192.168.0.1, still doesn't work
- ping to ge0/0/1 192.168.12.1 (port on the SRX), works now
- ping to ge0/0/1 192.168.12.2 (server behind the SRX), works now
Somehow the Juniper doesn't allow the network to go "out" to 192.168.0.1; since the Juniper itself can ping 192.168.0.1, I assume it's possible... Do you have any suggestion?
07-30-2012 05:11 AM - edited 07-30-2012 05:22 AM
Just to make sure: are there routes to your networks on the 192.168.0.1 device, now that there is no source NAT anymore?
I see you have rib-groups configured; are there routes/forwarding entries in place in the table where ge-0/0/2 is located? I'm just assuming you're using some sort of filter-based forwarding here; otherwise you can remove everything that has to do with rib-groups and interface-routes.
07-30-2012 02:22 PM
Hi,
After configuring the SRX in packet mode, it becomes a pure router; no security features are applied anymore. That's why your current problem (ping to ge0/0/0 192.168.0.1 still doesn't work) is a routing problem.
I will give you a suggestion: if you go to the router (192.168.0.1) and type show route for your PC IP (192.168.13.2), I believe you will not find this route in the routing table.
If so, just add a static route to your subnet (192.168.13.0/24) with next-hop 192.168.0.2 on the router and try again from your PC.
I hope it helps you. Please share with us the final status and let us know when it is solved.
Regards,
Mohamed Elhariry
JNCIE-M/T # 1059, CCNP & CCIP
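Added example (not from the thread, not Juniper or the poster's output): a Python model of the routing problem described in the reply above. It holds constructed routing tables for the PC, the SRX in packet mode and the upstream router, does a longest-prefix lookup on each hop, and checks a ping in both directions, because an echo request that reaches 192.168.0.1 is useless if the router has no route back to 192.168.13.2. The device names, the OWNER map and the tables are assumptions built from the addresses in the thread.

```python
import ipaddress

# Constructed routing tables for the thread's topology (assumed, not real
# device output). Entries are (prefix, next-hop); a next-hop of None means the
# prefix is a directly connected subnet.
TABLES_BEFORE = {
    "pc": [("192.168.13.0/24", None), ("0.0.0.0/0", "192.168.13.1")],
    "srx": [("192.168.0.0/30", None), ("192.168.12.0/30", None),
            ("192.168.13.0/24", None), ("192.168.15.0/30", None),
            ("0.0.0.0/0", "192.168.0.1")],
    # The upstream router only knows the /30 link it shares with the SRX.
    "router": [("192.168.0.0/30", None)],
}
# Which device owns each address, so a next-hop can be resolved to a device.
OWNER = {"192.168.13.2": "pc", "192.168.13.1": "srx", "192.168.12.1": "srx",
         "192.168.0.2": "srx", "192.168.0.1": "router"}


def lookup(table, dst):
    """Longest-prefix match; returns a next-hop IP, "connected", or None (no route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None
    return best[1] or "connected"


def trace(tables, src_dev, dst, max_hops=8):
    """Follow next-hops from src_dev until dst lies on a connected subnet.

    Returns (reached, hops) where hops lists the next-hop addresses used.
    """
    dev, hops = src_dev, []
    for _ in range(max_hops):
        nh = lookup(tables[dev], dst)
        if nh is None:
            return False, hops  # no route: the packet is dropped on this device
        if nh == "connected":
            return True, hops
        hops.append(nh)
        dev = OWNER[nh]
    return False, hops  # routing loop or path too long


def ping_works(tables, src_dev, src_ip, dst_dev, dst_ip):
    """A ping needs both directions: the echo request out and the reply back."""
    forward, _ = trace(tables, src_dev, dst_ip)
    reply, _ = trace(tables, dst_dev, src_ip)
    return forward, reply


def with_return_route(tables):
    """The suggested fix: a static route for 192.168.13.0/24 via 192.168.0.2 on the router."""
    fixed = {dev: list(t) for dev, t in tables.items()}
    fixed["router"].append(("192.168.13.0/24", "192.168.0.2"))
    return fixed


if __name__ == "__main__":
    cases = (("before", TABLES_BEFORE), ("after", with_return_route(TABLES_BEFORE)))
    for label, tables in cases:
        fwd, rep = ping_works(tables, "pc", "192.168.13.2", "router", "192.168.0.1")
        print(f"{label}: request reaches router={fwd}, reply reaches PC={rep}")
```

The model reproduces the symptom: the request from the PC reaches the router (SRX default route), but the reply has no route and dies on the router, while a ping to the SRX's own 192.168.0.2 succeeds because the SRX has 192.168.13.0/24 connected. Adding the static route on the router closes the return path.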
07-31-2012 02:32 AM
Hey all,
After some testing, I have added a loopback to my configuration, and I finally have it working:
lo0 {
    unit 0 {
        family inet {
            address 127.0.0.1/32;
        }
    }
}
It's still quite weird in my opinion... but anyway, it works.
Thanks for all your help!