Hi,
I am working on connecting a firewall 240 to the Internet providedby the ISP.
I currently followed this guide http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/routing-protocol-bgp-security-point-to-point-peering-session-configuring-cli.html but if I try to ping to internet to for example 8.8.8.8 it does not work.
It looks like the BGP protocol is working fine, as all the troubleshooting commands looks fine.
What am I missing ?
## Last changed: 2013-08-26 09:58:14 UTC
version 11.4R7.5;
groups {
node0 {
system {
host-name trunks;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.16.20.1/24;
}
}
}
}
}
node1 {
system {
host-name goten;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.16.20.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
root-authentication {
encrypted-password "$1$j"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
xnm-clear-text;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
cluster {
reth-count 2;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
interface-monitor {
ge-0/0/5 weight 255;
ge-5/0/5 weight 255;
ge-0/0/6 weight 255;
ge-5/0/6 weight 255;
ge-0/0/7 weight 255;
ge-5/0/7 weight 255;
}
}
}
}
interfaces {
ge-0/0/5 {
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/6 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/7 {
gigether-options {
redundant-parent reth2;
}
}
ge-5/0/5 {
gigether-options {
redundant-parent reth1;
}
}
ge-5/0/6 {
gigether-options {
redundant-parent reth0;
}
}
ge-5/0/7 {
gigether-options {
redundant-parent reth2;
}
}
fab0 {
fabric-options {
member-interfaces {
ge-0/0/4;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-5/0/4;
}
}
}
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 172.2.1.1/24;
}
}
}
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 10.26.1.90/30;
}
}
}
reth2 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 10.26.1.94/30;
}
}
}
}
routing-options {
autonomous-system 65400;
}
protocols {
bgp {
group external-peers {
type external;
peer-as 65300;
neighbor 10.26.1.89;
neighbor 10.26.1.93;
}
}
stp;
}
security {
nat {
source {
rule-set nat-trust-outgoing {
from zone trust;
to zone untrust;
rule r1 {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy from-trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy tmp-untrust-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
interfaces {
reth1.0 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
}
reth2.0 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
bgp;
}
}
}
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
ping;
traceroute;
}
protocols {
all;
}
}
interfaces {
reth0.0 {
host-inbound-traffic {
system-services {
ssh;
ping;
}
}
}
}
}
}
}
Peer: 10.26.1.89+179 AS 65300 Local: 10.26.1.90+62176 AS 65400
Type: External State: Established Flags: <Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: Cease
Options: <Preference PeerAS Refresh>
Holdtime: 90 Preference: 170
Number of flaps: 2
Last flap event: Stop
Error: 'Cease' Sent: 2 Recv: 0
Peer ID: 10.26.1.89 Local ID: 10.26.1.90 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 0
BFD: disabled, down
Local Interface: reth1.0
NLRI for restart configured on peer: inet-unicast
NLRI advertised by peer: inet-unicast
NLRI for this session: inet-unicast
Peer supports Refresh capability (2)
Stale routes from peer are kept for: 300
Peer does not support Restarter functionality
Peer does not support Receiver functionality
Peer supports 4 byte AS extension (peer-as 65300)
Peer does not support Addpath
Table inet.0 Bit: 10000
RIB State: BGP restart is complete
Send state: in sync
Active prefixes: 1
Received prefixes: 1
Accepted prefixes: 1
Suppressed due to damping: 0
Advertised prefixes: 0
Last traffic (seconds): Received 1 Sent 27 Checked 1
Input messages: Total 210 Updates 3 Refreshes 0 Octets 4077
Output messages: Total 243 Updates 0 Refreshes 0 Octets 4781
Output Queue[0]: 0
Peer: 10.26.1.93 AS 65300 Local: 10.26.1.94 AS 65400
Type: External State: Idle Flags: <PeerInterfaceError>
Last State: Active Last Event: Stop
Last Error: None
Options: <Preference PeerAS Refresh>
Holdtime: 90 Preference: 170
Number of flaps: 0
> show bgp group
Group Type: External Local AS: 65400
Name: external-peers Index: 0 Flags: <>
Holdtime: 0
Total peers: 2 Established: 1
10.26.1.89+179
10.26.1.93
inet.0: 1/1/1/0
Groups: 1 Peers: 2 External: 2 Internal: 0 Down peers: 1 Flaps: 2
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
1 1 0 0 0 0
show bgp summary
Groups: 1 Peers: 2 Down peers: 1
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
1 1 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.26.1.89 65300 215 249 0 2 1:03:40 1/1/1/0 0/0/0/0
10.26.1.93 65300 0 0 0 0 1:28:53 Idle
> ping 10.26.1.89
PING 10.26.1.89 (10.26.1.89): 56 data bytes
64 bytes from 10.26.1.89: icmp_seq=0 ttl=255 time=2.624 ms
64 bytes from 10.26.1.89: icmp_seq=1 ttl=255 time=2.156 ms
^C
--- 10.26.1.89 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.156/2.390/2.624/0.234 ms
> ping 10.26.1.93
PING 10.26.1.93 (10.26.1.93): 56 data bytes
64 bytes from 10.26.1.93: icmp_seq=0 ttl=254 time=13.857 ms
64 bytes from 10.26.1.93: icmp_seq=1 ttl=254 time=8.525 ms
64 bytes from 10.26.1.93: icmp_seq=2 ttl=254 time=8.652 ms
^C
--- 10.26.1.93 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.525/10.345/13.857/2.484 ms
{primary:node1}
> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
{primary:node1}