SRX

  • 1.  NAT trouble

    Posted 06-12-2014 15:34

    Hi all,

    I have an EX3200 and an SRX220 on my network. The SRX220 is on a stick and connects to the ISP through PPPoE.

    I got an IP address, and I can ping the internet from my public IP and ping my public IP from the VLAN on the EX3200.

    I have 2 static routes:

    route 0.0.0.0/0 next-hop pp0.0

    route 192.168.0.0/16 next-hop 190.168.90.254

    My trouble is, I can't ping the internet from the VLAN inside. I did static NAT or source NAT, but it is impossible to ping Google.

    Please, I need some ideas.

    Thanks for the quick action.


  • 2.  RE: NAT trouble

    Posted 06-12-2014 18:04

    Hi...

    Let me understand the setup. Is it like below?

    Client ----- EXswitch-------srx220--------Internet

    Now, please help by adding the IP and VLAN details and the current config on the SRX.

    Thanks,

    SHKM



  • 3.  RE: NAT trouble

    Posted 06-13-2014 06:55

    Here are the configs.

    Switch EX3200

    system {
        services {
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members Net_Admin;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members Server_Admin;
                    }
                }
            }
        }
        ge-0/0/46 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        vlan {
            unit 10 {
                family inet {
                    address 192.168.0.5/24;
                }
            }
            unit 90 {
                family inet {
                    address 192.168.90.253/24;
                }
            }
        }
    }
    vlans {
        Net_Admin {
            vlan-id 90;
            l3-interface vlan.90;
        }
        Server_Admin {
            vlan-id 10;
            l3-interface vlan.10;
        }
    }

    SRX220 Config

    interfaces {
        ge-0/0/6 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        vlan {
            unit 10 {
                family inet {
                    address 192.168.0.6/24;
                }
            }
            unit 90 {
                family inet {
                    address 192.168.90.254/24;
                }
            }
        }
        pp0 {
            unit 0 {
                ppp-options {
                    pap {
                        local-name "######";
                        local-password "$9$9yiSp01SyKL7Vlev8X7bwGUjk5Qz369tu"; ## SECRET-DATA
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/6.0;
                    idle-timeout 0;
                    auto-reconnect 10;
                    client;
                }
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }
    }
    vlans {
        Net_Admin {
            vlan-id 90;
            l3-interface vlan.90;
        }
        Server_Admin {
            vlan-id 10;
            l3-interface vlan.10;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/32 next-hop pp0.0;
            route 192.168.0.0./16 next-hop 192.168.90.254
        }
    }
    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
        nat {
            source {
                pool internet {
                    address {
                        192.197...../32; ### my public IP; for security purposes I removed the last 2 digits ###
                    }
                }
                rule-set internet {
                    from zone trust;
                    to zone untrust;
                    rule vlan_internet {
                        match {
                            source-address 192.168.0.0/16;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    internet;
                                }
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface pp0.0 {
                    address {
                        192.197..../32; ### my public IP; for security purposes I removed the last 2 digits ###
                    }
                }
            }
        }
        zones {
            security-zone untrust {
                interfaces {
                    pp0.0;
                }
            }
            security-zone trust {
                interfaces {
                    ge-0/0/7.10;
                    ge-0/0/7.90;
                }
            }
        }
    }

    Thank you



  • 4.  RE: NAT trouble

    Posted 06-13-2014 07:10

    Hi,

    You have configured the LAN route with the wrong next hop:

    route 192.168.0.0./16 next-hop 192.168.90.254

    It should be .90.253, not .90.254.



  • 5.  RE: NAT trouble

    Posted 06-13-2014 09:37

    I made the change, but it's still the same.

    Can't ping the internet.



  • 6.  RE: NAT trouble

    Posted 06-13-2014 09:47

    OK,

    Also, in the trust zone you should match on the vlan.10 and vlan.90 interfaces, not ge-0/0/7.10 and ge-0/0/7.90.



  • 7.  RE: NAT trouble

    Posted 06-13-2014 12:41

    Ping results
    ########################
    1) Pinging my public IP from the computer is OK, as you can see: SUCCESS

    C:\Program Files\Windows Resource Kits\Tools>pathping 192.197....

    Tracing route to 192.197... over a maximum of 30 hops

      0  Mobile.aei.local [192.168.90.1]
      1  192.197....

    Computing statistics for 25 seconds...
                Source to Here   This Node/Link
    Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
      0                                           Mobile.aei.local [192.168.90.1]
                                    0/ 100 =  0%   |
      1    2ms     0/ 100 =  0%     0/ 100 =  0%  192.197.....

    Trace complete.

    ############################################################

    2) Pinging Google from the computer, as you can see:

    C:\Program Files\Windows Resource Kits\Tools>pathping 8.8.8.8

    Tracing route to 8.8.8.8 over a maximum of 30 hops

      0  Mobile.....local [192.168.90.1]
      1  192.168.90.254
      2     *        *        *
    Computing statistics for 50 seconds...
                Source to Here   This Node/Link
    Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
      0                                           Mobile.aei.local [192.168.90.1]
                                    0/ 100 =  0%   |
      1    0ms     0/ 100 =  0%     0/ 100 =  0%  192.168.90.254
                                  100/ 100 =100%   |
      2  ---     100/ 100 =100%     0/ 100 =  0%  Mobile....local [0.0.0.0]

    Trace complete.

    ##########################################################

    3) Ping on the SRX220 from interface vlan.90 to google.ca: FAILED

    root@AEI1-SRX220> ping 8.8.8.8 source 192.168.90.254
    PING 8.8.8.8 (8.8.8.8): 56 data bytes

    #########################################################

    4) Ping on the SRX220 from the egress interface (pp0.0) to google.ca: SUCCESS
    root@AEI1-SRX220> ping 8.8.8.8 source 192.197....
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=48 time=35.731 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=35.842 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=41.723 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=48 time=41.737 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=48 time=35.898 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=48 time=35.581 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=48 time=35.861 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    7 packets transmitted, 7 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 35.581/37.482/41.737/2.689 ms

    #################################################
    Here is my NAT config:

    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
    nat {
        source {
            rule-set 1 {
                from zone trust;
                to zone untrust;
                rule 1a {
                    match {
                        source-address 192.168.0.0/16;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                pp0.0;
            }
        }
        security-zone trust {
            interfaces {
                vlan.10;
                vlan.50;
                vlan.60;
                vlan.70;
                vlan.80;
                vlan.90;
            }
        }
    }

    ##############################
    Route config

    root@AEI1-SRX220> show configuration routing-options
    static {
        route 0.0.0.0/0 next-hop pp0.0;
        route 192.168.0.0/16 next-hop 192.168.90.253;
    }

    Thanks



  • 8.  RE: NAT trouble

    Posted 06-13-2014 12:54

    I think you configured the FW to work in packet mode. That's why no security features like NAT or policy are used.

    You can remove this part:

    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }

    Then it will ask for a reboot to restore the policy features again and work in flow mode.

    Then, after the reboot, you need a security policy from trust to untrust to allow the traffic.



  • 9.  RE: NAT trouble

    Posted 06-16-2014 06:15

    Hi!!

    When I removed

    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }

    the local traffic is impossible. The workstation cannot ping the gateway on the SRX220, but from the SRX220 I can ping my workstation.

    Is there any way to authorize inbound traffic? Because even if I put the interface connected to the EX3200 for local traffic in the TRUST zone, it does not work.

    Thanks



  • 10.  RE: NAT trouble

    Posted 06-16-2014 06:25

    Yes my friend

    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all

    set security policies from-zone trust to-zone untrust policy pol-1 match source-address any
    set security policies from-zone trust to-zone untrust policy pol-1 match destination-address any
    set security policies from-zone trust to-zone untrust policy pol-1 match application any
    set security policies from-zone trust to-zone untrust policy pol-1 then permit



  • 11.  RE: NAT trouble
    Best Answer

    Posted 06-16-2014 11:41

    It worksssssssssssssss
    You are the besttttttt

    My friend

    Many thanks


    @mhariry wrote:

    Yes my friend

    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all

    set security policies from-zone trust to-zone untrust policy pol-1 match source-address any
    set security policies from-zone trust to-zone untrust policy pol-1 match destination-address any
    set security policies from-zone trust to-zone untrust policy pol-1 match application any
    set security policies from-zone trust to-zone untrust policy pol-1 then permit


  • 12.  RE: NAT trouble

    Posted 06-13-2014 04:22

    Hi,

    I notice the LAN subnet is a /16 and the point-to-point IP 190.168.90.254 is part of that subnet. If the default gateway on the PC is pointing to the switch, traffic might be dropped from the FW side.

    If so, change the default gateway on the PC to be the SRX directly instead of the EX switch and it will work.

    Thanks,

    Mohamed Elhariry

    JNCIE-SEC # 159, JNCIE-M/T # 1059