SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No Route to Host

    Posted 05-03-2012 09:34

    Hello Everyone,

     

    I am trying to set up a demo environment with a Juniper SRX100 box.

     

    I have it connected to the internet through int fe0/0/0.0 and I can ping any external resources from the SRX, like Yahoo, for example.

    I also have it connected to the intranet through interface fe-0/0/1.0 with an IP of 172.29.1.1/24

     

    I also have a static route defined to 172.28.3.0/24 -> 172.29.1.2

     

    The problem is that I can't ping resources in the 172.28.3.0/24 network from the SRX

     

    Here is a copy of the config for fe0/0/1.0:

    root@srx> show interfaces fe-0/0/1.0
      Logical interface fe-0/0/1.0 (Index 70) (SNMP ifIndex 517)
        Description: To_Intranet
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Input packets : 46474
        Output packets: 995
        Security: Zone: trust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
        ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
        ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
        rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
        ntp sip r2cp
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 172.29.1/24, Local: 172.29.1.1, Broadcast: 172.29.1.255

     

     

     

    Here is a copy of the ping:

    root@SRX> ping bypass-routing interface fe-0/0/1.0 172.28.3.1
    PING 172.28.3.1 (172.28.3.1): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ^C

     

     

    Here is a copy of the ping to an interface in the same subnet:

    root@SRX> ping bypass-routing interface fe-0/0/1.0 172.29.1.2
    PING 172.29.1.2 (172.29.1.2): 56 data bytes
    64 bytes from 172.29.1.2: icmp_seq=0 ttl=255 time=2.811 ms
    64 bytes from 172.29.1.2: icmp_seq=1 ttl=255 time=2.007 ms
    64 bytes from 172.29.1.2: icmp_seq=2 ttl=255 time=2.356 ms
    ^C


    0.0.0.0/0          *[Static/5] 1d 01:52:25
                        > to 12.131.166.65 via fe-0/0/0.0
    x.x.x.x/27   *[Direct/0] 1d 01:52:25
                        > via fe-0/0/0.0
    ip_of_srx/32   *[Local/0] 1d 01:52:28
                          Local via fe-0/0/0.0
    172.28.3.0/24      *[Static/5] 01:05:47
                        > to 172.29.1.2 via fe-0/0/1.0
    172.29.1.0/24      *[Direct/0] 1d 01:52:23
                        > via fe-0/0/1.0
    172.29.1.1/32      *[Local/0] 1d 01:52:28
                          Local via fe-0/0/1.0
    192.168.1.1/32     *[Local/0] 1d 01:52:37
                          Reject

     

    I am not in control of the physical connections and the topology of this environment; I was just told to configure a static route 172.28.3.0/24 -> 172.29.1.2 and everything should work. Before I ask the IT dept whether they gave me the correct info, I want to make sure that everything is configured correctly on my SRX, because I haven't done anything with Juniper before and I am learning everything as I go...

     

    Any suggestions?

     



  • 2.  RE: No Route to Host

     
    Posted 05-03-2012 10:07

    Hi, since you are not directly connected to the subnet 172.28.3.0/24, you should not use the "bypass routing" option when pinging, in order to use the (static) routing information to reach that subnet; so you should try to just type ">ping 172.28.3.1".
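
Added example, not part of the thread or any poster's code: a simplified Python model of the two ping modes discussed above, run over the route entries posted in the first message (masked rows omitted). `bypass_routing` assumes the documented behaviour that the option only reaches hosts on a network directly attached to the interface; all function names are illustrative.

```python
import ipaddress
import re

# Route entries copied from the thread's route table output (rows masked as
# x.x.x.x or ip_of_srx are omitted because they are not parseable prefixes).
ROUTE_TABLE = """\
0.0.0.0/0          *[Static/5] 1d 01:52:25
                    > to 12.131.166.65 via fe-0/0/0.0
172.28.3.0/24      *[Static/5] 01:05:47
                    > to 172.29.1.2 via fe-0/0/1.0
172.29.1.0/24      *[Direct/0] 1d 01:52:23
                    > via fe-0/0/1.0
"""

def parse_routes(text):
    """Return a list of (network, protocol, next_hop or None, interface)."""
    routes, current = [], None
    for line in text.splitlines():
        head = re.match(r"^(\S+/\d+)\s+\*\[(\w+)/\d+\]", line)
        hop = re.match(r"^\s+>\s+(?:to (\S+) )?via (\S+)", line)
        if head:
            current = (ipaddress.ip_network(head.group(1)), head.group(2))
        elif hop and current:
            routes.append((current[0], current[1], hop.group(1), hop.group(2)))
            current = None
    return routes

def normal_lookup(routes, dst):
    """Longest-prefix match, as a routed ping would use."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def bypass_routing(routes, dst, interface):
    """Simplified model: only Direct prefixes on the given interface count."""
    addr = ipaddress.ip_address(dst)
    for net, proto, _, ifname in routes:
        if proto == "Direct" and ifname == interface and addr in net:
            return "send on " + ifname
    return "No route to host"

if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("172.28.3.1", "172.29.1.2"):
        net, proto, hop, ifname = normal_lookup(routes, dst)
        print(dst, "routed:", proto, hop or "direct", ifname,
              "| bypass:", bypass_routing(routes, dst, "fe-0/0/1.0"))
```

A successful routed lookup only shows that the SRX knows where to send the packet; it says nothing about whether devices further along the path forward or permit it.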



  • 3.  RE: No Route to Host

    Posted 05-03-2012 10:37

    It's still not getting a response...

     

    Any other ideas?



  • 4.  RE: No Route to Host

    Posted 05-03-2012 11:29

    I decided to go ahead and contact IT and see if there might be anything in the network topology which is blocking my ping and it turned out that they had to add a rule to allow that.

    I guess I am in a real hard position of not knowing enough about Juniper and not knowing enough about the topology of our corporate network....



  • 5.  RE: No Route to Host

    Posted 05-05-2012 05:47

    Hi,

     

    I think your problem is not related to policy or zone or in your SRX.

    What is 172.29.1.2? I think it may be the core switch. Just make sure this box could ping 172.28.3.0/24 with source 172.29.1.2.

    Regards,

    Mohamed