  • 1.  No internet behind router (Juniper SRX100)

    Posted 06-01-2015 13:01

    Hello.

     

    I am having issues setting up a Juniper SRX100. I am trying to set up the router so that you can just plug it into a live uplink and then the whole network behind it should be able to access the internet, no matter where you bring the router.

     

    When I use the router, with the default configuration, at home, it works fine and I am able to access the internet through the Juniper and then through my own router (look at picture below for a schema of the setup).

     

    The problem comes when I try to bring this Juniper router with me and into the office for which I am setting it up. Then the clients aren't getting access to the internet (they are given IPs). Does anybody know what the difference between the two networks could be and how it could be resolved?

     

    Link to image of network layout

     

    Thanks in advance!



  • 2.  RE: No internet behind router (Juniper SRX100)
    Best Answer

     
    Posted 06-01-2015 13:26

    Can be a lot of things. Can you share your config with us?

     

    Can you send some ICMP from a client behind the SRX to just 8.8.8.8? If that works I'm guessing your DNS delegated by your local SRX DHCP is wrong.

     

    Just a little guess 🙂



  • 3.  RE: No internet behind router (Juniper SRX100)

    Posted 06-01-2015 13:42

    I am at home now so I cannot test your ICMP/DNS theory since the issue was only there at the office. I will try that tomorrow.

     

    Below is the config (it is pretty much the default configuration wizard):

     

    ## Last changed: 2015-06-01 22:58:19 CEST
    version 11.2R4.3;
    system {
        host-name srx100b;
        time-zone Europe/Copenhagen;
        root-authentication {
            encrypted-password "$1$EGzp.PqP$zgzLGDehNwe0M6yXLGfo71";
        }
        name-server {
            8.8.8.8;
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.10.1;
                }
                pool 192.168.10.0/24 {
                    address-range low 192.168.10.2 high 192.168.10.9;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     



  • 4.  RE: No internet behind router (Juniper SRX100)

    Posted 06-02-2015 03:12

    I have changed the subnet to 192.168.10.0/24 and also made some DNS changes (think they were wrong when I had problems yesterday) and this works fine so far. Thanks.
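
Added example (not part of the thread and not Juniper code): one thing that can differ between two sites is whether the uplink's prefix collides with the LAN prefix behind the NAT router, in which case clients get leases but cannot reach anything upstream. The check below reads the DHCP and `vlan` stanzas from a config in the format posted above and flags that overlap along with inconsistent DHCP settings; the uplink prefix, the function names and the finding labels are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed excerpt, same Junos syntax and values as the posted config.
SAMPLE_CONFIG = """
dhcp {
    router {
        192.168.10.1;
    }
    pool 192.168.10.0/24 {
        address-range low 192.168.10.2 high 192.168.10.9;
    }
}
vlan {
    unit 0 {
        family inet {
            address 192.168.10.1/24;
        }
    }
}
"""

def lan_settings(config):
    """Extract LAN interface address, DHCP pool, range and gateway (assumes one of each)."""
    find = lambda pattern: re.search(pattern, config, re.M).groups()
    iface = ipaddress.ip_interface(find(r"^\s*address (\S+/\d+);")[0])
    pool = ipaddress.ip_network(find(r"^\s*pool (\S+) \{")[0])
    low, high = map(ipaddress.ip_address, find(r"address-range low (\S+) high (\S+);"))
    router = ipaddress.ip_address(find(r"router \{\s*(\S+);")[0])
    return iface, pool, low, high, router

def check(config, uplink_prefix):
    """Return findings; an empty list means the LAN plan is consistent and clear of the uplink."""
    iface, pool, low, high, router = lan_settings(config)
    # strict=False lets the caller pass the leased WAN address with its mask.
    uplink = ipaddress.ip_network(uplink_prefix, strict=False)
    findings = []
    if pool != iface.network:
        findings.append("dhcp-pool-not-lan-subnet")
    if router != iface.ip:
        findings.append("dhcp-router-not-lan-interface")
    if not (low in pool and high in pool and low <= high):
        findings.append("dhcp-range-invalid")
    if iface.network.overlaps(uplink):
        findings.append("lan-overlaps-uplink")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE_CONFIG, "192.168.10.0/24"))  # constructed uplink prefix
```

The uplink prefix to pass in is whatever `fe-0/0/0.0` was leased at the site in question.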