SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No ping from LAN after add routing-instances

    Posted 03-24-2011 02:37

    Hello

     

    I've got a problem: after adding routing-instances to my configuration I have access to my SRX240 only through the console port.

    Internet is working, but the problem is with ping. I cannot ping from the LAN network and SNMP doesn't work either. I suppose the problem is with routing-instances. Can someone explain to me what is wrong?

     

    system {
    
        services {
            ssh;
            web-management {
                https {
                    system-generated-certificate;
                    interface ge-0/0/3.0;
                }
            }
        }
    
    interfaces {
    
        ge-0/0/3 {
            description LAN;
            unit 0 {
                family inet {
                   filter {
                        input FILTR;
    
                    }
                    address 10.107.1.5/16;
                }
            }
        }
    
        }
        ge-0/0/7 {
    	description ISP2;
            unit 0 {
                family inet {
                   
                    address xx.xx.xx.4/xx;
                }
            }
        }
    
        ge-0/0/12 {
            description DMZ;
            unit 0 {
                family inet {
                    address 192.168.1.5/24;
                }
            }
        }
    
        ge-0/0/14 {
            description ISP1;
            unit 0 {
                family inet {
                   
                    address xx.xxx.xx.7/xx;
                }
            }
        }
    
        st0 {
            unit 0 {
                family inet;
            }
        }
    }
    snmp {
        community zenoss {
            authorization read-only;
            clients {
                xx.xx.xx.4/32;
           
            }
        }
        routing-instance-access;
        health-monitor {
            interval 300;
            rising-threshold 90;
            falling-threshold 80;
        }
    }





     interface-routes { rib-group inet TAB; }
     static { route 0.0.0.0/0 next-hop xx.xxx.xx.5; route 10.0.0.0/8 next-hop 10.0.0.1; }
     rib-groups { TAB { import-rib [ ISP1.inet.0 ISP2.inet.0 inet.0 ]; } }
     protocols { stp; }
     security {
         nat { source { rule-set lanNATout { from zone trust; to zone untrust; rule rule1 { match { source-address 10.0.0.0/8; } then { source-nat { interface; } } } } } rule-set ConfNATisp2 { from zone trust; to zone ISP2; rule rul2 { match { source-address 10.109.1.30/32; } then { source-nat { interface; } } } } } proxy-arp { interface ge-0/0/14.0 { address { xx.xx.xx.8/32 to xx.xx.xx.10/32; } } } }
         zones { security-zone trust { address-book { address local-net 10.0.0.0/8; } host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/3.0; } } security-zone untrust { host-inbound-traffic { system-services { ike; } } interfaces { ge-0/0/14.0; } } security-zone ISP2 { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/7.0; } } }
         policies { from-zone trust to-zone untrust { policy ALLOWOUT { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone ISP2 { policy ALLOW-TRAFFIC { match { source-address any; destination-address any; application any; } then { permit; } } } }
         alg { dns disable; ftp disable; msrpc disable; sunrpc disable; real disable; rsh disable; rtsp disable; sql disable; talk disable; tftp disable; pptp disable; }
         flow { tcp-mss { ipsec-vpn { mss 1350; } } }
     }
     filter FILTR{
         term 1 { from { source-address { 10.109.1.30/32; } } then { routing-instance ISP2; } }
         term 2 { from { source-address { 10.0.0.0/8; } } then { routing-instance ISP1; } }
         term default { then accept; }
     }
    routing-instances {
        ISP1 { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop xx.xxx.xx.5; route 10.0.0.0/8 next-hop 10.0.0.1; } } }
        ISP2 { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop xx.xx.xx.3; } } }
    }

     

     


    #routing.instances
    #dual.isp


  • 2.  RE: No ping from LAN after add routing-instances

     
    Posted 03-24-2011 08:51

    As I read this, all traffic inbound to ge-0/0/3 goes to routing instance ISP1. ISP1 has a route pointing 10./8 to 10.0.0.1.

     

    Packet filters get processed very early, so the packet enters the box, gets pushed to ISP1 VR, then we do route/zone lookups and other processing (from the new VR, which says destination is 10.0.0.1, which is not on this box... where/what is it?). Try adding exceptions at the start of the FILTR packet filter so that traffic that you want to stay local (SNMP, PING) doesn't get dropped into ISP1 VR and sent to 10.0.0.1 (which has probably been seeing some strange traffic since you started testing this).



  • 3.  RE: No ping from LAN after add routing-instances

    Posted 04-06-2011 01:36

    Hi

     

    The Juniper dual-WAN config is not good enough. For instance, ISP1 resides in the inet.0 table and all other interfaces are in non-default routing instances. This means that management, DHCP, ICMP and other self traffic will not work as expected.

    The normal config is to put ISP1 and ISP2 into non-default routing instances and leave all internal interfaces in the default routing instance. For management traffic, use destination NAT and point the traffic onto the internal interface in the default routing instance (or loopback interface).

    The example working config is attached. Note that I have DHCP server running in inet.0.

     

     

    Attachment: dual-WAN.txt (8 KB)


  • 4.  RE: No ping from LAN after add routing-instances

    Posted 07-14-2011 12:37

    I checked your config but it doesn't work. Can someone tell me why I can't ping my firewall from my LAN but I can ping my LAN from the firewall? This is very strange to me. Maybe some links to a manual? I don't want to change my configuration; I want to fix the problem with ping only.



  • 5.  RE: No ping from LAN after add routing-instances
    Best Answer

    Posted 07-15-2011 16:35

    Hi All,

     

    You need to change the firewall filter configuration to permit the host-inbound ping and snmp.

    Apply this firewall filter instead of what is applied now.

     

    filter FILTR{

        term permit {
            from {
                destination-address {
                    10.107.1.5/32;
                }
            }
            then {
                accept;
            }
        }
        term 1 {
            from {
                source-address {
                    10.109.1.30/32;
                }
            }
            then {
                routing-instance ISP2;
            }
        }
        term 2 {
            from {
                source-address {
                    10.0.0.0/8;
                }
            }
            then {
                routing-instance ISP1;
            }
        }
        term default {
            then accept;
        }
    }

     

    Regards,

    Visitor

     



  • 6.  RE: No ping from LAN after add routing-instances

    Posted 07-19-2011 05:39

    THANK YOU, I didn't know that it makes a difference which term comes first. Are there any manuals that explain this?



  • 7.  RE: No ping from LAN after add routing-instances



  • 8.  RE: No ping from LAN after add routing-instances

    Posted 03-03-2017 01:01

    A more global rule:

     

    filter FILTR{
    
        term permit {
            from {
                protocol icmp;
            }
            then {
                accept;
            }
        }
        term 1 {
            from {
                source-address {
                    10.109.1.30/32;
                }
            }
            then {
                routing-instance ISP2;
            }
        }
        term 2 {
            from {
                source-address {
                    10.0.0.0/8;
                }
            }
            then {
                routing-instance ISP1;
            }
        }
        term default {
            then accept;
        }
    }

    Regards
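As an added example (not from this thread), a small Python simulation of Junos first-match filter term evaluation, run over the three versions of FILTR posted here: the original filter, the destination-address permit term from the best answer (post 5), and the protocol icmp permit term from post 8. The LAN host 10.107.1.20 and the Internet address 203.0.113.10 in the sample packets are constructed; the other addresses come from the thread.

```python
import ipaddress

def make_term(name, action, src=None, dst=None, proto=None):
    """One Junos filter term: 'from' conditions are ANDed; None means any."""
    return {"name": name, "action": action,
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "proto": proto}

def evaluate(terms, pkt):
    """First-match: return (term name, action) of the first term whose every
    'from' condition matches; unmatched packets hit the implicit discard."""
    for t in terms:
        if t["src"] and ipaddress.ip_address(pkt["src"]) not in t["src"]:
            continue
        if t["dst"] and ipaddress.ip_address(pkt["dst"]) not in t["dst"]:
            continue
        if t["proto"] and pkt["proto"] != t["proto"]:
            continue
        return t["name"], t["action"]
    return None, "discard"

# Terms 1, 2 and default exactly as in the original FILTR
STEER = [make_term("1", "routing-instance ISP2", src="10.109.1.30/32"),
         make_term("2", "routing-instance ISP1", src="10.0.0.0/8"),
         make_term("default", "accept")]
ORIGINAL = STEER
# Post 5 (best answer): permit traffic to the SRX's own LAN address first
FIXED_BY_DST = [make_term("permit", "accept", dst="10.107.1.5/32")] + STEER
# Post 8: permit all ICMP first instead
FIXED_BY_ICMP = [make_term("permit", "accept", proto="icmp")] + STEER

# Constructed sample packets; 10.107.1.20 and 203.0.113.10 are invented hosts
PING_TO_SRX = {"src": "10.107.1.20", "dst": "10.107.1.5", "proto": "icmp"}
SNMP_TO_SRX = {"src": "10.107.1.20", "dst": "10.107.1.5", "proto": "udp"}
WEB_OUT = {"src": "10.107.1.20", "dst": "203.0.113.10", "proto": "tcp"}

if __name__ == "__main__":
    filters = (("original", ORIGINAL), ("dst permit", FIXED_BY_DST),
               ("icmp permit", FIXED_BY_ICMP))
    packets = (("ping->SRX", PING_TO_SRX), ("snmp->SRX", SNMP_TO_SRX),
               ("web out", WEB_OUT))
    for flabel, f in filters:
        for plabel, p in packets:
            name, action = evaluate(f, p)
            print(f"{flabel:12} {plabel:10} -> term {name}: {action}")
```

With the original order, a ping from the LAN to the SRX's own address matches term 2 and is handed to ISP1, whose 10.0.0.0/8 route points at 10.0.0.1 rather than at the box itself; the icmp-only variant fixes ping but still hands LAN SNMP to the SRX's address to term 2, so only the destination-address permit covers both ping and SNMP as post 5 asks.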