SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Please help. I can not get my SRX to talk to the gateway.

  • 1.  Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 11:19

    I am very new and unfamiliar with setting up firewalls and Juniper. The problem I am having is that no matter what I try, I can not get my SRX100h device configured to ping the gateway and get out to the internet. I really hope someone can tell me where the problem resides.

     

    The firewall is connected to a Cisco 2950 switch, and the Cisco switch is connected to a router that belongs to our ISP. It goes out to the internet from there. All computers hooked up to this network now have to have a static address assigned to them. If I take my computer and set it up with a static IP, and then a static gateway of 63.54.121.93, I can get out to the internet without an issue by plugging it into this 2950 switch. When I place the srx in between though, I cannot get out. I try pinging that gateway address from the srx box and I get no response back. 

     

    I have included my configuration from the srx. The top half is the output from the show interfaces all command and the bottom half is the output from the show configuration command. I split them up with a distinct break between them. 

     

    Here is an explanation for my IP addresses:

    63.54.121.96 - address I assigned to get to the webgui of the srx (address I punch into the web browser to get to the gui).

    63.54.121.97 - address of the FE 0/0/0.0 port

    63.54.121.93 - address of the gateway it needs to get to.

    63.54.121.98 - address of my test computer I have hooked up to port FE 0/0/1

     

    Could someone please review my configuration and tell me what is wrong here? I really appreciate it. As a side note I have trust-to-untrust and untrust-to-trust open for any just to see if I can get out, for the time being.

     

    Thanks

     

    Attachment(s)

    txt
    putty1_mod.txt   25 KB 1 version


  • 2.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 11:26

    One thing I think I should add is that I disabled all NAT and I believe I disabled all DHCP. I want it all static and such. If this is wrong, please let me know. Thanks again 🙂



  • 3.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 11:31

    Hi,

     

    Are you getting Ping timed out or host unreachable when you ping the gateway?

     

    Can you ping the SRX router?

     

    Thanks

     

     



  • 4.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 12:19

    I can ping the SRX from my test computer and also it can ping itself. I can also ping the FE 0/0/0.0 address from the SRX also. I believe that there is just no ping response when I try to ping the gateway. I am going to double check though and let you know asap. 



  • 5.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 12:41

    Running the command

    show route forwarding-table

     

    does that bring anything back?

     



  • 6.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 13:19

    I just checked and pinging the gateway (from the SRX) does not come back with any replies; just all failed pings. I did try to ping the ports and everything else, and they come back successful (except the DNS IPs I put in). 

    I did enter the command you wanted me to try and it did come up with a lot of information. I included the log sheet as an attachment to this reply. Let me know what you think of it, and if there is anything else you would like me to try.

     

    Thanks




  • 7.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 13:37

    One thing I noticed is that your subnetting doesn't seem quite right, the config of the INET connected port:

     


     fe-0/0/0 {
            unit 0 {
                family inet {
                    address 63.54.121.97/32;
                }
            }
        }

     

    That's set up as a /32, meaning there are no other IPs in the network, which isn't correct. I'm not sure what this should be, a /29 maybe? Do you know what the subnet mask for the network is? (Since it worked for your test computer, use that same subnet on the SRX.)



  • 8.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 13:46

    Try 63.54.121.97/24

     

    What subnet mask is it, 255.255.255.0?



  • 9.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 14:02

    B2 - Thanks for catching that. It makes sense that this shouldn't be a /32 network.

     

    B2 and cmia: I have been using a /29 subnet (255.255.255.248) since there is only a handful of open IPs to use on that network. 

     

    I will try changing that over to a /29 to see if that takes care of it. I will let you know what the outcome is. I appreciate you guys helping me out :). 



  • 10.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 14:05

    I see as well that you have address 63.54.121.96/29 assigned to a VLAN layer 3 interface. You may run into a problem having two separate interfaces on the same layer 3 network; it would probably be a good idea to redesign your layer 3 setup.



  • 11.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 14:07

    Your interface config is wrong: address 63.54.121.97/32. Change the /32 into the public subnet mask, please.

     

    edit interfaces fe-0/0/0

    replace pattern 63.54.121.97/32 with 63.54.121.97/XX

    top

    commit



  • 12.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 05-31-2013 14:56

    Hey guys,

     

    I changed the FE 0/0/0 address from 63.54.121.97/32 to /29, but I was still unable to ping my gateway address of 63.54.121.93.

     

    B2,

     

    I am going to dig into my vlan setup and change that around to test. Do you have any suggestions on what I should change it to? 

     

    Thanks
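
The addressing points raised in posts 7 to 12, checked with Python's `ipaddress` module (an added example, not part of any post in this thread). It uses only the addresses quoted above and shows that with a /29 on 63.54.121.97 the gateway 63.54.121.93 still falls outside every connected subnet; the mask the ISP actually assigned is not given in the thread.

```python
import ipaddress

def audit_addressing(interfaces, gateway):
    """interfaces: {name: 'addr/prefix'}; returns a list of (kind, detail) findings."""
    gw = ipaddress.ip_address(gateway)
    ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    findings = []
    for name, iface in ifaces.items():
        net = iface.network
        # On anything wider than /31 the first and last addresses are not usable hosts.
        if net.prefixlen < 31 and iface.ip == net.network_address:
            findings.append(("network-address", f"{name}: {iface.ip} is the network address of {net}"))
        if net.prefixlen < 31 and iface.ip == net.broadcast_address:
            findings.append(("broadcast-address", f"{name}: {iface.ip} is the broadcast address of {net}"))
    # A next hop can only be resolved by ARP if it falls inside a connected subnet.
    if not any(gw in i.network for i in ifaces.values()):
        findings.append(("gateway-off-link", f"{gw} is not inside any interface subnet"))
    # Two L3 interfaces in the same or nested subnets (the point raised in post 10).
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(("overlap", f"{a} ({ifaces[a].network}) and {b} ({ifaces[b].network})"))
    return findings

def longest_shared_prefix(addr, gateway):
    """Longest IPv4 prefix length at which addr and gateway sit in one subnet."""
    a, g = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(gateway))
    return 32 - (a ^ g).bit_length()

# Addresses as quoted in the thread; interface names follow the posts.
AS_POSTED = {"fe-0/0/0.0": "63.54.121.97/32", "vlan.0": "63.54.121.96/29"}
AFTER_POST_12 = {"fe-0/0/0.0": "63.54.121.97/29", "vlan.0": "63.54.121.96/29"}
GATEWAY = "63.54.121.93"

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("after /29 change", AFTER_POST_12)):
        print(label)
        for kind, detail in audit_addressing(cfg, GATEWAY):
            print(f"  [{kind}] {detail}")
    print("longest shared prefix:", longest_shared_prefix("63.54.121.97", GATEWAY))
```
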



  • 13.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 06-01-2013 03:31

    If it's an issue with configuration, the more settings the harder to diagnose!

     

    Why don't you save the configuration, zeroize the router, and then set up just one VLAN and the gateway on one untrusted port with correct DNS and enable HTTP and ping services?

     

     

     

     



  • 14.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 06-01-2013 17:14

    I am about to look at your config and see, but why not place the SRX between the router and the switch?



  • 15.  RE: Please help. I can not get my SRX to talk to the gateway.
    Best Answer

    Posted 06-01-2013 20:48

    Hello,

     

    I hope you are doing great. Based on the configuration and information you provided, I think you have something like this:

     

    Trust----SRX----Untrust ------(CiscoSW)-----ISP_GW

     

    From the information on the TXT file that you provided:

     

    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 63.54.121.97/32;
                }
            }
        }
    }

    When the SRX is going to perform the ARP entry lookup, the device cannot receive the information about the ISP_GW.

     

    The static route should achieve what you want.

     

    For the Zones:

     

    You already have a default setting for the host-inbound-traffic. Based on the way that Junos works, that configuration will be applied to all the zones with no specific configuration, so for the vlan.0 it is not required that you have that configured. For the interface fe-0/0/0.0 it will do the same, since you are configuring the same thing twice. You can delete that part of the configuration; it won't change anything, it will just make your configuration look better.

     

    As you can see on your output:

     

    Physical interface: fe-0/0/0, Enabled, Physical link is Down
      Interface index: 134, SNMP ifIndex: 509
      Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 10m,
      BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
      Source filtering: Disabled, Flow control: Enabled
      Device flags   : Present Running Down
      Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 08:81:f4:b9:22:d3, Hardware address: 08:81:f4:b9:22:d3
      Last flapped   : 2013-05-30 16:53:49 CDT (00:12:47 ago)
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)
      Active alarms  : LINK
      Active defects : LINK
      Interface transmit statistics: Disabled

     

    Try to confirm if the switch has any kind of configuration about the speed/duplex/auto-negotiation. Most of the time the Cisco gear may have some issues negotiating those parameters.

     

    A couple of steps that you can follow to troubleshoot this will be: access the switch that you have and try to confirm if the MAC address of the SRX is present in the MAC address table of the switch. The MAC address will be 08:81:f4:b9:22:d3.

     

     

    If you can confirm that the MAC address is present, try to confirm the port configuration and status with the information I provided you.

     

    In order to avoid reaching your ISP, you can try to verify if the SRX can see the ARP entries for the other hosts on that network.

     

    From the SRX you can use show arp in order to verify if you can see the layer 2 information of the other devices.

     

    Now from the computer you are using on the untrust network, try to run arp -a so you will receive a list of the devices. If you don't see the SRX in there, connect the computer to the port on the SRX and try to confirm if you can ping it from there.


    This will be only in order to confirm if the problem could be with the switch that you have in there.

     

    At this point, if you see that the information is on the switch, contact Juniper support. You can do more troubleshooting, but most likely you will need JTAC involved.

     

    You can find more information about this problem here:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22315

     

    That is related to a GE port, but you can see that the same logic applies.

     

    If there is anything else I can do for you, it would be my pleasure.

     

    I hope this will be helpful.

     

    Regards,

     

    Luis Sandi
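
A small parser for the `show interfaces` output quoted in post 15, flagging the link-layer state to rule out before changing addressing or policy (an added example, not from the thread). The fe-0/0/0 lines are trimmed from that output; the fe-0/0/1 lines are constructed for contrast.

```python
import re

SAMPLE = """\
Physical interface: fe-0/0/0, Enabled, Physical link is Down
  Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 10m,
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Active alarms  : LINK
  Active defects : LINK
Physical interface: fe-0/0/1, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100m,
  Active alarms  : None
  Active defects : None
"""  # second interface block is constructed sample data

HEADER = re.compile(r"^Physical interface: (\S+), (\w+), Physical link is (\w+)")
FIELD = re.compile(r"(Link-mode|Speed|Active alarms|Active defects)\s*: ([^,\n]+)")

def parse_interfaces(text):
    """Return {interface: {admin, link, Link-mode, Speed, Active alarms, ...}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = {"admin": m.group(2), "link": m.group(3)}
            ifaces[m.group(1)] = cur
        elif cur is not None:
            for key, val in FIELD.findall(line):
                cur[key] = val.strip()
    return ifaces

def link_findings(ifaces):
    """Flag layer 1/2 conditions that make any ping or ARP test meaningless."""
    out = []
    for name, f in ifaces.items():
        if f["admin"] == "Enabled" and f["link"] != "Up":
            out.append((name, "physical link down: check cable, switch port and speed/duplex"))
        elif f.get("Link-mode") == "Half-duplex":
            out.append((name, "link up at half-duplex: possible duplex mismatch with the switch"))
    return out

if __name__ == "__main__":
    for name, msg in link_findings(parse_interfaces(SAMPLE)):
        print(f"{name}: {msg}")
```
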

     

     

     



  • 16.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 06-02-2013 00:19

    Good job! I just looked at the config and that was the first thing I saw. So he should change the cable (I would) and probably set the link interface to defaults. This should have been caught very quickly.

    root@our_test_firewall> show interfaces all
    Physical interface: fe-0/0/0, Enabled, Physical link is Down
    Interface index: 134, SNMP ifIndex: 509
    Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 10m, - This seems to be the configuration on all the fe-* links!

    Input rate : 0 bps (0 pps)
    Output rate : 0 bps (0 pps)

     



  • 17.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 06-03-2013 07:09

    Wow, a lot of great posts with some very informative information! You guys are really great. Since I wasn't at work over the weekend, I couldn't test it out. I will be testing out the proposed solution today and I will let you know the outcome. Again, you guys have been great, I will definitely give credit where it is due.

     

    Thanks



  • 18.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 06-06-2013 07:01

    Hello,

     

    I would like to confirm if the problem was solved or if you need some help.

     

    Regards,

     

    Luis Sandi



  • 19.  RE: Please help. I can not get my SRX to talk to the gateway.

    Posted 06-12-2013 08:25

    Thank you Luis. I got it working with your suggestions. I appreciate the help. Take care.