Hello,
I hope you are doing great. Based on the configuration and information you provided, I think you have something like this:
Trust----SRX----Untrust ------(CiscoSW)-----ISP_GW
From the information on the TXT file that you provided:
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 63.54.121.97/32;
            }
        }
    }
}
When the SRX performs the ARP entry lookup, the device cannot receive the information about the ISP_GW.
The static route should achieve what you want.
For the Zones:
You already have a default setting for host-inbound-traffic. Based on the way that Junos works, that configuration will be applied to all the zones with no specific configuration, so for vlan.0 it is not required that you have that configured. The same goes for the interface fe-0/0/0.0, since you are configuring the same thing twice. You can delete that part of the configuration; it won't change anything, it will just make your configuration look better.
As you can see on your output:
Physical interface: fe-0/0/0, Enabled, Physical link is Down
Interface index: 134, SNMP ifIndex: 509
Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 10m,
BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled
Device flags : Present Running Down
Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
CoS queues : 8 supported, 8 maximum usable queues
Current address: 08:81:f4:b9:22:d3, Hardware address: 08:81:f4:b9:22:d3
Last flapped : 2013-05-30 16:53:49 CDT (00:12:47 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : LINK
Active defects : LINK
Interface transmit statistics: Disabled
Try to confirm if the switch has any kind of configuration for speed/duplex/auto-negotiation. Most of the time the Cisco gear may have some issues negotiating those parameters.
A couple of steps that you can follow to troubleshoot this: access the switch that you have and try to confirm if the MAC address of the SRX is present in the MAC address table of the switch. The MAC address will be 08:81:f4:b9:22:d3.
If you can confirm that the MAC address is present, try to confirm the port configuration and status with the information I provided you.
In order to avoid reaching your ISP, you can try to verify if the SRX can see the ARP entries for the other hosts on that network.
From the SRX you can use show arp in order to verify if you can see the layer 2 information of the other devices.
Now, from the computer you are using on the untrust network, try to run arp -a so you will receive a list of the devices. If you don't see the SRX in there, connect the computer to the port on the SRX and try to confirm if you can ping it from there.
This will be only in order to confirm if the problem could be with the switch that you have in there.
At this point, if you see that the information is on the switch, contact Juniper support. You can do more troubleshooting, but most likely you will need JTAC involved.
You can find more information about this problem here:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB22315
That is related to a GE port, but you can see that the same logic applies.
If there is anything else I can do for you, it would be my pleasure.
I hope this will be helpful.
Regards,
Luis Sandi
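
Added example, not part of the original post: a short Python check that reads the interface stanza quoted above and reports whether a given next hop falls inside any configured interface subnet, which is the precondition for resolving it with ARP. The gateway address 63.54.121.98 and the /30 comparison are constructed for illustration; the real values come from the ISP.

```python
import ipaddress
import re

# Interface stanza as quoted in the post (closing brace completed).
SRX_CONFIG = """
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 63.54.121.97/32;
            }
        }
    }
}
"""

def interface_addresses(config):
    """Return {'ifd.unit': [IPv4Interface, ...]} from Junos brace-style config."""
    result, stack = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # descend one hierarchy level
        elif line == "}":
            if stack:
                stack.pop()                   # leave the current level
        else:
            m = re.match(r"address\s+(\S+?);", line)
            # Expected path: interfaces > <ifd> > unit <n> > family inet
            if (m and len(stack) == 4 and stack[0] == "interfaces"
                    and stack[3] == "family inet"):
                name = f"{stack[1]}.{stack[2].split()[1]}"
                result.setdefault(name, []).append(ipaddress.ip_interface(m.group(1)))
    return result

def on_link_interfaces(config, next_hop):
    """Interfaces whose configured subnet contains next_hop (and is not the local IP)."""
    hop = ipaddress.ip_address(next_hop)
    return [name for name, addrs in interface_addresses(config).items()
            if any(hop in a.network and hop != a.ip for a in addrs)]

if __name__ == "__main__":
    gw = "63.54.121.98"  # constructed next hop, NOT taken from the post
    print("as posted (/32):", on_link_interfaces(SRX_CONFIG, gw))
    # Constructed comparison only; the real prefix length comes from the ISP.
    print("with /30:", on_link_interfaces(SRX_CONFIG.replace("/32", "/30"), gw))
```

An empty list for the posted /32 means no interface subnet contains the next hop, so the device has no connected network on which to ARP for it.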