SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Reth interface on a SRX Cluster mode

    Posted 12-22-2014 23:28

    Hi All,

    I just created a cluster for SRX100H and also created 3 reth interfaces (Untrust, LAN, WIFI). Basically, I didn't configure any VLANs on the SRX since the switches I'm using are all unmanaged, so I decided to create different reth interfaces instead. Untrust = 1.1.1.1/24, LAN = 192.168.1.1/24, WIFI = 192.168.10.1/25; these are my subnets for those reth interfaces. NAT and security policies are also in place for these subnets/interfaces. On the firewall, when doing a ping to the outside (internet) from the LAN interface as source and the public DNS (8.8.8.8) as destination, the ping can reach outside. But from WIFI to Untrust, it cannot reach the public DNS. I'm not quite sure what I'm missing in this configuration. I have also attached the configuration here for your reference.

    Hope someone can point me in the right direction on resolving the issue I'm facing.

    Thanks in advance.

    Dennis

    Attachment(s): RETH_config.txt (6 KB)


  • 2.  RE: Reth interface on a SRX Cluster mode

    Posted 12-23-2014 08:51

    I had a quick look and I saw that you are missing one thing in the source NAT policy of your wifi zone.

    You have now:

    rule wifi-nat-rule {
        match {
            source-address 0.0.0.0/0;
        }

    That should be:

    rule wifi-nat-rule {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }


  • 3.  RE: Reth interface on a SRX Cluster mode

    Posted 12-23-2014 17:17

    Hi Marc,

    I tried to add the NAT part, but still the same result: it cannot reach the internet. Below is the result once I added the suggested solution:

    root@XXX-FIW001> show security flow session destination-prefix 8.8.8.8 source-prefix 192.168.10.1
    Session ID: 395032, Policy name: self-traffic-policy/1, State: Active, Timeout: 34, Valid
    In: 192.168.10.1/27 --> 8.8.8.8/28343;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 8.8.8.8/28343 --> 192.168.10.1/27;icmp, If: reth0.0, Pkts: 0, Bytes: 0

    Session ID: 402555, Policy name: self-traffic-policy/1, State: Active, Timeout: 26, Valid
    In: 192.168.10.1/18 --> 8.8.8.8/28343;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 8.8.8.8/28343 --> 192.168.10.1/18;icmp, If: reth0.0, Pkts: 0, Bytes: 0

    Session ID: 405674, Policy name: self-traffic-policy/1, State: Active, Timeout: 18, Valid
    In: 192.168.10.1/11 --> 8.8.8.8/28343;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 8.8.8.8/28343 --> 192.168.10.1/11;icmp, If: reth0.0, Pkts: 0, Bytes: 0

    I'm not quite sure why I'm seeing the policy name self-traffic-policy, and I'm not quite sure what it is either.

    Dennis



  • 4.  RE: Reth interface on a SRX Cluster mode
    Best Answer

    Posted 12-23-2014 21:59

    Hi Dennis,

    You need to create source NAT for the junos-host zone.

    The KB below explains the same.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB26372

    Regards,

    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
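    The source NAT rule-set that rparthi's answer and the linked KB call for, written out as an added example that is not taken from the thread or from the attached config; the zone name Untrust, the rule-set name host-to-untrust and the rule name host-nat are assumed:

```junos
security {
    nat {
        source {
            /* Assumed names: rule-set host-to-untrust, rule host-nat, zone Untrust */
            rule-set host-to-untrust {
                /* junos-host is the built-in zone for traffic the SRX itself originates */
                from zone junos-host;
                to zone Untrust;
                rule host-nat {
                    match {
                        /* both source and destination are needed, as post 2 points out */
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            /* translate to the address of the egress reth interface */
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

    After committing, the same show security flow session lookup from post 3 is the check: the Out direction should now count the 8.8.8.8 replies instead of showing Pkts: 0.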



  • 5.  RE: Reth interface on a SRX Cluster mode

    Posted 12-23-2014 23:51

    I have used the config below in the past. Works like a charm!

    source {
        address-persistent;
        rule-set interface-nat {
            from zone NET-XXX-LAN;
            to zone internet;
            rule rule1 {
                match {
                    source-address 10.31.2.0/24;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set NET-XXX-WIFI-GUEST {
            from zone NET-XXX-WIFI-GUEST;
            to zone internet;
            rule Nat-Rule-NET-XXX {
                match {
                    source-address 10.31.3.128/25;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set NET-XXX-WIFI {
            from zone NET-XXX-WIFI;
            to zone internet;
            rule Nat-Rule-NET-XXX {
                match {
                    source-address 10.31.3.0/25;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }



  • 6.  RE: Reth interface on a SRX Cluster mode

    Posted 12-24-2014 02:48

    rparthi, that's a great KB. I didn't realize that a policy had to be set up from the junos-host zone, but it does make sense.

    dennisr78, the 'self-traffic-policy' is a hidden default system policy that is set up for all traffic originating from or terminating on the routing engine itself. rparthi's suggestion should take care of your problem with pinging from the device itself.



  • 7.  RE: Reth interface on a SRX Cluster mode

    Posted 12-24-2014 04:38
    Hi All,

    Thank you very much for taking the time to help me look into this issue I'm facing. I will try this out once I get back from holiday.

    Again, thank you very much for your help.

    Sincerely,

    Dennis


  • 8.  RE: Reth interface on a SRX Cluster mode

    Posted 12-25-2014 19:29

    Hi All,

    I would like to sincerely thank the people who helped me resolve the issue I was facing. I'm glad that on this forum there are actually people who are willing to share their knowledge and expertise with newcomers like me.

    Again, my sincere thanks to you all!!!

    Kudos to everyone!!

    Dennis