SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX-100 Changing WAN from Static to DHCP, need help

    Posted 07-18-2015 16:44

    I have this config working on fe-0/0/0 (WAN) with static IP.

    The fe-0/0/1 (LAN) issues DHCP to the clients, and works fine.

     

    I have tried several ways to set up the fe-0/0/0 port to use DHCP from our test cable modem, with no luck.

    Connecting my laptop to the cable modem issues an IP address.

    Looking at the DHCP services shows it is not running; what have I done that will not allow it to run?

     

    admin@VPNLOANER01> show dhcp statistics
    warning: dhcp-service subsystem not running - not needed by configuration.

    admin@VPNLOANER01> show dhcp client statistics
    warning: dhcp-service subsystem not running - not needed by configuration.

    admin@VPNLOANER01> show dhcp server statistics
    warning: dhcp-service subsystem not running - not needed by configuration.

     

    set version 12.1X44-D35.5
    set system host-name VPNLOANER01
    set system time-zone GMT
    set system root-authentication encrypted-password "CLEANED"
    set system name-server 10.10.10.10
    set system name-server 10.20.10.10
    set system name-server 65.32.1.65
    set system name-server 65.32.1.70
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-resolution no-resolve-on-input
    set system login user admin uid 2000
    set system login user admin class super-user
    set system login user admin authentication encrypted-password "CLEANED"
    set system services ssh
    set system services telnet
    set system services web-management http interface fe-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fe-0/0/1.0
    set system services web-management https interface fe-0/0/0.0
    set system services web-management session idle-timeout 60
    set system services dhcp pool 192.168.201.0/24 address-range low 192.168.201.50
    set system services dhcp pool 192.168.201.0/24 address-range high 192.168.201.249
    set system services dhcp pool 192.168.201.0/24 name-server 10.10.10.10
    set system services dhcp pool 192.168.201.0/24 name-server 10.20.10.10
    set system services dhcp pool 192.168.201.0/24 router 192.168.201.1
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set interfaces fe-0/0/0 unit 0 family inet dhcp
    set interfaces fe-0/0/1 unit 0 family inet address 192.168.201.1/24
    set interfaces st0 unit 0 family inet address 192.168.200.201/24
    set routing-options static route 0.0.0.0/0 next-hop 75.112.50.125
    set routing-options static route 10.0.0.0/8 next-hop 192.168.200.1
    set protocols stp
    set security ike policy ike-hs-vpn-policy mode aggressive
    set security ike policy ike-hs-vpn-policy proposal-set standard
    set security ike policy ike-hs-vpn-policy pre-shared-key ascii-text "CLEANED"
    set security ike gateway ike-hs-gw ike-policy ike-hs-vpn-policy
    set security ike gateway ike-hs-gw address 75.112.50.126
    set security ike gateway ike-hs-gw local-identity hostname vpnloaner01
    set security ike gateway ike-hs-gw external-interface fe-0/0/0
    set security ipsec policy hs-ipsec-policy perfect-forward-secrecy keys group1
    set security ipsec policy hs-ipsec-policy proposal-set standard
    set security ipsec vpn vpn-loaner5 bind-interface st0.0
    set security ipsec vpn vpn-loaner5 ike gateway ike-hs-gw
    set security ipsec vpn vpn-loaner5 ike ipsec-policy hs-ipsec-policy
    set security ipsec vpn vpn-loaner5 establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set nsw_srcnat from zone Internal
    set security nat source rule-set nsw_srcnat to zone Internet
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match source-address any
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match destination-address any
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match application any
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet then permit
    set security policies from-zone Internet to-zone Internal policy Inbound-Traffic match source-address any
    set security policies from-zone Internet to-zone Internal policy Inbound-Traffic match destination-address any
    set security policies from-zone Internet to-zone Internal policy Inbound-Traffic match application junos-https
    set security policies from-zone Internet to-zone Internal policy Inbound-Traffic then permit
    set security policies from-zone Internal to-zone vpn policy Internal-to-vpn match source-address internal-net
    set security policies from-zone Internal to-zone vpn policy Internal-to-vpn match destination-address net-10
    set security policies from-zone Internal to-zone vpn policy Internal-to-vpn match application any
    set security policies from-zone Internal to-zone vpn policy Internal-to-vpn then permit
    set security policies from-zone vpn to-zone Internal policy vpn-to-Internal match source-address net-10
    set security policies from-zone vpn to-zone Internal policy vpn-to-Internal match destination-address internal-net
    set security policies from-zone vpn to-zone Internal policy vpn-to-Internal match application any
    set security policies from-zone vpn to-zone Internal policy vpn-to-Internal then permit
    set security zones security-zone Internal address-book address internal-net 192.168.201.0/24
    set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp
    set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services ssh
    set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services telnet
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone vpn address-book address net-10 10.0.0.0/8
    set security zones security-zone vpn host-inbound-traffic system-services all
    set security zones security-zone vpn host-inbound-traffic protocols all
    set security zones security-zone vpn interfaces st0.0



  • 2.  RE: SRX-100 Changing WAN from Static to DHCP, need help

    Posted 07-19-2015 09:34
    Hey,

    Try running this command:
    > restart dhcp gracefully


    If that didn't work, show me the output of these two commands: "show system
    services dhcp" and "show log messages | match dhcp".


    -------------------------------------
    [Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]


  • 3.  RE: SRX-100 Changing WAN from Static to DHCP, need help

    Posted 07-19-2015 12:22

    Thanks, see the following. I was able to get an IP on my laptop, but nothing on the WAN side.

    I left the cable modem unplugged from power for 3 minutes, so it loses the MAC of what was connected and issues a new IP.

     

     


    --- JUNOS 12.1X44-D35.5 built 2014-05-19 21:36:43 UTC
    admin@VPNLOANER01> restart dhcp gracefully
    Dynamic Host Configuration Protocol process started, pid 1521



    admin@VPNLOANER01> show system services dhcp global
    Global settings:
    BOOTP lease length infinite

    DHCP lease times:
    Default lease time 1 day
    Minimum lease time 1 minute
    Maximum lease time infinite

    DHCP options:
    Name: name-server, Value: [ 10.10.10.10, 10.20.10.10, 65.32.1.65, 65.32.1.70, 208.67.222.222, 208.67.220.220 ]

    admin@VPNLOANER01> show system services dhcp statistics
    Packets dropped:
    Total 0

    Messages received:
    BOOTREQUEST 0
    DHCPDECLINE 0
    DHCPDISCOVER 0
    DHCPINFORM 0
    DHCPRELEASE 0
    DHCPREQUEST 0

    Messages sent:
    BOOTREPLY 0
    DHCPOFFER 0
    DHCPACK 0
    DHCPNAK 0

    admin@VPNLOANER01> show system services dhcp binding
    IP address Hardware address Type Lease expires at
    192.168.201.50 ec:f4:bb:5e:57:e2 dynamic 2015-07-21 03:10:10 GMT

    admin@VPNLOANER01> show system services dhcp client

    Logical Interface name fe-0/0/0.0
    Hardware address f0:1c:2d:d3:e8:c0
    Client status discover
    Address obtained 0.0.0.0
    Update server disabled

    admin@VPNLOANER01> show log message |match dhcp

    admin@VPNLOANER01> ping 4.2.2.2
    PING 4.2.2.2 (4.2.2.2): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ^C
    --- 4.2.2.2 ping statistics ---
    6 packets transmitted, 0 packets received, 100% packet loss

    admin@VPNLOANER01> ping 10.10.10.10
    PING 10.10.10.10 (10.10.10.10): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ^C
    --- 10.10.10.10 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss



  • 4.  RE: SRX-100 Changing WAN from Static to DHCP, need help

    Posted 07-19-2015 13:26
    I've looked again at your configuration.
    Your DHCP pool (192.168.201.0/24) is configured and related to the "Internal" zone.
    Your fe-0/0/0 is related to the untrust zone "Internet".

    If I understand you well, you mean that when you connect the modem to the fe-0/0/0 interface, the modem does not provide fe-0/0/0 any IP. Am I right?

    regarding the output you get "warning: dhcp-service subsystem not running - not needed by configuration" >> I need you to know the difference here between dhcpd and jdhcpd:
    When you configure statements under system / services / dhcp you are using dhcpd and will need to use:

    show system services dhcp server binding
    restart dhcp

    When you configure statements under system / services / dhcp-local-server you are affecting jdhcpd and need to use:

    show dhcp server binding
    restart dhcp-service

    ---- update me please if there is any progress .

    [Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]


  • 5.  RE: SRX-100 Changing WAN from Static to DHCP, need help

    Posted 07-19-2015 15:43

    The internal is on the LAN fe-0/0/1

    The External is on the WAN fe-0/0/0

     

    The internal is for the laptops connected to the SRX and is getting the correct IP issued from the pool.

    The external should be getting an IP from the cable modem, but is not.

    I know it works, because if I set up a D-Link router on the same cable modem it gets an external IP.

    So for the external interface, which commands do I use?

     

    thanks



  • 6.  RE: SRX-100 Changing WAN from Static to DHCP, need help
    Best Answer

     
    Posted 07-19-2015 19:05
    You need to allow dhcp on fe-0/0/0

    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp

    Also

    del routing-options static route 0.0.0.0/0 next-hop 75.112.50.125
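A small checker, added here as an example and not part of any post or of Juniper's own tooling, that reads a `show configuration | display set` dump and reports the two mistakes the answer above corrects (the DHCP-client interface's zone not admitting dhcp as host-inbound traffic, and a leftover static default route), then prints the Junos commands that fix them. It also raises a caveat visible in the posted config: ssh and https are admitted on the Internet-zone interface. The names `lint`, `parse`, `Finding`, `fix_commands` and `SAMPLE_CONFIG` are this example's own; the sample config is a constructed, trimmed copy of the original poster's configuration.

```python
"""Lint a Junos 'display set' dump for the WAN-DHCP mistakes fixed in the
thread above, plus one exposure caveat.

Example written for this page; it is not Juniper code and does not talk to
a device. It only understands the plain 'set ...' line format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the poster's configuration as it was
# before the fix, with the WAN interface (fe-0/0/0) already switched to DHCP.
SAMPLE_CONFIG = """\
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family inet address 192.168.201.1/24
set routing-options static route 0.0.0.0/0 next-hop 75.112.50.125
set routing-options static route 10.0.0.0/8 next-hop 192.168.200.1
set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone Internal interfaces fe-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
"""

DHCP_IF_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet dhcp\b")
ZONE_IF_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)"
    r"(?: host-inbound-traffic system-services (\S+))?"
)
DEFAULT_ROUTE_RE = re.compile(r"^set routing-options static route 0\.0\.0\.0/0 next-hop (\S+)")

# Services that hand an operator a shell or GUI; admitting them on the WAN
# interface widens the attack surface and should be a deliberate decision.
MGMT_SERVICES = {"ssh", "telnet", "http", "https"}


@dataclass
class Finding:
    severity: str  # "error": DHCP cannot work; "warn": hardening caveat
    message: str
    fix: str = ""  # Junos command that addresses the finding, if any


def parse(config: str):
    """Return (DHCP-client IFLs, IFL->zone, IFL->admitted services, default next-hops)."""
    dhcp_ifls, zone_of, allowed, default_nexthops = set(), {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := DHCP_IF_RE.match(line):
            dhcp_ifls.add(f"{m[1]}.{m[2]}")  # 'fe-0/0/0 unit 0' -> 'fe-0/0/0.0'
        elif m := ZONE_IF_RE.match(line):
            zone, ifl, svc = m.groups()
            zone_of[ifl] = zone
            allowed.setdefault(ifl, set())
            if svc:
                allowed[ifl].add(svc)
        elif m := DEFAULT_ROUTE_RE.match(line):
            default_nexthops.append(m[1])
    return dhcp_ifls, zone_of, allowed, default_nexthops


def lint(config: str) -> list[Finding]:
    dhcp_ifls, zone_of, allowed, default_nexthops = parse(config)
    findings: list[Finding] = []
    for ifl in sorted(dhcp_ifls):
        zone = zone_of.get(ifl)
        if zone is None:
            findings.append(Finding("error", f"{ifl} is a DHCP client but belongs to no security zone"))
            continue
        svcs = allowed.get(ifl, set())
        # The DHCP client runs on the Routing Engine, so OFFER/ACK replies are
        # host-inbound traffic: the zone must admit them or they are dropped.
        if not svcs & {"dhcp", "all"}:
            findings.append(Finding(
                "error",
                f"{ifl} (zone {zone}) is a DHCP client but host-inbound-traffic does not admit dhcp",
                fix=f"set security zones security-zone {zone} interfaces {ifl} "
                    f"host-inbound-traffic system-services dhcp",
            ))
        exposed = sorted(svcs & MGMT_SERVICES)
        if exposed:
            findings.append(Finding("warn", f"management services {exposed} are admitted on WAN interface {ifl}"))
    # A static default route (preference 5) is preferred over the DHCP-learned one
    # (Access-internal, preference 12) whenever its next-hop resolves, and after the
    # move to DHCP the old gateway is on no connected network: remove it.
    if dhcp_ifls:
        for nh in default_nexthops:
            findings.append(Finding(
                "error",
                f"static default route via {nh} competes with the DHCP-learned default route",
                fix=f"delete routing-options static route 0.0.0.0/0 next-hop {nh}",
            ))
    return findings


def fix_commands(config: str) -> list[str]:
    """The Junos commands, in order, that clear the error-level findings."""
    return [f.fix for f in lint(config) if f.fix]


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f.severity:5} {f.message}" + (f"\n      {f.fix}" if f.fix else ""))
```

Run against a real dump with `python lint.py < config.txt` after replacing `SAMPLE_CONFIG` with `sys.stdin.read()`; the two `fix` lines it emits for the sample are exactly the two commands in the answer above, and the remaining warning is the one to weigh before leaving ssh/https admitted on the untrust side.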


  • 7.  RE: SRX-100 Changing WAN from Static to DHCP, need help

    Posted 07-20-2015 13:19

    smicker,

     

    That finally got me an IP. I really feel bad about the routing options, but was clueless on setting the security zone.

    How can I set routing-options static route 0.0.0.0 next-hop to the fe-0/0/0 interface?

    I tried a few commands but was rejected; see below. I am able to ping but cannot load http or https.

    Do I need to also allow that on the fe-0/0/0 interface?

     

    [edit routing-options static route 0.0.0.0/32]
    'next-hop fe-0/0/0.0'
    RT: bad next-hop fe-0/0/0.0 -- next-hop fe-0/0/0.0 is not point-to-point
    error: configuration check-out failed

     

    admin@VPNLOANER01# run ping 4.2.2.2
    PING 4.2.2.2 (4.2.2.2): 56 data bytes
    64 bytes from 4.2.2.2: icmp_seq=0 ttl=56 time=44.507 ms
    64 bytes from 4.2.2.2: icmp_seq=1 ttl=56 time=42.560 ms
    64 bytes from 4.2.2.2: icmp_seq=2 ttl=56 time=25.022 ms
    ^C
    --- 4.2.2.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 25.022/37.363/44.507/8.763 ms



  • 8.  RE: SRX-100 Changing WAN from Static to DHCP, need help

     
    Posted 07-20-2015 16:27

    Your provider should be providing you a default route via DHCP, no?

    With DHCP working, what does

     

    show route 0

    return?

     

    This tells me you are getting a functioning default route from your provider:

     
    admin@VPNLOANER01# run ping 4.2.2.2
    PING 4.2.2.2 (4.2.2.2): 56 data bytes
    64 bytes from 4.2.2.2: icmp_seq=0 ttl=56 time=44.507 ms
    64 bytes from 4.2.2.2: icmp_seq=1 ttl=56 time=42.560 ms
    64 bytes from 4.2.2.2: icmp_seq=2 ttl=56 time=25.022 ms
    ^C
    --- 4.2.2.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 25.022/37.363/44.507/8.763 ms


  • 9.  RE: SRX-100 Changing WAN from Static to DHCP, need help

    Posted 07-20-2015 17:27

     

    I am concerned about the bold statement, as that is the gateway for our corporate service on this VPN solution.

    As of now the VPN tunnel is not setup at corporate for this one SRX, it is setup for four other SRX's.

    I guess what I am looking for is a way to make the fe-0/0/0 the default route for all 0.0.0.0 traffic.

     

    The 10.0.0.0/8 traffic will route down the VPN.

     

    Still tried to ping 4.2.2.2 with success, but any http or https traffic does not load.

     

    set routing-options static route 0.0.0.0/0 next-hop 75.112.50.225
    set routing-options static route 10.0.0.0/8 next-hop 192.168.200.1

     

     

    admin@VPNLOANER01> show route 0

    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Access-internal/12] 00:00:17
    > to 72.238.184.1 via fe-0/0/0.0



  • 10.  RE: SRX-100 Changing WAN from Static to DHCP, need help

     
    Posted 07-20-2015 19:51

    My guess is that, assuming your VPN tunnel is in fact up, your DNS servers at 10.10.10.10 and 10.20.10.10 have no routes back to your data subnet 192.168.200.0/24. You can check the tunnel's status with

     

    show interfaces st0.0 terse

    show security ike security-associations

    show security ipsec security-associations

     


    starlog wrote:

     

    I guess what I am looking for is a way to make the fe-0/0/0 the default route for all 0.0.0.0 traffic.

     
    Your provider, through DHCP, has given you that, as your output shows:
     
    0.0.0.0/0 *[Access-internal/12] 00:00:17
    > to 72.238.184.1 via fe-0/0/0.0
     
    I don't know what setting the default route to 75.112.50.225 is meant to accomplish, as you have no interface on that network.