  • 1.  SRX No route to host

    Posted 09-01-2011 19:33

    Hello,

     

    I am having problems routing out to the internet through an SRX 210 running 11.2. It is behind an SSG5 that is connected to my ISP with a PPPoE connection.

     

    root@DMZ_SRX> show configuration
    ## Last commit: 2011-09-01 18:02:10 EDT by root
    version 11.2R1.10;
    system {
        host-name DMZ_SRX;
        time-zone America/New_York;
        root-authentication {
            encrypted-password "$1$HpOwhg2h$6RhijYgUw.BYhWJ8BT2dj1"; ## SECRET-DATA
        }
        name-server {
            205.152.144.23;
            205.152.132.23;
        }
        static-host-mapping {
            localhost inet 127.0.0.1;
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        interface-range interfaces-trust {
            member ge-0/0/1;
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 172.16.1.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/24 next-hop 172.16.1.2;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     

     

    root@DMZ_SRX> show route all

    inet.0: 6 destinations, 6 routes (4 active, 0 holddown, 2 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/24          [Static/5] 00:33:16
                        > to 172.16.1.2 via ge-0/0/0.0
    127.0.0.1/32        [Direct/0] 02:36:21
                        > via lo0.0
    172.16.1.0/24      *[Direct/0] 01:38:59
                        > via ge-0/0/0.0
    172.16.1.1/32      *[Local/0] 01:38:59
                          Local via ge-0/0/0.0
    192.168.1.0/24     *[Direct/0] 02:35:32
                        > via vlan.0
    192.168.1.1/32     *[Local/0] 02:35:46
                          Local via vlan.0

    __juniper_private1__.inet.0: 6 destinations, 8 routes (3 active, 0 holddown, 4 hidden)
    + = Active Route, - = Last Active, * = Both

    10.0.0.1/32        *[Direct/0] 02:36:21
                        > via lo0.16385
    10.0.0.6/32        *[Local/0] 02:35:35
                          Local via sp-0/0/0.16383
    10.0.0.16/32       *[Direct/0] 02:36:21
                        > via lo0.16385
                        [Direct/0] 02:35:34
                        > via sp-0/0/0.16383
    128.0.0.1/32        [Direct/0] 02:36:21
                        > via lo0.16385
    128.0.0.6/32        [Local/0] 02:35:35
                          Local via sp-0/0/0.16383
    128.0.1.16/32       [Direct/0] 02:35:34
                        > via sp-0/0/0.16383
                        [Direct/0] 02:36:21
                        > via lo0.16385

    __juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    127.0.0.1/32        [Direct/0] 02:36:22
                        > via lo0.16384

    root@DMZ_SRX>

     

    Has anyone ever seen this type of problem before? Thanks for the help!

     



  • 2.  RE: SRX No route to host

    Posted 09-01-2011 20:22

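    Shouldn't your default route be 0.0.0.0/0, not 0.0.0.0/24? A /24 prefix there only matches destinations 0.0.0.0 through 0.0.0.255, so it does not act as a default route.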



  • 3.  RE: SRX No route to host

    Posted 09-02-2011 14:33

    Thanks for the reply! I made that change but no joy. When I try to ping my WAN IP I get "No route to host". Any ideas on what that means?



  • 4.  RE: SRX No route to host

    Posted 09-02-2011 21:26
    Can you ping the ssg interface (172.16.1.2) from the srx, and/or a host behind the srx?

    My gut tells me you can ping out if you use an IP, but have an issue when using a hostname. I think the problem is with your DNS configuration. You have DHCP propagating settings from ge-0/0/0, which will set DNS only IF that interface also receives its settings through DHCP. As this interface is statically configured, I think you need to specify your DNS settings under the dhcp configuration stanza so that hosts receiving an IP via DHCP get proper DNS values.

    Also, confirm your default route is 0/0 instead of 0/24.


  • 5.  RE: SRX No route to host

    Posted 09-04-2011 14:27

    strange, "no route to host" indicates that even the gateway is inaccessible ...

     

    can you check your laptop ip config please ...

     

    regards



  • 6.  RE: SRX No route to host

    Posted 09-05-2011 06:58

    Please make the following change for the time being (it adds ping to the services allowed inbound on the untrust interface, for testing)...

     

    security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;

                                ping ;
                            }

    You can also ping your own interface first, before pinging the remote interface.

     

    "No route to host" means your physical connectivity should be checked first.

     

    Please verify your physical connectivity first.

     

    HTH...



  • 7.  RE: SRX No route to host

    Posted 09-05-2011 11:23

    If you want to verify a route, try "> sh route forward destination" ... and if it is a network beyond a next hop, you may use "resolve" ... set route X.X.X.X next-hop Y.Y.Y.Y resolve.