Hello all,
I am fairly new to Junos and I am having what may be a routing issue with an SRX device.
I have a small group of users at a branch office who are behind an SRX100 and are having some issues when connecting to the newly deployed SSL MAG device. They can reach the VPN and sign in with no problem. I have WSAM set to launch automatically, and it is configured to allow connections to a company intranet page through a browser. However, when the users open a new tab and attempt to browse to this page they receive a "page cannot be found" or "link broken" error. When the SRX is out of the picture the users have no problem opening the page. So it appears that the SRX is not routing that particular traffic through the WSAM connection, but I am not sure how this traffic should be routed. I have included my config below. Please note that, in order to rule out any possible policy conflicts, I currently have my inbound and outbound policies open.
Thanks in advance for any assistance on this.
Cole
/* Junos release this configuration was taken from. 11.4 is an old release train;
   confirm the platform still receives security fixes on it before relying on this config long-term */
version 11.4R8.4;
/* System-level settings: identity, local authentication, management services, DHCP server, logging */
system {
    host-name SRX;
    /* NOTE(review): domain-name carries no argument here — presumably redacted for the post;
       a real commit needs a value or the statement should be removed */
    domain-name;
    root-authentication {
        /* The "$1$" prefix marks an MD5-crypt hash. This hash has been pasted into a public post,
           so treat the root password as disclosed and rotate it */
        encrypted-password "$1$e3jLSXNt$bVRHQJUbF6x8YkHByd/AN/"; ## SECRET-DATA
    }
    /* Resolver addresses were redacted by the poster */
    name-server {
        " ip address";
        " ip address";
    }
    login {
        user jrgiadmin {
            uid 2001;
            /* Full administrative rights */
            class super-user;
            authentication {
                /* Same MD5-crypt scheme and same public exposure as the root hash above — rotate */
                encrypted-password "$1$dAok9NAm$Xr2iX4i3koeB1pZBNwsUo1"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        /* NOTE(review): xnm-clear-text is the unencrypted XML (JUNOScript) management service.
           The trust zone in this config admits all system-services, so it is reachable from the LAN
           in the clear. Remove it unless something depends on it; xnm-ssl is the encrypted equivalent */
        xnm-clear-text;
        web-management {
            https {
                /* Self-signed certificate; J-Web is bound to the inside interface only */
                system-generated-certificate;
                interface vlan.0;
            }
        }
        /* DHCP server for the LAN: 192.168.1.100-200, default gateway 192.168.1.1 (vlan.0) */
        dhcp {
            maximum-lease-time 86400;
            default-lease-time 86400;
            name-server {
                "ip address";
            }
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.100 high 192.168.1.200;
            }
            /* NOTE(review): propagate-settings copies DHCP-learned options from fe-0/0/7.0 to LAN clients,
               but fe-0/0/7.0 is statically addressed in this config, so this likely has no effect — confirm */
            propagate-settings fe-0/0/7.0;
        }
    }
    /* Local log files only: three 100k archives. There is no remote syslog host, so logs
       do not survive the device or a wipe — consider adding a collector */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            /* Login/authentication events at info level */
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Physical ports: fe-0/0/0 through fe-0/0/6 are switch ports in vlan-trust,
   fe-0/0/7 is the routed Internet uplink, vlan.0 is the LAN's layer-3 interface */
interfaces {
    fe-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* NOTE(review): this switch port is also listed directly under security-zone trust,
       alongside vlan.0 which already carries the VLAN's layer-3 interface — confirm that is intended */
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Static public address (redacted); this is the untrust-zone interface */
    fe-0/0/7 {
        description "Connection to Internet";
        unit 0 {
            family inet {
                address "ip address";
            }
        }
    }
    /* LAN gateway address, also handed out by the DHCP server as the router */
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
/* Single default route toward the ISP gateway (address redacted); no other routes are defined,
   so all non-LAN traffic, including the SSL VPN session, leaves via fe-0/0/7.0 */
routing-options {
    static {
        route 0.0.0.0/0 next-hop "gateway";
    }
}
/* Spanning tree on the switch ports */
protocols {
    stp;
}
/* Firewall: screens, NAT, inter-zone policies and zone membership */
security {
    /* Screen profile applied to the untrust zone below; this is the usual baseline set of checks */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Outbound: every trust source is hidden behind the fe-0/0/7.0 address */
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* NOTE(review): the pool is the entire LAN subnet while rule r1 matches a single address;
               confirm which internal host this is meant to reach — a subnet-sized pool behind a
               single-address match is unusual and may not translate to the host you expect */
            pool Internale {
                routing-instance {
                    default;
                }
                address 192.168.1.0/24;
            }
            /* Inbound: anything sent to the SRX's public address is translated into the LAN.
               Together with the any/any untrust->trust permit below this exposes LAN hosts to the Internet;
               the poster states the open policy is temporary for troubleshooting */
            rule-set vpn {
                from zone untrust;
                rule r1 {
                    match {
                        destination-address "SRX IP";
                    }
                    then {
                        destination-nat pool Internale;
                    }
                }
            }
        }
        /* NOTE(review): proxy-arp is normally enabled for NAT addresses the SRX must answer for.
           Here it is set for the upstream gateway's address, which the SRX does not own, and the
           destination NAT above only matches the interface's own address, so this looks unintended
           and may cause the SRX to answer ARP for the ISP gateway on the WAN segment — confirm */
        proxy-arp {
            interface fe-0/0/7.0 {
                address {
                    "gateway";
                }
            }
        }
    }
    policies {
        /* Outbound any/any permit; the address-book entry "Internal" defined in the trust zone is not used */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound any/any permit — left open deliberately while troubleshooting (per the post).
           Restore a deny-by-default policy once done, and consider logging sessions while it is open */
        from-zone untrust to-zone trust {
            policy untrust_to_trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address Internal 192.168.1.0/24;
            }
            /* Every management service (ssh, https, xnm-clear-text, dhcp, ...) and every routing
               protocol is accepted from the LAN */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            /* NOTE(review): fe-0/0/3.0 is an ethernet-switching port whose VLAN is already
               represented here by vlan.0 — confirm the direct membership is intended */
            interfaces {
                vlan.0;
                fe-0/0/3.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/7.0 {
                    /* NOTE(review): dhcp and tftp are accepted from the Internet side. The uplink has a
                       static address in this config, so dhcp appears unnecessary, and tftp is rarely
                       needed on an Internet-facing interface — confirm and remove what is unused */
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
/* Single LAN VLAN (id 3) whose routed interface is vlan.0 (192.168.1.1/24).
   NOTE(review): if the intranet host reached over WSAM also lives in 192.168.1.0/24, the branch LAN
   range overlaps it and the client would resolve that destination locally — worth confirming
   given the symptom described in the post */
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}