SRX

I'm having an issue with what I think should be a simple VLAN. I am trying to config vlan-uc320wan 10.1.2.1/30 on fe-0/0/7.The device plugged into fe-0/0/7 is essentially a router and set to 10.1.2.2/30 with the gateway set as 10.1.2.1/30 and needs to access the internet for SIP. The issue is 10.1.2.2/30 in't getting outside access and neither the SRX or device 10.1.2.2/30 are able to ping the other device in the vlan.

Could someone have a look at the config and point me in the right direction? Thank you

## Last changed: 2012-11-29 07:39:57 WST
version 11.2R4.3;
groups {
    wiz_PPPoE_0 {
        system {
            services {
                dhcp {
                    propagate-ppp-settings pp0.0;
                }
            }
        }
        interfaces {
            pp0 {
                unit 0 {
                    description IInet;
                    ppp-options {
                        chap {
                            default-chap-secret "$9$ovGH.Tz6AuOP5F/9Cu0LxN-s4UjH";
                            local-name XXXXXXX;
                            no-rfc2486;
                            passive;
                        }
                        pap {
                            local-name XXXXXXX;
                            no-rfc2486;
                            local-password "$9$ovGH.Tz6AuOP5F/9Cu0LxN-s4UjH";
                            passive;
                        }
                    }
                    pppoe-options {
                        underlying-interface fe-0/0/0.0;
                    }
                    family inet {
                        negotiate-address;
                    }
                }
            }
            fe-0/0/0 {
                unit 0 {
                    encapsulation ppp-over-ether;
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop pp0.0 {
                        metric 1;
                    }
                }
            }
        }
        security {
            zones {
                security-zone untrust {
                    interfaces {
                        pp0.0;
                    }
                }
            }
        }
    }
}
apply-groups wiz_PPPoE_0;
system {
    host-name ABC-gw01;
    domain-name ABC.com.au;
    time-zone Australia;
    root-authentication {
        encrypted-password "$1$e/4sx.CS$1LuRFsgkSD0TRfWs9fyP.1";
    }
    name-server {
        192.168.0.10;
        192.168.0.11;
    }
    login {
        user ABC {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$BdT9UdbK$VXJwDGQYw9ATb5kLbDunl0";
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 192.168.0.10;
    }
}
interfaces {
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            description "UC320 WAN Port";
            family ethernet-switching {
                vlan {
                    members vlan-uc320wan;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
        unit 4 {
            family inet {
                address 10.1.2.1/30;
            }
        }
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool HTTPS {
                address 192.168.0.10/32 port 443;
            }
            pool 2X {
                address 192.168.0.113/32 port 2080;
            }
            pool SMTP {
                address 192.168.0.10/32 port 25;
            }
            rule-set SBS365 {
                from zone untrust;
                rule HTTPS {
                    match {
                        destination-address 203.59.xxx.xxx/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool HTTPS;
                    }
                }
                rule 2X {
                    match {
                        destination-address 203.59.xxx.xxx/32;
                        destination-port 2080;
                    }
                    then {
                        destination-nat pool 2X;
                    }
                }
                rule SMTP {
                    match {
                        destination-address 203.59.xxx.xxx/32;
                    }
                    then {
                        destination-nat pool SMTP;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy SBS2011 {
                match {
                    source-address any;
                    destination-address SBS365;
                    application [ junos-https junos-smtp ];
                }
                then {
                    permit;
                }
            }
            policy 2X {
                match {
                    source-address any;
                    destination-address ABC-PC01;
                    application 2X;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address SBS365 192.168.0.10/32;
                address ABC-PC01 192.168.0.113/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
}
applications {
    application 2X {
        protocol tcp;
        source-port 2080;
        destination-port 2080;
    }
}
ethernet-switching-options {
    voip {
        interface fe-0/0/6.0 {
            vlan vlan-voip;
        }
        interface fe-0/0/1.0 {
            vlan vlan-voip;
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
    vlan-uc320wan {
        vlan-id 4;
        l3-interface vlan.4;
    }
    vlan-voip {
        vlan-id 100;
    }
}

Hi,

Just quick look into your configuration not deeply u r putting vlan.0 in trusted zone will vlan.4 which contain 10.1.2.1/30 not assigned to any zone. try to install vlan.4 interface under trust zone

Mohamed Elhariry

JNCIE-M/T # 1059, CCNP & CCIP

----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!

thanks for the quick reply and it has improved resolving the issue - I can now resolve and ping FQDN from the device 10.1.2.2 but am still having issues with getting SIP connections through. Is there something else I need to configure  to allow any traffic from the vlan.4 out

Hi

As the SRX does not have a local IP address for each subnet, you will need to add a route to the router that connects to the SRX and the other 10.1.2.2 networks.  Otherwise packets can be send to the SRX, and then the internet, but the return packets will not have a route back.

Hi,

The SIP ALG is enabled by default on juniper SRX

# run show security alg status | match sip
  SIP      : Enabled

That's what I can find about SIP problems

1- try persistent-nat

nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;

                                  persistent-nat {
                                        permit any-remote-host;
                                  }

                             }
                        }
                    }
                }
            }
        }

2- check the following links might help

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23286&cat=m_series&actp=LIST

http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/alg-security-sip-unknown-message-type-understanding.html

http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/alg-security-sip-unknown-message-type-allowing-cli.html

Regards,

Mohamed Elhariry

thanks for the replies after assigning the Vlan to the trust zone, there were some issues with the Nat on the SIP device which needed to be resolved.