Hello everyone,
I've tried my hardest to get this working but, I can't quite seem to put my thumb on what's going on here. I recently setup my vlans to work through my ex2200 (ge-0/0/1) which now work great but, I can no longer access the web configuration page from any of the vlans. Thank you for your time.
SRX210 Configuration:
version 11.1R2.3;
system {
host-name digi-srx-1;
domain-name digi-pets.com;
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
management-url admin;
http;
https {
system-generated-certificate;
}
}
dhcp {
pool 10.0.16.0/20 {
address-range low 10.0.16.10 high 10.0.16.254;
router {
10.0.16.1;
}
server-identifier 10.0.16.1;
}
pool 10.0.32.0/20 {
address-range low 10.0.32.10 high 10.0.32.254;
router {
10.0.32.1;
}
server-identifier 10.0.32.1;
}
pool 10.0.0.1/20 {
address-range low 10.0.0.10 high 10.0.0.254;
router {
10.0.0.1;
}
server-identifier 10.0.0.1;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
vlan-tagging;
unit 16 {
description Servers;
vlan-id 16;
family inet {
address 10.0.16.1/20;
}
}
unit 32 {
description Dev;
vlan-id 32;
family inet {
address 10.0.32.1/20;
}
}
unit 100 {
description vlan-trust;
vlan-id 100;
family inet {
address 10.0.0.1/20;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set dev-to-untrust {
from zone dev-zone;
to zone untrust;
rule dev-source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool dnat-pool-1 {
address 10.0.17.10/20;
}
rule-set dst-nat {
from zone untrust;
rule r1 {
match {
destination-address 24.78.143.203/22;
}
then {
destination-nat pool dnat-pool-1;
}
}
}
}
proxy-arp {
interface ge-0/0/0.0 {
address {
24.78.143.203/22;
}
}
interface ge-0/0/1.32 {
address {
10.0.33.10/32 to 10.0.33.254/32;
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone dev-zone to-zone untrust {
policy dev-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone servers-zone to-zone dev-zone {
policy ssh-to-dev {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone dev-zone to-zone servers-zone {
policy ssh-to-servers {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone servers-zone {
policy untrust-to-servers {
match {
source-address any;
destination-address any;
application junos-http;
}
then {
permit;
}
}
}
from-zone untrust to-zone servers {
policy dst-nat {
match {
source-address any;
destination-address webserver;
application junos-http;
}
then {
permit;
}
}
}
from-zone untrust to-zone dev-zone {
policy dyn-vpn-policy {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn dyn-vpn;
}
}
}
}
}
from-zone untrust to-zone trust {
policy dyn-vpn-policy {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn dyn-vpn;
}
}
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
http;
https;
}
}
interfaces {
ge-0/0/1.100 {
host-inbound-traffic {
system-services {
ping;
dhcp;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
ike;
https;
ping;
}
}
}
}
}
security-zone dev-zone {
host-inbound-traffic {
system-services {
http;
https;
}
}
interfaces {
ge-0/0/1.32 {
host-inbound-traffic {
system-services {
ping;
dhcp;
}
}
}
}
}
security-zone servers-zone {
interfaces {
ge-0/0/1.16 {
host-inbound-traffic {
system-services {
ping;
dhcp;
}
}
}
}
}
security-zone servers {
address-book {
address webserver 10.0.17.10/32;
}
}
}
}