SRX Services Gateway
Contributor
VBentley
Posts: 10
Registered: ‎05-20-2010
0

SRX210 over ADSL no outside access

Hey folks,

I have an SRX210 with an ADSL PIM, and I have the following configuration file. It manages to establish the PPPoE session with Windstream just fine; however, I have no outside access. I figured routing everything to pp0.0 would be the way to go, however I am not seeing anything when I try to ping an outside resource.

I can also see the Windstream routes in the routing table of the device in J-Web, so I am quite stumped.

## Last changed: 2010-05-21 07:28:43 UTC
version 10.0R1.8;
system {
    host-name HOME_SRX;
    root-authentication {
        encrypted-password "encryptedpass";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    at-1/0/0 {
        encapsulation ethernet-over-atm;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            encapsulation ppp-over-ether-over-atm-llc;
            vci 0.35;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                chap {
                    default-chap-secret "encryptedpass";
                    local-name timlmorris;
                    passive;
                }
                pap {
                    default-password "encryptedpass";
                    local-name timlmorris;
                    local-password "encryptedpass";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface at-1/0/0.0;
                auto-reconnect 5;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop pp0.0;
            metric 0;
        }
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                at-1/0/0.0;
                pp0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
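Independent of the routing problem, the config as posted has a property worth flagging: `system services` enables ssh and telnet, and the untrust zone's `host-inbound-traffic system-services all` lets those daemons accept connections on the public address that pp0.0 negotiates (web-management is the exception, since it is pinned to vlan.0). The following is an added example, not code from the original thread or from Juniper, that parses the Junos brace format and flags that combination. The embedded configuration is a constructed excerpt of the OP's config, and `MGMT_SERVICES`, `parse_junos`, `findings` and `remediation` are names chosen here. The remediation commands use standard Junos `set`/`delete` syntax; keeping `ping` open on untrust is an assumption about what the owner wants.

```python
"""Parse a Junos curly-brace config and flag management exposure on untrust.

Added example, not code from the original thread or from Juniper. The embedded
config is a constructed excerpt of the OP's configuration, reduced to the
stanzas the check needs. Braces may share a line; the parser is token-based.
"""
import re

# Constructed excerpt modelled on the OP's config (not the full file).
SAMPLE_CONFIG = """\
## Last changed: 2010-05-21 07:28:43 UTC
version 10.0R1.8;
system { services { ssh; telnet; web-management { http { interface vlan.0; } } } }
security { zones {
    security-zone trust {
        host-inbound-traffic { system-services { all; } protocols { all; } }
        interfaces { vlan.0; } }
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic { system-services { all; } }
        interfaces { at-1/0/0.0; pp0.0; } } } }
"""

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse_junos(text):
    """Nested dicts: `a b { ... }` -> cfg['a b'] = {...}; `a b;` -> cfg['a b'] = None.

    `#` comments (including the "## Last changed" header) are dropped.
    `/* */` annotations are not handled (assumption: none in the input).
    """
    root = {}
    stack = [root]
    words = []
    for line in text.splitlines():
        for tok in _TOKEN.findall(line.split('#', 1)[0]):
            if tok == '{':
                stack.append(stack[-1].setdefault(' '.join(words), {}))
                words = []
            elif tok == '}':
                if len(stack) == 1:
                    raise ValueError('unbalanced "}"')
                stack.pop()
            elif tok == ';':
                stack[-1][' '.join(words)] = None
                words = []
            else:
                words.append(tok)
    if len(stack) != 1:
        raise ValueError('unbalanced "{"')
    return root


# Daemons that listen on every interface once enabled under `system services`.
# web-management is left out because the OP binds it to vlan.0 with `interface`.
MGMT_SERVICES = ('ssh', 'telnet', 'ftp')


def zone(cfg, name):
    return cfg.get('security', {}).get('zones', {}).get('security-zone ' + name, {})


def exposed_services(cfg, zone_name):
    """Management services reachable from hosts in `zone_name`."""
    enabled = cfg.get('system', {}).get('services', {})
    allowed = zone(cfg, zone_name).get('host-inbound-traffic', {}).get('system-services', {})
    return sorted(s for s in MGMT_SERVICES
                  if s in enabled and ('all' in allowed or s in allowed))


def findings(cfg, internet_zone='untrust'):
    """Human-readable findings for the Internet-facing zone."""
    out = []
    ifaces = ', '.join(zone(cfg, internet_zone).get('interfaces', {}))
    for svc in exposed_services(cfg, internet_zone):
        out.append(f'{svc} accepts connections from zone {internet_zone} ({ifaces})')
    if 'telnet' in cfg.get('system', {}).get('services', {}):
        out.append('telnet is enabled: credentials cross the wire in cleartext')
    return out


def remediation(cfg, internet_zone='untrust'):
    """Junos CLI commands that close the findings above."""
    cmds = []
    allowed = zone(cfg, internet_zone).get('host-inbound-traffic', {}).get('system-services', {})
    if 'all' in allowed:
        cmds.append(f'delete security zones security-zone {internet_zone} '
                    'host-inbound-traffic system-services all')
        # Assumption: the owner still wants ICMP reachability tests from outside.
        cmds.append(f'set security zones security-zone {internet_zone} '
                    'host-inbound-traffic system-services ping')
    if 'telnet' in cfg.get('system', {}).get('services', {}):
        cmds.append('delete system services telnet')
    return cmds


if __name__ == '__main__':
    cfg = parse_junos(SAMPLE_CONFIG)
    for f in findings(cfg):
        print('FINDING:', f)
    for c in remediation(cfg):
        print('FIX:', c)
```

Run against the excerpt it reports ssh and telnet as reachable from untrust on at-1/0/0.0 and pp0.0, plus the cleartext-telnet finding, and emits the three commands to close them; SSH from the LAN keeps working because the trust zone is untouched.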

 

 

Contributor
VBentley
Posts: 10
Registered: ‎05-20-2010
0

Re: SRX210 over ADSL no outside access

I still can't figure out if this is a route issue or not. Should I be looking at proxy-arp? I don't think that would limit my internet access entirely. As you can see, trust->untrust is wide open. Any help is appreciated!

Contributor
manishja
Posts: 13
Registered: ‎08-31-2010
0

Re: SRX210 over ADSL no outside access

Can you try the following things as well.

1. Set the security NAT source rule-set from an interface instead of a zone:

security {
    nat {
        source {
            rule-set trust-to-untrust {
                from interface <INTERFACE>;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}

2. Also add a policy from the untrust zone to the trust zone.
Trusted Contributor
piccolo78
Posts: 108
Registered: ‎09-13-2009
0

Re: SRX210 over ADSL no outside access

Hi,

I also have an SRX210-HM with the ADSL PIM module, running with an Italian ISP.

From the SRX210HM I can ping public hosts, and also from the client...

But:

Only 2-3 Internet sites are working, for example www.google.de and www.bechtle.de; going to www.heise.de or even going to www.juniper.net, the client tries to connect, but then nothing happens...

SNAT is based on zone and translation is working fine...

Connecting the SRX210 directly to an ADSL router, which establishes the ppp-over-ether-over-atm session, everything is working fine...

regards

-PIccolo
Contributor
cy
Posts: 76
Registered: ‎09-28-2010
0

Re: SRX210 over ADSL no outside access

piccolo:
have you tried to set the tcp-mss option? (mss = maximum segmentation size)

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-s...

(bottom of the page)

set security flow tcp-mss all-tcp 1400 (set it to <MTU minus 40> instead of 1400; it might solve your problem.)

40 because the IP and TCP headers are 20 bytes each (so segment + headers = MTU).

BTW: if someone finds out whether you can set this option per connection (like set it when using the ADSL PIM module, and deactivate it when using an external modem), please tell me.

--

You can also find me on Freenode IRC in #juniper, my handle is "cy[]"
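What `set security flow tcp-mss all-tcp N` actually does is rewrite the MSS option in TCP SYNs that transit the box and fix up the TCP checksum, so that neither end ever tries to push a full 1500-byte segment through the PPPoE link. PPPoE adds 8 bytes (6-byte PPPoE header plus the 2-byte PPP protocol field), so the link MTU is 1492 and the MSS that matches the "MTU minus 40" rule above is 1452. The following added example, not code from the original thread or from Juniper, builds a constructed IPv4/TCP SYN advertising MSS 1460 (what a host on a 1500-byte Ethernet LAN sends), clamps it, and verifies the checksum of the rewritten segment; `build_syn`, `clamp_mss`, `mss_of` and `pppoe_mss` are names chosen here, and the addresses are constructed.

```python
"""TCP MSS clamping, the operation behind `set security flow tcp-mss all-tcp N`.

Added example, not code from the original thread or from Juniper. It builds a
constructed IPv4/TCP SYN, rewrites its MSS option and recomputes the checksum,
which is what a middlebox must do for the peer to accept the altered segment.
"""
import struct

PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40     # 20-byte IPv4 header + 20-byte TCP header, no options


def pppoe_mss(ethernet_mtu=1500):
    """Largest MSS that fits a PPPoE link carried over `ethernet_mtu`."""
    return ethernet_mtu - PPPOE_OVERHEAD - IP_TCP_HEADERS


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b'\0'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header and the TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack('!BBH', 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xffff


def checksum_ok(src_ip, dst_ip, segment):
    """A segment carrying a valid checksum sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed SYN carrying a single MSS option (kind 2, length 4)."""
    opts = struct.pack('!BBH', 2, 4, mss)
    doff = (20 + len(opts)) // 4
    hdr = bytearray(struct.pack('!HHIIBBHHH', sport, dport, 0x1000, 0,
                                doff << 4, 0x02, 65535, 0, 0))
    struct.pack_into('!H', hdr, 16, tcp_checksum(src_ip, dst_ip, bytes(hdr) + opts))
    return bytes(hdr) + opts


def _options(seg):
    """Yield (kind, offset, length) per TCP option; stop at EOL or malformed data."""
    doff = (seg[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = seg[i]
        if kind == 0:                      # EOL
            return
        if kind == 1:                      # NOP, single byte
            i += 1
            continue
        if i + 1 >= doff:
            return
        length = seg[i + 1]
        if length < 2 or i + length > doff:
            return                         # never read past the header
        yield kind, i, length
        i += length


def mss_of(seg):
    for kind, off, length in _options(seg):
        if kind == 2 and length == 4:
            return struct.unpack_from('!H', seg, off + 2)[0]
    return None


def clamp_mss(src_ip, dst_ip, seg, max_mss):
    """Return (segment, original_mss). Only SYNs carry MSS; a smaller MSS is kept."""
    if not seg[13] & 0x02:
        return seg, None
    old = mss_of(seg)
    if old is None or old <= max_mss:
        return seg, old
    new = bytearray(seg)
    for kind, off, length in _options(seg):
        if kind == 2 and length == 4:
            struct.pack_into('!H', new, off + 2, max_mss)
    struct.pack_into('!H', new, 16, 0)     # zero the field before recomputing
    struct.pack_into('!H', new, 16, tcp_checksum(src_ip, dst_ip, bytes(new)))
    return bytes(new), old


if __name__ == '__main__':
    src, dst = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])   # constructed
    syn = build_syn(src, dst, 40000, 80, 1460)
    clamped, old = clamp_mss(src, dst, syn, pppoe_mss())
    print(old, '->', mss_of(clamped), 'checksum ok:', checksum_ok(src, dst, clamped))
```

A real forwarding path would update the checksum incrementally (RFC 1624) rather than recompute it, but the end result on the wire is the same. The reason the clamp fixes the "some sites hang" symptom is that it removes the dependency on Path MTU Discovery, which breaks when a hop between you and the server drops ICMP fragmentation-needed messages.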
Trusted Contributor
piccolo78
Posts: 108
Registered: ‎09-13-2009
0

Re: SRX210 over ADSL no outside access

Hi,

At first I thought there might be an MTU size problem.

I have already set this option, but without any luck.

Regards

-PIccolo
Visitor
Highrisesector
Posts: 4
Registered: ‎02-22-2010
0

Re: SRX210 over ADSL no outside access

Hello,

I had a similar problem. I just forgot which Junos release I was on, but upgrading to Junos 10.1R3... fixed my problem. This release worked fine for me. Now I'm running 10.2R2... on my SRX210 with an ADSL interface and it works, too.


Trusted Contributor
piccolo78
Posts: 108
Registered: ‎09-13-2009
0

Re: SRX210 over ADSL no outside access

Hi,

I know, or I thought, that I had tested it after receiving my ADSL PIM... but I can't remember the JunOS version, I'm getting old.

I will try with 10.4 and let you know...

For some reasons I have to put my ISP router in between...

and also put in an SRX100, as the SRX210 is too noisy...

Thanks

-PIccolo
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: SRX210 over ADSL no outside access

Are you still running 10.0R1 JUNOS version? If so I recall there was an issue with pp0 interface, but don't recall the details. I have very similar configuration with SRX210 with ADSL mPIM connecting to AT&T and working well. This was with 10.1R3 and now 10.2R3. If you are still running 10.0R1 I would highly recommend upgrading your JUNOS image to pick up all latest fixes.

-Richard

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.