Hi all,
Over the last few months I've gradually built up my knowledge of the SRX, and the attached config has served my needs with only a few minor niggles (like the DHCP client not working on the ISP interface). However, my ISP has just changed the subnet mask length for my internet connection on ge-0/0/0.0 from a /30 to a /27. There was no change to my IP or gateway address, so I updated the address configured on ge-0/0/0.0 to the /27 mask, but I can now no longer ping the gateway or the internet from the SRX or from any connected hosts, and I have no internet service. Connecting a laptop directly to the ISP Ethernet socket with DHCP configured works perfectly, and the laptop receives all the same IP settings that I've configured statically.
Help really appreciated, completely stumped here...
## Last changed: 2016-07-10 21:15:10 BST
## NOTE(review): 12.1X46 is an old release train for an Internet-facing device; confirm it is still within
## Juniper's support window and patched for published advisories before relying on it.
version 12.1X46-D50.4;
system {
host-name srx2;
domain-name int.home.local;
time-zone Europe/London;
root-authentication {
encrypted-password ""; ## SECRET-DATA
}
## Resolver used by the SRX itself; the DHCP pools below hand 8.8.8.8/8.8.4.4 straight to clients.
name-server {
8.8.8.8;
}
name-resolution {
no-resolve-on-input;
}
services {
## NOTE(review): ssh is enabled with no options at this level (e.g. no root-login restriction);
## which interfaces accept it is governed by host-inbound-traffic under [security zones] (vlan.11 only).
ssh;
web-management {
management-url jweb;
## NOTE(review): vlan.1 and vlan.2 are not defined under [interfaces vlan] (only units 3, 4, 11 and 141
## exist), so plaintext-HTTP J-Web is effectively unreachable here. Remove the stale references rather
## than leave them to become live if those units are added later.
http {
interface [ vlan.1 vlan.2 ];
}
## HTTPS J-Web on vlan.11 (Private) with a self-signed system-generated certificate; vlan.1/vlan.2 are
## undefined as above.
https {
system-generated-certificate;
interface [ vlan.1 vlan.2 vlan.11 ];
}
session {
idle-timeout 300;
}
}
dhcp {
## WiFi client pool for vlan.3 (172.16.10.1/27): dynamic range .3-.28.
pool 172.16.10.0/27 {
address-range low 172.16.10.3 high 172.16.10.28;
default-lease-time 36000;
domain-name wifi.gtfo.net;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
172.16.10.1;
}
## NOTE(review): propagate-settings copies settings learned by a DHCP *client* on the named interface;
## vlan.3 is statically addressed, so this statement most likely has no effect - confirm.
propagate-settings vlan.3;
}
## Private LAN pool for vlan.11 (172.16.0.1/24): dynamic range .50-.150.
pool 172.16.0.0/24 {
address-range low 172.16.0.50 high 172.16.0.150;
domain-name int.home.local;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
172.16.0.1;
}
}
## NOTE(review): the fixed addresses .50, .55 and .98 below fall inside the dynamic range
## 172.16.0.50-150 of the pool above; confirm the server excludes them from dynamic allocation,
## or move the range so they cannot collide.
static-binding 3c:97:0e:b1:c2:bf {
fixed-address {
172.16.0.50;
}
host-name THETA;
}
static-binding 80:fa:5b:12:01:bf {
fixed-address {
172.16.0.55;
}
}
## WiFi-side binding (inside the 172.16.10.0/27 pool range); the only WiFi host allowed into Trusted.
static-binding 00:b5:6d:02:a8:e5 {
fixed-address {
172.16.10.5;
}
host-name UKPK1K1GT;
}
## Also the FTP archive host used under [system archival] below.
static-binding 68:05:ca:04:e9:a6 {
fixed-address {
172.16.0.98;
}
host-name BURTHA;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
## NOTE(review): the local 'messages' file keeps only 'any critical' plus authorization events, and no
## remote syslog host is configured, so anything below critical (screen and flow messages, policy
## logging if it is ever enabled) is not retained for investigation. Consider 'any notice' in a
## dedicated file and an off-box destination.
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
## NOTE(review): transfer-on-commit copies the full configuration (hashed secrets included) to the
## archive host over FTP, so both the FTP login and the file travel in cleartext across 172.16.0.0/24.
## An scp:// archive site avoids that if the host supports it.
archival {
configuration {
transfer-on-commit;
archive-sites {
"ftp://junos@172.16.0.98:/Juniper" password ""; ## SECRET-DATA
}
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Single unauthenticated NTP source; accurate time matters for log correlation and certificate checks.
ntp {
server uk.pool.ntp.org;
}
}
chassis {
## Two link-aggregation devices are reserved; only ae0 (ge-0/0/4 + ge-0/0/7) is defined under [interfaces].
aggregated-devices {
ethernet {
device-count 2;
}
}
}
interfaces {
## ISP link. 144.14.94.130/27 places the address in 144.14.94.128/27, which also contains the default
## gateway 144.14.94.129 (see [routing-options static]), so the mask change alone does not move the
## gateway off-link. Destination NAT matches 144.14.94.130/32 and is unaffected by the mask.
## NOTE(review): `show interfaces ge-0/0/0 terse`, `show arp` and `show route 0.0.0.0` on the SRX are the
## first things to check; a stale ARP entry or a leftover /30 address would explain the symptom.
ge-0/0/0 {
description "ISP Link";
gigether-options {
auto-negotiation;
}
unit 0 {
family inet {
address 144.14.94.130/27;
}
}
}
## NOTE(review): ge-0/0/2, ge-0/0/3 and ge-0/0/13-15 are listed under security-zone Trusted, while this
## port and ge-0/0/5, 6 and 8-12 appear in no zone; if zone membership of switching ports matters on
## this platform, make it consistent.
ge-0/0/1 {
description "Wifi Router";
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
vlan {
members vlan-WiFi;
}
}
}
}
ge-0/0/2 {
description "uplink to C3750G";
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members Private;
}
}
}
}
ge-0/0/3 {
description Burtha;
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members Private;
}
}
}
}
## Member of LACP bundle ae0 (with ge-0/0/7).
ge-0/0/4 {
gigether-options {
802.3ad ae0;
}
}
## ge-0/0/5 and ge-0/0/6: access ports with no VLAN membership configured and no security-zone entry.
ge-0/0/5 {
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/6 {
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/7 {
gigether-options {
802.3ad ae0;
}
}
## ge-0/0/8 to ge-0/0/12: switching-only ports with no VLAN or zone assignment.
ge-0/0/8 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching;
}
}
## ge-0/0/13 to ge-0/0/15: vSAN access ports; membership is also declared under [vlans vlan-vSAN interface].
ge-0/0/13 {
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-vSAN;
}
}
}
}
ge-0/0/14 {
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-vSAN;
}
}
}
}
ge-0/0/15 {
gigether-options {
auto-negotiation;
}
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-vSAN;
}
}
}
}
## LACP bundle of ge-0/0/4 and ge-0/0/7 in trunk mode. No `vlan members` statement is visible here, so
## which VLANs actually traverse the trunk cannot be confirmed from this config.
ae0 {
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
## Tunnel interface bound to IPSEC-VPN (zone VPN); OSPF p2p neighbour is 10.99.99.1.
st0 {
unit 0 {
description "VPN to PHV";
family inet {
address 10.99.99.2/30;
}
}
}
vlan {
## WiFi client gateway (zone WiFi) and DHCP router for the 172.16.10.0/27 pool.
unit 3 {
family inet {
address 172.16.10.1/27;
}
}
## vSAN / VMware kernel network gateway (zone Trusted, l3-interface of vlan-vSAN).
unit 4 {
family inet {
address 192.168.1.1/24;
}
}
## Private LAN gateway (zone Trusted); the only interface accepting ssh/http/https management.
unit 11 {
description Private;
family inet {
address 172.16.0.1/24;
}
}
## NOTE(review): unit 141 carries no address family and is not referenced by any vlan (vlan-vSAN uses
## l3-interface vlan.4), so it looks like a leftover; delete it to avoid confusion.
unit 141 {
description vSAN;
}
}
}
routing-options {
static {
## Remote VPN LAN (PHV-Trusted) via the IPsec tunnel interface.
route 10.0.0.0/24 next-hop st0.0;
## ISP gateway; on-link within 144.14.94.128/27 (ge-0/0/0.0 is 144.14.94.130/27).
route 0.0.0.0/0 next-hop 144.14.94.129;
}
}
protocols {
## NOTE(review): no security zone in this config allows `host-inbound-traffic protocols ospf`, so OSPF
## hellos are dropped on every interface listed here and no adjacency can form (the static routes
## above carry the traffic). Either add that permission to the zones that need it (VPN for st0.0,
## Trusted for vlan.4/vlan.11) or remove this stanza. vlan.2 is not defined under [interfaces vlan];
## vlan.3 is the WiFi client segment, where a routing protocol is normally not wanted.
ospf {
area 0.0.0.0 {
interface vlan.4;
interface vlan.3;
interface vlan.2;
interface st0.0 {
interface-type p2p;
neighbor 10.99.99.1;
}
interface vlan.11;
}
}
stp;
}
security {
ike {
## IKEv1 (main mode) with PSK, DH group 14, SHA-256, AES-256-CBC and a 1 h lifetime - a sound suite for
## this platform; the pre-shared key (redacted below) is the weak point, so it should be long and random.
proposal IKE-PROP {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IKE-POL {
mode main;
proposals IKE-PROP;
pre-shared-key ascii-text ""; ## SECRET-DATA
}
## Peer 212.159.107.159 via the ISP interface; `ike` must stay in the Internet zone's host-inbound list.
gateway IKE-GW {
ike-policy IKE-POL;
address 212.159.107.159;
external-interface ge-0/0/0.0;
}
}
ipsec {
## ESP with HMAC-SHA-256-128 and AES-256-CBC; PFS with group 14 on rekey.
proposal IPSEC-PROP {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IPSEC-POL {
perfect-forward-secrecy {
keys group14;
}
proposals IPSEC-PROP;
}
## Route-based VPN on st0.0, brought up at boot and kept alive by vpn-monitor (options not set here).
vpn IPSEC-VPN {
bind-interface st0.0;
vpn-monitor;
ike {
gateway IKE-GW;
ipsec-policy IPSEC-POL;
}
establish-tunnels immediately;
}
}
## Screen profile applied to the Internet zone only (see [security zones]); the WiFi zone has none.
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
## Interface-based source NAT for Trusted and WiFi toward the Internet. The VPN zone is not included,
## so VPN-originated traffic to the Internet is not translated.
rule-set trust-to-untrust {
from zone [ Trusted WiFi ];
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
## Port forwards to XI (172.16.0.55) and BURTHA (172.16.0.98).
pool Xi-ut {
address 172.16.0.55/32 port 17141;
}
pool Xi-ADC-tcp {
address 172.16.0.55/32 port 56667;
}
pool Xi-ADC-udp {
address 172.16.0.55/32 port 56668;
}
pool Xi-ADC-tls {
address 172.16.0.55/32 port 56669;
}
pool Burtha-Tms {
address 172.16.0.98/32 port 59564;
}
## Rules match the public address as a /32, so they are unaffected by the /30 -> /27 mask change.
## NOTE(review): Burtha-Tms forwards 59564 to BURTHA, but the only Internet->Trusted policy for BURTHA
## permits application `txi` (17141); application-set `tms` (59564) exists under [applications] yet is
## referenced by no policy, so post-NAT traffic on 59564 hits the default deny. Confirm which is intended.
rule-set Internet-to-Trusted {
from zone Internet;
rule Xi-ut {
match {
destination-address 144.14.94.130/32;
destination-port 17141;
}
then {
destination-nat {
pool {
Xi-ut;
}
}
}
}
rule Xi-ADC-tcp {
match {
destination-address 144.14.94.130/32;
destination-port 56667;
}
then {
destination-nat {
pool {
Xi-ADC-tcp;
}
}
}
}
rule Xi-ADC-udp {
match {
destination-address 144.14.94.130/32;
destination-port 56668;
}
then {
destination-nat {
pool {
Xi-ADC-udp;
}
}
}
}
rule Xi-ADC-tls {
match {
destination-address 144.14.94.130/32;
destination-port 56669;
}
then {
destination-nat {
pool {
Xi-ADC-tls;
}
}
}
}
rule Burtha-Tms {
match {
destination-address 144.14.94.130/32;
destination-port 59564;
}
then {
destination-nat {
pool {
Burtha-Tms;
}
}
}
}
}
}
}
policies {
## Unrestricted outbound from the private LAN.
from-zone Trusted to-zone Internet {
policy All_Trusted_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## NOTE(review): the name says HTTP but the policy permits `application any` from Trusted into WiFi;
## either rename it or restrict the application set to what is actually needed.
from-zone Trusted to-zone WiFi {
policy Trusted_WiFi_HTTP {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## Unrestricted outbound for WiFi clients.
from-zone WiFi to-zone Internet {
policy All_WiFi_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## Intra-zone Trusted: vlan.4 (192.168.1.0/24 vSphere management) and vlan.11 (172.16.0.0/24) reach
## each other without restriction; consider whether hypervisor management should be open to every LAN host.
from-zone Trusted to-zone Trusted {
policy Trusted_IVR {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## The only WiFi -> Trusted hole: one named client to THETA/XI on the `synergy` application (24800/tcp).
from-zone WiFi to-zone Trusted {
policy Wifi_to_Trusted {
match {
source-address UKPK1K1GT;
destination-address [ THETA XI ];
application synergy;
}
then {
permit;
}
}
}
## Post-DNAT policies for the port forwards above. Internet_to_XI covers the four Xi-* pools;
## Internet_to_BURTHA permits `txi` only, which does not cover the Burtha-Tms pool on 59564 (see NAT note).
from-zone Internet to-zone Trusted {
policy Internet_to_XI {
match {
source-address any;
destination-address XI;
application [ adc txi ];
}
then {
permit;
}
}
policy Internet_to_BURTHA {
match {
source-address any;
destination-address BURTHA;
application txi;
}
then {
permit;
}
}
}
from-zone Trusted to-zone VPN {
policy Trusted_to_VPN {
match {
source-address DSQ-Trusted;
destination-address PHV-Trusted;
application any;
}
then {
permit;
}
}
}
from-zone VPN to-zone Trusted {
policy VPN_to_Trusted {
match {
source-address PHV-Trusted;
destination-address DSQ-Trusted;
application any;
}
then {
permit;
}
}
}
## NOTE(review): this intra-zone policy permits any source, destination and application within the
## Internet zone. Its name suggests it was added so the SRX can ping out, but self-originated traffic
## does not consult from/to-zone policies; what it actually permits is transit traffic that enters and
## leaves the Internet zone. Restrict it to `application junos-ping` or remove it.
from-zone Internet to-zone Internet {
policy Junos-Ping {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
default-policy {
deny-all;
}
}
zones {
security-zone Internet {
screen untrust-screen;
## NOTE(review): `dhcp` is allowed inbound on the ISP side although ge-0/0/0.0 is statically addressed
## (144.14.94.130/27) - remove it unless a DHCP client is re-enabled. `ping` exposes the SRX to ICMP
## from the Internet (the screen's ping-death covers oversized packets only); keep it only if you
## rely on it for reachability tests. `ike` is required for IKE-GW. The same list is repeated at
## interface level below; one of the two is redundant.
host-inbound-traffic {
system-services {
ike;
ping;
dhcp;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
dhcp;
ike;
}
}
}
}
}
security-zone Trusted {
## Address book is per zone on this release; DSQ-Trusted is duplicated in the VPN zone for that reason.
address-book {
address THETA 172.16.0.50/32;
address XI 172.16.0.55/32;
address PHV-Trusted 10.0.0.0/24;
address DSQ-Trusted-Private 172.16.0.0/24;
address DSQ-Trusted-VsphereMgmt 192.168.1.0/24;
address BURTHA 172.16.0.98/32;
address-set DSQ-Trusted {
address DSQ-Trusted-Private;
address DSQ-Trusted-VsphereMgmt;
}
}
interfaces {
ge-0/0/13.0;
ge-0/0/14.0;
ge-0/0/15.0;
## vSAN segment: the SRX answers ping only; no management services here.
vlan.4 {
host-inbound-traffic {
system-services {
ping;
}
}
}
ge-0/0/2.0;
ge-0/0/3.0;
## Management surface of the SRX lives on this interface only. NOTE(review): `dns` is only useful if the
## SRX answers DNS for clients; the DHCP pools hand out 8.8.8.8/8.8.4.4 directly, so it is probably
## unnecessary - confirm. `http` is effectively unused since J-Web HTTP is bound to vlan.1/vlan.2.
vlan.11 {
host-inbound-traffic {
system-services {
ping;
http;
https;
ssh;
dhcp;
dns;
}
}
}
}
}
## No screen is applied to this zone; untrust-screen could be reused if wireless clients are less trusted.
security-zone WiFi {
address-book {
address UKPK1K1GT 172.16.10.5/32;
}
interfaces {
vlan.3 {
host-inbound-traffic {
system-services {
dhcp;
ping;
}
}
}
}
}
security-zone VPN {
address-book {
address PHV-Trusted 10.0.0.0/24;
address DSQ-Trusted-Private 172.16.0.0/24;
address DSQ-Trusted-VsphereMgmt 192.168.1.0/24;
address-set DSQ-Trusted {
address DSQ-Trusted-Private;
address DSQ-Trusted-VsphereMgmt;
}
}
## st0.0 has no host-inbound-traffic, so the OSPF configuration under [protocols] cannot form an
## adjacency over the tunnel; add `protocols ospf` here if that is wanted.
interfaces {
st0.0;
}
}
}
}
applications {
## 24800/tcp; used only by policy Wifi_to_Trusted.
application synergy {
protocol tcp;
destination-port 24800;
}
## adc-*: 56667-56669 to XI, matching the Xi-ADC-* destination NAT pools.
application adc-tcp {
protocol tcp;
destination-port 56667;
}
application adc-udp {
protocol udp;
destination-port 56668;
}
application adc-tls {
protocol tcp;
destination-port 56669;
}
## txi-*: 17141 tcp/udp, matching the Xi-ut destination NAT pool.
application txi-tcp {
protocol tcp;
destination-port 17141;
}
application txi-udp {
protocol udp;
destination-port 17141;
}
## tms-*: 59564 tcp/udp, matching the Burtha-Tms destination NAT pool.
application tms-tcp {
protocol tcp;
destination-port 59564;
}
application tms-udp {
protocol udp;
destination-port 59564;
}
application-set adc {
application adc-tcp;
application adc-udp;
application adc-tls;
}
application-set txi {
application txi-tcp;
application txi-udp;
}
## NOTE(review): this set is referenced by no policy, although destination NAT Burtha-Tms forwards
## 59564 to BURTHA; policy Internet_to_BURTHA permits `txi` only. Either add `tms` there or drop the
## unused forward.
application-set tms {
application tms-tcp;
application tms-udp;
}
}
vlans {
## Private LAN, tagged 11, routed on vlan.11 (zone Trusted).
Private {
description Internal;
vlan-id 11;
l3-interface vlan.11;
}
## WiFi clients, tagged 3, routed on vlan.3 (zone WiFi).
vlan-WiFi {
description "Wifi Clients";
vlan-id 3;
l3-interface vlan.3;
}
## vSAN / VMkernel traffic, tagged 4, routed on vlan.4 (zone Trusted). Membership of ge-0/0/13-15 is
## declared both here and under each port's ethernet-switching stanza; either form alone suffices.
vlan-vSAN {
description "VMware Kernel Traffic";
vlan-id 4;
interface {
ge-0/0/13.0;
ge-0/0/14.0;
ge-0/0/15.0;
}
l3-interface vlan.4;
}
}