SRX

-hi-

I have configure my srx240, I cannot remote from outside using SSH or Web management. I can access with SSH,Telnet and web management from inside only.   could any one help me to solve this configuration?  this is my srx configuration. thk for help.  -urgently-

Attachment(s)

srx240.txt   9 KB 1 version

Hi

Regarding your configuration (specially your zones), what do you mean with inside and outside ?

Which zone are you coming in from?  If you are coming in from the untrust zone, then based on your configuration, you will not be able to manage from untrust.  You don't have host-inbound-traffic system services set for http.  Add http to your host-inbound-traffic system-services for the untrust zone, or whichever zone you are coming in from, then try it again.

-hi-

thank you for your helping solution.  Now, I can solving my problem. 

-hi-

the inside and outside which I mean is trusted and untrusted.  Thanks.

If by "outside" you mean "untrust", then to echo and add on to what oldtimer said:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic https

You'll also need to add the ge-0/0/0.0 interface to the system services:

set system services web-management http interface ge-0/0/0.0
set system services web-management https interface ge-0/0/0.0

-kr

-hi-

specially thank for keithr, your configuration is helpfull  for me to solving my problem. 

Does this command work only on specific versions of JUNOS? I recently received an SRX and am trying to configure the same for allowing remote SSH access. When I use the guide below, I receive a syntax error on ssh.

The commands are just missing the bolded part:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

Yeah, I'm not sure how that got left out of my snippets since I copied/pasted from a live configuration file.

Weird...

Hmm...thank you for the response.

I made the changes, no error, and did a commit; it still is not working.

Should there be anything else needed or should that work as-is?

zanyterp,

If you post your config we can take a look and see what might be missing.

How do I get that? Is that described in a doc somewhere (that can't be found/easily locatable...or is it there if you know what you are looking for and since the outline of docs is so different from what i am used to [SA] it is so-easy-it's-hard)?

I really apologize; i know this should be basic stuff, but i can't find any useful documentation to figure stuff out like this (how to get the config or do any type of configuration or explanation of what the options are).

I know how to get the config to display on my screen over SSH locally, but not sure how to export it/get it off the device (through JWEB or SSH).

Thanks keithr!

Think most are just copy pasting off their ssh-client, while you can ftp/scp the config as a whole it just takes more time imo.

The spots to look at for this particular issue would be [edit system services], [edit security zones].

Either way, if you head to [edit] and run save nameforconfig it will create a textfile in the directory of the user you're logged in with. It also takes a path as argument if you'd like to save it for instance to /var/tmp: save /var/tmp/nameforconfig.

Here's a great thread for config locations:

http://forums.juniper.net/t5/Junos/What-are-the-config-files-and-where-are-they-located-on-a-JUNOS/td-p/14552
 

Also, the sticked SRX Getting Started KB should help

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694

cool, thank you.

i will check out those links when i have access to my srx tonight at home......

I may have outsmarted myself.

I just tried from work and i can login successfully while i couldn't last night connecting to the same name (at home on the same link). is it possible that there is a rule somewhere that is denying that connection (local -> inet -> ge-0/0/0.0) so testing remote access against the external name & ip is invalid?

Attachment(s)

nyx.txt   8 KB 1 version

If you're connecting from inside your LAN, you must connect to the internal IP / (DNS name, if you have one internally) of the SRX.

If you try to connect from your LAN to the external SRX IP, the traffic is going to be coming into the device on an interface other than what the SRX is expecting.  Given that this is a security device, it's going to toss out the traffic that it thinks is odd.

So, if you want to SSH/HTTPS to your SRX from your LAN, you need to connect to 192.186.1.1, your vlan.0 interface.

If you want to SSH/HTTPS to your SRX from the WAN (via the Internat), you need to connect to whatever the IP is of your ge-0/0/0.0 interface which you get via DHCP.  Are you running any kind of dynamic DNS service to map your DHCP address to a public hostname?

Does that clear it up?

that does clear it up, thank you....sorry for not realizing that until i was typing this morning and tested.

when i tested from work i was wondering if it might be that.

i do have dyndns-based updates being done from a computer on the trust-side of the SRX (doesn't look like I can have the SRX do it).

local ssh has worked from the moment i set it up; however, i wanted remote so i could try and make changes externally for testing purposes.

---

@zanyterp wrote:

i do have dyndns-based updates being done from a computer on the trust-side of the SRX (doesn't look like I can have the SRX do it).

---

Native Junos support is supposedly coming back (it used to be there...) but I haven't seen a real ETA for when to expect that.

In the meantime...  depending on how froggy you're feeling... 

http://forums.juniper.net/t5/Junos-Automation-Scripting/Script-for-DDNS/td-p/56004

Thank you for the dyndns tip...i'll take a look and decide how brave i'm feeling. 🙂

is there a log that would/should show me why the access was dropped when trying to connect as if external but from internal? i would expect there its, but i dont see a place for logs.