05-26-2012 01:23 PM - edited 05-28-2012 10:55 AM
Struggling - actually fully in the weeds - attempting to get this replacement firewall to work. I
'll attach the new SSG5 .cfg file and the one from the existing 5GT which works fine. I have been preening this file compared to the 5GT, using gateway addresses, etc. and I am aware of interface naming changes, etc., to no avail.
I need fresh eyes on this, please. I'm connecting to a 6MB DSL line from DSL Extreme, if that matters.
The issue: when connected fully to my LAN, or even singularly via ethernet 0/2, I cannot get "out". DNS fails, clearly it isn't happening. I have defaulted this device multiple times, using the Wizard as well as manual entry.
Solved! Go to Solution.
05-27-2012 12:42 AM
As you mentioned the DNS fails, I could see the following difference in DNS config:
set interface trust dhcp server option dns2 220.127.116.11
set interface trust dhcp server option dns3 18.104.22.168
The above two DNS IPs are missing from SSG 5's DHCP config. So please try including these as well.
Few other things that you could test are :
1. Try pinging gateway from the firewall.
2. Try pining DNS server IPs you see on the LAN Machines to verify the connectivity.
Sarab [ JNCIS-FWV , JNCIA-SEC , CCIP , CCSA ]
[If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]
05-27-2012 01:38 AM
I don't see any routes defined, but you have defined a gateway on the untrust interface. Check if there is a route to 0.0.0.0 in your destination routing table. If there isn't, just add it as described here:
05-27-2012 08:59 AM
There is a route according the the web GUI, please see attached. I just took another snap of the .cfg.
I cannot ping anything outsiude of my LAN with the new SSG 5 in place. I drop the 5GT back in and it all works.
05-27-2012 09:10 AM
I attach the most recent .cfg.
What am I missing? Other than the change in symantics between the two firewalls (no longer using trust and untrust in the actual configuration files) these are not grossly different.
I am running the latest version of the OS....ssG5ssG22.214.171.124r11.0
Is there some exotic order these commands must use in order to make it wwork?
I see a route defined in the web GUI that is exactly a duplicate of the existing 5GT.
05-27-2012 09:36 AM
05-27-2012 09:55 AM
OK, I did what you requested and no, I cannot ping the ISP's gateway from a telnet session on the SSG5.
With the 5GT in place, it pings properly.
As I am dealing with an ISP, I have no access to their system admins to request an ARP cache flush. Are you telling me this is the only solution?
05-27-2012 10:37 AM
Looking at the screenshot of the routing table I noticed the the default route (0.0.0.0) isn't active. Also the routes on the untrust interface are inactive. Are you sure the ethernet0/0 interface is up?
05-27-2012 10:41 AM
Yes, I took those shots with the device offline.
When connected they are all up.
I am pretty sure the issue is as the Juniper employee said - my ISP (like many) caches MAC addresses.
So I must wait out the DHCP lease (60 minutes) and then, as the MAXC will be different, I'll get a new lease with a new IP.
Right now, I can conect but as the MAC is different their server will not issue a new DHCP lease.
Stand by. Thank yu for your reply.
05-28-2012 10:54 AM
Thank you sarab for pointing me at my ISP - the issue was indeed their caching of the MAC address.
The firewall is online.
I appreciate everyone's assistance.