SRX Services Gateway

Can't ping from SRX to ext host

‎07-06-2014 01:14 AM

INFO:

-SRX210

-EX2200

-Cyclades TS3000 Terminal Server

-AP

 

PROBLEM:

1. From SRX port fe-0/0/6.0 with IP 192.168.160.240, I can't ping the Cyclades TS3000 at IP 192.168.160.10,

but if I disconnect the Ethernet cable from the SRX and connect the Cyclades directly to my laptop, I can ping the Cyclades successfully.

What's wrong with my config?

 

CONFIG:

## Last changed: 2014-07-06 07:28:25 WIT
version 11.4R11.4;
system {
    domain-name poc.local;
    time-zone Asia/Jakarta;
    root-authentication {
        encrypted-password "$1$9.iS0UQ3$hKaNTja2Umkl.ARfqJnmf/"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        user admin {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$0BsjUc5q$92QNBCP.6fC0izx6cEkKQ1"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
                interface vlan.1;
            }
        }
        dhcp {
            pool 192.168.1.0/24 {
                address-range low 192.168.1.101 high 192.168.1.200;
                router {
                    192.168.1.1;
                }
            }
            propagate-settings default;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 64.99.80.30;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.160.240/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.160.241/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1;
        unit 10 {
            family inet {
                address 192.168.160.241/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.160.1;
    }
}
protocols {
    stp;
}
policy-options {
    prefix-list management-hosts {
        192.168.160.0/24;
    }
}
security {
    flow {
        traceoptions {
            file traceoptions.txt;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
                vlan.0;
                lo0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                    ping;
                    telnet;
                }
            }
            interfaces {
                fe-0/0/7.0;
                fe-0/0/6.0;
            }
        }
        security-zone junos-host {
            apply-groups-except global-ping; ## 'global-ping' is not defined
        }
    }
}
poe {
    interface ge-0/0/0;
    interface ge-0/0/1;
}
vlans {
    INTERNET {
        vlan-id 10;
        l3-interface vlan.10;
    }
    default {
        vlan-id 1;
        interface {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
        l3-interface vlan.1;
    }
}
5 REPLIES

Re: Can't ping from SRX to ext host

‎07-06-2014 02:30 AM

Hi,

 


I can see you configured subnet 192.168.160.0/24 on interfaces fe-0/0/6, fe-0/0/7 and vlan.10.

Subnet 192.168.160.0/24 should be configured on fe-0/0/6 only. Once you adjust the IPs on the interfaces, it should work fine.

 

Regards,

Mohamed Elhariry

2 * JNCIE (SEC # 159, SP # 1059)

Regards,
Mohamed Elhariry
2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT

[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
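
The diagnosis in the reply above (192.168.160.0/24 configured on fe-0/0/6, fe-0/0/7 and vlan.10) can be checked mechanically. The following is an added example, not part of the original thread: a Python script that walks a Junos `interfaces` stanza and reports logical interfaces whose inet subnets overlap. The function names and the compacted sample config are constructed for illustration, and the tokenizer assumes no quoted strings containing braces or semicolons.

```python
import ipaddress
import re
# Constructed sample: the L3 units from the config in the question, compacted.
SAMPLE = """
interfaces {
    fe-0/0/6 { unit 0 { family inet { address 192.168.160.240/24; } } }
    fe-0/0/7 { unit 0 { family inet { address 192.168.160.241/24; } } }
    vlan {
        unit 0 { family inet { address 192.168.1.1/24; } }
        unit 10 { family inet { address 192.168.160.241/24; } }
    }
}
"""

def l3_addresses(config):
    """Yield (logical interface, ip_interface) for every 'family inet' address."""
    config = re.sub(r"##.*", "", config)      # drop Junos '##' annotations
    stack, stmt = [], []                      # open blocks, current statement
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok == "{":
            stack.append(" ".join(stmt))
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            if (len(stack) == 4 and stack[0] == "interfaces"
                    and stack[2].startswith("unit ") and stack[3] == "family inet"
                    and len(stmt) >= 2 and stmt[0] == "address"):
                yield f"{stack[1]}.{stack[2].split()[1]}", ipaddress.ip_interface(stmt[1])
            stmt = []
        else:
            stmt.append(tok)

def subnet_conflicts(config):
    """Return (if_a, if_b, kind) for each pair of interfaces whose networks overlap."""
    addrs = list(l3_addresses(config))
    conflicts = []
    for i, (a_name, a) in enumerate(addrs):
        for b_name, b in addrs[i + 1:]:
            if a.network.overlaps(b.network):
                kind = "duplicate address" if a.ip == b.ip else "overlapping subnet"
                conflicts.append((a_name, b_name, kind))
    return conflicts

if __name__ == "__main__":
    for a, b, kind in subnet_conflicts(SAMPLE):
        print(f"{a} <-> {b}: {kind}")
```

Because the check compares networks pairwise rather than grouping by prefix, it also catches overlaps between different prefix lengths, such as a /25 configured inside another interface's /24.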

Re: Can't ping from SRX to ext host

‎07-06-2014 09:15 AM

My gateway is 192.168.160.1.

I set fe-0/0/7.0 as the NIC to go to the Internet through the AP.

I set fe-0/0/6.0 as the NIC to connect to my TS3000.

If I understand correctly, you are asking me to delete the IP on fe-0/0/7.0 and vlan10.

Do you think the SRX can still connect to the Internet after I delete the IP on fe-0/0/7.0 and vlan10?


@mhariry wrote:

Hi,

 


I can see you configured subnet 192.168.160.0/24 on interfaces fe-0/0/6, fe-0/0/7 and vlan.10.

Subnet 192.168.160.0/24 should be configured on fe-0/0/6 only. Once you adjust the IPs on the interfaces, it should work fine.

 

Regards,

Mohamed Elhariry

2 * JNCIE (SEC # 159, SP # 1059)



Re: Can't ping from SRX to ext host

‎07-06-2014 10:04 AM

Hi nbctcp,

 

Yes, the Fe-0/0/6 interface should have the 192.168.160/24 subnet.

Remove the IP address from the Fe-0/0/7 and vlan.10 configuration.

Then fe-0/0/6 should be able to access the Internet through Fe-0/0/6.

 

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too


Re: Can't ping from SRX to ext host

‎07-06-2014 06:46 PM

After I deleted vlan 10 and the fe-0/0/7.0 IP address, and set IP address 192.168.160.240/24 on fe-0/0/6.0,

I can ping the TS3000 at IP address 192.168.160.10, but I can't ping the gateway anymore.

FYI, the gateway is connected through fe-0/0/7.0.

If possible, I want to be able to SSH to both the SRX210 and the TS3000 from my PC, which is connected to the AP over wireless.

tq 


Re: Can't ping from SRX to ext host

‎07-07-2014 05:47 AM

Hi nbctcp,

 

 

192.168.160.1 should also be reachable via the Fe-0/0/6 interface for the Internet to work, as it is the default gateway address.

Connect an L2 switch to the SRX Fe-0/0/6 interface and connect all your devices in the 192.168.160.x range to it, so that all these 192.168.160.x devices are in the same broadcast domain, including the SRX fe-0/0/6 interface.

 


Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
