SRX

  • 1.  Firewall cant reach gateway

    Posted 02-07-2013 22:03

    Hi, I'm a Juniper newbie, so hopefully it's an easy one.

     

    I can't ping my internet gateway (.97) or 4.2.2.2 from the CLI.

    I've spent 2 days on this and can't figure it out 😞

    I've created permit rules for everything I can think of just to get it working, and I still can't ping.

    Any help would be much appreciated.

     

    I have interface untrust ge-0/0/0.0 set to 2XX.XX.XX.102/29

    It needs to get to the internet using the gateway 2XX.XX.XX.97

    The subnet mask and IPs are definitely correct.

     

    ## Last changed: 2013-02-08 16:48:56 EST

    /* Junos release this configuration was committed under. */
    version 12.1R5.5;

    system {

        host-name jun01;

     

        /* Management daemons enabled on the device.  Which interfaces they are
           actually reachable on is decided by host-inbound-traffic under
           security zones; on this box the untrust interface allows them all. */
        services {

            ssh;

            /* telnet and xnm-clear-text carry credentials and sessions in the clear;
               prefer ssh (and xnm-ssl) and remove these once the box is reachable. */
            telnet;

            xnm-clear-text;

            web-management {

                /* J-Web bound to the LAN (vlan.0) and to the Internet-facing
                   ge-0/0/0.0; plain http on the untrust side should be dropped. */
                http {

                    interface [ vlan.0 ge-0/0/0.0 ];

                }

                https {

                    /* Device-generated (self-signed) certificate: clients cannot
                       validate it against a trusted CA, so HTTPS gives no assurance
                       they are really talking to this device. */
                    system-generated-certificate;

                    interface [ vlan.0 ge-0/0/0.0 ];

                }

            }

        }

      

     

        /* 192.168.1.208 is in no connected subnet or static route in this config,
           so NTP would follow the 0.0.0.0/0 route out ge-0/0/0.0 -- confirm intended. */
        ntp {

            server 192.168.1.208;

        }

    }

    interfaces {

        /* Internet-facing uplink; placed in zone untrust under security zones. */
        ge-0/0/0 {

            unit 0 {

                family inet {

                    address 20X.XX.XX.102/29;

                }

            }

        }

        /* LAN access port: L2 member of vlan-trust, routed through vlan.0. */
        ge-0/0/1 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

       

       

       

        /* Routed (L3) interface for vlan-trust; inside gateway address. */
        vlan {

            unit 0 {

                family inet {

                    address 172.23.168.2/23;

                }

            }

        }

    }

    routing-options {

        static {

            /* Second inside subnet sits behind an internal router at 172.23.168.1. */
            route 172.23.170.0/23 next-hop 172.23.168.1;

            /* Default route to the ISP gateway on the ge-0/0/0.0 /29. */
            route 0.0.0.0/0 next-hop 2XX.XX.XX.97;

        }

    }

    protocols {

        /* Spanning tree on the ethernet-switching ports (ge-0/0/1). */
        stp;

    }

    security {

        /* IDS screen profile; bound to the untrust zone further down. */
        screen {

            ids-option untrust-screen {

                icmp {

                    ping-death;

                }

                ip {

                    source-route-option;

                    tear-drop;

                }

                tcp {

                    syn-flood {

                        alarm-threshold 1024;

                        attack-threshold 200;

                        source-threshold 1024;

                        destination-threshold 2048;

                        timeout 20;

                    }

                    land;

                }

            }

        }

        /* Hide every trust-side source behind the ge-0/0/0.0 address when
           traffic leaves towards untrust. */
        nat {

            source {

                rule-set trust-to-untrust {

                    from zone trust;

                    to zone untrust;

                    rule source-nat-rule {

                        match {

                            source-address 0.0.0.0/0;

                        }

                        then {

                            source-nat {

                                interface;

                            }

                        }

                    }

                }

            }

        }

        /* Transit traffic between zones is denied unless a policy permits it.
           Traffic the SRX originates itself (e.g. ping from the CLI) is not transit
           traffic, so none of these policies gate the CLI ping tests in this thread. */
        policies {

            /* Everything outbound is allowed (any/any/any); usual for a small site,
               but consider restricting the application set later. */
            from-zone trust to-zone untrust {

                policy trust-to-untrust {

                    match {

                        source-address any;

                        destination-address any;

                        application any;

                    }

                    then {

                        permit;

                    }

                }

            }

            /* Intra-zone ICMP on the untrust side only. */
            from-zone untrust to-zone untrust {

                policy untrust-to-untrust {

                    match {

                        source-address any;

                        destination-address any;

                        application junos-icmp-all;

                    }

                    then {

                        permit;

                    }

                }

            }

            /* ICMP from any untrust source to any trust host.  Inside hosts are
               behind interface NAT, so only addresses the ISP routes to this box
               are reachable anyway; still, remove this once troubleshooting is done. */
            from-zone untrust to-zone trust {

                policy untrust-to-trust {

                    match {

                        source-address any;

                        destination-address any;

                        application junos-icmp-all;

                    }

                    then {

                        permit;

                    }

                }

            }

            /* Intra-zone ICMP on the trust side. */
            from-zone trust to-zone trust {

                policy trust-to-trust {

                    match {

                        source-address any;

                        destination-address any;

                        application junos-icmp-all;

                    }

                    then {

                        permit;

                    }

                }

            }

        }

        zones {

            /* Full management and protocol access from the LAN. */
            security-zone trust {

                host-inbound-traffic {

                    system-services {

                        all;

                    }

                    protocols {

                        all;

                    }

                }

                interfaces {

                    vlan.0;

                }

            }

            security-zone untrust {

                /* Applies the untrust-screen profile defined above. */
                screen untrust-screen;

                /* Zone-level default: only ping answered from the Internet ... */
                host-inbound-traffic {

                    system-services {

                        ping;

                    }

                }

                interfaces {

                    ge-0/0/0.0 {

                        /* ... but interface-level settings take precedence over the
                           zone level, and `all` below supersedes dhcp/tftp as well:
                           every system service (ssh, telnet, http, https,
                           xnm-clear-text, ...) is reachable from the Internet on
                           this interface.  Troubleshooting-only; cut back to ping
                           (and ssh from trusted sources) once the link works. */
                        host-inbound-traffic {

                            system-services {

                                dhcp;

                                tftp;

                                all;

                            }

                            /* No dynamic routing is configured, so nothing needs
                               routing protocols accepted from the untrust side. */
                            protocols {

                                all;

                            }

                        }

                    }

                }

            }

        }

    }

    vlans {

        /* Trust-side VLAN; vlan.0 is its L3 gateway (172.23.168.2/23). */
        vlan-trust {

            vlan-id 3;

            l3-interface vlan.0;

        }

    }



  • 2.  RE: Firewall cant reach gateway

    Posted 02-07-2013 22:06

    Output of `show route`:


    0.0.0.0/0          *[Static/5] 00:27:59
                        > to 20X.XX.XX.97 via ge-0/0/0.0
    172.23.168.0/23    *[Direct/0] 00:43:37
                        > via vlan.0
    172.23.168.2/32    *[Local/0] 00:45:25
                          Local via vlan.0
    172.23.170.0/23    *[Static/5] 00:43:37
                        > to 172.23.168.1 via vlan.0
    20X.XX.XX.96/29    *[Direct/0] 00:48:46
                        > via ge-0/0/0.0
    20X.XX.X.102/32   *[Local/0] 00:48:46
                          Local via ge-0/0/0.0

     



  • 3.  RE: Firewall cant reach gateway

    Posted 02-08-2013 05:08

    Your config is logically correct; there are no visible errors. Note that you have `system-services all` (and `protocols all`) enabled on the untrust interface ge-0/0/0.0, which exposes every management service — including telnet, xnm-clear-text and plain HTTP — to the Internet. That is fine for a quick test, but cut it back to `ping` (and SSH from trusted addresses only) once connectivity works. Can you ping the untrust interface from the outside?



  • 4.  RE: Firewall cant reach gateway

    Posted 02-08-2013 14:46
    Thanks for the reply.
    No, I cannot ping the untrust interface from the outside.
    I think I'll have to test the ISP router again. It's providing our internet at the moment via the .98 IP, so I'm assuming it's working...


  • 5.  RE: Firewall cant reach gateway

    Posted 02-08-2013 14:53

    Well, your config is clean, so I would be looking at layer 1. Could you put a PC/laptop in front of the FW and ping in/out from it, just to test real quick?



  • 6.  RE: Firewall cant reach gateway

    Posted 02-10-2013 23:18
    Thanks for your help. The ISP had put all the remaining ports on their router in a different VLAN, and I was blaming myself 🙂