SRX Services Gateway

Newbie, Need Direction on Basics

‎02-05-2015 08:06 AM

Sorry for post but I am desperate.

We have only used ScreenOS Junipers in the past.  Our sales people talked us into a Junos SRX210H and told us we could use the conversion tool to easily get up and running on the new hardware.  Well, the conversion tool failed. I am flying out to replace a firewall tomorrow and I cannot get it working.  The sales group forgot to attach a service contract, so Juniper Support will not help me.  Spent three days reading KB articles and still cannot get it working on the simplest of duties.

 

At a minimum, I just need the darn (wish I could elaborate) thing to get on the internet in untrust.  You would think it would be simple.  In ScreenOS, I set a gateway and a policy of trust to untrust with any/any.

 

I am dealing with a factory config.  All I did was set host name and a root password.  Everything else is default.

 

I followed this article for internet access:

http://www.juniper.net/documentation/en_US/junos12.1x47/topics/task/operational/security-branch-devi...

 

If I can just get it on the internet, I can at least put it in place of the dying, no longer supported hardware and put VPNs on it when my support licenses come through.  Any assistance would be greatly appreciated.

 

Attached is the config as it stands now.  Using 12.12.12.12 as the external IP for the device and 12.12.12.13 as the gateway for the ISP.

Leaving the internal network at the default 192.168.1.0/24.


Re: Newbie, Need Direction on Basics

‎02-05-2015 09:00 AM

At first glance, I don't see a problem with your configuration, besides the fact that it looks like you are obviously using dummy IPs for the ge-0/0/0.0 "untrust" interface.  What exactly is not working?

 

As a side note, once your support contract becomes valid, I would strongly recommend upgrading to the latest recommended Junos, the exact version of which would be listed here:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&smlogin=true


Re: Newbie, Need Direction on Basics

‎02-05-2015 10:04 AM

Thank you for responding.

 

I connected the firewall port g0/0/0 to internet.

I connected a laptop to port g0/0/1.  It gets a DHCP address of 192.168.1.2 and shows the proper gateway and DNS per the config file.  It does not show internet access on the laptop connection.

 

Pinging an outside IP address like 8.8.8.8 is unreachable.  A traceroute will show only a single hop to the 192.168.1.1 address for the firewall and then stops.

 

I can manually configure the laptop with the 12.12.12.12 and 12.12.12.13 addresses as IP and gateway, connect it to the line I have in g0/0/0, and get internet without an issue, so I know the IP and gateway are correct.

 

The device is stopping traffic someplace and I cannot figure out where or why.


Re: Newbie, Need Direction on Basics

‎02-05-2015 10:05 AM

Oh. I did notice the device is behind on updates and I ran into the wall of trying to download and install without contract. I plan to upgrade if I can get this all settled.  Thanks.


Re: Newbie, Need Direction on Basics

‎02-05-2015 10:12 AM

So your actual IP addresses are in the range of 12.12.12.8/29?  And if you plug your laptop into the upstream connection and configure it with 12.12.12.12/29 as the IP address, you can ping 12.12.12.13?

 

One thing I just noticed is that your DHCP is configured to hand out IP addresses, but it's supposed to also propagate the settings that it receives from ge-0/0/0.0, indicating that ge-0/0/0.0 is supposed to be a DHCP client of the upstream connection.  Therefore, if there are no settings to propagate, there are no DNS servers being set for your DHCP clients and name resolution would not happen. 


Re: Newbie, Need Direction on Basics

‎02-05-2015 11:26 AM

Sorry, typing fast and need to slow down.

 

In the NIC settings of the laptop, if I put in the following, I get internet when directly connected to upstream.

IP Address 12.12.12.12

Subnet 255.255.255.0

Gateway 12.12.12.13

DNS 8.8.8.8

 

My ISP does not support DHCP. I have to set the IP and Gateway as static for their connection.

 

Am I misunderstanding the DHCP connection in this firewall?  I wanted it to give out a 192.168.1.? address to each computer connected through the trust (g0/0/1).  When I directly connect the laptop to this port with the NIC configured as DHCP, I get the correct 1 dot address (192.168.1.2, first in the DHCP range as configured).  Are you thinking the DHCP setup is trying to use that for an external connection upstream as well?

 

With regards to DNS, my site in California (the one I fly to in the morning) has a Domain Controller that serves as DNS.  I had planned to replace the Google IP (8.8.8.8) with the DC IP address as the DNS server.  Names should resolve then.  In the meantime, I do not have a local DNS in my test environment, so I am using Google's DNS.  It has worked in the past for ScreenOS.  I just need to ping IPs and not names to test.  It would not surprise me if this thing is overly picky and not allowing internet because I have no local DNS server.

 

Make more sense?

 

Again thanks for input thus far.


Re: Newbie, Need Direction on Basics

‎02-05-2015 11:52 AM

Okay, I'll go with that.

 

If your IP address is really 12.12.12.12 and your gateway is really 12.12.12.13, with a subnet mask of 255.255.255.0, then your configuration for the ge-0/0/0.0 interface is wrong.  The address should be 12.12.12.12/24, not 12.12.12.12/29.  That said, this would not exactly cause your problem.

 

What I was getting at is you have this configuration for DHCP:

 

        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }

This configuration is fine for merely handing out IP addresses - it should work.  But the "propagate-settings ge-0/0/0.0" configuration option is basically saying that your DHCP server expects that ge-0/0/0.0 is a DHCP client which receives settings from an upstream DHCP server and those settings should be propagated to your downstream DHCP clients.  Since you have no upstream DHCP server, that configuration is doing nothing and unless you statically configure settings on your client such as DNS servers, your clients will not receive DNS server addresses with their address assignment.

 

Moreover, you have this in your configuration:

 

       security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }

The 'system-services dhcp' indicates that you are expecting DHCP packets on ge-0/0/0.0.

 

The SRX doesn't care where your DNS is.  The reason I bring all this up is because we often hear users complain, "I can't get on the internet"  or "my internet is broken" or "are you guys down?" when the problem is often that their DNS settings are wrong.  I am trying to narrow down your problem and that is one thing that jumps out at me.

 

The next thing I would do is add the following to your NAT config:

 

    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0; <<<<<<<<
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

And see if that works.  I seem to recall the NAT settings requiring a destination, but I could be misremembering.
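
As an added check (my own example, not code from this thread or from Juniper), the script below parses a constructed Junos-style config excerpt and flags the two points raised in the reply above: a 'propagate-settings' interface that is not itself a DHCP client, and the absence of a trust-to-untrust source NAT rule-set. The excerpt, interface names and zone names are assumptions modelled on the thread, not the poster's attached config.

```python
import re

# Constructed excerpt (hypothetical): static WAN address, DHCP server propagating from it, empty NAT source.
SAMPLE = """
interfaces { ge-0/0/0 { unit 0 { family inet { address 12.12.12.12/29; } } }
             ge-0/0/1 { unit 0 { family inet { address 192.168.1.1/24; } } } }
system { services { dhcp { router { 192.168.1.1; }
    pool 192.168.1.0/24 { address-range low 192.168.1.2 high 192.168.1.254; }
    propagate-settings ge-0/0/0.0; } } }
security { nat { source { } } }
"""

def parse(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to {}."""
    root = {}
    node, stack, words = root, [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                       # open a block named by the words so far
            child = {}
            node[" ".join(words)] = child
            stack.append(node)
            node, words = child, []
        elif tok == ";":                     # terminate a leaf statement
            node[" ".join(words)] = {}
            words = []
        elif tok == "}":                     # close the current block
            node = stack.pop()
        else:
            words.append(tok)
    return root

def audit(text):
    """Return the two misconfigurations discussed in the thread as a list of strings."""
    cfg = parse(text)
    findings = []
    dhcp = cfg.get("system", {}).get("services", {}).get("dhcp", {})
    for stmt in dhcp:
        if stmt.startswith("propagate-settings "):
            ifl = stmt.split()[1]                                  # e.g. ge-0/0/0.0
            ifd, unit = ifl.rsplit(".", 1)
            inet = (cfg.get("interfaces", {}).get(ifd, {})
                    .get(f"unit {unit}", {}).get("family inet", {}))
            if "dhcp" not in inet:                                 # no 'dhcp;' under family inet
                findings.append(f"propagate-settings {ifl}: {ifl} is not a DHCP client, "
                                "so downstream clients get no DNS servers from it")
    rule_sets = cfg.get("security", {}).get("nat", {}).get("source", {})
    if not any("from zone trust" in rs and "to zone untrust" in rs
               for name, rs in rule_sets.items() if name.startswith("rule-set ")):
        findings.append("no source NAT rule-set from zone trust to zone untrust")
    return findings
```

Running audit(SAMPLE) reports both findings; once the interface is a DHCP client (or propagate-settings is dropped) and a trust-to-untrust rule-set exists, it returns an empty list.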

Re: Newbie, Need Direction on Basics

‎02-05-2015 12:33 PM

EVT,

 

I see what you are talking about now and understand what to try next.

 

My boss just pulled the plug on this Juniper due to time limitations.  He has me pulling an SSG20 from another network, configuring it now and taking it with me tomorrow.

 

I am going to try and work on this Juniper again next week when I return to put where we took the SSG20 from.  Who knows, I may also have Juniper support by then.

 

Thank you, thank you very much for your time.  I really appreciated it.

 

Douglas
