SRX Services Gateway

SRX: no internet access inside zones

a week ago

Hello everyone,

I have a problem: within the zone there is no internet access. I am troubleshooting but I cannot get any further, and I also cannot see what I am doing wrong in my config. Can you help me with this? Only on the SRX itself is there internet connectivity; I can ping from source address 10.200.5.8 (public IP for the SRX) towards public addresses, for example Google.

I have attached the SRX340 and EX3400 configs.

Issues:

1. There is no internet access within the ot-application reth1.30 zone (example).

2. I can ping (10.200.5.8) but cannot access the J-Web management of the switches. Is this a security policy issue?

3. I can ping the iDRAC addresses of the servers but I cannot access the iDRAC web console. Is this a security policy issue?

Thanks.

Re: SRX: no internet access inside zones

a week ago

Suli,

Let's start troubleshooting from ot-application to the Internet first. I checked the config of the SRX and confirmed the following:

Topology

        "OT-application vlan 30"                "untrust"
---------(reth1.30: 172.22.2.1/24)-SRX-(ge-0/0/7:192.168.150.30/30)----------------INTERNET
                                    |
                                    |--(ge-5/0/7:192.168.250.30/30)----------------INTERNET

 

Default route is present

routing-options {
    rib inet.0 {
        static {
            route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
        }
    }
}

Security policy is allowing the traffic

from-zone ot-application to-zone untrust {
    policy OT-application-to-Untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

Proper NAT is configured for reaching the Internet

security {
    nat {
        source {
            rule-set otapplication-to-internet {
                from zone ot-application;
                to zone untrust;
                rule internet-access {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}

The config looks correct to me. Can you try pinging 8.8.8.8 from a host within the ot-application zone and check whether a session is created:

> show security flow session source-prefix [PC_Address] destination-prefix 8.8.8.8 protocol icmp

If you don't see any session, then try running flow traceoptions to confirm whether the SRX is dropping the packets:

# set security flow traceoptions file TRACE
# set security flow traceoptions flag basic-datapath
# set security flow traceoptions packet-filter TEST source-prefix [PC_Address]
# set security flow traceoptions packet-filter TEST destination-prefix 8.8.8.8
# commit

[try the ping]

> show log TRACE

Re: SRX: no internet access inside zones

a week ago

Thank you for responding.

Show security flow session:

Session ID: 256206, Policy name: OT-application-to-Untrust/6, State: Active, Timeout: 52, Valid
In: 172.22.2.8/1 --> 8.8.8.8/16557;icmp, Conn Tag: 0x0, If: reth1.30, Pkts: 1, Bytes: 84,
Out: 8.8.8.8/16557 --> 192.168.150.30/55646;icmp, Conn Tag: 0x0, If: ge-0/0/7.1409, Pkts: 0, Bytes: 0,

Solution
Accepted by topic author Suli
a week ago

Re: SRX: no internet access inside zones

a week ago

Suli,

Packets are leaving the SRX but not returning, so this is a problem outside the SRX:

Show security flow session:

Session ID: 256206, Policy name: OT-application-to-Untrust/6, State: Active, Timeout: 52, Valid
In: 172.22.2.8/1 --> 8.8.8.8/16557;icmp, Conn Tag: 0x0, If: reth1.30, Pkts: 1, Bytes: 84,
Out: 8.8.8.8/16557 --> 192.168.150.30/55646;icmp, Conn Tag: 0x0, If: ge-0/0/7.1409, Pkts: 0, Bytes: 0,

I can also see that source NAT was applied correctly. You might want to check with your ISP.

Re: SRX: no internet access inside zones

a week ago

The switch configuration you shared is from a switch that sits between the SRX and the Internet? If so, please let us know which ports connect to ge-0/0/7 and ge-5/0/7 of the SRX and which port connects to the Internet modem. That way we could quickly check the config on the switch as well.

Re: SRX: no internet access inside zones

a week ago

This is the topology:

4x switches (virtual chassis) > 2x SRX (cluster) > internet

SRX:

ge-0/0/7 connecting towards ISP1, VLAN 1409

ge-5/0/7 connecting towards ISP2, VLAN 2409

10.200.5.81 should be 5.200.5.81.

On the EX switches:

Interfaces ge-2/0/46 and ge-0/0/46 are labelled as "internet", but to be clear, these interfaces are not directly connected to the ISP. The firewall has reth0.100 as the "internet" interface and the firewall itself has 5.200.5.81 as its IP address. We made this VLAN for reaching the firewall publicly via 5.200.5.81.

reth0 {
    description "switch - internet";
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
        lacp {
            active;
            periodic slow;
        }
    }
    unit 100 {
        description "public ip-range";
        vlan-id 100;
        family inet {
            address 5.200.5.81/29 {
                primary;
                preferred;
            }
        }
    }
}

Re: SRX: no internet access inside zones

a week ago

I'll be reporting this to my ISP. Thank you.

Re: SRX: no internet access inside zones

a week ago

Suli,

I'm confused about the flow of the traffic. I understood that the packets sent from a PC within the ot-application zone will reach the SRX on reth1.30 and then the SRX will send them to the switch via its ge-0/0/7 or ge-5/0/7 interface. However, I'm not sure what should happen next; will the switch send the packets back to the SRX so they are sent via reth0.100 to the Internet?

Re: SRX: no internet access inside zones

a week ago

Hello,

You can ignore reth0.100. What is important is that the packets sent from a PC within the ot-application zone will reach the SRX on reth1.30, and then the SRX will send them via its ge-0/0/7 or ge-5/0/7 interface towards the ISP. ge-0/0/7 and ge-5/0/7 are interfaces on the SRX towards the ISP.

SRX:

ge-0/0/7 {
    description "ISP-router-01 - cable ID 3611";
    vlan-tagging;
    unit 1409 {
        vlan-id 1409;
        family inet {
            address 192.168.150.30/30;
        }
    }
}
ge-5/0/7 {
    description "ISP.net-router-02 - cable ID 3711";
    vlan-tagging;
    unit 2409 {
        vlan-id 2409;
        family inet {
            address 192.168.250.30/30;
        }
    }
}

routing-options {
    rib inet.0 {
        static {
            route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
        }
    }
}

Re: SRX: no internet access inside zones

a week ago

OK, good. Then you need to check any devices sitting in front of the SRX, or check with the ISP as you stated.

Good luck with that and keep us posted. Please also mark the post as Resolved if you consider it so.

Re: SRX: no internet access inside zones

a week ago

Hello,

The problem is resolved now. What went wrong is that I had configured the NAT with "then source-nat interface", but the outgoing interface has a private IP address, so that won't work. So I needed a source-nat pool in which I can choose a public IP from my assigned range as the public NAT address from our network transmission supplier towards the ISP.

Topology

        "OT-application vlan 30"                "untrust"
---------(reth1.30: 172.22.2.1/24)-SRX-(ge-0/0/7:192.168.150.30/30)----------------INTERNET
                                    |
                                    |--(ge-5/0/7:192.168.250.30/30)----------------INTERNET

Thanks.
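An added example, not taken from any post in this thread, showing the fix the last reply describes in Junos set-command form. The original rule translates outbound traffic to the egress interface address, which on ge-0/0/7.1409 is 192.168.150.30, an RFC 1918 transit address the ISP will not route back to; that is why the session in the thread shows an Out wing with "Pkts: 0". The corrected rule translates to an address from a pool instead. The pool address 5.200.5.82/32 is an assumption taken from the 5.200.5.80/29 range mentioned above; the zone, rule-set, rule and interface names are the ones from the poster's config.

```junos
# Added example, not the poster's configuration.
# Assumed: 5.200.5.82 is a free address in the 5.200.5.80/29 range shown
# above and the upstream routes that /29 to the SRX. Names of the zone,
# rule-set, rule and interfaces are the poster's.

# Broken form: "source-nat interface" translates to 192.168.150.30 or
# 192.168.250.30, RFC 1918 transit addresses with no return route from the ISP.
delete security nat source rule-set otapplication-to-internet rule internet-access then source-nat interface

# 1. Pool holding the public address(es). One /32 per address, or a range.
set security nat source pool PUBLIC-NAT-POOL address 5.200.5.82/32

# 2. Same rule-set and match as before, but translate to the pool.
set security nat source rule-set otapplication-to-internet from zone ot-application
set security nat source rule-set otapplication-to-internet to zone untrust
set security nat source rule-set otapplication-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set otapplication-to-internet rule internet-access then source-nat pool PUBLIC-NAT-POOL

# 3. Proxy ARP is only needed when a pool address lies inside the egress
#    interface's own subnet. 5.200.5.82 is not in 192.168.150.28/30, so the
#    upstream must route the /29 to the SRX instead; the line is shown
#    commented out for the case where the pool address would be on-link.
# set security nat proxy-arp interface ge-0/0/7.1409 address 5.200.5.82/32

commit check
commit comment "source NAT: public pool instead of private egress interface"

# Verification from configuration mode. The rule should show translation
# hits, and a new ICMP session's Out wing should carry the pool address as
# source with a non-zero packet count once replies return. An Out wing that
# stays at "Pkts: 0" is the symptom the thread started with.
run show security nat source rule all
run show security nat source pool all
run show security flow session destination-prefix 8.8.8.8 protocol icmp
```

Because the default route has two next-hops, this only works if both upstreams route the pool address back to the SRX (an assumption about the supplier's setup). If each ISP assigns its own public range, bind a rule-set per egress interface with `to interface ge-0/0/7.1409` and `to interface ge-5/0/7.2409`, each pointing at a pool from that ISP's range, so a flow is always translated to an address the link it leaves on can return.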