Hello I have been working for around a week now with my VPN and it has come down to this: I cannot ping my SRX210 across the internet! I need some help here because I have no idea what is going on since all the KB's I have followed said everything is configured properly. Right now I just want to see a ping response from my external IP but I would like to see my VPN working as well...this is how my network is setup:
development vlan is used for workstation PC's to work from, I want the VPN to be able to access this VPN (10.0.32.0/20)
multiple VPNs for the oracle and apache servers running behind the SRX. (10.0.17.0/20(apache), 10.0.48.0/20(orapub), 10.0.64.0/20(oraprivate))
one VPN which will eventually be used for maintaining the SRX/EX. (10.0.0.1/20)
I have an SRX210 and an EX2200 hooked up, right now I'm having no problems with the VPN's and have internet access etc.
I am trying to ping digi-pets.com (IP is there) from across the internet, to the ge-0/0/0.0 untrust interface. This interface connects directly to the internet via a cable modem.
I have no problem pinging the SRX from the internal network.
I have run a tracert from another ISP and when it gets to the ISP that the VPN is on, it gets to a certain gateway then stops responding, as if it's not getting a response from the SRX.
Here is my SRX210 configuration:
## Last changed: 2011-07-31 17:19:32 UTC
version 11.1R2.3;
system {
host-name digi-srx-1;
domain-name digi-pets.com;
root-authentication {
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
management-url admin;
http;
https {
system-generated-certificate;
}
}
dhcp {
name-server {
10.0.48.5;
}
pool 10.0.16.0/20 {
address-range low 10.0.16.10 high 10.0.16.254;
router {
10.0.16.1;
}
server-identifier 10.0.16.1;
}
pool 10.0.32.0/20 {
address-range low 10.0.32.10 high 10.0.32.254;
router {
10.0.32.1;
}
server-identifier 10.0.32.1;
}
pool 10.0.48.0/20 {
address-range low 10.0.49.10 high 10.0.49.254;
router {
10.0.48.1;
}
server-identifier 10.0.48.1;
}
pool 10.0.0.1/20 {
address-range low 10.0.0.10 high 10.0.0.254;
router {
10.0.0.1;
}
server-identifier 10.0.0.1;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
vlan-tagging;
unit 16 {
description Servers;
vlan-id 16;
family inet {
address 10.0.16.1/20;
}
}
unit 32 {
description Dev;
vlan-id 32;
family inet {
address 10.0.32.1/20;
}
}
unit 48 {
description oraclepublic;
vlan-id 48;
family inet {
address 10.0.48.1/20;
}
}
unit 64 {
description oracleprivate;
vlan-id 64;
family inet {
address 10.0.64.1/20;
}
}
unit 100 {
description vlan-trust;
vlan-id 100;
family inet {
address 10.0.0.1/20;
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching;
}
}
}
protocols {
stp;
}
security {
ike {
policy ike_pol_wizard_dyn_vpn {
mode aggressive;
proposal-set compatible;
}
gateway gw_wizard_dyn_vpn {
ike-policy ike_pol_wizard_dyn_vpn;
dynamic {
hostname digi-srx-1;
connections-limit 50;
ike-user-type group-ike-id;
}
external-interface ge-0/0/0.0;
xauth access-profile remote_access_profile;
}
}
ipsec {
policy ipsec_pol_wizard_dyn_vpn {
perfect-forward-secrecy {
keys group2;
}
proposal-set compatible;
}
vpn wizard_dyn_vpn {
ike {
gateway gw_wizard_dyn_vpn;
ipsec-policy ipsec_pol_wizard_dyn_vpn;
}
}
}
dynamic-vpn {
access-profile remote_access_profile;
clients {
wizard-dyn-group {
remote-protected-resources {
10.0.32.0/20;
}
ipsec-vpn wizard_dyn_vpn;
user {
justin;
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set dev-to-untrust {
from zone dev-zone;
to zone untrust;
rule dev-source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set orapublic-to-untrust {
from zone orapublic-zone;
to zone untrust;
rule orapublic-source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool dnat-pool-1 {
address 10.0.17.10/20;
}
rule-set dst-nat {
from zone untrust;
rule r1 {
match {
destination-address 24.78.131.120/22;
}
then {
destination-nat pool dnat-pool-1;
}
}
}
}
}
policies {
from-zone untrust to-zone servers-zone {
policy dst-nat {
match {
source-address any;
destination-address webserver;
application junos-http;
}
then {
permit;
}
}
}
from-zone dev-zone to-zone untrust {
policy dev-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone servers-zone to-zone dev-zone {
policy ssh-to-dev {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone dev-zone to-zone servers-zone {
policy ssh-to-servers {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone orapublic-zone to-zone dev-zone {
policy orapub-to-dev {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone orapublic-zone to-zone untrust {
policy orapub-to-untrust {
match {
source-address any;
destination-address [ NS2 NS1 ];
application junos-dns-udp;
}
then {
permit;
}
}
}
from-zone dev-zone to-zone orapublic-zone {
policy dev-to-orapub {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone dev-zone {
policy policy_in_wizard_dyn_vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn wizard_dyn_vpn;
}
}
}
}
}
}
zones {
security-zone servers-zone {
address-book {
address webserver 10.0.17.10/32;
address router 10.0.32.1/32;
}
interfaces {
ge-0/0/1.16 {
host-inbound-traffic {
system-services {
ping;
dhcp;
}
}
}
}
}
security-zone dev-zone {
interfaces {
ge-0/0/1.32 {
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
}
}
}
}
}
security-zone trust {
interfaces {
ge-0/0/1.100 {
host-inbound-traffic {
system-services {
ping;
dhcp;
https;
http;
}
}
}
}
}
security-zone orapublic-zone {
interfaces {
ge-0/0/1.48 {
host-inbound-traffic {
system-services {
ping;
dhcp;
}
}
}
}
}
security-zone oraprivate-zone {
interfaces {
ge-0/0/1.64 {
host-inbound-traffic {
system-services {
ping;
dhcp;
}
}
}
}
}
security-zone untrust {
address-book {
address NS1 208.67.222.222/32;
address NS2 208.67.220.220/32;
}
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
ping;
http;
https;
}
}
}
}
}
}
}
access {
profile remote_access_profile {
client justin {
}
address-assignment {
pool dyn-vpn-address-pool;
}
}
address-assignment {
pool dyn-vpn-address-pool {
family inet {
network 10.0.32.0/20;
xauth-attributes {
primary-dns 10.0.48.5/32;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile remote_access_profile;
}
}
}
Thank you very much for looking into this post, as this has been driving me crazy!