SRX Services Gateway

SRX210H access machine on fe-0/0/3 from outside IP

05-15-2017 09:47 AM

I have a JSRX210H configured with two IP addresses, as in the picture below:

[image: disconnect_resp1.png]

On my server, I installed ESXi 6.5, assigned it a static IP address of 192.168.1.2/24 and plugged it into the fe-0/0/3 interface of the Juniper.

I configured the VLAN ID in ESXi to be equal to 3. Before that, I configured the fe-0/0/3 interface to be in vlan-trust (with the VLAN number equal to 3).

I would like to access the ESXi machine from outside using destination NAT (like I did for my two servers, not included in the picture). The problem is that ping from 192.168.1.2 to the Juniper itself (192.168.1.1) does not work, not to mention pinging 8.8.8.8. Any ideas what I did wrong?

Here's my config:

## Last commit: 2017-01-30 17:42:54 UTC by admin
version 10.3R2.11;
system {
    host-name J-SRX210H;
    root-authentication {
        encrypted-password "$1$nh3po3Lr$t4KpvmJHMSWqJAGpaEZym0"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        user admin {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "password"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;                 
        web-management {                
            http {                      
                interface [ vlan.0 ge-0/0/0.0 ];
            }                           
            https {                     
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/0.0 ];
            }                           
        }                               
        dhcp {                          
            router {                    
                192.168.1.1;            
            }                           
            pool 192.168.1.0/24 {       
                address-range low 192.168.1.2 high 192.168.1.254;
            }                           
            propagate-settings ge-0/0/0.0;
        }                               
    }                                   
    syslog {                            
        archive size 100k files 3;      
        user * {                        
            any emergency;              
        }                               
        file messages {                 
            any critical;               
            authorization info;         
        }                               
        file interactive-commands {     
            interactive-commands error; 
        }                               
    }                                   
    max-configurations-on-flash 5;      
    max-configuration-rollbacks 5;      
    license {                           
        autoupdate {                    
            url https://ae1.juniper.net/junos/key_retrieval;
        }                               
    }                                   
}                                       
interfaces {                            
    ge-0/0/0 {                          
        unit 0 {                        
            family inet {               
                dhcp;                   
            }                           
        }                               
    }                                   
    ge-0/0/1 {                          
        unit 0 {                        
            family ethernet-switching { 
                port-mode trunk;        
                vlan {                  
                    members [ vlan-trust MANAGEMENT TRUNKSRX ];
                }                       
            }                           
        }                               
    }                                   
    fe-0/0/2 {                          
        unit 0 {                        
            family ethernet-switching { 
                port-mode access;       
                vlan {                  
                    members vlan-trust; 
                }                       
            }                           
        }                               
    }                                   
    fe-0/0/3 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-trust; 
                }                       
            }                           
        }                               
    }                                   
    fe-0/0/4 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-trust; 
                }                       
            }                           
        }                               
    }                                   
    fe-0/0/5 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-trust; 
                }                       
            }                           
        }                               
    }                                   
    fe-0/0/6 {                          
        unit 0 {                        
            family ethernet-switching { 
                vlan {                  
                    members vlan-trust; 
                }                       
            }                           
        }                               
    }                                   
    fe-0/0/7 {                          
        unit 0 {                        
            family ethernet-switching { 
                port-mode access;       
                vlan {                  
                    members vlan-trust; 
                }                       
            }                           
        }                               
    }                                   
    vlan {                              
        unit 0 {                        
            family inet {               
                address 192.168.1.1/24; 
            }                           
        }                               
        unit 2 {                        
            family inet {               
                address u.u.u.u/24;  
            }                           
        }                               
        unit 254 {                      
            family inet {               
                address h.h.h.h/24;
            }                           
        }                               
    }                                   
}                                       
protocols {                             
    stp;                                
}                                       
security {                              
    nat {                               
        source {                        
            rule-set trust-to-untrust { 
                from zone trust;        
                to zone untrust;        
                rule source-nat-rule {  
                    match {             
                        source-address 0.0.0.0/0;
                    }                   
                    then {              
                        source-nat {    
                            interface;  
                        }               
                    }                   
                }                       
            }                           
        }                               
        destination {                   
            pool dell_1 {   
                address s.s.s.s/32 port 443;
            }                           
            pool dell_2 {   
                address t.t.t.t/32 port 443;
            }                           
            rule-set rs1 {              
                from zone untrust;      
                rule r1 {               
                    match {             
                        destination-address x.x.x.x/32;
                        destination-port 11443;
                    }                   
                    then {              
                        destination-nat pool dell_1;
                    }                   
                }                       
                rule r2 {               
                    match {             
                        destination-address x.x.x.x/32;
                        destination-port 12443;
                    }                   
                    then {              
                        destination-nat pool dell_2;
                    }                   
                }                       
            }                           
        }                               
        proxy-arp {                     
            interface ge-0/0/0.0 {      
                address {               
                    x.x.x.x/32;   
                }                       
            }                           
        }                               
    }                                   
    screen {                            
        ids-option untrust-screen {     
            icmp {                      
                ping-death;             
            }                           
            ip {                        
                source-route-option;    
                tear-drop;              
            }                           
            tcp {                       
                syn-flood {             
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;         
                }                       
                land;                   
            }                           
        }                               
    }                                   
    zones {                             
        security-zone trust {           
            address-book {              
                address esxi1 s.s.s.s/32;
                address esxi2 t.t.t.t/32;
            }                           
            host-inbound-traffic {      
                system-services {       
                    all;                
                }                       
                protocols {             
                    all;                
                }                       
            }                           
            interfaces {                
                vlan.0;                 
                vlan.254;               
                vlan.2;                 
            }                           
        }                               
        security-zone untrust {         
            screen untrust-screen;      
            interfaces {                
                ge-0/0/0.0 {            
                    host-inbound-traffic {
                        system-services {
                            dhcp;       
                            tftp;       
                            ssh;        
                            http;       
                            https;      
                        }               
                    }                   
                }                       
            }                           
        }                               
    }                                   
    policies {                          
        from-zone trust to-zone untrust {
            policy trust-to-untrust {   
                match {                 
                    source-address any; 
                    destination-address any;
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
        from-zone trust to-zone trust { 
            policy default-permit {     
                match {                 
                    source-address any; 
                    destination-address any;
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
        from-zone untrust to-zone trust {
            policy cloud-access {       
                match {                 
                    source-address any; 
                    destination-address [ esxi1 esxi2 ];
                    application any;    
                }                       
                then {                  
                    permit;             
                }                       
            }                           
        }                               
    }                                   
}                                       
vlans {                                 
    MANAGEMENT {                        
        vlan-id 254;                    
        l3-interface vlan.254;          
    }                                   
    TRUNKSRX {                          
        vlan-id 2;                      
        l3-interface vlan.2;            
    }                                   
    vlan-trust {                        
        vlan-id 3;                      
        l3-interface vlan.0;            
    }                                   
}

1 REPLY

Re: SRX210H access machine on fe-0/0/3 from outside IP

05-15-2017 03:41 PM

From your description it sounds like you have the ESXi port in tag mode but your configuration on the SRX is in the default untagged mode. You will need to add port-mode trunk to fe-0/0/3.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
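The tagging mismatch Steve describes, shown as the posted access-mode setting beside the trunk fix, followed by a destination-NAT entry for the ESXi host that copies the dell_1/dell_2 pattern from the posted config. This is an added example, not part of the original thread; the pool name esxi_mgmt, the address-book name esxi3 and the external port 13443 are assumptions.

```junos
## Added example. As posted: fe-0/0/3 in the default untagged (access) mode.
## The ESXi port group sends 802.1Q frames tagged VLAN 3, which an access port
## discards, so 192.168.1.2 never reaches vlan.0 (192.168.1.1).
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust

## Corrected: carry VLAN 3 tagged on fe-0/0/3 to match the ESXi port group.
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust

## Alternative: leave the port in access mode and set the ESXi port group
## VLAN ID to 0 (untagged). Either side may carry the tag, not both.

## Verify after commit: the port should show trunk mode with vlan-trust
## (tag 3) and the host should answer from the L3 interface.
## > show ethernet-switching interfaces fe-0/0/3
## > show vlans vlan-trust
## > ping 192.168.1.2 source 192.168.1.1

## Destination NAT for the ESXi host, same shape as pool dell_1 / rule r1.
## esxi_mgmt and external port 13443 are assumed values.
set security nat destination pool esxi_mgmt address 192.168.1.2/32 port 443
set security nat destination rule-set rs1 rule r3 match destination-address x.x.x.x/32
set security nat destination rule-set rs1 rule r3 match destination-port 13443
set security nat destination rule-set rs1 rule r3 then destination-nat pool esxi_mgmt

## The untrust-to-trust policy matches the post-NAT (real) address, as
## cloud-access does for esxi1/esxi2. Name the admin network as the
## source-address instead of "any" so the hypervisor UI is not reachable
## from the whole Internet.
set security zones security-zone trust address-book address esxi3 192.168.1.2/32
set security policies from-zone untrust to-zone trust policy cloud-access match destination-address esxi3
```

Once the trunk change is committed, the trust-to-trust default-permit policy and the host-inbound-traffic "all" already on zone trust are enough for the ping to 192.168.1.1 to succeed.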