vSRX on AWS can not access internet

06-13-2018 09:38 PM

I configured it according to the URL below

https://www.juniper.net/documentation/en_US/vsrx/information-products/pathway-pages/security-vsrx-aw...

and ge-0/0/0.0, ge-0/0/0.1 cannot access the internet.

[edit]
root@vSRX# show
## Last changed: 2018-06-14 04:31:33 GMT
version 15.1X49-D133;
groups {
    aws-default {
        system {
            root-authentication {
                ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCBuaurRaoZ3FKo9+MZ99WVXSS+6dUKOeIUjfjq0PCMjoyvwXYKdkk3K+ODDReXoOdDDBKeMe0cOdp6RyX48g258pfkq8DpynKKOpZwTzsqAS9DsYu9Lg8XAcaF5mewHjhIW9gsJ32nhsNa67RVgZfIWdP884uzyiDbXTRx5yIPvMsFIyHLf1hVimU7qTW0XXw6QWkTJiVYEJDn4Z9vvYo/ssBNRm4S7pVjfET7zRDB9dVeW5idskqqIQ8ey7prvDkOx5IwDsGq2w5Hc0HMfyCx1ifujyGfpzh/X40mCG1vZgbdB1Jj/lhZVU04eKxteFw9EnaD+g0KbJuKLPqqWDj5 mum-base-windows"; ## SECRET-DATA
            }
            services {
                ssh {
                    no-passwords;
                }
                netconf {
                    ssh;
                }
                web-management {
                    https {
                        system-generated-certificate;
                    }
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.0.254.101/24;
                    }
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.254.1;
            }
        }
    }
}
apply-groups aws-default;
system {
    host-name vSRX;
    time-zone GMT;
    root-authentication {
        encrypted-password "$5$RGY3LK1p$oZ5xKiM6Z4ks7lqU9b4QPO7aphXadgLuHyn577Uenf/"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal {
            policy All_Internal_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.0.254.101/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.254.1;
        route 8.8.8.8/32 next-hop 10.0.10.1;
    }
}

[edit]

5 REPLIES

Re: vSRX on AWS can not access internet

06-14-2018 02:40 AM

Your default route is pointed out the fxp0 interface.  This is an out of band mgmt interface that will NOT service transit traffic.  So the other interfaces cannot use this path for internet access.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: vSRX on AWS can not access internet

06-14-2018 04:03 AM

Hi Steve

Could you please explain in more detail, because I have tried editing the default route on this fxp0 interface as you mentioned, but it doesn't work; it can't access it. So please help.


Re: vSRX on AWS can not access internet

06-14-2018 08:13 PM

Hi,

In most of the cases, you need to have two elastic IPs, one for FXP and another one for the revenue interface. Please check the https://www.juniper.net/documentation/en_US/vsrx/topics/task/multi-task/security-vsrx-aws-cli-config... . Also, you need to segregate the revenue ports from FXP, using two different routing instances. In the document,

set routing-instances aws instance-type virtual-router is used to create a routing instance named aws.

Thanks,

Vikas


Re: vSRX on AWS can not access internet

06-15-2018 03:04 AM

The procedure linked by Vikas above shows how to implement this on AWS.  The concept is that you can have multiple routing tables on independent virtual routers on the SRX.  The fxp0 out of band interface is in the root or main routing instance just as you have it set up.

You create a virtual router and place the transit interfaces here and they get their own routing table and default route.

The alternative if you don't want to use routing instances is to point the default route out for the transit interfaces.

Then have only specific routes for the IP addresses you use to manage and connect to fxp0 pointed out the fxp0 interface instead of the default route.

This only works as long as those subnets do NOT need to use the connections via the main transit interfaces.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
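One way to implement the virtual-router approach Steve and Vikas describe, as an added example in Junos set syntax that is not from the thread or the Juniper document. The instance name aws, the 10.0.10.0/24 subnet and the 10.0.10.1 gateway are assumptions, the gateway inferred from the 8.8.8.8/32 host route in the original config.

```junos
## Added example, not from the thread or the Juniper document: put the two
## transit (revenue) interfaces in their own virtual router so inet.0 keeps
## only the management default route via fxp0 and transit traffic gets its own.
## Assumptions: instance name "aws" (as in the document Vikas cites); ge-0/0/0
## is on 10.0.10.0/24 with the VPC router at 10.0.10.1, inferred from the
## 8.8.8.8/32 host route in the original config.

## 1. Virtual router for the transit interfaces. Zone membership is per
##    logical interface and is unaffected, so the policies and interface
##    source NAT from the original config stay as they are.
set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface ge-0/0/1.0

## 2. Default route for transit traffic goes in aws.inet.0, not inet.0.
##    The DHCP client on ge-0/0/0 also installs an Access-internal/12 default
##    in this table; the static route (preference 5) is explicit and wins.
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

## 3. inet.0 keeps the fxp0 default from the aws-default group; the host
##    route for 8.8.8.8 via 10.0.10.1 in inet.0 is no longer needed.
delete routing-options static route 8.8.8.8/32

## Unrelated to the routing problem, but worth closing while here: the
## original config enables two plaintext management services.
delete system services telnet
delete system services xnm-clear-text

commit

## Checks (expected shape; not output from the thread):
##   run show route table aws.inet.0
##     must contain 0.0.0.0/0 -> to 10.0.10.1 via ge-0/0/0.0; a table with
##     only Direct/Local routes means pings from the instance fail with
##     "No route to host"
##   run ping routing-instance aws 8.8.8.8
##   run show route table inet.0
##     0.0.0.0/0 still via fxp0.0, so management sessions are unaffected
```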

Re: vSRX on AWS can not access internet

a month ago

AzureUser@nlabvsrx# run ping routing-instance TRAFFIC 10.2.0.4
PING 10.2.0.4 (10.2.0.4): 56 data bytes
64 bytes from 10.2.0.4: icmp_seq=0 ttl=64 time=0.038 ms
64 bytes from 10.2.0.4: icmp_seq=1 ttl=64 time=0.048 ms
^C
--- 10.2.0.4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.038/0.043/0.048/0.005 ms

[edit]
AzureUser@nlabvsrx# run ping routing-instance TRAFFIC 10.3.0.4
PING 10.3.0.4 (10.3.0.4): 56 data bytes
64 bytes from 10.3.0.4: icmp_seq=0 ttl=64 time=0.040 ms
64 bytes from 10.3.0.4: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.3.0.4: icmp_seq=2 ttl=64 time=0.042 ms
^C
--- 10.3.0.4 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.040/0.044/0.049/0.004 ms

[edit]
AzureUser@nlabvsrx# commit
commit complete

[edit]
AzureUser@nlabvsrx# run show route

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 08:06:51, metric 0
                    > to 10.1.0.1 via fxp0.0
10.1.0.0/24        *[Direct/0] 08:06:52
                    > via fxp0.0
10.1.0.4/32        *[Local/0] 08:06:52
                      Local via fxp0.0

TRAFFIC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.250.0/24      *[Direct/0] 00:00:41
                    > via st0.1
10.0.250.10/32     *[Local/0] 00:00:41
                      Local via st0.1
10.2.0.0/24        *[Direct/0] 00:00:41
                    > via ge-0/0/0.0
10.2.0.4/32        *[Local/0] 00:00:41
                      Local via ge-0/0/0.0
10.3.0.0/24        *[Direct/0] 00:00:41
                    > via ge-0/0/1.0
10.3.0.4/32        *[Local/0] 00:00:41
                      Local via ge-0/0/1.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 08:07:04
                      MultiRecv

TRAFFIC.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:00:41
                      MultiRecv

AzureUser@nlabvsrx# run ping routing-instance TRAFFIC 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

[edit]
AzureUser@nlabvsrx# run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=1.661 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=1.730 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.661/1.696/1.730/0.034 ms

[edit]
AzureUser@nlabvsrx#
