vSRX

vSRX on AWS can not access internet

06-13-2018 09:38 PM

I'm following the configuration at the URL below:

https://www.juniper.net/documentation/en_US/vsrx/information-products/pathway-pages/security-vsrx-aw...

and ge-0/0/0.0, ge-0/0/0.1 cannot access the internet.

[edit]
root@vSRX# show
## Last changed: 2018-06-14 04:31:33 GMT
version 15.1X49-D133;
groups {
    aws-default {
        system {
            root-authentication {
                ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCBuaurRaoZ3FKo9+MZ99WVXSS+6dUKOeIUjfjq0PCMjoyvwXYKdkk3K+ODDReXoOdDDBKeMe0cOdp6RyX48g258pfkq8DpynKKOpZwTzsqAS9DsYu9Lg8XAcaF5mewHjhIW9gsJ32nhsNa67RVgZfIWdP884uzyiDbXTRx5yIPvMsFIyHLf1hVimU7qTW0XXw6QWkTJiVYEJDn4Z9vvYo/ssBNRm4S7pVjfET7zRDB9dVeW5idskqqIQ8ey7prvDkOx5IwDsGq2w5Hc0HMfyCx1ifujyGfpzh/X40mCG1vZgbdB1Jj/lhZVU04eKxteFw9EnaD+g0KbJuKLPqqWDj5 mum-base-windows"; ## SECRET-DATA
            }
            services {
                ssh {
                    no-passwords;
                }
                netconf {
                    ssh;
                }
                web-management {
                    https {
                        system-generated-certificate;
                    }
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.0.254.101/24;
                    }
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.254.1;
            }
        }
    }
}
apply-groups aws-default;
system {
    host-name vSRX;
    time-zone GMT;
    root-authentication {
        encrypted-password "$5$RGY3LK1p$oZ5xKiM6Z4ks7lqU9b4QPO7aphXadgLuHyn577Uenf/"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal {
            policy All_Internal_Internal {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.0.254.101/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.254.1;
        route 8.8.8.8/32 next-hop 10.0.10.1;
    }
}

[edit]


Re: vSRX on AWS can not access internet

06-14-2018 02:40 AM

Your default route is pointed out the fxp0 interface. This is an out-of-band management interface that will NOT service transit traffic. So the other interfaces cannot use this path for internet access.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: vSRX on AWS can not access internet

06-14-2018 04:03 AM

Hi Steve

Could you please explain in more detail? I have tried editing the default route on this fxp0 interface as you mentioned, but it doesn't work; it still can't access it, so please help.


Re: vSRX on AWS can not access internet

06-14-2018 08:13 PM

Hi,


In most cases, you need to have two elastic IPs, one for FXP and another one for the revenue interface. Please check https://www.juniper.net/documentation/en_US/vsrx/topics/task/multi-task/security-vsrx-aws-cli-config... . Also, you need to segregate the revenue ports from FXP, using two different routing instances. In the document,

set routing-instances aws instance-type virtual-router is used to create a routing instance named aws.


Thanks,

Vikas


Re: vSRX on AWS can not access internet

06-15-2018 03:04 AM

The procedure linked by Vikas above shows how to implement this on AWS. The concept is that you can have multiple routing tables on independent virtual routers on the SRX. The fxp0 out-of-band interface is in the root or main routing instance, just as you have it set up.


You create a virtual router and place the transit interfaces here and they get their own routing table and default route.


The alternative if you don't want to use routing instances is to point the default route out for the transit interfaces.

Then have only specific routes for the ip addresses you use to manage and connect to fxp0 pointed out the fxp0 interface instead of the default route.


This only works as long as those subnets do NOT need to use the connections via the main transit interfaces.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
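A worked version of the two options Steve and Vikas describe, as an added example against the configuration posted above (not from the original posts or from the linked Juniper procedure); apply one option, not both. The VPC gateway and admin subnet values are placeholders to fill in, and the `#` lines are reader commentary, not commands:

```junos
# Option A: a separate virtual router for the transit (revenue) interfaces.
# fxp0 stays in the main instance (inet.0) with its default route to
# 10.0.254.1 inherited from the aws-default group; transit traffic gets
# its own table, aws.inet.0, with its own default route.
set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface ge-0/0/1.0
# Next hop is the VPC router of the ge-0/0/0 subnet (placeholder value).
# Assumption: a default route learned by dhcp-client on ge-0/0/0 lands in
# aws.inet.0 as well, so this static route is only a backstop.
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop <VPC-GW-OF-GE-0/0/0-SUBNET>
# The 8.8.8.8/32 host route from the original config belongs in the transit
# table too: a next hop that is only reachable through an interface in
# another instance is unresolvable (assumes 10.0.10.1 sits on a transit subnet).
delete routing-options static route 8.8.8.8/32
set routing-instances aws routing-options static route 8.8.8.8/32 next-hop 10.0.10.1
# Zone membership, the Internal-to-Internet policy and the interface
# source NAT rule set are unchanged; they are not routing-instance specific.

# Option B: no routing instance. Default route out the transit side, with
# only the management subnet(s) pinned to fxp0. Safe only while those
# subnets never need to reach anything through the transit interfaces.
# The existing default route comes from the aws-default group, so it has
# to be removed there, not under the main routing-options.
delete groups aws-default routing-options static route 0.0.0.0/0
set routing-options static route 0.0.0.0/0 next-hop <VPC-GW-OF-GE-0/0/0-SUBNET>
set routing-options static route <ADMIN-SUBNET>/24 next-hop 10.0.254.1

# Verify which table each default route lives in before committing.
# Option A: transit default route in aws.inet.0, management one in inet.0.
run show route table aws.inet.0 0.0.0.0/0
run show route table inet.0 0.0.0.0/0
commit check
```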