Solved

Juniper J Series does not route nor ping

Posted on 2010-11-17
6
1,718 Views
Last Modified: 2012-05-10
Hello,

I just setup out Juniper J2300 series and it look OK but it doesnot route not return pings. I can only log to the web interface 192.168.1.1. I am 192.168.1.10 and cannot ping 192.168.1.1 when connected directly to hte interface

version 9.2R1.10;
system {
    autoinstallation {
        delete-upon-commit;
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
    }
    host-name XXXX;
    root-authentication {
        encrypted-password ;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "WAN";
            family inet {
                address xx.xx..74.155/27;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            description " LAN";
            family inet {
                address XX.XX.246.161/28;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}

Thanks
0
Comment
Question by:scubablue
  • 2
  • 2
6 Comments
 
LVL 11

Assisted Solution

by:donmanrobb
donmanrobb earned 500 total points
ID: 34161260
You can't ping 192.168.1.1 because you have only allowed the following protocols through the interface

            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;

As for the routing you'll need to add a default route with: set routing-options static route 0/0 next-hop x.x.x.x

Also you'll need to setup NAT to get on the internet.
0
 
LVL 1

Author Comment

by:scubablue
ID: 34165692
Great, I have the non private interfaces routing,

how do I set the NAT on the 192.168.1.0/24 ge0/0/0.0 interface NAT to give it outside access?

Thanks
0
 
LVL 11

Accepted Solution

by:
donmanrobb earned 500 total points
ID: 34166832
Here is a guide that will show you how to configure NAT
http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf
0
 
LVL 1

Author Comment

by:scubablue
ID: 34393356
sounds good
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34415357
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question