Solved

Juniper SSG5-no connectivity.

Posted on 2011-04-29
Last Modified: 2012-05-11
I am trying to set up a new SSG5. I have a /29 IP block.

I have set up several of these in the past, but for some reason, cannot get this one to work.

I cannot ping anything outside. If I set logging on the default allow all trust to untrust policy, I can see the packets attempt to go out, but I never get a response.

Can someone review this config and let me know if they see anything wrong? Thank you very much in advance.

The IP block is 207.191.185.136/29
-cfg.txt
Question by:VLib
34 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35492651
I don't see the default route in the configuration. Is this a static public IP address?
0
 

Author Comment

by:VLib
ID: 35492701
It is a static public IP address (unless my terminology is off somehow). We have a permanent block of 207.191.185.136 / 29. We were told our gateway is 207.191.185.137.

I had deleted the default route when troubleshooting, as a previous article I found indicated that having a default route in the trust-vr and having a gateway set on the ethernet0/0 interface were redundant and could lead to the issues I'm experiencing. Should I re-add one? I had one before with no success.
0
 

Author Comment

by:VLib
ID: 35492704
Unless, of course, I added the default-route wrong previously.
0
 

Author Comment

by:VLib
ID: 35492794
I have re-added a default route. Here is the updated config file. Still not working.
-cfg.txt
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35492814
You definitely need the default route pointing to your ISP if you want to get online.

From the command line, what are the results of the following command?

get route



Below is an example from one of my Junipers of the route table with the default gateway pointing to the IP address of the ISP's equipment. My default gateway is the first line.


*       108          0.0.0.0/0        untrust    76.110.184.1   C    0      1  Root
*        13      10.160.4.0/24          tun.2         0.0.0.0   S   20      1  Root
*        18     10.160.10.0/24          tun.1     10.160.10.1   S   20      1  Root
*         7    76.110.184.0/21        untrust         0.0.0.0   C    0      0  Root
*         4     192.168.1.1/32      wireless1         0.0.0.0   H    0      0  Root
*         9     192.168.0.0/16          tun.1         0.0.0.0   S   20      1  Root
*        17     10.130.10.0/24          tun.3    100.130.10.1   S   20      1  Root
*         6    10.160.60.17/32      wireless2         0.0.0.0   H    0      0  Root
*        14    192.168.16.0/24          tun.2         0.0.0.0   S   20      1  Root
*         5    10.160.60.16/28      wireless2         0.0.0.0   C    0      0  Root
*        21     192.168.7.0/24         tun.10   192.168.7.254   S   20      1  Root
*         3     192.168.1.0/24      wireless1         0.0.0.0   C    0      0  Root
*         2     10.160.60.1/32          trust         0.0.0.0   H    0      0  Root
*         1     10.160.60.0/28          trust         0.0.0.0   C    0      0  Root
*        20     10.100.10.0/24         tun.10   10.100.10.254   S   20      1  Root
*        15    192.168.50.0/24          tun.1         0.0.0.0   S   20      1  Root
*         8   76.110.189.66/32        untrust         0.0.0.0   H    0      0  Root
*        16     172.168.9.0/24          tun.2     172.168.9.1   S   20      1  Root
*        12   192.168.100.0/24          tun.1   192.168.100.1   S   20      1  Root
*        11         10.0.0.0/8          tun.1         0.0.0.0   S   20      1  Root
*        10    204.146.91.0/24          tun.1         0.0.0.0   S   20      1  Root
*        19       10.10.1.0/24          tun.2       10.10.1.1   S   20      1  Root



0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35492824
BTW, ethernet0/0 should be in route mode and not NAT mode.
0
 

Author Comment

by:VLib
ID: 35492862
Here are the results of get route:


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        18          0.0.0.0/0         eth0/0 207.191.185.137   C    0      1     Root
         19          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.136/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root


Also, I have changed ethernet0/0 to route mode. Still not working. Attached is the current config.
-cfg.txt
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35492954
Are you trimming the config file before uploading it? I see no policies at all.

From what I can tell your LAN is 192.168.10.28/24; it is assigned to bgroup0 in the Trust zone. But in the config file you sent there are no Trust to Untrust policies, or any other policies at all.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35492958
My mistake. I had accidentally deleted half the txt config file. I re-downloaded it and see the policy now.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35492975
OK, the next step I would do is traffic debugging. Here's how:

set src-ip <ip-address of pc> dst-ip <ip address on internet>
debug flow basic
clear db

# begin traffic test from computer by pinging <ip address on internet>

undebug all
get db str


You will get a packet-by-packet breakdown of where the traffic is going, and why it is not making it to its destination.
0
 

Author Comment

by:VLib
ID: 35492990
I apologize, I was definitely not trimming the config file prior to uploading. Attached is the current config again; this is the complete configuration per the Juniper's Update > Config File > Save Config interface (I manually copied the config listed there and pasted to a text file to ensure you got everything).

ssg5-cfg.txt
0
 

Author Comment

by:VLib
ID: 35493032
When I execute the above mentioned src-ip command, I get the following error:


ssg5-serial-> set src-ip 192.168.10.7 dst-ip 8.8.8.8
                            ^---------unknown keyword src-ip
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35493090
What version of ScreenOS is on your SSG?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35493092
I see the problem... typo on my part:

set ff src-ip .....
0
 

Author Comment

by:VLib
ID: 35493094
6.2.0r5.0 (Firewall+VPN)
0
 

Author Comment

by:VLib
ID: 35493129
I did as you suggested, and pinged Google's 8.8.8.8 (which responds normally). Attached are the results of that interaction.
ping-results.txt
0
 

Author Comment

by:VLib
ID: 35493148
Sorry, to be clear, by "responds normally" I mean that, if the connection were to be working, it would respond to ping requests. It is, of course, not doing so.
0
 

Author Comment

by:VLib
ID: 35493589
Anyone?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35493839
Looking at your debug log and your config, it appears everything on your Juniper is set up correctly. At this point I would start looking at the ISP equipment. For example, with a computer connected directly with the same static IP, are you able to get on the internet?
0
 

Author Comment

by:VLib
ID: 35494025
Yes, we tested that. Computer directly connected could surf. Also, from the Juniper CLI, I can successfully ping the gateway (207.191.185.137) from the ethernet0/0 interface. I very much appreciate the help, this is time-sensitive. Nothing looks unusual in the debug logs?
0
 

Author Comment

by:VLib
ID: 35494078
I just received word that the static IP used by the computer was 207.191.185.138, which is possibly not the Static IP in use by the Juniper. Based on the config, can you confirm the current static IP in use? I have the overall subnet configured, 207.191.185.136/29.
0
 

Author Comment

by:VLib
ID: 35494236
I noticed that, when logging the single, default Trust > Untrust policy (ID 1), when I attempt to ping out, the translated address is 207.191.185.136. While the subnet provided by our ISP is 207.191.185.136/29, a subnet calculator indicates that netmask provides the assignable addresses 207.191.185.137-142 (with 136 not being one of them). The ISP said 207.191.185.137 is the gateway, which leaves us 207.191.185.138-142. Instead of the translated address being 207.191.185.136, I'd like it to be 207.191.185.138 (which is the static IP that the test computer that successfully surfed while directly connected used). How do I set the Juniper so that the default translated address is 207.191.185.138?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35494255
According to the config your Juniper is configured with static IP address 207.191.185.136/29 and the gateway is 207.191.185.137.

If you use an IP address subnet calculator, you will see that you can not use the IP ending in 136 for your Juniper since it is the subnet ID.

The first usable IP ends in .137: this goes to the ISP router and is your Juniper gateway.

The range of IP addresses you can assign is as follows:

207.191.185.138 to 207.191.185.142

Pick any of those as your public IP and you will be good to go!!!
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35494263
I think you beat me to the punch!!! :)
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35494283
You have to configure the Juniper with one of the usable IP addresses. You can not use .136 as a configurable IP.
0
 

Author Comment

by:VLib
ID: 35494300
Very nice. I'm confused about how to set that exactly. How do I configure the default address for the interface to be .138?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35494318
From the web interface, go to Network > Interfaces > ethernet0/0 and select Edit all the way on the right.

You can then change the static IP address and then click Apply all the way at the bottom of the page.
0
 

Author Comment

by:VLib
ID: 35494439
I changed the IP to static (207.191.185.138/32), saved the configuration, rebooted the device, confirmed that the translated outbound address was now 207.191.185.138, and am still not receiving ping replies. Attached is my updated SSG5 config. Coming directly after this is an updated debug log (the one you requested earlier). Thank you again, you are a great help.
new-ssg5-config.txt
0
 
LVL 18

Accepted Solution

by:Sanga Collins (earned 2000 total points)
ID: 35494448
Not /32, it has to be /29 to comply with networking standards.
0
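The two points made above (the .136 address is the subnet ID and cannot be assigned, and the interface must carry the /29 prefix rather than /32) can be checked mechanically. This is an added example, not code from the thread or from Juniper; the block and gateway are the ones quoted in the thread, and the candidate interface settings are constructed to reproduce the configurations tried.

```python
"""Validate an ISP-assigned block against a proposed firewall interface address.

Added example, not part of the original thread. Uses only the standard library.
"""
import ipaddress


def usable_hosts(block: str, gateway: str) -> list[str]:
    """Addresses left for the firewall after removing the network address,
    the broadcast address and the ISP gateway."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(gateway)
    return [str(h) for h in net.hosts() if h != gw]


def check_interface(block: str, gateway: str, candidate: str) -> str:
    """Explain why a candidate 'address/prefix' is or is not usable as the
    Untrust interface setting. Returns 'ok' when it is."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(gateway)
    iface = ipaddress.ip_interface(candidate)
    addr = iface.ip
    if addr not in net:
        return f"{addr} is outside {net}"
    if addr == net.network_address:
        return f"{addr} is the subnet ID (network address), not assignable"
    if addr == net.broadcast_address:
        return f"{addr} is the broadcast address, not assignable"
    if addr == gw:
        return f"{addr} is the ISP gateway"
    if iface.network.prefixlen != net.prefixlen:
        # With a /32 the box treats nothing, not even the gateway, as on-link.
        return (f"prefix /{iface.network.prefixlen} does not match /{net.prefixlen}; "
                f"gateway {gw} would not be on-link")
    return "ok"


if __name__ == "__main__":
    BLOCK, GW = "207.191.185.136/29", "207.191.185.137"
    print("assignable:", usable_hosts(BLOCK, GW))
    # Constructed candidates: the three settings tried in the thread, in order.
    for cand in ("207.191.185.136/29", "207.191.185.138/32", "207.191.185.138/29"):
        print(cand, "->", check_interface(BLOCK, GW, cand))
```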
 

Author Comment

by:VLib
ID: 35494449
Here is the updated debug file. Can you see any reason whatsoever we would not be getting ping replies?
new-debug-log.txt
0
 

Author Comment

by:VLib
ID: 35494471
Ok, I have changed it to 207.191.185.138/29, no management IP. Saved configuration, tested, still no ping replies. Rebooting device now.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35494555
From your console, what are the results of the following commands?

get int
get route
get zone
get policy
0
 

Author Comment

by:VLib
ID: 35494842
All requested commands:

ssg5-serial-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD      
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -  
eth0/0         207.191.185.138/29                Untrust     28c0.dae7.5640    -   U   -  
eth0/1         0.0.0.0/0                         DMZ         28c0.dae7.5645    -   D   -  
bgroup0        192.168.10.28/24                  Trust       28c0.dae7.564b    -   U   -  
  eth0/2       N/A                               N/A         N/A               -   U   -
  eth0/3       N/A                               N/A         N/A               -   D   -
  eth0/4       N/A                               N/A         N/A               -   D   -
  eth0/5       N/A                               N/A         N/A               -   U   -
  eth0/6       N/A                               N/A         N/A               -   U   -
bgroup1        0.0.0.0/0                         Null        28c0.dae7.564c    -   D   -  
bgroup2        0.0.0.0/0                         Null        28c0.dae7.564d    -   D   -  
bgroup3        0.0.0.0/0                         Null        28c0.dae7.564e    -   D   -  
vlan1          0.0.0.0/0                         VLAN        28c0.dae7.564f    1   D   -  
null           0.0.0.0/0                         Null        N/A               -   U   0  


ssg5-serial-> get route


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         5          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.138/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root


ssg5-serial-> get zone
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
------------------------------------------------------------------------
  ID Name                             Type    Attr    VR          Default-IF   VSYS      
   0 Null                             Null    Shared untrust-vr   serial0/0    Root                
   1 Untrust                          Sec(L3) Shared trust-vr     ethernet0/0  Root                
   2 Trust                            Sec(L3)        trust-vr     bgroup0      Root                
   3 DMZ                              Sec(L3)        trust-vr     ethernet0/1  Root                
   4 Self                             Func           trust-vr     self         Root                
   5 MGT                              Func           trust-vr     null         Root                
   6 HA                               Func           trust-vr     null         Root                
  10 Global                           Sec(L3)        trust-vr     null         Root                
  11 V1-Untrust                       Sec(L2) Shared trust-vr     v1-untrust   Root                
  12 V1-Trust                         Sec(L2) Shared trust-vr     v1-trust     Root                
  13 V1-DMZ                           Sec(L2) Shared trust-vr     v1-dmz       Root                
  14 VLAN                             Func    Shared trust-vr     vlan1        Root                
  15 V1-Null                          Sec(L2) Shared trust-vr     l2v          Root                
  16 Untrust-Tun                      Tun            trust-vr     hidden.1     Root                
------------------------------------------------------------------------


------------------------------------------------------------------------
ssg5-serial-> get policy
Total regular policies 1, Default deny, Software based policy search, new policy enabled.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
     1 Trust    Untrust  Any          Any          ANY                  Permit enabled ---X-X
0
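The `get route` table above is the artefact to read first in a case like this: it should show an active (`*`) default route whose gateway sits inside a connected (`C`) route on the same interface. The following is an added example, not from the thread or from Juniper, that parses the column layout shown above and performs that check; the sample table is the trust-vr output quoted in the post.

```python
"""Check a ScreenOS 'get route' table for a usable default route.

Added example, not part of the original thread. Assumes the column layout
shown in the thread (active flag, ID, prefix, interface, gateway, protocol,
preference, metric, vsys).
"""
import ipaddress
import re

ROW = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<proto>\S+)\s+(?P<pref>\d+)\s+(?P<mtr>\d+)\s+(?P<vsys>\S+)\s*$"
)


def parse_routes(text: str) -> list[dict]:
    """One dict per route row; headers, rules and the legend are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            r = m.groupdict()
            r["active"] = r["active"] == "*"
            routes.append(r)
    return routes


def check_default_route(text: str) -> str:
    """Is there an active 0.0.0.0/0 route, and is its gateway covered by a
    connected route on the same interface (i.e. reachable without ARP failing)?"""
    routes = parse_routes(text)
    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0" and r["active"]]
    if not defaults:
        return "no active default route"
    d = defaults[0]
    gw = ipaddress.ip_address(d["gw"])
    for r in routes:
        if r["proto"] == "C" and r["iface"] == d["iface"] and r["prefix"] != "0.0.0.0/0":
            if gw in ipaddress.ip_network(r["prefix"], strict=False):
                return f"ok: default via {gw} on {d['iface']} ({r['prefix']} connected)"
    return f"default via {gw} on {d['iface']} but gateway is not on a connected network"


# Sample input: the trust-vr table quoted in the thread.
SAMPLE = """\
IPv4 Dest-Routes for <trust-vr> (5 entries)
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         5          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.138/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root
"""

if __name__ == "__main__":
    print(check_default_route(SAMPLE))
```

A result of "ok" here, as in the thread, means the firewall's own routing is sound and the remaining suspects are the interface address itself and the ISP side.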
 

Author Comment

by:VLib
ID: 35495129
Does this help?
0