Juniper SSG5 - no connectivity.

VLib asked
Medium Priority
1,125 Views
Last Modified: 2012-05-11
I am trying to set up a new SSG5. I have a /29 IP block.

I have set up several of these in the past, but for some reason, cannot get this one to work.

I cannot ping anything outside. If I set logging on the default allow all trust to untrust policy, I can see the packets attempt to go out, but I never get a response.

Can someone review this config and let me know if they see anything wrong? Thank you very much in advance.

The IP block is 207.191.185.136/29
-cfg.txt

Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
I don't see the default route in the configuration. Is this a static public IP address?

Author

Commented:
It is a static public IP address (unless my terminology is off somehow). We have a permanent block of 207.191.185.136 / 29. We were told our gateway is 207.191.185.137.

I had deleted the default route when troubleshooting, as a previous article I found indicated that having a default route in the trust-vr and having a gateway set on the ethernet0/0 interface were redundant and could lead to the issues I'm experiencing. Should I re-add one? I had one before with no success.

Author

Commented:
Unless, of course, I added the default-route wrong previously.

Author

Commented:
I have re-added a default route. Here is the updated config file. Still not working.
-cfg.txt
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
You definitely need the default route pointing to your ISP if you want to get online.

From the command line, what are the results of the following command?

get route



Below is an example from one of my Junipers of the route table, with the default gateway pointing to the IP address of the ISP's equipment. My default gateway is the first line.


*       108          0.0.0.0/0        untrust    76.110.184.1   C    0      1  Root
*        13      10.160.4.0/24          tun.2         0.0.0.0   S   20      1  Root
*        18     10.160.10.0/24          tun.1     10.160.10.1   S   20      1  Root
*         7    76.110.184.0/21        untrust         0.0.0.0   C    0      0  Root
*         4     192.168.1.1/32      wireless1         0.0.0.0   H    0      0  Root
*         9     192.168.0.0/16          tun.1         0.0.0.0   S   20      1  Root
*        17     10.130.10.0/24          tun.3    100.130.10.1   S   20      1  Root
*         6    10.160.60.17/32      wireless2         0.0.0.0   H    0      0  Root
*        14    192.168.16.0/24          tun.2         0.0.0.0   S   20      1  Root
*         5    10.160.60.16/28      wireless2         0.0.0.0   C    0      0  Root
*        21     192.168.7.0/24         tun.10   192.168.7.254   S   20      1  Root
*         3     192.168.1.0/24      wireless1         0.0.0.0   C    0      0  Root
*         2     10.160.60.1/32          trust         0.0.0.0   H    0      0  Root
*         1     10.160.60.0/28          trust         0.0.0.0   C    0      0  Root
*        20     10.100.10.0/24         tun.10   10.100.10.254   S   20      1  Root
*        15    192.168.50.0/24          tun.1         0.0.0.0   S   20      1  Root
*         8   76.110.189.66/32        untrust         0.0.0.0   H    0      0  Root
*        16     172.168.9.0/24          tun.2     172.168.9.1   S   20      1  Root
*        12   192.168.100.0/24          tun.1   192.168.100.1   S   20      1  Root
*        11         10.0.0.0/8          tun.1         0.0.0.0   S   20      1  Root
*        10    204.146.91.0/24          tun.1         0.0.0.0   S   20      1  Root
*        19       10.10.1.0/24          tun.2       10.10.1.1   S   20      1  Root
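
Reading the get route output Sanga asks for, as an added example that is not part of the thread: parse the trust-vr rows and check that an active default route exists and that its gateway sits on a connected subnet of the egress interface (the two things the thread checks by eye). The sample rows are the author's own output posted later in the thread; the function names are constructed for this example.

```python
import ipaddress
from typing import List

# Route rows copied from the thread's 'get route' output (trust-vr); the
# header and separator lines are included to show the parser skipping them.
SAMPLE_ROUTES = """
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        18          0.0.0.0/0         eth0/0 207.191.185.137   C    0      1     Root
         19          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.136/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root
"""

def parse_screenos_routes(table: str) -> List[dict]:
    """Parse ScreenOS 'get route' rows: a leading '*' marks an active route,
    followed by ID, IP-Prefix, Interface, Gateway, P(rotocol), Pref, Mtr, Vsys."""
    routes = []
    for line in table.splitlines():
        active = line.lstrip().startswith("*")
        fields = line.replace("*", " ", 1).split()
        if len(fields) != 8 or "/" not in fields[1]:
            continue  # header, separator, legend or blank line
        _rid, prefix, iface, gw, proto, _pref, _metric, _vsys = fields
        routes.append({"active": active, "prefix": prefix, "iface": iface,
                       "gateway": gw, "proto": proto})
    return routes

def default_route_issues(table: str) -> List[str]:
    """Reasons outbound traffic could not leave via the default route (empty list = fine)."""
    routes = parse_screenos_routes(table)
    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0" and r["active"]]
    if not defaults:
        return ["no active default route (0.0.0.0/0) in the routing table"]
    connected = [(r["iface"], ipaddress.ip_network(r["prefix"], strict=False))
                 for r in routes if r["proto"] == "C" and r["prefix"] != "0.0.0.0/0"]
    issues = []
    for d in defaults:
        gw = ipaddress.ip_address(d["gateway"])
        if not any(i == d["iface"] and gw in n for i, n in connected):
            issues.append(f"default gateway {gw} is not on a connected subnet of {d['iface']}")
    return issues
```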



Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
BTW, ethernet0/0 should be in route mode and not NAT mode.

Author

Commented:
Here are the results of get route:


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        18          0.0.0.0/0         eth0/0 207.191.185.137   C    0      1     Root
         19          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.136/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root


Also, I have changed ethernet0/0 to route mode. Still not working. Attached is the current config.
-cfg.txt
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
Are you trimming the config file before uploading it? I see no policies at all.

From what I can tell your LAN is 192.168.10.28/24, assigned to bgroup0 in the Trust zone. But in the config file you sent there are no trust-to-untrust policies, or any other policies at all.
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
My mistake. I had accidentally deleted half the txt config file. I re-downloaded it and see the policy now.
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
OK, the next step I would do is traffic debugging. Here's how:

set src-ip <ip-address of pc> dst-ip <ip address on internet>
debug flow basic
clear db

# begin traffic test from computer by pinging <ip address on internet>

undebug all
get db str


You will get a packet-by-packet breakdown of where the traffic is going, and why it is not making it to its destination.

Author

Commented:
I apologize, I was definitely not trimming the config file prior to uploading. Attached is the current config again; this is the complete configuration per the Juniper's Update > Config File > Save Config interface (I manually copied the config listed there and pasted to a text file to ensure you got everything).

ssg5-cfg.txt

Author

Commented:
When I execute the above mentioned src-ip command, I get the following error:


ssg5-serial-> set src-ip 192.168.10.7 dst-ip 8.8.8.8
                            ^---------unknown keyword src-ip
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
What version of ScreenOS is on your SSG?
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
I see the problem... typo on my part:

set ff src-ip .....

Author

Commented:
6.2.0r5.0 (Firewall+VPN)

Author

Commented:
I did as you suggested, and pinged Google's 8.8.8.8 (which responds normally). Attached are the results of that interaction.
ping-results.txt

Author

Commented:
Sorry, to be clear, by "responds normally" I mean that, if the connection were to be working, it would respond to ping requests. It is, of course, not doing so.

Author

Commented:
Anyone?
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
Looking at your debug log and your config, it appears everything on your Juniper is set up correctly. At this point I would start looking at the ISP equipment. For example, with a computer connected directly with the same static IP, are you able to get on the internet?

Author

Commented:
Yes, we tested that. Computer directly connected could surf. Also, from the Juniper CLI, I can successfully ping the gateway (207.191.185.137) from the ethernet0/0 interface. I very much appreciate the help, this is time-sensitive. Nothing looks unusual in the debug logs?

Author

Commented:
I just received word that the static IP used by the computer was 207.191.185.138, which is possibly not the Static IP in use by the Juniper. Based on the config, can you confirm the current static IP in use? I have the overall subnet configured, 207.191.185.136/29.

Author

Commented:
I noticed that, when logging the single, default Trust > Untrust policy (ID 1), when I attempt to ping out, the translated address is 207.191.185.136. While the subnet provided by our ISP is 207.191.185.136/29, a subnet calculator indicates that netmask provides the assignable addresses 207.191.185.137-142 (with 136 not being one of them). The ISP said 207.191.185.137 is the gateway, which leaves us 207.191.185.138-142. Instead of the translated address being 207.191.185.136, I'd like it to be 207.191.185.138 (which is the static IP that the test computer that successfully surfed while directly connected used). How do I set the Juniper so that the default translated address is 207.191.185.138?
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
According to the config your Juniper is configured with static IP address 207.191.185.136/29 and the gateway is 207.191.185.137.

If you use an IP address subnet calculator, you will see that you cannot use the IP ending in .136 for your Juniper, since it is the subnet ID.

The first usable IP is the one ending in .137: this goes to the ISP router and is your Juniper's gateway.

The range of IP addresses you can assign is as follows:

207.191.185.138 to 207.191.185.142

Pick any of those as your public IP and you will be good to go!!!
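
The subnet arithmetic Sanga describes, as an added example that is not part of the original thread: given the ISP's /29 block and gateway, list the assignable addresses and check whether a candidate interface address is valid. It also covers the /32 the author tries later, where the gateway stops being on-link. The function names are constructed for this example; the addresses are the ones from the thread.

```python
import ipaddress
from typing import List, Tuple

def usable_hosts(block: str, gateway: str) -> List[str]:
    """Addresses a customer may assign inside an ISP block: everything in the
    block except the network address, the broadcast address and the ISP gateway."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    return [str(h) for h in net.hosts() if h != gw]

def check_interface_ip(addr_with_prefix: str, gateway: str) -> Tuple[bool, str]:
    """Sanity-check an untrust interface address such as '207.191.185.136/29'
    against the ISP gateway. Returns (ok, reason)."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    if gw not in net:  # e.g. a /32 on the interface: the gateway is no longer on-link
        return False, f"gateway {gw} is not on-link for {net}"
    if iface.ip == net.network_address:
        return False, f"{iface.ip} is the network (subnet) address of {net}"
    if iface.ip == net.broadcast_address:
        return False, f"{iface.ip} is the broadcast address of {net}"
    if iface.ip == gw:
        return False, f"{iface.ip} is the ISP gateway itself"
    return True, f"{iface.ip} is a usable host address in {net}"

if __name__ == "__main__":
    # Values from the thread: ISP block 207.191.185.136/29, gateway .137.
    print(usable_hosts("207.191.185.136/29", "207.191.185.137"))
    for candidate in ("207.191.185.136/29", "207.191.185.138/32", "207.191.185.138/29"):
        print(candidate, check_interface_ip(candidate, "207.191.185.137"))
```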
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
I think you beat me to the punch!!! :)
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
You have to configure the Juniper with one of the usable IP addresses. You cannot use .136 as a configurable IP.

Author

Commented:
Very nice. I'm confused about how to set that exactly. How do I configure the default address for the interface to be .138?
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
From the web interface, go to Network > Interfaces > ethernet0/0 and select Edit, all the way on the right.

You can then change the static IP address and then click Apply, all the way at the bottom of the page.

Author

Commented:
I changed the IP to static (207.191.185.138/32), saved the configuration, rebooted the device, confirmed that the translated outbound address was now 207.191.185.138, and am still not receiving ping replies. Attached is my updated SSG5 config. Coming directly after this is an updated debug log (the one you requested earlier). Thank you again, you are a great help.
new-ssg5-config.txt

Author

Commented:
Here is the updated debug file. Can you see any reason whatsoever we would not be getting ping replies?
new-debug-log.txt

Author

Commented:
Ok, I have changed it to 207.191.185.138/29, no management IP. Saved configuration, tested, still no ping replies. Rebooting device now.
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
From your console, what are the results of the following commands?

get int
get route
get zone
get policy

Author

Commented:
All requested commands:

ssg5-serial-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD      
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -  
eth0/0         207.191.185.138/29                Untrust     28c0.dae7.5640    -   U   -  
eth0/1         0.0.0.0/0                         DMZ         28c0.dae7.5645    -   D   -  
bgroup0        192.168.10.28/24                  Trust       28c0.dae7.564b    -   U   -  
  eth0/2       N/A                               N/A         N/A               -   U   -
  eth0/3       N/A                               N/A         N/A               -   D   -
  eth0/4       N/A                               N/A         N/A               -   D   -
  eth0/5       N/A                               N/A         N/A               -   U   -
  eth0/6       N/A                               N/A         N/A               -   U   -
bgroup1        0.0.0.0/0                         Null        28c0.dae7.564c    -   D   -  
bgroup2        0.0.0.0/0                         Null        28c0.dae7.564d    -   D   -  
bgroup3        0.0.0.0/0                         Null        28c0.dae7.564e    -   D   -  
vlan1          0.0.0.0/0                         VLAN        28c0.dae7.564f    1   D   -  
null           0.0.0.0/0                         Null        N/A               -   U   0  


ssg5-serial-> get route


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         5          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.138/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root


ssg5-serial-> get zone
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
------------------------------------------------------------------------
  ID Name                             Type    Attr    VR          Default-IF   VSYS      
   0 Null                             Null    Shared untrust-vr   serial0/0    Root                
   1 Untrust                          Sec(L3) Shared trust-vr     ethernet0/0  Root                
   2 Trust                            Sec(L3)        trust-vr     bgroup0      Root                
   3 DMZ                              Sec(L3)        trust-vr     ethernet0/1  Root                
   4 Self                             Func           trust-vr     self         Root                
   5 MGT                              Func           trust-vr     null         Root                
   6 HA                               Func           trust-vr     null         Root                
  10 Global                           Sec(L3)        trust-vr     null         Root                
  11 V1-Untrust                       Sec(L2) Shared trust-vr     v1-untrust   Root                
  12 V1-Trust                         Sec(L2) Shared trust-vr     v1-trust     Root                
  13 V1-DMZ                           Sec(L2) Shared trust-vr     v1-dmz       Root                
  14 VLAN                             Func    Shared trust-vr     vlan1        Root                
  15 V1-Null                          Sec(L2) Shared trust-vr     l2v          Root                
  16 Untrust-Tun                      Tun            trust-vr     hidden.1     Root                
------------------------------------------------------------------------


------------------------------------------------------------------------
ssg5-serial-> get policy
Total regular policies 1, Default deny, Software based policy search, new policy enabled.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
     1 Trust    Untrust  Any          Any          ANY                  Permit enabled ---X-X

Author

Commented:
Does this help?