VLib

asked on

Juniper SSG5-no connectivity.

I am trying to set up a new SSG5. I have a /29 IP block.

I have set up several of these in the past, but for some reason, cannot get this one to work.

I cannot ping anything outside. If I set logging on the default allow all trust to untrust policy, I can see the packets attempt to go out, but I never get a response.

Can someone review this config and let me know if they see anything wrong? Thank you very much in advance.

The IP block is 207.191.185.136/29
-cfg.txt
Sanga Collins

I don't see the default route in the configuration. Is this a static public IP address?
VLib

ASKER

It is a static public IP address (unless my terminology is off somehow). We have a permanent block of 207.191.185.136 / 29. We were told our gateway is 207.191.185.137.

I had deleted the default route when troubleshooting, as a previous article I found indicated that having a default route in the trust-vr and having a gateway set on the ethernet0/0 interface were redundant and could lead to the issues I'm experiencing. Should I re-add one? I had one before with no success.

ASKER

Unless, of course, I added the default-route wrong previously.

ASKER

I have re-added a default route. Here is the updated config file. Still not working.
-cfg.txt
You definitely need the default route pointing to your ISP if you want to get online.

From the command line, what are the results of the following command?

get route



Below is an example from one of my Junipers of the route table with the default gateway pointing to the IP address of the ISP's equipment. My default gateway is the first line.


*       108          0.0.0.0/0        untrust    76.110.184.1   C    0      1  Root
*        13      10.160.4.0/24          tun.2         0.0.0.0   S   20      1  Root
*        18     10.160.10.0/24          tun.1     10.160.10.1   S   20      1  Root
*         7    76.110.184.0/21        untrust         0.0.0.0   C    0      0  Root
*         4     192.168.1.1/32      wireless1         0.0.0.0   H    0      0  Root
*         9     192.168.0.0/16          tun.1         0.0.0.0   S   20      1  Root
*        17     10.130.10.0/24          tun.3    100.130.10.1   S   20      1  Root
*         6    10.160.60.17/32      wireless2         0.0.0.0   H    0      0  Root
*        14    192.168.16.0/24          tun.2         0.0.0.0   S   20      1  Root
*         5    10.160.60.16/28      wireless2         0.0.0.0   C    0      0  Root
*        21     192.168.7.0/24         tun.10   192.168.7.254   S   20      1  Root
*         3     192.168.1.0/24      wireless1         0.0.0.0   C    0      0  Root
*         2     10.160.60.1/32          trust         0.0.0.0   H    0      0  Root
*         1     10.160.60.0/28          trust         0.0.0.0   C    0      0  Root
*        20     10.100.10.0/24         tun.10   10.100.10.254   S   20      1  Root
*        15    192.168.50.0/24          tun.1         0.0.0.0   S   20      1  Root
*         8   76.110.189.66/32        untrust         0.0.0.0   H    0      0  Root
*        16     172.168.9.0/24          tun.2     172.168.9.1   S   20      1  Root
*        12   192.168.100.0/24          tun.1   192.168.100.1   S   20      1  Root
*        11         10.0.0.0/8          tun.1         0.0.0.0   S   20      1  Root
*        10    204.146.91.0/24          tun.1         0.0.0.0   S   20      1  Root
*        19       10.10.1.0/24          tun.2       10.10.1.1   S   20      1  Root



BTW ethernet0/0 should be in route mode and not NAT mode
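The default-route check the responder is asking for, as an added Python example that is not part of this thread and not Juniper's code: it parses the ScreenOS `get route` table format shown above and reports whether an active 0.0.0.0/0 route exists, whether its gateway lies inside a connected prefix on the same interface (otherwise the firewall cannot resolve the next hop), and whether the interface gateway setting and a static default route duplicate each other, which is the redundancy the asker worried about. The sample input is the asker's own <trust-vr> table from later in this thread, reused here as test data; the function names and the wording of the findings are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample input: the <trust-vr> section of the asker's `get route` output, copied
# from this thread and used here as test data.
SAMPLE_GET_ROUTE = """\
IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        18          0.0.0.0/0         eth0/0 207.191.185.137   C    0      1     Root
         19          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.136/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root
"""

# One route line: optional '*' (active), ID, prefix, interface, gateway,
# protocol letter(s), preference, metric, vsys. Header and legend lines do not match.
ROUTE_LINE = re.compile(
    r"^(?P<active>\*)?\s*(?P<id>\d+)\s+(?P<prefix>\S+/\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<gateway>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[A-Za-z0-9]+)\s+"
    r"(?P<pref>\d+)\s+(?P<metric>\d+)\s+(?P<vsys>\S+)\s*$"
)


@dataclass
class Route:
    active: bool
    id: int
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: ipaddress.IPv4Address
    proto: str  # C connected, S static, H host, ...
    pref: int
    metric: int


def parse_get_route(text):
    """Parse ScreenOS `get route` output into Route objects, skipping headers and legends."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        routes.append(Route(
            active=m.group("active") == "*",
            id=int(m.group("id")),
            prefix=ipaddress.ip_network(m.group("prefix"), strict=False),
            iface=m.group("iface"),
            gateway=ipaddress.ip_address(m.group("gateway")),
            proto=m.group("proto"),
            pref=int(m.group("pref")),
            metric=int(m.group("metric")),
        ))
    return routes


def audit_default_route(routes):
    """Return a list of findings; an empty list means default routing looks consistent."""
    findings = []
    defaults = [r for r in routes if r.prefix.prefixlen == 0]
    if not any(r.active for r in defaults):
        findings.append("no active default route (0.0.0.0/0): outbound traffic has nowhere to go")
        return findings
    # Connected prefixes (protocol C, excluding the default itself) are what make a
    # next hop reachable on-link.
    connected = [r for r in routes if r.proto == "C" and r.prefix.prefixlen > 0]
    for d in defaults:
        if not any(c.iface == d.iface and d.gateway in c.prefix for c in connected):
            findings.append(
                f"default route {d.id}: gateway {d.gateway} is not inside any connected "
                f"prefix on {d.iface}, so the firewall cannot ARP for it")
    # The interface gateway setting (C) and a static default route (S) to the same
    # next hop are redundant; the table then lists the same default twice.
    for iface, gw in sorted({(d.iface, d.gateway) for d in defaults}):
        dups = [d for d in defaults if (d.iface, d.gateway) == (iface, gw)]
        if len(dups) > 1:
            protos = ",".join(sorted(d.proto for d in dups))
            findings.append(
                f"default route to {gw} via {iface} appears {len(dups)} times "
                f"(protocols {protos}): interface gateway and static default route are redundant")
    return findings


if __name__ == "__main__":
    parsed = parse_get_route(SAMPLE_GET_ROUTE)
    for r in parsed:
        print(f"{'*' if r.active else ' '} {r.id:>3} {str(r.prefix):>20} {r.iface:>8} {r.gateway} {r.proto}")
    for f in audit_default_route(parsed) or ["default routing looks consistent"]:
        print("finding:", f)
```

Paste the output of `get route` into `SAMPLE_GET_ROUTE` (or read it from a file) and the audit tells you which of the three conditions fails; on the asker's table it reports only the duplicate default, since the gateway .137 sits inside the connected 207.191.185.136/29 on eth0/0.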

ASKER

Here are the results of get route:


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        18          0.0.0.0/0         eth0/0 207.191.185.137   C    0      1     Root
         19          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.136/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root


Also, I have changed ethernet0/0 to route mode. Still not working. Attached is the current config.
-cfg.txt
Are you trimming the config file before uploading it? I see no policies at all.

From what I can tell your LAN is 192.168.10.28/24, assigned to bgroup0 in the Trust zone. But in the config file you sent there are no Trust to Untrust policies, or any other policies at all.
My mistake. I had accidentally deleted half the txt config file. I re-downloaded it and see the policy now.
OK, the next step I would do is traffic debugging. Here's how:

set src-ip <ip-address of pc> dst-ip <ip address on internet>
debug flow basic
clear db

# begin traffic test from computer by pinging <ip address on internet>

undebug all
get db str


You will get a packet-by-packet breakdown of where the traffic is going, and why it is not making it to its destination.

ASKER

I apologize, I was definitely not trimming the config file prior to uploading. Attached is the current config again; this is the complete configuration per the Juniper's Update > Config File > Save Config interface (I manually copied the config listed there and pasted to a text file to ensure you got everything).

ssg5-cfg.txt

ASKER

When I execute the above mentioned src-ip command, I get the following error:


ssg5-serial-> set src-ip 192.168.10.7 dst-ip 8.8.8.8
                            ^---------unknown keyword src-ip
What version of ScreenOS is on your SSG?
I see the problem... typo on my part.

set ff src-ip .....

ASKER

6.2.0r5.0 (Firewall+VPN)

ASKER

I did as you suggested, and pinged Google's 8.8.8.8 (which responds normally). Attached are the results of that interaction.
ping-results.txt

ASKER

Sorry, to be clear, by "responds normally" I mean that, if the connection were to be working, it would respond to ping requests. It is, of course, not doing so.

ASKER

Anyone?
Looking at your debug log and your config, it appears everything on your Juniper is set up correctly. At this point I would start looking at the ISP equipment. For example, with a computer connected directly with the same static IP, are you able to get on the internet?

ASKER

Yes, we tested that. Computer directly connected could surf. Also, from the Juniper CLI, I can successfully ping the gateway (207.191.185.137) from the ethernet0/0 interface. I very much appreciate the help, this is time-sensitive. Nothing looks unusual in the debug logs?

ASKER

I just received word that the static IP used by the computer was 207.191.185.138, which is possibly not the Static IP in use by the Juniper. Based on the config, can you confirm the current static IP in use? I have the overall subnet configured, 207.191.185.136/29.

ASKER

I noticed that, when logging the single, default Trust > Untrust policy (ID 1), when I attempt to ping out, the translated address is 207.191.185.136. While the subnet provided by our ISP is 207.191.185.136/29, a subnet calculator indicates that netmask provides the assignable addresses 207.191.185.137-142 (with 136 not being one of them). The ISP said 207.191.185.137 is the gateway, which leaves us 207.191.185.138-142. Instead of the translated address being 207.191.185.136, I'd like it to be 207.191.185.138 (which is the static IP that the test computer that successfully surfed while directly connected used). How do I set the Juniper so that the default translated address is 207.191.185.138?
According to the config your Juniper is configured with static IP address 207.191.185.136/29 and the gateway is 207.191.185.137.

If you use an IP address subnet calculator, you will see that you cannot use the IP ending in .136 for your Juniper, since it is the subnet ID.

The first usable IP is the one ending in .137: this goes to the ISP router and is your Juniper's gateway.

The range of IP addresses you can assign is as follows:

207.191.185.138 to 207.191.185.142

Pick any of those as your public IP and you will be good to go!!!
I think you beat me to the punch!!! :)
You have to configure the Juniper with one of the usable IP addresses. You cannot use .136 as a configurable IP.

ASKER

Very nice. I'm confused about how to set that exactly. How do I configure the default address for the interface be .138?
From the web interface, go to Network > Interfaces > ethernet0/0 and select Edit all the way on the right.

You can then change the static IP address and then click Apply all the way at the bottom of the page.

ASKER

I changed the IP to static (207.191.185.138/32), saved the configuration, rebooted the device, confirmed that the translated outbound address was now 207.191.185.138, and am still not receiving ping replies. Attached is my updated SSG5 config. Coming directly after this is an updated debug log (the one you requested earlier). Thank you again, you are a great help.
new-ssg5-config.txt
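The address-planning rule from the answers above (.136 is the subnet ID and not assignable, .137 is the ISP gateway, .138 to .142 remain) and the asker's switch to a /32 host address, as an added Python example that is not part of this thread and not Juniper's code: `assignable_addresses` lists what is left for the customer in any block, and `check_interface_address` flags a candidate firewall interface address that is the network or broadcast address, collides with the gateway, or carries a prefix length that leaves the gateway off-link, which is what a /32 on the untrust interface does, since the connected route the firewall derives from the interface then covers only itself. The addresses are the ones from this thread; the function names and the wording of the findings are my own.

```python
import ipaddress


def assignable_addresses(isp_block, gateway):
    """Host addresses left for the customer once the network address, the broadcast
    address and the ISP gateway are excluded. strict=True raises ValueError if the
    block is not written as a network (e.g. 207.191.185.137/29 is not a valid block)."""
    net = ipaddress.ip_network(isp_block, strict=True)
    gw = ipaddress.ip_address(gateway)
    return [str(h) for h in net.hosts() if h != gw]


def check_interface_address(interface_cidr, isp_block, gateway):
    """Return findings for a proposed firewall interface address; [] means usable."""
    findings = []
    net = ipaddress.ip_network(isp_block, strict=True)
    gw = ipaddress.ip_address(gateway)
    iface = ipaddress.ip_interface(interface_cidr)
    ip = iface.ip
    if ip not in net:
        return [f"{ip} is outside the ISP block {net}"]
    if ip == net.network_address:
        findings.append(f"{ip} is the network address (subnet id) of {net}; hosts cannot use it")
    if ip == net.broadcast_address:
        findings.append(f"{ip} is the broadcast address of {net}; hosts cannot use it")
    if ip == gw:
        findings.append(f"{ip} is the ISP gateway and is already in use by the ISP router")
    # The prefix length on the interface is what creates the connected route; a /32
    # says "nothing else is on this wire", so the gateway becomes unreachable.
    if iface.network.prefixlen != net.prefixlen:
        findings.append(
            f"prefix length /{iface.network.prefixlen} does not match the ISP block /{net.prefixlen}")
    if gw not in iface.network:
        findings.append(
            f"with {interface_cidr} the gateway {gw} is not on-link: no connected route will cover it")
    return findings


if __name__ == "__main__":
    block, gateway = "207.191.185.136/29", "207.191.185.137"
    print("assignable:", ", ".join(assignable_addresses(block, gateway)))
    for candidate in ("207.191.185.136/29", "207.191.185.138/32", "207.191.185.138/29"):
        result = check_interface_address(candidate, block, gateway)
        print(candidate, "->", "; ".join(result) if result else "usable")
```

Run it as-is to see the three cases from this thread side by side: the original .136/29 (subnet ID), the later .138/32 (correct host, wrong mask, gateway off-link) and .138/29 (usable).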
ASKER CERTIFIED SOLUTION
Sanga Collins

ASKER

Here is the updated debug file. Can you see any reason whatsoever we would not be getting ping replies?
new-debug-log.txt

ASKER

Ok, I have changed it to 207.191.185.138/29, no management IP. Saved configuration, tested, still no ping replies. Rebooting device now.
From your console, what are the results of the following commands?

get int
get route
get zone
get policy

ASKER

All requested commands:

ssg5-serial-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD      
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -  
eth0/0         207.191.185.138/29                Untrust     28c0.dae7.5640    -   U   -  
eth0/1         0.0.0.0/0                         DMZ         28c0.dae7.5645    -   D   -  
bgroup0        192.168.10.28/24                  Trust       28c0.dae7.564b    -   U   -  
  eth0/2       N/A                               N/A         N/A               -   U   -
  eth0/3       N/A                               N/A         N/A               -   D   -
  eth0/4       N/A                               N/A         N/A               -   D   -
  eth0/5       N/A                               N/A         N/A               -   U   -
  eth0/6       N/A                               N/A         N/A               -   U   -
bgroup1        0.0.0.0/0                         Null        28c0.dae7.564c    -   D   -  
bgroup2        0.0.0.0/0                         Null        28c0.dae7.564d    -   D   -  
bgroup3        0.0.0.0/0                         Null        28c0.dae7.564e    -   D   -  
vlan1          0.0.0.0/0                         VLAN        28c0.dae7.564f    1   D   -  
null           0.0.0.0/0                         Null        N/A               -   U   0  


ssg5-serial-> get route


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         5          0.0.0.0/0         eth0/0 207.191.185.137   S   20      1     Root
*         2 207.191.185.138/32         eth0/0         0.0.0.0   H    0      0     Root
*         1 207.191.185.136/29         eth0/0         0.0.0.0   C    0      0     Root
*         4   192.168.10.28/32        bgroup0         0.0.0.0   H    0      0     Root
*         3    192.168.10.0/24        bgroup0         0.0.0.0   C    0      0     Root


ssg5-serial-> get zone
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
------------------------------------------------------------------------
  ID Name                             Type    Attr    VR          Default-IF   VSYS      
   0 Null                             Null    Shared untrust-vr   serial0/0    Root                
   1 Untrust                          Sec(L3) Shared trust-vr     ethernet0/0  Root                
   2 Trust                            Sec(L3)        trust-vr     bgroup0      Root                
   3 DMZ                              Sec(L3)        trust-vr     ethernet0/1  Root                
   4 Self                             Func           trust-vr     self         Root                
   5 MGT                              Func           trust-vr     null         Root                
   6 HA                               Func           trust-vr     null         Root                
  10 Global                           Sec(L3)        trust-vr     null         Root                
  11 V1-Untrust                       Sec(L2) Shared trust-vr     v1-untrust   Root                
  12 V1-Trust                         Sec(L2) Shared trust-vr     v1-trust     Root                
  13 V1-DMZ                           Sec(L2) Shared trust-vr     v1-dmz       Root                
  14 VLAN                             Func    Shared trust-vr     vlan1        Root                
  15 V1-Null                          Sec(L2) Shared trust-vr     l2v          Root                
  16 Untrust-Tun                      Tun            trust-vr     hidden.1     Root                
------------------------------------------------------------------------


------------------------------------------------------------------------
ssg5-serial-> get policy
Total regular policies 1, Default deny, Software based policy search, new policy enabled.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
     1 Trust    Untrust  Any          Any          ANY                  Permit enabled ---X-X

ASKER

Does this help?