• Status: Solved

No connectivity on Juniper SSG5.

I currently do not have outbound connectivity on my Juniper SSG5. My stated IP block by my ISP is 207.191.185.136 / 29, and my gateway is 207.191.185.137. As suggested, I have performed a debug capture of traffic (ping requests) going from a host inside the network (192.168.10.7) to Google's public DNS server (8.8.8.8). The pings appear to attempt to go out but no response ever comes back.

Attached is my Juniper config file and the results of my capture. Thank you very much in advance for your help.

ssg5-cfg.txt
Asked:
VLib
 
VLib (Author) commented:
Here is the capture log:
ping-results.txt
 
VLib (Author) commented:
Hello?
 
Qlemo (C++ Developer) commented:
Are you able to ping the gateway? I cannot see the results of the ARP request for it.

The gateway is reachable from outside (I could ping it).
 
VLib (Author) commented:
How can I test that from the Juniper device? I am too far away from the host to physically hook up another box. Is that something I could do from the Juniper?
 
Qlemo (C++ Developer) commented:
Yes, you can do a ping from the SSG CLI. You might need to provide the source interface name ("from bgroup0" or the like). You can also issue a trace-route (not tracert).
 
VLib (Author) commented:
Yes, pinging from ethernet0/0 to the gateway was successful. Do you happen to see anything wrong with my configuration?
 
VLib (Author) commented:
I noticed that, when logging the single, default Trust > Untrust policy (ID 1), when I attempt to ping out, the translated address is 207.191.185.136. While the subnet provided by our ISP is 207.191.185.136/29, a subnet calculator indicates that netmask provides the assignable addresses 207.191.185.137-142 (with 136 not being one of them). The ISP said 207.191.185.137 is the gateway, which leaves us 207.191.185.138-142. Instead of the translated address being 207.191.185.136, I'd like it to be 207.191.185.138 (which is the static IP that the test computer that successfully surfed while directly connected used). How do I set the Juniper so that the default translated address is 207.191.185.138?
 
Qlemo (C++ Developer) commented:
That is the issue, yes. That DIP 2 address is your interface address of eth0/0. Set it to .138 (in the interface IP properties), and you should not have to do anything else to get it to work. .136 is the network address ("all zero bits"), and not allowed to be used as an IP address in that /29 network, as the subnet calculator correctly reveals. The same applies to the "all-ones" address of .143.
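Added example (not part of the original thread, and not the poster's attached config): a small Python audit that flags interface addresses sitting on the network or broadcast address of their own subnet, which is the misconfiguration identified in the accepted answer. The config lines are constructed in ScreenOS `set interface ... ip` style, and the `bgroup0` address is an assumption.

```python
import ipaddress
import re

# Constructed sample in ScreenOS "set interface ... ip" style; this is NOT the
# poster's attached ssg5-cfg.txt, whose contents are not shown on the page.
SAMPLE_CONFIG = """\
set interface bgroup0 ip 192.168.10.1/24
set interface ethernet0/0 ip 207.191.185.136/29
set interface ethernet0/0 route
"""

IFACE_IP = re.compile(r"^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)\s*$")


def check_address(cidr, gateway=None):
    """Classify an interface address within its own subnet."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen < 31:  # /31 and /32 have no reserved addresses
        if iface.ip == net.network_address:
            return "network address (all-zero host bits)"
        if iface.ip == net.broadcast_address:
            return "broadcast address (all-one host bits)"
    if gateway is not None and iface.ip == ipaddress.ip_address(gateway):
        return "same as upstream gateway"
    return "ok"


def audit(config, gateway=None):
    """Return (interface, cidr, verdict) for every interface IP line."""
    results = []
    for line in config.splitlines():
        m = IFACE_IP.match(line.strip())
        if m:
            results.append((m.group(1), m.group(2), check_address(m.group(2), gateway)))
    return results


def usable_hosts(cidr, gateway=None):
    """Assignable addresses in the block, minus the ISP gateway."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts() if str(h) != gateway]


if __name__ == "__main__":
    for name, cidr, verdict in audit(SAMPLE_CONFIG, gateway="207.191.185.137"):
        print(f"{name:12} {cidr:20} {verdict}")
    print(usable_hosts("207.191.185.136/29", gateway="207.191.185.137"))
```

For the /29 in the question this leaves .138 through .142 as assignable addresses, matching what the poster worked out with the subnet calculator.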