Solved

Workstation cannot reach the internet via SRX

Posted on 2014-01-29
13
683 Views
Last Modified: 2014-02-07
Hi Everyone,
 
    I have a workstation that is having issues connecting to the internet via an SRX device. From the SRX device I am able to reach the internet however, when I try to reach the internet from the workstation station I am unable too. Below is ping results from the SRX device. The configs on the SRX device are below. Please advise on what could be the issue?
 
xxxx@Juniper1> show configuration | display set
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 10.1.1.1
set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
 
xxxx@Juniper1> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=250 time=40.343 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=36.330 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=36.137 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=35.973 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=37.613 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 35.973/37.279/40.343/1.638 ms
victor@Juniper1>
 
 
Thank you
 
Victor
0
Comment
Question by:vreyesii
  • 7
  • 6
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39821347
When you attempt to access the internet from the pc, what does your SRX log show? Does it permit the traffic or drop it?
0
 

Author Comment

by:vreyesii
ID: 39821371
I am new to Juniper devices. How can I capture on the logs what the SRX sees?
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39821444
You need to add:

set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

After doing so then try viewing the log wit:

show log messages | match RT_FLOW_SESSION
0
 

Author Comment

by:vreyesii
ID: 39822871
When I execute the command I don't see anything see below:

user@Juniper1> show log messages | match RT_FLOW_SESSION
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39822961
Did you add the log commands?
0
 

Author Comment

by:vreyesii
ID: 39822997
Yes I did enter the commands to log the policy see below:

victor@Juniper1> show configuration security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
0
New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

 
LVL 26

Expert Comment

by:Soulja
ID: 39825654
Can you even ping the juniper gateway from your computer?  10.1.1.1
0
 

Author Comment

by:vreyesii
ID: 39826332
Yes I can ping the Juniper Gateway at 10.1.1.1
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39826434
Can you post the sh route? Is this your entire config? Where is your default static route to the internet?
0
 

Author Comment

by:vreyesii
ID: 39826785
Here it is:

root@Juniper1> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 04:29:24
                    > to 192.168.1.1 via fe-0/0/0.0
10.1.1.1/32        *[Local/0] 04:29:36
                      Reject
192.168.1.0/24     *[Direct/0] 04:29:24
                    > via fe-0/0/0.0
192.168.1.3/32     *[Local/0] 04:29:24
                      Local via fe-0/0/0.0

root@Juniper1>
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39827062
Okay, so what are these 192.168.1.x . Can you show the route portion of your config?  Where is your default route to your ISP?
0
 

Author Comment

by:vreyesii
ID: 39841565
It's working now. Thank you for your help.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39841948
So what was the issue?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now