Solved

Workstation cannot reach the internet via SRX

Posted on 2014-01-29
13
728 Views
Last Modified: 2014-02-07
Hi Everyone,
 
I have a workstation that is having issues connecting to the internet via an SRX device. From the SRX device I am able to reach the internet; however, when I try to reach the internet from the workstation I am unable to. Below are the ping results from the SRX device. The configs on the SRX device are below. Please advise on what could be the issue.
 
xxxx@Juniper1> show configuration | display set
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 10.1.1.1
set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
 
xxxx@Juniper1> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=250 time=40.343 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=36.330 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=36.137 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=35.973 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=37.613 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 35.973/37.279/40.343/1.638 ms
victor@Juniper1>
 
 
Thank you
 
Victor
0
Comment
Question by:vreyesii
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39821347
When you attempt to access the internet from the pc, what does your SRX log show? Does it permit the traffic or drop it?
0
 

Author Comment

by:vreyesii
ID: 39821371
I am new to Juniper devices. How can I capture on the logs what the SRX sees?
0
 
LVL 26

Accepted Solution

by: Soulja (earned 500 total points)
ID: 39821444
You need to add:

set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

After doing so, try viewing the log with:

show log messages | match RT_FLOW_SESSION
0
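As an added example (not from the thread), a small Python script that answers Soulja's first question from the RT_FLOW_SESSION lines the accepted solution enables: it parses session create/close/deny lines for one workstation and reports which policy permitted or denied them and which source-NAT address the permitted sessions used. The log lines are constructed, and the legacy (unstructured) RT_FLOW field order is an assumption to verify against real output; an RT_FLOW_SESSION_DENY line only appears when a deny policy itself logs session-init, which this thread's config does not set up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the legacy (unstructured) RT_FLOW syslog layout that
# `show log messages | match RT_FLOW_SESSION` prints. The field order is an assumption;
# compare it with your own device's output before trusting the regexes below.
SAMPLE_LOG = """\
Jan 29 10:01:02 Juniper1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/51234->8.8.8.8/53 junos-dns-udp 192.168.1.3/16384->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 100 N/A(N/A) vlan.0
Jan 29 10:01:03 Juniper1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/51235->8.8.8.8/443 junos-https 192.168.1.3/16385->8.8.8.8/443 source-nat-rule None 6 trust-to-untrust trust untrust 101 5(300) 4(200) 3 N/A(N/A) vlan.0
Jan 29 10:01:05 Juniper1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.5/51236->8.8.8.8/53 junos-dns-udp 17(0) default-deny trust untrust
"""

FLOW = r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
# CREATE and CLOSE share one layout after the optional close reason, e.g. "TCP FIN:".
PERMIT_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session \w+(?: [^:]*:)? " + FLOW
    + r" (?P<app>\S+) (?P<natsrc>[\d.]+)/\d+->[\d.]+/\d+ \S+ \S+ \d+ (?P<policy>\S+) \S+ \S+ (?P<sid>\d+)")
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied " + FLOW + r" (?P<app>\S+) \d+\(\d+\) (?P<policy>\S+)")

def summarize(log_text, host):
    """Per policy, for traffic sourced from `host`: permitted session ids, denies, NAT source addresses."""
    per_policy = defaultdict(lambda: {"permitted": set(), "denied": 0, "nat_src": set()})
    for line in log_text.splitlines():
        m = PERMIT_RE.search(line)
        if m:
            if m["src"] == host:
                p = per_policy[m["policy"]]
                p["permitted"].add(m["sid"])   # CREATE and CLOSE share a session id
                p["nat_src"].add(m["natsrc"])
            continue
        m = DENY_RE.search(line)
        if m and m["src"] == host:
            per_policy[m["policy"]]["denied"] += 1
    return {pol: {"permitted": len(v["permitted"]), "denied": v["denied"],
                  "nat_src": sorted(v["nat_src"])} for pol, v in per_policy.items()}

def diagnose(summary):
    """Turn the evidence into the answer Soulja asked for: permitted, dropped, or never seen."""
    if not summary:
        return "no sessions logged: the SRX never built a session for this host"
    if any(v["permitted"] for v in summary.values()):
        nat = sorted({a for v in summary.values() for a in v["nat_src"]})
        return f"permitted and source-NATed to {', '.join(nat)}; the fault is beyond the policy"
    return "denied by policy " + ", ".join(p for p, v in summary.items() if v["denied"])

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE_LOG, "10.1.1.5")))
```

One caveat before running the `match RT_FLOW_SESSION` check: RT_FLOW_SESSION_* messages are logged at severity info, so with `set system syslog file messages any critical` as in the config above they never reach the messages file. A syslog file entry at `any info` (or a dedicated traffic-log file) is needed for the policy's session-init/session-close logging to become visible.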
 

Author Comment

by:vreyesii
ID: 39822871
When I execute the command I don't see anything; see below:

user@Juniper1> show log messages | match RT_FLOW_SESSION
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39822961
Did you add the log commands?
0
 

Author Comment

by:vreyesii
ID: 39822997
Yes, I did enter the commands to log the policy; see below:

victor@Juniper1> show configuration security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39825654
Can you even ping the Juniper gateway (10.1.1.1) from your computer?
0
 

Author Comment

by:vreyesii
ID: 39826332
Yes, I can ping the Juniper gateway at 10.1.1.1.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39826434
Can you post the sh route? Is this your entire config? Where is your default static route to the internet?
0
 

Author Comment

by:vreyesii
ID: 39826785
Here it is:

root@Juniper1> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 04:29:24
                    > to 192.168.1.1 via fe-0/0/0.0
10.1.1.1/32        *[Local/0] 04:29:36
                      Reject
192.168.1.0/24     *[Direct/0] 04:29:24
                    > via fe-0/0/0.0
192.168.1.3/32     *[Local/0] 04:29:24
                      Local via fe-0/0/0.0

root@Juniper1>
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39827062
Okay, so what are these 192.168.1.x? Can you show the route portion of your config? Where is your default route to your ISP?
0
 

Author Comment

by:vreyesii
ID: 39841565
It's working now. Thank you for your help.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39841948
So what was the issue?
0
