Solved

Workstation cannot reach the internet via SRX

Posted on 2014-01-29
Last Modified: 2014-02-07
Hi Everyone,
 
    I have a workstation that is having issues connecting to the internet via an SRX device. From the SRX device I am able to reach the internet; however, when I try to reach the internet from the workstation I am unable to. Below are the ping results from the SRX device. The configs on the SRX device are below. Please advise on what could be the issue?
 
xxxx@Juniper1> show configuration | display set
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 10.1.1.1
set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
 
xxxx@Juniper1> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=250 time=40.343 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=36.330 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=36.137 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=35.973 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=37.613 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 35.973/37.279/40.343/1.638 ms
victor@Juniper1>
 
 
Thank you
 
Victor
Question by:vreyesii
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39821347
When you attempt to access the internet from the pc, what does your SRX log show? Does it permit the traffic or drop it?
0
 

Author Comment

by:vreyesii
ID: 39821371
I am new to Juniper devices. How can I capture on the logs what the SRX sees?
0
 
LVL 26

Accepted Solution

by:
Soulja earned 2000 total points
ID: 39821444
You need to add:

set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

After doing so then try viewing the log with:

show log messages | match RT_FLOW_SESSION
0
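An added example, not part of the thread, showing how to read the RT_FLOW_SESSION events that the log statements above produce and answer the question asked earlier (permitted, denied, or never seen by the flow engine). The log lines are constructed and their field layout only approximates the Junos format; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt. The field layout approximates Junos
# RT_FLOW session events (assumption: real devices may add fields such as
# byte counts or close reasons); none of these lines came from the thread.
SAMPLE_LOG = """\
Jan 29 10:01:02 Juniper1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/51234->8.8.8.8/53 junos-dns-udp 192.168.1.3/23451->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 1001
Jan 29 10:01:05 Juniper1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/49152->93.184.216.34/80 junos-http 192.168.1.3/31000->93.184.216.34/80 source-nat-rule None 6 trust-to-untrust trust untrust 1002 12(1300) 10(9000)
Jan 29 10:01:09 Juniper1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.9/40000->8.8.8.8/53 junos-dns-udp 17(0) default-deny(global) trust untrust
Jan 29 10:01:12 Juniper1 sshd[1234]: Accepted password for admin from 10.1.1.5 port 50000 ssh2
"""

IP = r"\d+(?:\.\d+){3}"
# Event name, original (pre-NAT) src/dst, application, then the protocol
# number followed by the policy name and the from/to zones.
EVENT_RE = re.compile(
    rf"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE|DENY): .*?"
    rf"(?P<src>{IP})/(?P<sport>\d+)->(?P<dst>{IP})/(?P<dport>\d+) (?P<app>\S+)"
    r".*? (?P<proto>\d+)(?:\(\d+\))? (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_events(log_text):
    """Return one dict per RT_FLOW session event; other syslog lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := EVENT_RE.search(line))]


def host_verdict(log_text, host):
    """Classify what the SRX flow engine did with sessions sourced from `host`."""
    events = [e for e in parse_events(log_text) if e["src"] == host]
    if not events:
        # No session events at all: the packets never reached flow processing
        # (or the policy has no log statement), so look at L2/routing before policy.
        return {"status": "no-sessions", "permitted": 0, "denied": 0, "policies": {}}
    permitted = sum(e["event"] in ("CREATE", "CLOSE") for e in events)  # logged events, not sessions
    denied = sum(e["event"] == "DENY" for e in events)
    policies = dict(Counter(e["policy"] for e in events))
    status = "permitted" if denied == 0 else "denied" if permitted == 0 else "mixed"
    return {"status": status, "permitted": permitted, "denied": denied, "policies": policies}


if __name__ == "__main__":
    for host in ("10.1.1.5", "10.1.1.9", "10.1.1.7"):
        print(host, host_verdict(SAMPLE_LOG, host))
```

Feed it the output of `show log messages | match RT_FLOW_SESSION` for the workstation's address; an empty result for that host is itself the finding, as it was in this thread.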
 

Author Comment

by:vreyesii
ID: 39822871
When I execute the command I don't see anything; see below:

user@Juniper1> show log messages | match RT_FLOW_SESSION
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39822961
Did you add the log commands?
0
 

Author Comment

by:vreyesii
ID: 39822997
Yes, I did enter the commands to log the policy; see below:

victor@Juniper1> show configuration security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39825654
Can you even ping the Juniper gateway from your computer? 10.1.1.1
0
 

Author Comment

by:vreyesii
ID: 39826332
Yes I can ping the Juniper Gateway at 10.1.1.1
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39826434
Can you post the sh route? Is this your entire config? Where is your default static route to the internet?
0
 

Author Comment

by:vreyesii
ID: 39826785
Here it is:

root@Juniper1> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 04:29:24
                    > to 192.168.1.1 via fe-0/0/0.0
10.1.1.1/32        *[Local/0] 04:29:36
                      Reject
192.168.1.0/24     *[Direct/0] 04:29:24
                    > via fe-0/0/0.0
192.168.1.3/32     *[Local/0] 04:29:24
                      Local via fe-0/0/0.0

root@Juniper1>
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39827062
Okay, so what are these 192.168.1.x? Can you show the route portion of your config? Where is your default route to your ISP?
0
 

Author Comment

by:vreyesii
ID: 39841565
It's working now. Thank you for your help.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39841948
So what was the issue?
0

Question has a verified solution.