Solved

Workstation cannot reach the internet via SRX

Posted on 2014-01-29
13
718 Views
Last Modified: 2014-02-07
Hi Everyone,
 
    I have a workstation that is having issues connecting to the internet via an SRX device. From the SRX device I am able to reach the internet; however, when I try to reach the internet from the workstation I am unable to. Below are the ping results from the SRX device. The configs on the SRX device are below. Please advise on what could be the issue?
 
xxxx@Juniper1> show configuration | display set
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 10.1.1.1
set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
 
xxxx@Juniper1> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=250 time=40.343 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=36.330 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=36.137 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=35.973 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=37.613 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 35.973/37.279/40.343/1.638 ms
victor@Juniper1>
 
 
Thank you
 
Victor
0
Comment
Question by:vreyesii
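For anyone reviewing a set-format SRX configuration like the one posted above, here is an added Python example (not from the thread, and not a Juniper tool) that parses `set` statements and audits the pieces a trust-to-untrust internet path needs: every L3 interface placed in a security zone, an L3 interface in the edge zone (with a static default route when the edge address is static, since the DHCP case learns its route), an interface source NAT rule-set between the two zones, and a permit policy. The embedded configuration is a subset of the one in the question; the helper names and the assumption that interface NAT plus a DHCP-learned default route is the intended design are mine. A clean audit only says these elements are present in the configuration, not that the data path works, which is exactly the situation the question describes.

```python
import re

# Subset of the set-format configuration posted in the question (constructed excerpt).
QUESTION_CONFIG = """\
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
"""


def parse_set_lines(text):
    """Split each 'set ...' line into its tokens, dropping the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]


def l3_interfaces(stmts):
    """Map 'ifd.unit' -> 'dhcp' or 'static' for every unit with 'family inet'."""
    out = {}
    for s in stmts:
        if len(s) >= 6 and s[0] == "interfaces" and s[2] == "unit" and s[4:6] == ["family", "inet"]:
            out[f"{s[1]}.{s[3]}"] = "dhcp" if "dhcp" in s[6:] else "static"
    return out


def zone_of(stmts):
    """Map logical interface -> security zone from 'security zones security-zone X interfaces Y'."""
    zones = {}
    for s in stmts:
        if s[:3] == ["security", "zones", "security-zone"] and len(s) >= 6 and s[4] == "interfaces":
            zones[s[5]] = s[3]
    return zones


def source_nat_rulesets(stmts):
    """Collect source NAT rule-sets: their from/to zones and whether a rule uses interface NAT."""
    rulesets = {}
    for s in stmts:
        if s[:4] == ["security", "nat", "source", "rule-set"] and len(s) >= 8:
            entry = rulesets.setdefault(s[4], {"from": None, "to": None, "interface_nat": False})
            if s[5:7] == ["from", "zone"]:
                entry["from"] = s[7]
            elif s[5:7] == ["to", "zone"]:
                entry["to"] = s[7]
            elif s[5] == "rule" and s[7:10] == ["then", "source-nat", "interface"]:
                entry["interface_nat"] = True
    return rulesets


def permit_policies(stmts, from_zone, to_zone):
    """Names of policies from from_zone to to_zone whose action is 'permit'."""
    return sorted({s[7] for s in stmts
                   if len(s) >= 10 and s[:2] == ["security", "policies"]
                   and s[3] == from_zone and s[5] == to_zone and s[8:10] == ["then", "permit"]})


def audit(text, client_zone="trust", edge_zone="untrust"):
    """Return a list of findings; an empty list means every checked element is present."""
    stmts = parse_set_lines(text)
    ifaces = l3_interfaces(stmts)
    zones = zone_of(stmts)
    findings = []

    unzoned = [i for i in ifaces if i not in zones]
    if unzoned:
        findings.append("L3 interface(s) not in any security zone: " + ", ".join(unzoned))

    edge = [i for i, z in zones.items() if z == edge_zone and i in ifaces]
    if not edge:
        findings.append(f"no L3 interface in zone {edge_zone}")
    elif ifaces[edge[0]] == "static" and not any(
            s[:4] == ["routing-options", "static", "route", "0.0.0.0/0"] for s in stmts):
        findings.append("edge interface has a static address but no static default route 0.0.0.0/0")

    if not any(r["from"] == client_zone and r["to"] == edge_zone and r["interface_nat"]
               for r in source_nat_rulesets(stmts).values()):
        findings.append(f"no interface source NAT rule-set from {client_zone} to {edge_zone}")

    if not permit_policies(stmts, client_zone, edge_zone):
        findings.append(f"no permit policy from {client_zone} to {edge_zone}")
    return findings


if __name__ == "__main__":
    for finding in audit(QUESTION_CONFIG) or ["no findings"]:
        print(finding)
```

The same `audit` run on a copy of the configuration with the `security-zone trust interfaces vlan.0` line removed reports the unzoned L3 interface, which is the kind of omission that silently drops traffic on an SRX and that a quick read of a long `display set` listing easily misses.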
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39821347
When you attempt to access the internet from the pc, what does your SRX log show? Does it permit the traffic or drop it?
0
 

Author Comment

by:vreyesii
ID: 39821371
I am new to Juniper devices. How can I capture on the logs what the SRX sees?
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39821444
You need to add:

set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

After doing so, then try viewing the log with:

show log messages | match RT_FLOW_SESSION
0
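Once `log session-init` and `log session-close` are on the policy, the `RT_FLOW_SESSION` lines are what tell you whether the workstation's traffic reached the policy, was denied, or was permitted but not translated. Here is an added Python example (not from the thread, and not a Juniper tool) that parses constructed sample lines in the shape of the non-structured `RT_FLOW_SESSION_CREATE`, `RT_FLOW_SESSION_CLOSE` and `RT_FLOW_SESSION_DENY` messages, counts them, and flags denied flows and flows created without source NAT. The sample lines and the field positions after the flow tuples are assumptions based on that message layout; compare them with your own `show log messages | match RT_FLOW_SESSION` output before relying on the positions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of SRX RT_FLOW syslog events (not taken from the thread).
SAMPLE_LOG = """\
Feb  5 10:00:01 Juniper1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/51234->8.8.8.8/53 junos-dns-udp 192.168.1.3/24011->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 1001 N/A(N/A) vlan.0
Feb  5 10:00:02 Juniper1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.1.1.2/51234->8.8.8.8/53 junos-dns-udp 192.168.1.3/24011->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 1001 1(64) 1(80) 60 N/A(N/A) vlan.0
Feb  5 10:00:05 Juniper1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.2/49001->8.8.8.8/443 junos-https 6(0) default-deny trust untrust UNKNOWN UNKNOWN N/A(N/A) vlan.0
Feb  5 10:00:06 Juniper1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.2/49002->8.8.8.8/443 junos-https 10.1.1.2/49002->8.8.8.8/443 None None 6 trust-to-untrust trust untrust 1002 N/A(N/A) vlan.0
"""

EVENT_RE = re.compile(r"(?P<event>RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY)): (?P<body>.*)$")
# One 'src/sport->dst/dport' tuple; CREATE/CLOSE carry a second tuple with the post-NAT addresses.
FLOW_RE = re.compile(r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_line(line):
    """Return a dict describing one RT_FLOW_SESSION event, or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event, body = m.group("event"), m.group("body")
    flows = list(FLOW_RE.finditer(body))
    if not flows:
        return None
    first = flows[0]
    rest = body[first.end():].split()
    rec = {"event": event, "src": first["src"], "dst": first["dst"],
           "dport": int(first["dport"]), "service": rest[0], "nat_src": None, "snat_rule": None}
    if event == "RT_FLOW_SESSION_DENY":
        # service proto(icmp-type) policy from-zone to-zone ...
        rec["policy"], rec["from_zone"], rec["to_zone"] = rest[2], rest[3], rest[4]
    else:
        # after the NAT tuple: snat-rule dnat-rule proto policy from-zone to-zone ...
        nat = flows[1]
        rest = body[nat.end():].split()
        rec["nat_src"] = nat["src"]
        rec["snat_rule"] = rest[0]
        rec["policy"], rec["from_zone"], rec["to_zone"] = rest[3], rest[4], rest[5]
    return rec


def summarize(log_text):
    """Count events and flag denied flows and permitted flows whose source was not translated."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    counts = Counter(r["event"] for r in records)
    denied = [(r["src"], r["dst"], r["dport"], r["policy"])
              for r in records if r["event"] == "RT_FLOW_SESSION_DENY"]
    unnatted = [(r["src"], r["dst"], r["dport"])
                for r in records if r["event"] == "RT_FLOW_SESSION_CREATE" and r["nat_src"] == r["src"]]
    if not records:
        verdict = "no RT_FLOW_SESSION events: traffic never reached a logged policy"
    elif denied:
        verdict = "some sessions hit a deny policy"
    elif unnatted:
        verdict = "sessions permitted but source address not translated"
    else:
        verdict = "sessions permitted and translated"
    return {"counts": dict(counts), "denied": denied,
            "created_without_source_nat": unnatted, "verdict": verdict}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The empty result the author reports later in this thread corresponds to the first verdict: with logging enabled on the only trust-to-untrust policy, no session lines at all means the packets never matched that policy, so the fault is before it (zone membership of the client interface, routing, or the client itself) rather than in the policy or NAT rule.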
 

Author Comment

by:vreyesii
ID: 39822871
When I execute the command I don't see anything; see below:

user@Juniper1> show log messages | match RT_FLOW_SESSION
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39822961
Did you add the log commands?
0
 

Author Comment

by:vreyesii
ID: 39822997
Yes, I did enter the commands to log the policy; see below:

victor@Juniper1> show configuration security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39825654
Can you even ping the Juniper gateway from your computer? 10.1.1.1
0
 

Author Comment

by:vreyesii
ID: 39826332
Yes, I can ping the Juniper gateway at 10.1.1.1.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39826434
Can you post the sh route? Is this your entire config? Where is your default static route to the internet?
0
 

Author Comment

by:vreyesii
ID: 39826785
Here it is:

root@Juniper1> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 04:29:24
                    > to 192.168.1.1 via fe-0/0/0.0
10.1.1.1/32        *[Local/0] 04:29:36
                      Reject
192.168.1.0/24     *[Direct/0] 04:29:24
                    > via fe-0/0/0.0
192.168.1.3/32     *[Local/0] 04:29:24
                      Local via fe-0/0/0.0

root@Juniper1>
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39827062
Okay, so what are these 192.168.1.x? Can you show the route portion of your config? Where is your default route to your ISP?
0
 

Author Comment

by:vreyesii
ID: 39841565
It's working now. Thank you for your help.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39841948
So what was the issue?
0
