Solved

Workstation cannot reach the internet via SRX

Posted on 2014-01-29
13
712 Views
Last Modified: 2014-02-07
Hi Everyone,
 
    I have a workstation that is having issues connecting to the internet via an SRX device. From the SRX device I am able to reach the internet however, when I try to reach the internet from the workstation station I am unable too. Below is ping results from the SRX device. The configs on the SRX device are below. Please advise on what could be the issue?
 
xxxx@Juniper1> show configuration | display set
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 10.1.1.1
set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.2
set system services dhcp pool 10.1.1.0/24 address-range high 10.1.1.254
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.1.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/7.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
 
xxxx@Juniper1> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=250 time=40.343 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=36.330 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=36.137 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=35.973 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=37.613 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 35.973/37.279/40.343/1.638 ms
victor@Juniper1>
 
 
Thank you
 
Victor
0
Comment
Question by:vreyesii
  • 7
  • 6
13 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39821347
When you attempt to access the internet from the pc, what does your SRX log show? Does it permit the traffic or drop it?
0
 

Author Comment

by:vreyesii
ID: 39821371
I am new to Juniper devices. How can I capture on the logs what the SRX sees?
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39821444
You need to add:

set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

After doing so then try viewing the log wit:

show log messages | match RT_FLOW_SESSION
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:vreyesii
ID: 39822871
When I execute the command I don't see anything see below:

user@Juniper1> show log messages | match RT_FLOW_SESSION
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39822961
Did you add the log commands?
0
 

Author Comment

by:vreyesii
ID: 39822997
Yes I did enter the commands to log the policy see below:

victor@Juniper1> show configuration security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39825654
Can you even ping the juniper gateway from your computer?  10.1.1.1
0
 

Author Comment

by:vreyesii
ID: 39826332
Yes I can ping the Juniper Gateway at 10.1.1.1
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39826434
Can you post the sh route? Is this your entire config? Where is your default static route to the internet?
0
 

Author Comment

by:vreyesii
ID: 39826785
Here it is:

root@Juniper1> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 04:29:24
                    > to 192.168.1.1 via fe-0/0/0.0
10.1.1.1/32        *[Local/0] 04:29:36
                      Reject
192.168.1.0/24     *[Direct/0] 04:29:24
                    > via fe-0/0/0.0
192.168.1.3/32     *[Local/0] 04:29:24
                      Local via fe-0/0/0.0

root@Juniper1>
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39827062
Okay, so what are these 192.168.1.x . Can you show the route portion of your config?  Where is your default route to your ISP?
0
 

Author Comment

by:vreyesii
ID: 39841565
It's working now. Thank you for your help.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39841948
So what was the issue?
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question