Mailing List Archive: nsp: juniper

Config help with an SRX110 & ADSL

 

 



josh at base-2

Aug 28, 2012, 2:35 AM

Post #1 of 6 (695 views)
Config help with an SRX110 & ADSL

Hi guys

I'm having a few issues getting traffic to pass on an SRX110 I'm setting up for a branch office. It may be something simple, as this is one of the first times I've set up a Juniper device.

I have a default route, source NAT on the egress zone and policies configured but I can't pass traffic through the device, or from the device outbound.

I know on my Cisco router using the same connection I am assigned a default gateway by my ISP. I can't find a similar option for Juniper.

Could someone eyeball the following and suggest any pointers?

Here is my configuration:

root@<snip>> show configuration
## Last commit: 2012-08-29 05:10:21 NZST by root
version 12.1R3.5;
system {
    host-name <snip>;
    domain-name <snip>.co.nz;
    time-zone Pacific/Auckland;
    root-authentication {
        encrypted-password "$1$4tjZP.Jb$YMyhL1OLzSS7/Rrm0ABO20"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface [ vlan.0 vlan.1 vlan.2 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 vlan.1 vlan.2 ];
            }
        }
        dhcp {
            pool 192.168.10.0/24 {
                address-range low 192.168.10.100 high 192.168.10.200;
                domain-name <snip>.co.nz;
                name-server {
                    208.67.222.222;
                    208.67.220.220;
                }
                domain-search {
                    <snip>.co.nz;
                }
                router {
                    192.168.10.1;
                }
            }
            pool 192.168.11.0/24 {
                address-range low 192.168.11.100 high 192.168.11.200;
                domain-name <snip>.co.nz;
                name-server {
                    192.168.11.1;
                }
                domain-search {
                    <snip>.co.nz;
                }
                router {
                    192.168.11.1;
                }
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    at-1/0/0 {
        description "ADSL Interface";
        mtu 1492;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            description PPPoA;
            encapsulation atm-ppp-vc-mux;
            vci 0.100;
            ppp-options {
                pap {
                    access-profile pppoa-client;
                    local-name "<snip>";
                    local-password "<snip>"; ## SECRET-DATA
                    passive;
                }
            }
            family inet {
                negotiate-address;
                dhcp;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1 {
            family inet {
                address 192.168.11.1/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
}
snmp {
    name <snip>;
    location "<snip>";
    contact "<snip>";
}
routing-options {
    static {
        route 192.168.50.0/24 next-hop st0.1;
        route 192.168.42.0/24 next-hop st0.1;
        route 0.0.0.0/0 next-hop at-1/0/0.0;
    }
}
protocols {
    stp {
        disable;
    }
}
security {
    log {
        mode event;
    }
    ike {
        policy ike_pol_COMMS-VPN {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "<snip>"; ## SECRET-DATA
        }
        gateway gw_COMMS-VPN {
            ike-policy ike_pol_COMMS-VPN;
            address <snip>;
            external-interface at-1/0/0.1;
        }
    }
    ipsec {
        proposal COMMS-Secure {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 102400;
        }
        policy ipsec_pol_COMMS-VPN {
            perfect-forward-secrecy {
                keys group5;
            }
            proposal-set standard;
        }
        vpn COMMS-VPN {
            bind-interface st0.1;
            vpn-monitor;
            ike {
                gateway gw_COMMS-VPN;
                ipsec-policy ipsec_pol_COMMS-VPN;
            }
            establish-tunnels immediately;
        }
    }
    application-tracking;
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_COMMS-VPN {
                match {
                    source-address [ addr_192_168_11_0_24 addr_192_168_10_0_24 ];
                    destination-address [ addr_192_168_50_0_24 addr_192_168_42_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy policy_in_COMMS-VPN {
                match {
                    source-address [ addr_192_168_50_0_24 addr_192_168_42_0_24 ];
                    destination-address [ addr_192_168_11_0_24 addr_192_168_10_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address addr_192_168_11_0_24 192.168.11.0/24;
                address addr_192_168_10_0_24 192.168.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.1;
                vlan.2;
            }
            application-tracking;
        }
        security-zone untrust {
            address-book {
                address addr_192_168_50_0_24 192.168.50.0/24;
                address addr_192_168_42_0_24 192.168.42.0/24;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                st0.1;
            }
            application-tracking;
        }
    }
}
access {
    profile pppoa-client {
        client "<snip>" pap-password "<snip>"; ## SECRET-DATA
    }
}
vlans {
    COMMS-LAN {
        vlan-id 100;
        interface {
            fe-0/0/1.0;
            fe-0/0/2.0;
            fe-0/0/3.0;
            fe-0/0/0.0;
        }
        l3-interface vlan.2;
    }
    COMMS-VOICE {
        vlan-id 200;
        interface {
            fe-0/0/4.0;
            fe-0/0/5.0;
            fe-0/0/6.0;
            fe-0/0/7.0;
        }
        l3-interface vlan.1;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}


As you can see, the ADSL PVC comes up and is assigned an address:

root@<snip>> show interfaces at-1/0/0.0
  Logical interface at-1/0/0.0 (Index 83) (SNMP ifIndex 536)
    Description: PPPoA
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-VCMUX
    Input packets : 24
    Output packets: 36
    Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
    Keepalive: Input: 3 (00:00:06 ago), Output: 6 (00:00:04 ago)
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Closed
    PAP state: Success
    Security: Zone: Null
    Protocol inet, MTU: 1490
      Flags: Sendbcast-pkt-to-re, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 23.109.28.9, Local: 127.52.17.79 (## altered)
    VCI 0.100
      Flags: Active
      Total down time: 0 sec, Last down: Never
      Input packets : 24
      Output packets: 36

Regards,

Josh Farrelly
Senior Project Engineer

P +64 9 630 4095
M +64 21 919 885
E josh [at] base-2

PO Box 24666, Royal Oak, Auckland 1345.
126 Valley Rd, Mt Eden, Auckland 1024.

www.base-2.co.nz




_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


dale.shaw+j-nsp at gmail

Aug 28, 2012, 4:41 AM

Post #2 of 6 (667 views)
Re: Config help with an SRX110 & ADSL [In reply to]

[Apologies for top post]

There are a few problems with the config (once you get basic comms up
you'll need to look at your IPsec settings) but I suspect the main problem
is that interface at-1/0/0.0 isn't assigned to a security zone (untrust).

Cheers,
Dale

On Aug 28, 2012 8:10 PM, "Josh Farrelly" <josh [at] base-2> wrote:


sfouant at shortestpathfirst

Aug 28, 2012, 6:12 AM

Post #3 of 6 (655 views)
Re: Config help with an SRX110 & ADSL [In reply to]

Also, your DHCP propagate setting is referencing fe-0/0/0.0 whereas it should be referencing vlan.0, vlan.1 and vlan.2. Per the docs, the propagate option applies to the logical interface which will receive TCP/IP settings from the external network for propagation to the DHCP pool running on the device. Currently, fe-0/0/0.0 isn't a routing interface and it isn't part of any assigned zone.

HTHs.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad



sfouant at shortestpathfirst

Aug 28, 2012, 6:18 AM

Post #4 of 6 (665 views)
Re: Config help with an SRX110 & ADSL [In reply to]

Oops, I meant to say that you should replace fe-0/0/0.0 with the at-1/0/0.0 interface under the propagate settings, since at-1/0/0.0 is the one receiving the DHCP parameters from upstream.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

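The two findings raised in this thread (Dale's: the inet interface at-1/0/0.0 belongs to no security zone; Stefan's: propagate-settings must name the upstream interface that actually carries family inet and sits in a zone) can be checked mechanically against a `show configuration` dump. The script below is an added example, not code from the thread or from Juniper; the Junos excerpt it parses is a constructed, condensed version of Josh's posted config, and FIXED_CONFIG is that excerpt with the two suggested corrections applied.

```python
import re

# Constructed, condensed excerpt of the config posted in the thread (not the full config).
SAMPLE_CONFIG = """
system { services { dhcp { propagate-settings fe-0/0/0.0; } } }
interfaces {
    fe-0/0/0 { unit 0 { family ethernet-switching; } }
    at-1/0/0 { unit 0 { family inet { negotiate-address; dhcp; } } }
    st0 { unit 1 { family inet; } }
    vlan { unit 0 { family inet { address 192.168.1.1/24; } } }
}
security { zones { security-zone trust { interfaces { vlan.0; } }
                   security-zone untrust { interfaces { st0.1; } } } }
"""
# The same excerpt with the two corrections suggested in the thread applied.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("propagate-settings fe-0/0/0.0;", "propagate-settings at-1/0/0.0;")
    .replace("interfaces { st0.1; }", "interfaces { st0.1; at-1/0/0.0; }"))

def parse(text):
    """Flatten curly-brace Junos config into (hierarchy path, statement) pairs."""
    stack, stmts = [], []
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        tok = tok.strip()
        if tok == "}":
            stack.pop()
        elif tok.endswith("{"):
            stack.append(tok[:-1].strip())
        else:
            stmts.append((tuple(stack), tok[:-1].strip()))
    return stmts

def inet_interfaces(stmts):
    """Logical interfaces that carry 'family inet', e.g. 'at-1/0/0.0'."""
    return {f"{p[1]}.{p[2].split()[1]}" for p, s in stmts
            if len(p) >= 3 and p[0] == "interfaces"
            and ("family inet" in p or s == "family inet")}

def zone_of(stmts):
    """Map each zone-assigned logical interface to its security zone name."""
    return {s: p[2].split()[1] for p, s in stmts
            if len(p) == 4 and p[:2] == ("security", "zones") and p[3] == "interfaces"}

def audit(text):
    """Inet interfaces in no zone, and propagate-settings targets that are not zoned inet interfaces."""
    stmts = parse(text)
    inet, zones = inet_interfaces(stmts), zone_of(stmts)
    prop = [s.split()[1] for p, s in stmts
            if p == ("system", "services", "dhcp") and s.startswith("propagate-settings")]
    return {"unzoned_inet": sorted(inet - set(zones)),
            "bad_propagate": [i for i in prop if i not in inet or i not in zones]}
```

Running `audit(SAMPLE_CONFIG)` flags at-1/0/0.0 as unzoned and fe-0/0/0.0 as an invalid propagate target; `audit(FIXED_CONFIG)` returns empty lists for both.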


josh at base-2

Aug 28, 2012, 2:06 PM

Post #5 of 6 (647 views)
Re: Config help with an SRX110 & ADSL [In reply to]

Thanks Dale/Stefan, that's fixed it. Much appreciated.

Regards,

Josh Farrelly
Senior Project Engineer



malik.atif.saleem at gmail

Aug 28, 2012, 8:22 PM

Post #6 of 6 (646 views)
Re: Config help with an SRX110 & ADSL [In reply to]

It would be nice to share the configuration stanza after the fix or
doing the correction from Josh.

Atif
