[j-nsp] Config help with an SRX110 & ADSL
Josh Farrelly
josh at base-2.co.nz
Tue Aug 28 05:35:46 EDT 2012
Hi guys
I'm having a few issues getting traffic to pass on an SRX110 I'm setting up for a branch office. It may be something simple as this is one of the first times setting up a Juniper device.
I have a default route, source NAT on the egress zone and policies configured but I can't pass traffic through the device, or from the device outbound.
I know on my Cisco router using the same connection I am assigned a default gateway by my ISP.. I can't find a similar option for Juniper.
Could someone eyeball the following and suggest any pointers?
Here is my configuration:
root@<snip>> show configuration
## Last commit: 2012-08-29 05:10:21 NZST by root
version 12.1R3.5;
system {
host-name <snip>
domain-name <snip>.co.nz;
time-zone Pacific/Auckland;
root-authentication {
encrypted-password "$1$4tjZP.Jb$YMyhL1OLzSS7/Rrm0ABO20"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
xnm-clear-text;
web-management {
http {
interface [ vlan.0 vlan.1 vlan.2 ];
}
https {
system-generated-certificate;
interface [ vlan.0 vlan.1 vlan.2 ];
}
}
dhcp {
pool 192.168.10.0/24 {
address-range low 192.168.10.100 high 192.168.10.200;
domain-name <snip>.co.nz;
name-server {
208.67.222.222;
208.67.220.220;
}
domain-search {
<snip>.co.nz;
}
router {
192.168.10.1;
}
}
pool 192.168.11.0/24 {
address-range low 192.168.11.100 high 192.168.11.200;
domain-name <snip>.co.nz;
name-server {
192.168.11.1;
}
domain-search {
<snip>.co.nz;
}
router {
192.168.11.1;
}
}
propagate-settings fe-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching;
}
}
at-1/0/0 {
description "ADSL Interface";
mtu 1492;
encapsulation atm-pvc;
atm-options {
vpi 0;
}
dsl-options {
operating-mode auto;
}
unit 0 {
description PPPoA;
encapsulation atm-ppp-vc-mux;
vci 0.100;
ppp-options {
pap {
access-profile pppoa-client;
local-name "<snip>";
local-password "<snip>"; ## SECRET-DATA
passive;
}
}
family inet {
negotiate-address;
dhcp;
}
}
}
st0 {
unit 1 {
family inet;
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 1 {
family inet {
address 192.168.11.1/24;
}
}
unit 2 {
family inet {
address 192.168.10.1/24;
}
}
}
}
snmp {
name <snip>;
location "<snip>";
contact "<snip>";
}
routing-options {
static {
route 192.168.50.0/24 next-hop st0.1;
route 192.168.42.0/24 next-hop st0.1;
route 0.0.0.0/0 next-hop at-1/0/0.0;
}
}
protocols {
stp {
disable;
}
}
security {
log {
mode event;
}
ike {
policy ike_pol_COMMS-VPN {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "<snip>"; ## SECRET-DATA
}
gateway gw_COMMS-VPN {
ike-policy ike_pol_COMMS-VPN;
address <snip>;
external-interface at-1/0/0.1;
}
}
ipsec {
proposal COMMS-Secure {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
lifetime-kilobytes 102400;
}
policy ipsec_pol_COMMS-VPN {
perfect-forward-secrecy {
keys group5;
}
proposal-set standard;
}
vpn COMMS-VPN {
bind-interface st0.1;
vpn-monitor;
ike {
gateway gw_COMMS-VPN;
ipsec-policy ipsec_pol_COMMS-VPN;
}
establish-tunnels immediately;
}
}
application-tracking;
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy policy_out_COMMS-VPN {
match {
source-address [ addr_192_168_11_0_24 addr_192_168_10_0_24 ];
destination-address [ addr_192_168_50_0_24 addr_192_168_42_0_24 ];
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy policy_in_COMMS-VPN {
match {
source-address [ addr_192_168_50_0_24 addr_192_168_42_0_24 ];
destination-address [ addr_192_168_11_0_24 addr_192_168_10_0_24 ];
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
address addr_192_168_11_0_24 192.168.11.0/24;
address addr_192_168_10_0_24 192.168.10.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
vlan.1;
vlan.2;
}
application-tracking;
}
security-zone untrust {
address-book {
address addr_192_168_50_0_24 192.168.50.0/24;
address addr_192_168_42_0_24 192.168.42.0/24;
}
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
st0.1;
}
application-tracking;
}
}
}
access {
profile pppoa-client {
client "<snip>" pap-password "<snip>"; ## SECRET-DATA
}
}
vlans {
COMMS-LAN {
vlan-id 100;
interface {
fe-0/0/1.0;
fe-0/0/2.0;
fe-0/0/3.0;
fe-0/0/0.0;
}
l3-interface vlan.2;
}
COMMS-VOICE {
vlan-id 200;
interface {
fe-0/0/4.0;
fe-0/0/5.0;
fe-0/0/6.0;
fe-0/0/7.0;
}
l3-interface vlan.1;
}
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
As you can see, the ADSL PVC comes up and is assigned an address:
root@<snip>> show interfaces at-1/0/0.0
Logical interface at-1/0/0.0 (Index 83) (SNMP ifIndex 536)
Description: PPPoA
Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-VCMUX
Input packets : 24
Output packets: 36
Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
Keepalive: Input: 3 (00:00:06 ago), Output: 6 (00:00:04 ago)
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Closed
PAP state: Success
Security: Zone: Null
Protocol inet, MTU: 1490
Flags: Sendbcast-pkt-to-re, Negotiate-Address
Addresses, Flags: Kernel Is-Preferred Is-Primary
Destination: 23.109.28.9, Local: 127.52.17.79 (## altered)
VCI 0.100
Flags: Active
Total down time: 0 sec, Last down: Never
Input packets : 24
Output packets: 36
Regards,
Josh Farrelly
Senior Project Engineer
P +64 9 630 4095
M +64 21 919 885
E josh at base-2.co.nz
PO Box 24666, Royal Oak, Auckland 1345.
126 Valley Rd, Mt Eden, Auckland 1024.
www.base-2.co.nz
More information about the juniper-nsp
mailing list