[j-nsp] Problem to ping a node on internet

roland DROUAL roland.droual at paris.iufm.fr
Mon Jun 11 13:55:12 EDT 2012


Hello the List,

I have a problem pinging a node on the Internet.
From the INSIDE network, I can ping a node on the DMZ network.
From the DMZ network, I can ping a node on the INSIDE network.
From the SRX650, I can ping a node on the INSIDE network, and a node on the DMZ network.
From the SRX650, I can ping a node on the Internet, via the OUTSIDE interface.
For example, I can ping 23.45.160.170
(PS: 23.45.160.170 = www.cisco.com :-) I'm a little nostalgic)

But ....
From a node on the INSIDE network, or from a node on the DMZ network, I can't ping a node on the Internet; I can ping the OUTSIDE interface on the SRX650 (195.221.125.206), but I can't ping the next-hop (195.221.125.205) for the default route.

Can you help me?
Thanks for your help

Roland DROUAL

This is my config:
===================================
toto@AS-SRX650-01# run show configuration

...

     reth0 {
         description "TRUNK vers INTER-SITES et OUTSIDE";
         vlan-tagging;
         redundant-ether-options {
             redundancy-group 1;
         }
         unit 201 {
             vlan-id 201;
             family inet {
                 address 10.1.3.1/29;
             }
         }
         unit 955 {
             vlan-id 955;
             family inet {
                 address 195.221.125.206/30;
             }
         }
     }
     reth1 {
         description "vers INSIDE";
         vlan-tagging;
         redundant-ether-options {
             redundancy-group 1;
         }
         unit 100 {
             vlan-id 100;
             family inet {
                 address 10.1.4.2/29;
             }
         }
     }
     reth2 {
         description "802.1Q vers DMZ1";
         vlan-tagging;
         redundant-ether-options {
             redundancy-group 1;
         }
         unit 10 {
             vlan-id 10;
             family inet {
                 address 193.48.41.193/29;
             }
         }
     }
}
routing-options {
     static {
         route 10.96.0.0/11 next-hop 10.1.4.1;
         route 10.192.0.0/11 next-hop 10.1.3.2;
         route 0.0.0.0/0 next-hop 195.221.125.205;
     }
}
security {
     nat {
         source {
             address-persistent;
         }
     }
     policies {
         from-zone OUTSIDE to-zone DMZ {
             policy allow-test {
                 match {
                     source-address any;
                     destination-address any;
                     application any;
                 }
                 then {
                     permit;
                 }
             }
         }
         from-zone DMZ to-zone OUTSIDE {
             policy allow-test {
                 match {
                     source-address any;
                     destination-address any;
                     application any;
                 }
                 then {
                     permit;
                 }
             }
         }
         from-zone INSIDE to-zone DMZ {
             policy allow-test {
                 match {
                     source-address any;
                     destination-address any;
                     application any;
                 }
                 then {
                     permit;
                 }
             }
         }
         from-zone DMZ to-zone INSIDE {
             policy allow-test {
                 match {
                     source-address any;
                     destination-address any;
                     application any;
                 }
                 then {
                     permit;
                 }
             }
         }
         from-zone INSIDE to-zone OUTSIDE {
             policy allow-test {
                 match {
                     source-address any;
                     destination-address any;
                     application any;
                 }
                 then {
                     permit;
                 }
             }
         }
         from-zone OUTSIDE to-zone INSIDE {
             policy allow-test {
                 match {
                     source-address any;
                     destination-address any;
                     application any;
                 }
                 then {
                     permit;
                 }
             }
         }
     }
     zones {
         security-zone OUTSIDE {
             host-inbound-traffic {
                 system-services {
                     all;
                 }
                 protocols {
                     all;
                 }
             }
             interfaces {
                 reth0.955;
             }
         }
         security-zone INSIDE {
             host-inbound-traffic {
                 system-services {
                     all;
                 }
                 protocols {
                     all;
                 }
             }
             interfaces {
                 reth1.100;
             }
         }
         security-zone DMZ {
             host-inbound-traffic {
                 system-services {
                     all;
                 }
                 protocols {
                     all;
                 }
             }
             interfaces {
                 reth2.10;
             }
         }
     }
}

{primary:node0}[edit]
toto@AS-SRX650-01#




