[j-nsp] Problem to ping a node on internet
roland DROUAL
roland.droual at paris.iufm.fr
Mon Jun 11 13:55:12 EDT 2012
Hello the List,
I have a problem pinging a node on the internet.
From the INSIDE network, I can ping a node on the DMZ network.
From the DMZ network, I can ping a node on the INSIDE network.
From the SRX650, I can ping a node on the INSIDE network, and a node
on the DMZ network.
From the SRX650, I can ping a node on the internet, via the OUTSIDE
interface.
For example, I can ping 23.45.160.170
(PS: 23.45.160.170 = www.cisco.com :-) I'm a little nostalgic )
But ....
From a node on the INSIDE network, or a node on the DMZ network, I can't ping
a node on the internet; I can ping the OUTSIDE interface on the SRX650
(195.221.125.206), but I can't ping the next-hop (195.221.125.205) for
the default route.
Can you help me?
Thanks for your help
Roland DROUAL
This is my config:
===================================
toto@AS-SRX650-01# run show configuration
...
    reth0 {
        description "TRUNK vers INTER-SITES et OUTSIDE";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 201 {
            vlan-id 201;
            family inet {
                address 10.1.3.1/29;
            }
        }
        unit 955 {
            vlan-id 955;
            family inet {
                address 195.221.125.206/30;
            }
        }
    }
    reth1 {
        description "vers INSIDE";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 100 {
            vlan-id 100;
            family inet {
                address 10.1.4.2/29;
            }
        }
    }
    reth2 {
        description "802.1Q vers DMZ1";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 10 {
            vlan-id 10;
            family inet {
                address 193.48.41.193/29;
            }
        }
    }
}
routing-options {
    static {
        route 10.96.0.0/11 next-hop 10.1.4.1;
        route 10.192.0.0/11 next-hop 10.1.3.2;
        route 0.0.0.0/0 next-hop 195.221.125.205;
    }
}
security {
    nat {
        source {
            address-persistent;
        }
    }
    policies {
        from-zone OUTSIDE to-zone DMZ {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone OUTSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone INSIDE to-zone DMZ {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone INSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone INSIDE to-zone OUTSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone OUTSIDE to-zone INSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone OUTSIDE {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.955;
            }
        }
        security-zone INSIDE {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.100;
            }
        }
        security-zone DMZ {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth2.10;
            }
        }
    }
}
{primary:node0}[edit]
toto@AS-SRX650-01#