[j-nsp] {Disarmed} Re: Problem to ping a node on internet
Roland Droual
roland.droual at paris.iufm.fr
Mon Jun 11 17:40:02 EDT 2012
Oh! I'm very tired.
You are right. I forgot the source NAT rules for my inside IP addresses (private addresses).
I will configure them tomorrow morning.
But I can't understand why, from a node on the DMZ (193.48.41.194, a public address), I can't ping a node on the internet.
In fact, at first I began by pinging nodes on the internet from the DMZ.
The range 193.48.41.194/29 doesn't need a source NAT rule.
Maybe this range is not routed by my provider. I must verify that ... but I don't think that's the right answer.
I think I forgot something else in the SRX configuration.
Roland DROUAL
----- Original Message -----
From: "Marco Nesler" <satunz at gmail.com>
To: "roland droual" <roland.droual at paris.iufm.fr>
Sent: Monday, June 11, 2012 21:57:04 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: {Disarmed} Re: [j-nsp] Problem to ping a node on internet
Can't see any NAT rule; based on your config it seems you are trying to reach the outside world with a private IP address.
2012/6/11 roland DROUAL < roland.droual at paris.iufm.fr >
Hello the list,
I have a problem pinging a node on the internet.
From the INSIDE network, I can ping a node on the DMZ network.
From the DMZ network, I can ping a node on the INSIDE network.
From the SRX650, I can ping a node on the INSIDE network and a node on the DMZ network.
From the SRX650, I can ping a node on the internet via the OUTSIDE interface.
For example, I can ping 23.45.160.170
(PS: 23.45.160.170 = www.cisco.com :-) I'm a little nostalgic )
But ....
From a node on the INSIDE network, or a node on the DMZ network, I can't ping a node on the internet; I can ping the OUTSIDE interface on the SRX650 (195.221.125.206), but I can't ping the next-hop (195.221.125.205) for the default route.
Can you help me?
Thanks for your help
Roland DROUAL
This is my config:
===================================
toto@AS-SRX650-01# run show configuration
...
    reth0 {
        description "TRUNK vers INTER-SITES et OUTSIDE";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 201 {
            vlan-id 201;
            family inet {
                address 10.1.3.1/29;
            }
        }
        unit 955 {
            vlan-id 955;
            family inet {
                /* OUTSIDE address; next-hop 195.221.125.205 is on this /30 */
                address 195.221.125.206/30;
            }
        }
    }
    reth1 {
        description "vers INSIDE";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 100 {
            vlan-id 100;
            family inet {
                address 10.1.4.2/29;
            }
        }
    }
    reth2 {
        description "802.1Q vers DMZ1";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 10 {
            vlan-id 10;
            family inet {
                /* DMZ uses public addresses, 193.48.41.192/29 */
                address 193.48.41.193/29;
            }
        }
    }
}
routing-options {
    static {
        route 10.96.0.0/11 next-hop 10.1.4.1;
        route 10.192.0.0/11 next-hop 10.1.3.2;
        route 0.0.0.0/0 next-hop 195.221.125.205;
    }
}
security {
    nat {
        source {
            /* only the global option is set; there is no source rule-set, so nothing is translated */
            address-persistent;
        }
    }
    policies {
        /* every zone pair below is an any/any "allow-test" permit, including the two inbound-from-OUTSIDE pairs */
        from-zone OUTSIDE to-zone DMZ {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone OUTSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone INSIDE to-zone DMZ {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone INSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone INSIDE to-zone OUTSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone OUTSIDE to-zone INSIDE {
            policy allow-test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone OUTSIDE {
            host-inbound-traffic {
                /* all system services and protocols accepted on the internet-facing zone */
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.955;
            }
        }
        security-zone INSIDE {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.100;
            }
        }
        security-zone DMZ {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth2.10;
            }
        }
    }
}
{primary:node0}[edit]
toto@AS-SRX650-01#
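As an added illustration of the source NAT rules that Marco points out are missing and that Roland says he will configure (example configuration written for this page, not taken from the thread or from Juniper), here is a rule-set that translates the private INSIDE ranges visible in the config above to the reth0.955 address when they leave toward OUTSIDE. The rule-set and rule names are invented; the DMZ's public /29 is deliberately not matched, so it is forwarded untranslated.

```junos
security {
    nat {
        source {
            address-persistent;
            /* hypothetical name; only INSIDE -> OUTSIDE flows are evaluated by this rule-set */
            rule-set INSIDE-to-OUTSIDE {
                from zone INSIDE;
                to zone OUTSIDE;
                rule snat-inside-private {
                    match {
                        /* the private ranges behind reth1.100: the static-route prefix and the reth1 subnet */
                        source-address [ 10.96.0.0/11 10.1.4.0/29 ];
                    }
                    then {
                        source-nat {
                            /* translate to the egress interface address, 195.221.125.206 on reth0.955 */
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

Verify with `show security nat source rule all` (per-rule translation hits) and `show security flow session destination-prefix 23.45.160.170` to confirm INSIDE sessions now carry the translated source. If the DMZ's 193.48.41.192/29 still cannot reach the internet once the translated INSIDE hosts can, the remaining suspect is the provider's return routing for that public block, which matches Roland's own guess.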