[j-nsp] Problem to ping a node on internet
Atif Saleem
malik.atif.saleem at gmail.com
Tue Jun 12 22:06:16 EDT 2012
Just wondering, you don't have any "host-outbound-traffic" on any of
the zones (maybe needed on OUTSIDE). Experts can confirm what exactly
is needed.
Best,
Atif Saleem
On Mon, Jun 11, 2012 at 10:55 PM, roland DROUAL
<roland.droual at paris.iufm.fr> wrote:
> Hello the List,
>
> I have a problem pinging a node on the internet.
> From the INSIDE network, I can ping a node on the DMZ network.
> From the DMZ network, I can ping a node on the INSIDE network.
> From the SRX650, I can ping a node on the INSIDE network, and a node on
> the DMZ network.
> From the SRX650, I can ping a node on the internet, via the OUTSIDE interface.
> For example, I can ping 23.45.160.170
> (PS: 23.45.160.170 = www.cisco.com :-) I'm a little nostalgic )
>
> But ....
> From a node on the INSIDE network, or a node on the DMZ network, I can't ping a
> node on the internet; I can ping the OUTSIDE interface on the SRX650
> (195.221.125.206), but I can't ping the next-hop (195.221.125.205) of the
> default route.
>
> Can you help me?
> Thanks for your help.
>
> Roland DROUAL
>
> This is my config:
> ===================================
> toto at AS-SRX650-01# run show configuration
>
> ...
>
>     reth0 {
>         description "TRUNK vers INTER-SITES et OUTSIDE";
>         vlan-tagging;
>         redundant-ether-options {
>             redundancy-group 1;
>         }
>         unit 201 {
>             vlan-id 201;
>             family inet {
>                 address 10.1.3.1/29;
>             }
>         }
>         unit 955 {
>             vlan-id 955;
>             family inet {
>                 address 195.221.125.206/30;
>             }
>         }
>     }
>     reth1 {
>         description "vers INSIDE";
>         vlan-tagging;
>         redundant-ether-options {
>             redundancy-group 1;
>         }
>         unit 100 {
>             vlan-id 100;
>             family inet {
>                 address 10.1.4.2/29;
>             }
>         }
>     }
>     reth2 {
>         description "802.1Q vers DMZ1";
>         vlan-tagging;
>         redundant-ether-options {
>             redundancy-group 1;
>         }
>         unit 10 {
>             vlan-id 10;
>             family inet {
>                 address 193.48.41.193/29;
>             }
>         }
>     }
> }
> routing-options {
>     static {
>         route 10.96.0.0/11 next-hop 10.1.4.1;
>         route 10.192.0.0/11 next-hop 10.1.3.2;
>         route 0.0.0.0/0 next-hop 195.221.125.205;
>     }
> }
> security {
>     nat {
>         source {
>             address-persistent;
>         }
>     }
>     policies {
>         from-zone OUTSIDE to-zone DMZ {
>             policy allow-test {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone DMZ to-zone OUTSIDE {
>             policy allow-test {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone INSIDE to-zone DMZ {
>             policy allow-test {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone DMZ to-zone INSIDE {
>             policy allow-test {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone INSIDE to-zone OUTSIDE {
>             policy allow-test {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone OUTSIDE to-zone INSIDE {
>             policy allow-test {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>     }
>     zones {
>         security-zone OUTSIDE {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 reth0.955;
>             }
>         }
>         security-zone INSIDE {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 reth1.100;
>             }
>         }
>         security-zone DMZ {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 reth2.10;
>             }
>         }
>     }
> }
>
> {primary:node0}[edit]
> toto at AS-SRX650-01#
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Atif
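An added example, not part of the thread and not from either poster: a small Python checker that parses the Junos configuration quoted above and reports zones whose interfaces carry private (RFC 1918) addresses but have no `security nat source rule-set` toward the zone that holds the default route's egress interface. The embedded copy of the configuration is condensed from the post (descriptions, `redundant-ether-options`, `host-inbound-traffic` and the security policies are left out because the check does not use them), and the enclosing `interfaces {` line, which the quote elides with `...`, is assumed. The "fixed" variant with a rule-set named `inside-to-outside` is constructed here to show what the checker accepts; it is not something the thread proposes. The check only looks at private source ranges, so the DMZ's public 193.48.41.0/29 is deliberately not flagged by it.

```python
import ipaddress
import re

# Condensed copy of the configuration quoted in the thread. The enclosing
# "interfaces {" is assumed (the quoted output starts after "...").
POSTED_CONFIG = """
interfaces {
    reth0 {
        vlan-tagging;
        unit 201 { vlan-id 201; family inet { address 10.1.3.1/29; } }
        unit 955 { vlan-id 955; family inet { address 195.221.125.206/30; } }
    }
    reth1 { vlan-tagging; unit 100 { vlan-id 100; family inet { address 10.1.4.2/29; } } }
    reth2 { vlan-tagging; unit 10 { vlan-id 10; family inet { address 193.48.41.193/29; } } }
}
routing-options {
    static {
        route 10.96.0.0/11 next-hop 10.1.4.1;
        route 10.192.0.0/11 next-hop 10.1.3.2;
        route 0.0.0.0/0 next-hop 195.221.125.205;
    }
}
security {
    nat { source { address-persistent; } }
    zones {
        security-zone OUTSIDE { interfaces { reth0.955; } }
        security-zone INSIDE { interfaces { reth1.100; } }
        security-zone DMZ { interfaces { reth2.10; } }
    }
}
"""

# Constructed variant (not from the thread): same config plus a hypothetical
# interface source-NAT rule-set from INSIDE to OUTSIDE.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "nat { source { address-persistent; } }",
    """nat { source { address-persistent;
        rule-set inside-to-outside {
            from zone INSIDE; to zone OUTSIDE;
            rule r1 { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } }
        } } }""")

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse_junos(text):
    """Parse curly-brace Junos output into nested (words, children) nodes;
    children is None for a terminal ';' statement and a list for a '{ }' block."""
    tokens, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos
        nodes, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]; pos += 1
            if tok == ";":
                nodes.append((tuple(words), None)); words = []
            elif tok == "{":
                nodes.append((tuple(words), block())); words = []
            elif tok == "}":
                return nodes
            else:
                words.append(tok)
        return nodes
    return block()

def find(nodes, *path):
    """Descend through blocks whose leading words match each path step, e.g.
    find(cfg, "security", "zones"); returns [] when a step is missing."""
    for step in path:
        want = (step,) if isinstance(step, str) else tuple(step)
        nxt = next((ch if ch is not None else [] for w, ch in nodes
                    if w[:len(want)] == want), None)
        if nxt is None:
            return []
        nodes = nxt
    return nodes

def interface_addresses(cfg):
    """Map logical interface name (reth1.100) to its IPv4 interface addresses."""
    out = {}
    for ifd_words, units in find(cfg, "interfaces"):
        for uwords, ubody in (units or []):
            if uwords[:1] == ("unit",) and ubody is not None:
                out[f"{ifd_words[0]}.{uwords[1]}"] = [
                    ipaddress.ip_interface(w[1])
                    for w, _ in find(ubody, ("family", "inet")) if w[:1] == ("address",)]
    return out

def zone_interfaces(cfg):
    """Map security zone name to the logical interfaces bound to it."""
    return {zw[1]: [w[0] for w, _ in find(zb, "interfaces")]
            for zw, zb in find(cfg, "security", "zones")
            if zw[:1] == ("security-zone",) and zb is not None}

def source_nat_pairs(cfg):
    """Set of (from_zone, to_zone) covered by source NAT rule-sets."""
    pairs = set()
    for rw, rb in find(cfg, "security", "nat", "source"):
        if rw[:1] == ("rule-set",) and rb is not None:
            frm = [w[2] for w, _ in rb if w[:2] == ("from", "zone")]
            to = [w[2] for w, _ in rb if w[:2] == ("to", "zone")]
            pairs.update((f, t) for f in frm for t in to)
    return pairs

def default_route_zone(cfg, addrs, zones):
    """Zone of the interface whose subnet contains the 0.0.0.0/0 next-hop."""
    for w, _ in find(cfg, "routing-options", "static"):
        if w[:2] == ("route", "0.0.0.0/0") and "next-hop" in w:
            nh = ipaddress.ip_address(w[w.index("next-hop") + 1])
            for ifl, alist in addrs.items():
                if any(nh in a.network for a in alist):
                    return next((z for z, ifls in zones.items() if ifl in ifls), None)
    return None

def audit_source_nat(text):
    """Sorted (zone, interface, address) triples: private addresses in a zone
    with no source NAT rule-set toward the default-route egress zone."""
    cfg = parse_junos(text)
    addrs, zones = interface_addresses(cfg), zone_interfaces(cfg)
    egress, nat = default_route_zone(cfg, addrs, zones), source_nat_pairs(cfg)
    return sorted((z, ifl, str(a)) for z, ifls in zones.items()
                  if z != egress and (z, egress) not in nat
                  for ifl in ifls for a in addrs.get(ifl, []) if a.ip.is_private)

if __name__ == "__main__":
    print("posted:", audit_source_nat(POSTED_CONFIG))
    print("fixed: ", audit_source_nat(FIXED_CONFIG))
```

Run against the posted configuration the checker reports `INSIDE` on `reth1.100` (10.1.4.2/29): a private source range whose zone has no source NAT rule-set toward `OUTSIDE`, the zone that owns the default route's next-hop. Against the constructed variant it reports nothing. The parser is intentionally minimal (no `inactive:` or annotation handling) and is meant for offline review of pasted `show configuration` output, not as a replacement for `show security nat source rule-set` on the box.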