Cannot access internet from clients behind Juniper Firewall SRX300

我怕爱的太早我们不能终老 提交于 2019-12-11 17:08:08

问题


I configured my srx300 device but I cannot access internet from clients behind device. I don't know what is incorrect in my config. I'm not experienced in this. Hope for helps!

Here is my config:

version 15.1X49-D45;
system {
    host-name SRX300;
    time-zone GMT+7;
    root-authentication {
        encrypted-password "$5$dHbwv06Q$dmi.4XlI3.GcZh3wdgahFDXS2IS3xtatYP0JHQSVCP2"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
        10.59.3.11;
        10.59.1.3;
        8.8.8.8;
        4.2.2.2;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/1.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 10.1.1.0/24 {
                address-range low 10.1.1.192 high 10.1.1.250;
                name-server {
                    8.8.8.8;
                    4.2.2.2;
                }
                router {
                    10.1.1.1;
                }
            }
        }                               
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }                           
        }
    }
    nat {
        source {
            rule-set NAT_Outside {
                from zone [ DMZ Inside ];
                to zone Outside;
                rule src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool WEBSERVER {
                address 10.2.2.200/32 port 80;
            }
            rule-set WEB_NAT {
                from zone Outside;
                rule Rule_Web_NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 100.100.100.100/32;
                        destination-port {
                            80;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                WEBSERVER;
                            }
                        }
                    }
                }
            }
        }
    }                                   
    policies {
        from-zone Inside to-zone Outside {
            policy Inside_Outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Inside to-zone DMZ {
            policy Web_Inside_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone Outside to-zone DMZ {
            policy Web_Outside_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Admin {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }                           
            interfaces {
                ge-0/0/5.0;
            }
        }
        security-zone Inside {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone DMZ {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Outside {
            interfaces {
                pp0.0;
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                          
        mac aa:bb:cc:dd:ee:ff;
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.2.2.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 20.0.0.1/24;
            }
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                pap {
                    default-password "$9$wXsoGmPQF39DiT369B1dbsYJDf5FCpB1RNd"; ## SECRET-DATA
                    local-name phamhuuthu-pppoe;
                    local-password "$9$JfZi.3nCtpBP59p0Byr4aZGkP6/t1Eyre24"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                client;
            }
            no-keepalives;              
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
}

回答1:


I had similar issue and it got resolved by setting up the DNS in correct way. I can see there is no DNS services configured on your device. You may use any local DNS server you have or google DNS server will do.

An example where ge-0/0/1.0 (Inside) can access internet. You may add another interface on services / dns / dns-proxy to allow further devices on other interfaces. Choose or add all name-servers to forwarders list.

services {
    dns {
        dns-proxy {
            interface {
                ge-0/0/1.0;                    
            }
            default-domain * {
                forwarders {
                    8.8.8.8;
                    8.8.4.4;
                }
            }
        }
    }    
}

Next make sure that devices on the inside zone has set DNS server set (on network configuration) as juniper interface, i.e. ge-0/0/1/0 IP which is 10.1.1.1 in your case.

Hope this helps.



来源:https://stackoverflow.com/questions/56930662/cannot-access-internet-from-clients-behind-juniper-firewall-srx300

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!