Question
I configured my SRX300, but clients behind the device cannot reach the Internet. I don't know what is wrong in my config — I'm not experienced with this. Hoping for some help!
Here is my config:
/* 15.1X49-D45 is a roughly 2016-era release; many Juniper security advisories (JSAs)
   have been published for this train since. Plan an upgrade to a currently supported
   release once the connectivity problem is sorted out. */
version 15.1X49-D45;
system {
    host-name SRX300;
    /* NOTE(review): if Junos follows the POSIX "Etc/GMT" sign convention for this
       form, GMT+7 means UTC-7 rather than UTC+7. Check `show system uptime` and
       prefer a named zone (e.g. Asia/Ho_Chi_Minh) if +7 is what you mean. */
    time-zone GMT+7;
    root-authentication {
        /* $5$ is a salted SHA-256 crypt hash. It is now public, so it can be cracked
           offline at leisure: change the root password. */
        encrypted-password "$5$dHbwv06Q$dmi.4XlI3.GcZh3wdgahFDXS2IS3xtatYP0JHQSVCP2"; ## SECRET-DATA
    }
    /* Resolvers used by the SRX itself (DHCP clients get a separate list below).
       10.59.3.11 and 10.59.1.3 are on no subnet configured on this box (10.1.1.0/24,
       10.2.2.0/24, 20.0.0.0/24); with only a default route via pp0.0 they are
       presumably unreachable from here — drop them or add a route. */
    name-server {
        208.67.222.222;
        208.67.220.220;
        10.59.3.11;
        10.59.1.3;
        8.8.8.8;
        4.2.2.2;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        /* Telnet carries logins in cleartext, and it is also opened towards the
           Inside and DMZ zones under security zones. Remove it and use ssh only. */
        telnet;
        web-management {
            /* Plain-HTTP J-Web sends credentials and session cookies in cleartext;
               keep https only. */
            http {
                interface ge-0/0/1.0;
            }
            https {
                /* Self-signed: browsers cannot verify it, so users learn to click
                   through warnings. Acceptable on an isolated management LAN only. */
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                /* presumably minutes — verify against the platform docs */
                idle-timeout 60;
            }
        }
        dhcp {
            pool 10.1.1.0/24 {
                address-range low 10.1.1.192 high 10.1.1.250;
                /* Clients are told to resolve via public resolvers directly, so DNS
                   never touches the SRX; this only works if the Inside->Outside
                   policy passes UDP/TCP 53 (it currently permits "any"). */
                name-server {
                    8.8.8.8;
                    4.2.2.2;
                }
                router {
                    10.1.1.1;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Only critical-and-above from "any" reaches the messages file; anything
           logged below that is discarded locally. If you want firewall/session
           visibility, add a dedicated file for it or send logs to a syslog host. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* The NTP Pool hostname is us.pool.ntp.org; "us.ntp.pool.org" looks
           transposed and likely does not resolve, leaving the clock unsynchronised
           (log timestamps, certificate validity). Check `show ntp associations`. */
        server us.ntp.pool.org;
    }
}
security {
    /* This screen profile is defined but never applied: no zone below carries
       "screen untrust-screen". Attach it to the Outside zone for it to do anything. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Hide both inner zones behind the pp0.0 address. There is no
               DMZ->Outside policy below, so DMZ hosts still cannot reach the
               Internet; in practice only Inside traffic uses this rule. */
            rule-set NAT_Outside {
                from zone [ DMZ Inside ];
                to zone Outside;
                rule src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Only TCP/80 is translated; nothing maps 443 to the web server. */
            pool WEBSERVER {
                address 10.2.2.200/32 port 80;
            }
            rule-set WEB_NAT {
                from zone Outside;
                rule Rule_Web_NAT {
                    match {
                        source-address 0.0.0.0/0;
                        /* pp0.0 uses negotiate-address, so the public address is
                           whatever the ISP hands out; this rule matches only while
                           that happens to be 100.100.100.100 — presumably a
                           placeholder. */
                        destination-address 100.100.100.100/32;
                        destination-port {
                            80;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                WEBSERVER;
                            }
                        }
                    }
                }
            }
        }
    }
    /* Only three directions are permitted. Outside->Inside and DMZ->Inside have
       no policy and fall to the default deny — keep it that way. */
    policies {
        /* Anything from Inside may go anywhere, and no session logging is
           configured; add "log { session-close; }" if you need visibility. */
        from-zone Inside to-zone Outside {
            policy Inside_Outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Inside to-zone DMZ {
            policy Web_Inside_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
        /* Internet-facing rule. Policy lookup uses the post-destination-NAT
           address, so destination-address can (and should) be narrowed to
           10.2.2.200 instead of any. junos-https is listed, but no NAT maps 443,
           so only port 80 is actually reachable from outside. */
        from-zone Outside to-zone DMZ {
            policy Web_Outside_DMZ {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* "all" opens every management service (telnet, http, finger, ...) on
           ge-0/0/5.0. No policy references this zone, so hosts on 20.0.0.0/24 can
           only talk to the firewall itself; list just the services you need. */
        security-zone Admin {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
        security-zone Inside {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            /* required: the SRX is the DHCP server for 10.1.1.0/24 */
                            dhcp;
                            /* cleartext management from the LAN — drop http and
                               telnet, keep https and ssh */
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        /* 10.2.2.200 is exposed to the Internet via destination NAT. Letting the
           DMZ reach the firewall's management plane (ssh/telnet/http/https) gives a
           compromised web server a path to the SRX itself; reduce this to ping (or
           nothing) and manage the box from Inside/Admin only. */
        security-zone DMZ {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        /* No host-inbound-traffic: nothing on the firewall is reachable from the
           Internet, which is correct. PPPoE/PPP negotiation is presumably not a
           host-inbound system-service and works without an entry here. */
        security-zone Outside {
            interfaces {
                pp0.0;
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        /* presumably a redacted MAC override for the ISP link (some ISPs bind the
           session to a registered MAC); harmless otherwise */
        mac aa:bb:cc:dd:ee:ff;
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.2.2.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                /* 20.0.0.0/8 is publicly routed address space that belongs to
                   someone else; using it internally makes those real hosts
                   unreachable via the default route. Use RFC 1918 space for the
                   admin network. */
                address 20.0.0.1/24;
            }
        }
    }
    pp0 {
        /* Full PPP/PPPoE debug tracing. Useful while chasing this problem, but it
           writes continuously to flash; remove it once the link is up. */
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                pap {
                    /* "$9$" is Junos' reversible obfuscation, NOT a hash: anyone who
                       reads this page can recover the plaintext PPPoE password (and
                       the account name is in local-name). Change the ISP
                       credentials. */
                    default-password "$9$wXsoGmPQF39DiT369B1dbsYJDf5FCpB1RNd"; ## SECRET-DATA
                    local-name phamhuuthu-pppoe;
                    local-password "$9$JfZi.3nCtpBP59p0Byr4aZGkP6/t1Eyre24"; ## SECRET-DATA
                    /* waits for the peer to start PAP — confirm this is what the ISP
                       expects; if the session never authenticates, try without it */
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                client;
            }
            /* Disables LCP echo keepalives: a dead session is not noticed and torn
               down by this side. Presumably set while debugging. */
            no-keepalives;
            family inet {
                /* 1500 minus 8 bytes of PPPoE/PPP overhead. With no "security flow
                   tcp-mss" setting, clients that ignore PMTU get TCP connections that
                   open but hang on large replies — the classic PPPoE symptom.
                   Consider "set security flow tcp-mss all-tcp mss 1452". */
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        /* Everything non-local goes out the PPPoE session. Only useful while pp0.0
           is up; check "show interfaces pp0.0 terse" and "show route 0.0.0.0". */
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
Answer 1:
I had a similar issue and it was resolved by setting up DNS correctly. Your device has no DNS proxy configured (`system services dns dns-proxy`); the `name-server` entries only serve the SRX itself, and your DHCP pool hands clients 8.8.8.8 and 4.2.2.2 directly. You may point the proxy at any local DNS server you have, or Google's public resolvers will do. Before changing anything, check from a client whether `ping 8.8.8.8` works: if it does, the problem is DNS; if it does not, the problem is routing/NAT/PPPoE and DNS changes will not help.
Here is an example where ge-0/0/1.0 (Inside) can use the proxy. To serve clients on other interfaces, add those interfaces under `services dns dns-proxy interface`. Put all the name-servers you want to use in the `forwarders` list.
services {
    dns {
        /* Makes the SRX answer DNS on 10.1.1.1 and forward to Google. Two things not
           shown here are also needed: the Inside zone's host-inbound-traffic
           system-services list (ping/dhcp/http/https/ssh/telnet in the question)
           must gain "dns", otherwise queries to 10.1.1.1 are dropped before they
           reach the proxy; and the dhcp pool name-server should hand out 10.1.1.1
           instead of 8.8.8.8/4.2.2.2, otherwise clients never use the proxy. */
        dns-proxy {
            interface {
                ge-0/0/1.0;
            }
            default-domain * {
                forwarders {
                    8.8.8.8;
                    8.8.4.4;
                }
            }
        }
    }
}
Next, make sure the devices in the Inside zone use the SRX's interface address as their DNS server — ge-0/0/1.0, i.e. 10.1.1.1 in your case. Since your DHCP pool currently hands out 8.8.8.8 and 4.2.2.2, change its `name-server` to 10.1.1.1, and add `dns` to the `host-inbound-traffic system-services` list of ge-0/0/1.0 in the Inside zone; otherwise the firewall drops the queries before the proxy sees them.
Hope this helps.
来源:https://stackoverflow.com/questions/56930662/cannot-access-internet-from-clients-behind-juniper-firewall-srx300