Hi guys, I'm having a few issues getting traffic to pass on an SRX110 I'm setting up for a branch office. It may be something simple, as this is one of the first times setting up a Juniper device.
I have a default route, source NAT on the egress zone and policies configured, but I can't pass traffic through the device, or from the device outbound. I know on my Cisco router using the same connection I am assigned a default gateway by my ISP. I can't find a similar option for Juniper. Could someone eyeball the following and suggest any pointers? Here is my configuration:

root@<snip>> show configuration
## Last commit: 2012-08-29 05:10:21 NZST by root
version 12.1R3.5;
system {
    host-name <snip>;
    domain-name <snip>.co.nz;
    time-zone Pacific/Auckland;
    root-authentication {
        encrypted-password "$1$4tjZP.Jb$YMyhL1OLzSS7/Rrm0ABO20"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface [ vlan.0 vlan.1 vlan.2 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 vlan.1 vlan.2 ];
            }
        }
        dhcp {
            pool 192.168.10.0/24 {
                address-range low 192.168.10.100 high 192.168.10.200;
                domain-name <snip>.co.nz;
                name-server {
                    208.67.222.222;
                    208.67.220.220;
                }
                domain-search {
                    <snip>.co.nz;
                }
                router {
                    192.168.10.1;
                }
            }
            pool 192.168.11.0/24 {
                address-range low 192.168.11.100 high 192.168.11.200;
                domain-name <snip>.co.nz;
                name-server {
                    192.168.11.1;
                }
                domain-search {
                    <snip>.co.nz;
                }
                router {
                    192.168.11.1;
                }
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    at-1/0/0 {
        description "ADSL Interface";
        mtu 1492;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            description PPPoA;
            encapsulation atm-ppp-vc-mux;
            vci 0.100;
            ppp-options {
                pap {
                    access-profile pppoa-client;
                    local-name "<snip>";
                    local-password "<snip>"; ## SECRET-DATA
                    passive;
                }
            }
            family inet {
                negotiate-address;
                dhcp;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1 {
            family inet {
                address 192.168.11.1/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
}
snmp {
    name <snip>;
    location "<snip>";
    contact "<snip>";
}
routing-options {
    static {
        route 192.168.50.0/24 next-hop st0.1;
        route 192.168.42.0/24 next-hop st0.1;
        route 0.0.0.0/0 next-hop at-1/0/0.0;
    }
}
protocols {
    stp {
        disable;
    }
}
security {
    log {
        mode event;
    }
    ike {
        policy ike_pol_COMMS-VPN {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "<snip>"; ## SECRET-DATA
        }
        gateway gw_COMMS-VPN {
            ike-policy ike_pol_COMMS-VPN;
            address <snip>;
            external-interface at-1/0/0.1;
        }
    }
    ipsec {
        proposal COMMS-Secure {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 102400;
        }
        policy ipsec_pol_COMMS-VPN {
            perfect-forward-secrecy {
                keys group5;
            }
            proposal-set standard;
        }
        vpn COMMS-VPN {
            bind-interface st0.1;
            vpn-monitor;
            ike {
                gateway gw_COMMS-VPN;
                ipsec-policy ipsec_pol_COMMS-VPN;
            }
            establish-tunnels immediately;
        }
    }
    application-tracking;
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy_out_COMMS-VPN {
                match {
                    source-address [ addr_192_168_11_0_24 addr_192_168_10_0_24 ];
                    destination-address [ addr_192_168_50_0_24 addr_192_168_42_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy policy_in_COMMS-VPN {
                match {
                    source-address [ addr_192_168_50_0_24 addr_192_168_42_0_24 ];
                    destination-address [ addr_192_168_11_0_24 addr_192_168_10_0_24 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address addr_192_168_11_0_24 192.168.11.0/24;
                address addr_192_168_10_0_24 192.168.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.1;
                vlan.2;
            }
            application-tracking;
        }
        security-zone untrust {
            address-book {
                address addr_192_168_50_0_24 192.168.50.0/24;
                address addr_192_168_42_0_24 192.168.42.0/24;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                st0.1;
            }
            application-tracking;
        }
    }
}
access {
    profile pppoa-client {
        client "<snip>" pap-password "<snip>"; ## SECRET-DATA
    }
}
vlans {
    COMMS-LAN {
        vlan-id 100;
        interface {
            fe-0/0/1.0;
            fe-0/0/2.0;
            fe-0/0/3.0;
            fe-0/0/0.0;
        }
        l3-interface vlan.2;
    }
    COMMS-VOICE {
        vlan-id 200;
        interface {
            fe-0/0/4.0;
            fe-0/0/5.0;
            fe-0/0/6.0;
            fe-0/0/7.0;
        }
        l3-interface vlan.1;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

As you can see, the ADSL PVC comes up and is assigned an address:

root@<snip>> show interfaces at-1/0/0.0
  Logical interface at-1/0/0.0 (Index 83) (SNMP ifIndex 536)
    Description: PPPoA
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: ATM-PPP-VCMUX
    Input packets : 24
    Output packets: 36
    Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
    Keepalive: Input: 3 (00:00:06 ago), Output: 6 (00:00:04 ago)
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Closed
    PAP state: Success
    Security: Zone: Null
    Protocol inet, MTU: 1490
      Flags: Sendbcast-pkt-to-re, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 23.109.28.9, Local: 127.52.17.79 (## altered)
    VCI 0.100
      Flags: Active
      Total down time: 0 sec, Last down: Never
      Input packets : 24
      Output packets: 36

Regards,

Josh Farrelly
Senior Project Engineer
P +64 9 630 4095
M +64 21 919 885
E j...@base-2.co.nz
PO Box 24666, Royal Oak, Auckland 1345.
126 Valley Rd, Mt Eden, Auckland 1024.
www.base-2.co.nz

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
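Added example (editor's illustration, not part of the original post or a reply to it): the posted configuration points the default route at at-1/0/0.0, but the only interface listed under security-zone untrust is st0.1, and the show interfaces output reports that PPPoA unit as "Security: Zone: Null". On an SRX, transit traffic through an interface that belongs to no zone is not evaluated by policies or by the trust-to-untrust source NAT rule-set. The set commands below show how the egress interface is bound to the untrust zone with only the host-inbound service the box needs on its Internet-facing side. Zone names, the screen name and the interface unit are taken from the posted config; the external-interface line is an assumption that the IKE gateway is meant to use the same logical unit that the interfaces stanza defines (unit 0), and should be checked against the intended design.

```junos
## Added example, not the poster's config. Binds the PPPoA logical unit to the
## untrust zone so the default route's egress interface is policy- and
## NAT-evaluated rather than sitting in the Null zone.
set security zones security-zone untrust interfaces at-1/0/0.0

## Least privilege on the Internet-facing interface: the zone already allows
## only IKE as a host-inbound system service, and the untrust-screen IDS
## options are already attached to the zone, so both now cover at-1/0/0.0
## without any further change. Listing IKE per-interface keeps that intent
## explicit even if the zone-level setting is widened later.
set security zones security-zone untrust interfaces at-1/0/0.0 host-inbound-traffic system-services ike

## Assumption: the IKE gateway should name the logical unit that exists under
## [edit interfaces at-1/0/0], which in the posted config is unit 0.
set security ike gateway gw_COMMS-VPN external-interface at-1/0/0.0

## Checks after commit (operational mode):
##   show interfaces at-1/0/0.0 | match Zone   -> expect "Zone: untrust"
##   show security zones                        -> at-1/0/0.0 listed under untrust
##   show security flow session                 -> sessions for LAN hosts egressing via at-1/0/0.0
```

With the interface in a zone, the existing trust-to-untrust policy and the interface source NAT rule apply to LAN traffic leaving the PPPoA link, and the zone's screen profile and restricted host-inbound services now apply to traffic arriving from the ISP side.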