NAT configuration is not working on SRX210



  • Hi everybody

    I am trying to configure a Juniper SRX 210 firewall and I’m stuck on one problem: I can’t access the internet from the LAN network on interface vlan.11. I think I’m missing something. I can ping everything from the SRX itself, but nothing when I ping from the LAN interface vlan.11 using the command:
    ping 8.8.8.8 interface vlan.11

    I think my NAT configuration is not working.
    Thanks in advance

    My configuration:

    Last changed: 2016-06-06 03:21:06 UTC

    # Junos release string emitted at the top of the saved configuration.
    version 12.1X46-D45.4;
    # System-level settings: identity, local accounts, management services,
    # the built-in DHCP server pools, logging, licence update and NTP.
    system {
    host-name FW_SRX_210;
    time-zone America/LaPaz;
    root-authentication {
    # Hash masked by the poster; the opening and closing quote characters
    # differ, so this line is paste damage and would not load as shown.
    encrypted-password “***"; ## SECRET-DATA
    }
    # Resolvers used by the firewall itself (the DHCP pools below hand out
    # different, internal 10.10.0.x resolvers to clients).
    name-server {
    208.67.222.222;
    208.67.220.220;
    }
    login {
    # Single named account with full super-user rights.
    user adminsw {
    uid 2000;
    class super-user;
    authentication {
    # Hash removed by the poster; the statement is split over two lines
    # with mismatched quotes, so it is not loadable as pasted.
    encrypted-password "
    ”; ## SECRET-DATA
    }
    }
    }
    # Management-plane listeners. Which interfaces can reach them is decided
    # by host-inbound-traffic in the security zones, and every zone in this
    # configuration allows "system-services all".
    services {
    ssh;
    # NOTE(review): xnm-clear-text is the Junos XML management service over
    # an unencrypted session, so logins and configuration data cross the
    # network in clear text. Remove it unless a tool depends on it; xnm-ssl
    # or NETCONF over SSH are the encrypted alternatives.
    xnm-clear-text;
    # J-Web over HTTPS with the device's self-generated certificate. No
    # interface restriction is set under https here.
    web-management {
    https {
    system-generated-certificate;
    }
    }
    # Local DHCP server. Pool 192.168.7.0/24 serves the vlan.10 subnet and
    # pool 192.168.8.0/24 serves the vlan.11 subnet (gateways match the
    # vlan unit addresses in the interfaces stanza).
    dhcp {
    pool 192.168.7.0/24 {
    address-range low 192.168.7.61 high 192.168.7.150;
    domain-name ende.bo;
    name-server {
    10.10.0.17;
    10.10.0.32;
    10.10.0.10;
    }
    wins-server {
    10.10.0.17;
    10.10.0.32;
    }
    router {
    192.168.7.1;
    }
    # Only this pool advertises a next-server (boot/TFTP server) address.
    next-server 10.170.10.2;
    }
    # Pool for the LAN the post is about (vlan.11). Clients are given the
    # internal 10.10.0.x resolvers; presumably those are reached through the
    # VPN/OSPF side, so name resolution from this LAN depends on that path
    # as well as on NAT - confirm.
    pool 192.168.8.0/24 {
    address-range low 192.168.8.60 high 192.168.8.80;
    domain-name ende.bo;
    name-server {
    10.10.0.17;
    10.10.0.32;
    10.10.0.10;
    }
    wins-server {
    10.10.0.17;
    10.10.0.32;
    }
    router {
    192.168.8.1;
    }
    }

    }
    }
    # Logging is local only: no remote "host" target is configured, so logs
    # live on the device's own storage in small rotated files (100k x 3).
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    # NOTE(review): severity "error" presumably misses routine command audit
    # records, which Junos logs at a lower severity - confirm, and consider
    # "interactive-commands any" if a command audit trail is wanted.
    file interactive-commands {
    interactive-commands error;
    }
    }
    # Keep at most five stored configurations / rollback points.
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    # Single NTP source; no NTP authentication key is configured here.
    ntp {
    server 176.58.109.199;
    }
    }
    # Physical ports, the two secure-tunnel units and the routed VLAN
    # interfaces (vlan.N) that act as gateways for each LAN.
    interfaces {
    # DHCP client port. ge-0/0/0.0 is not listed in any security zone in
    # the zones stanza of this configuration.
    ge-0/0/0 {
    unit 0 {
    family inet {
    dhcp;
    }
    }
    }
    # 802.1Q trunk. It is the only port carrying VLAN_RED_PLANTA_SOLAR
    # (vlan-id 11, the LAN in question); no access port is assigned to it.
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    port-mode trunk;
    vlan {
    members [ VLAN_RED_LAN_DATOS_ default VLAN_ADM_ANT VLAN_TELEFONOS_CISCO VLAN_RED_PLANTA_SOLAR ];
    }
    }
    }
    }
    # Access port for the IP-phone VLAN (name spelled VAN_... in vlans too).
    fe-0/0/2 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members VAN_TELEFONOS_IP_;
    }
    }
    }
    }
    # Access port for the data LAN (vlan-id 10).
    fe-0/0/3 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members VLAN_RED_LAN_DATOS_;
    }
    }
    }
    }
    # Switching port with no explicit VLAN membership.
    fe-0/0/4 {
    unit 0 {
    family ethernet-switching;
    }
    }
    # Routed /29 link; address masked by the poster.
    fe-0/0/5 {
    unit 0 {
    family inet {
    address 10.xxx.xxx.10/29;
    }
    }
    }
    # Internet-facing routed port (public /29, masked). The next line looks
    # like a /* ... */ annotation whose asterisks were lost in the paste.
    fe-0/0/6 {
    unit 0 {
    /internet CONECCTION/
    family inet {
    address 181.xxx.xxx.18/29;
    }
    }
    }
    # Routed /29 link used as the IKE external interface (see security ike).
    fe-0/0/7 {
    unit 0 {

    family inet {
    address 10.xxx.xxx.114/29;
    }
    }
    }
    # Secure-tunnel interfaces. Only st0.1 is bound to a VPN in the ipsec
    # stanza shown; st0.2 has an address and OSPF but no visible VPN binding.
    st0 {
    unit 1 {
    family inet {
    mtu 1500;
    address 10.172.4.24/24;
    }
    family inet6;
    }
    unit 2 {
    family inet {
    mtu 1500;
    address 10.172.9.7/24;
    }
    family inet6;
    }
    }
    # Routed VLAN interfaces; each unit is tied to a VLAN through the
    # l3-interface statements in the vlans stanza.
    vlan {
    unit 1 {
    family inet {
    address 10.150.7.1/24;
    }
    }
    unit 3 {
    family inet {
    address 10.150.17.1/24;
    }
    }
    unit 10 {
    family inet {
    address 192.168.7.1/24;
    }
    }
    # Gateway of the LAN the post is about (zone trust, DHCP pool 192.168.8.0/24).
    unit 11 {
    family inet {
    address 192.168.8.1/24;
    }
    }
    unit 20 {
    family inet {
    address 10.110.7.1/24;
    }
    }
    unit 140 {
    family inet {
    address 192.168.207.1/24;
    }
    }
    unit 150 {
    family inet {
    address 10.50.7.1/24;
    }
    }
    unit 490 {
    family inet {
    address 10.249.7.1/24;
    }
    }
    }
    }
    # Static routing. The two /29 routes were masked to identical text by the
    # poster, so their real prefixes cannot be told apart here.
    routing-options {
    static {
    route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.113;
    route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.9;
    # Default route; the next hop is presumably on the fe-0/0/6 public /29
    # (181.xxx.xxx.18/29) - confirm, since NAT to untrust depends on it.
    route 0.0.0.0/0 next-hop 181.xxx.xxx.17;
    }
    }
    # OSPF area 0 on every routed VLAN interface and on both tunnel units,
    # plus spanning tree on the switching ports.
    protocols {
    ospf {
    area 0.0.0.0 {
    network-summary-export export-ospf;
    network-summary-import import-ospf;
    # NOTE(review): the vlan.N interfaces face user, phone, camera and
    # biometric LANs and run OSPF with no "passive" and no authentication
    # configured, so a host on those segments could try to form an
    # adjacency. Mark LAN-facing interfaces passive and add OSPF
    # authentication where a neighbour is really expected.
    interface vlan.1;
    interface vlan.10;
    interface vlan.20;
    interface vlan.150;
    interface vlan.140;
    # Tunnel interfaces run as point-to-point links; st0.1 is preferred
    # (metric 10) over st0.2 (metric 20).
    interface st0.1 {
    interface-type p2p;
    metric 10;
    }
    interface st0.2 {
    interface-type p2p;
    metric 20;
    }
    interface vlan.3;
    interface vlan.490;
    interface vlan.11;
    }
    }
    stp;
    }
    # Routing policies referenced by the OSPF area's network-summary
    # export/import statements.
    policy-options {
    # Accepts every directly connected route.
    policy-statement export-ospf {
    term export-ospf {
    from protocol direct;
    then accept;
    }
    }
    # Accepts every OSPF-learned route without filtering by prefix.
    policy-statement import-ospf {
    term import-ospf {
    from protocol ospf;
    then accept;
    }
    }
    }
    # Flow-security configuration: IKE/IPsec VPN, ALG, screens, source NAT,
    # inter-zone policies and the zone-to-interface mapping.
    security {
    ike {
    # NOTE(review): 3DES, SHA-1 and DH group2 are legacy choices. If the
    # peer supports them, move to AES, SHA-256 and group14 or higher.
    proposal phase1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
    }
    policy ike-policy {
    mode main;
    proposals phase1;
    # Key masked by the poster.
    pre-shared-key ascii-text "*********";
    }
    # Peer address was masked and the statement broke across three lines in
    # the paste; it is not loadable as shown.
    gateway ike-gw {
    ike-policy ike-policy;
    address 10.
    .
    .3;
    external-interface fe-0/0/7.0;
    }

    }
    ipsec {
    # Same legacy suite as phase 1 (3DES with HMAC-SHA1-96).
    proposal phase2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
    }
    policy ipsec-policy {
    perfect-forward-secrecy {
    keys group2;
    }
    proposals phase2;
    }
    # Route-based VPN on st0.1, brought up at commit time and monitored.
    # The VPN name ends in a hyphen; presumably the rest was masked.
    vpn ipsec- {
    bind-interface st0.1;
    vpn-monitor {
    optimized;
    }
    ike {
    gateway ike-gw;
    ipsec-policy ipsec-policy;
    }
    establish-tunnels immediately;
    }
    }
    alg {
    sip disable;
    }
    # Screen profile applied to zone untrust only (see "screen untrust-screen").
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    # Source NAT: traffic that enters through zone trust (only vlan.11 is in
    # that zone) and leaves through an untrust interface is translated to
    # the egress interface address.
    # NOTE(review): this rule is keyed on the ingress zone, so a ping issued
    # on the firewall itself ("ping 8.8.8.8 interface vlan.11") presumably
    # never matches it: self-generated traffic does not arrive from zone
    # trust, and the interface option selects the sending interface. Test
    # from a host on 192.168.8.0/24 and check "show security flow session"
    # and "show security nat source rule all" - confirm.
    nat {
    source {
    rule-set planta-solar-to-untrust {
    from zone trust;
    to zone untrust;
    rule red-planta-solar {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    # The only inter-zone policy: trust to untrust, any/any/any permitted.
    # No policy exists for the other zones, so their transit traffic falls
    # to the default policy. No "then log" is set, so permitted sessions
    # are not logged.
    policies {
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    # Zone membership. Every zone and almost every interface allows
    # "system-services all" and "protocols all" towards the firewall itself.
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.11 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # NOTE(review): untrust contains the Internet-facing port fe-0/0/6.0 and
    # allows all system services and protocols inbound. With ssh,
    # xnm-clear-text and J-Web enabled under system services, those
    # listeners are reachable from the Internet side. Restrict this zone to
    # what is needed (for example ike and ping) and manage the device from
    # an internal zone only.
    security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    fe-0/0/7.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    fe-0/0/5.0;
    fe-0/0/6.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # Administration LANs (vlan.1 and vlan.3).
    security-zone ZONA_ADM {
    address-book {
    address RED_LAN_ADM_ 10.150.7.0/24;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.1 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    vlan.3;
    }
    }
    # IP-phone LAN (vlan.20).
    security-zone ZONA_TELF_IP_ {
    address-book {
    address RED_TELF_IP_ 10.110.7.0/24;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.20 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # IP-camera LAN (vlan.150).
    security-zone ZONA_RED_CAM_ {
    address-book {
    address RED_LAN_CAMARAS_IP 10.50.7.0/24;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.150 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # Data LAN (vlan.10).
    security-zone ZONA_RED_DATOS_ {
    address-book {
    address RED_LAN_ 192.168.7.0/24;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.10 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # Biometric-device LAN (vlan.140).
    security-zone ZONA_BIOMETRICOS_ {
    address-book {
    address RED_BIOMETRICOS_ 192.168.207.0/24;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.140 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # Tunnel interfaces. st0.2 overrides the zone default with protocols
    # only, so no system services are accepted on it.
    security-zone VPN_OSFP {

    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    st0.1 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    st0.2 {
    host-inbound-traffic {
    protocols {
    all;
    }
    }
    }
    }
    }
    # Cisco phone LAN (vlan.490).
    security-zone ZONA_TELF_IP_CISCO {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.490 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # This zone has no interfaces: vlan.11, the l3-interface of
    # VLAN_RED_PLANTA_SOLAR, is placed in zone trust instead.
    security-zone ZONA_RED_PLANTA_SOLAR {

    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }

    }
    }
    # VLAN definitions and their routed (l3) interfaces.
    # NOTE(review): VLAN_BIOMETRICO_ and VLAN_RED_CAMARAS_ are not members of
    # the ge-0/0/1 trunk or of any access port in this configuration, and
    # VLAN_RED_PLANTA_SOLAR is carried on the trunk only.
    vlans {
    # Name is spelled VAN_ (not VLAN_) here and on fe-0/0/2, consistently.
    VAN_TELEFONOS_IP_ {
    vlan-id 20;
    l3-interface vlan.20;
    }
    VLAN_ADM_ANT {
    vlan-id 3;
    l3-interface vlan.3;
    }
    VLAN_BIOMETRICO_ {
    vlan-id 140;
    l3-interface vlan.140;
    }
    VLAN_RED_CAMARAS_ {
    vlan-id 150;
    l3-interface vlan.150;
    }
    VLAN_RED_LAN_DATOS_ {
    vlan-id 10;
    l3-interface vlan.10;
    }
    # The LAN the post is about: vlan-id 11, gateway vlan.11 (192.168.8.1/24).
    VLAN_RED_PLANTA_SOLAR {
    vlan-id 11;
    l3-interface vlan.11;
    }
    # Membership is declared twice for this VLAN: here and in the trunk's
    # member list on ge-0/0/1. The description's curly quotes are paste damage.
    VLAN_TELEFONOS_CISCO {
    description “TELEFONOS CISCO”;
    vlan-id 490;
    interface {
    ge-0/0/1.0;
    }
    l3-interface vlan.490;
    }
    # Default VLAN, routed through vlan.1; no vlan-id is set here.
    default {
    l3-interface vlan.1;
    }
    }

    Any idea how I can fix it?

    Thanks

    Ed.


 
