Author Topic: NAT's CONFIGURATION IS NOT WORKING srx210  (Read 1093 times)

nosdefe

NAT's CONFIGURATION IS NOT WORKING srx210
« on: June 06, 2016, 12:10:22 pm »
Hi everybody

I am trying to configure a Juniper SRX210 firewall and I'm stuck on one problem: I can't access the internet from the LAN interface vlan.11. I think I'm missing something. I can ping everything from the SRX itself, but nothing answers when I ping from the LAN interface vlan.11 using the command:
ping 8.8.8.8 interface vlan.11

I think my NAT configuration is not working.
Thanks in advance

My configuration:

## Last changed: 2016-06-06 03:21:06 UTC
## Junos release string exported with the configuration.
## NOTE(review): confirm this release still receives vendor security fixes, since the box is internet-facing.
version 12.1X46-D45.4;
## System-level settings: identity, local accounts, management services, DHCP server, logging, licence, NTP.
system {
host-name FW_SRX_210;
time-zone America/LaPaz;
root-authentication {
## Hash redacted by the poster; password hashes should be kept out of public posts.
encrypted-password "*********************"; ## SECRET-DATA
}
## Resolvers used by the SRX itself; the DHCP pools below hand different (internal) resolvers to clients.
name-server {
208.67.222.222;
208.67.220.220;
}
login {
## Single local administrator with full privileges (class super-user).
user adminsw {
uid 2000;
class super-user;
authentication {
encrypted-password "******************"; ## SECRET-DATA
}
}
}
## Management and infrastructure services. None of them is limited to specific interfaces here,
## so exposure is decided only by each zone's host-inbound-traffic settings.
services {
## NOTE(review): no root-login restriction is configured under ssh in this listing.
ssh;
## NOTE(review): xnm-clear-text is the Junos XML management service without encryption, so
## credentials and configuration travel in clear text. Remove it unless a tool requires it,
## or use xnm-ssl instead.
xnm-clear-text;
## J-Web over HTTPS with the self-generated certificate; no `interface` list restricts where it listens.
web-management {
https {
system-generated-certificate;
}
}
dhcp {
## Pool for 192.168.7.0/24; the gateway 192.168.7.1 is the address configured on vlan.10.
pool 192.168.7.0/24 {
address-range low 192.168.7.61 high 192.168.7.150;
domain-name ende.bo;
name-server {
10.10.0.17;
10.10.0.32;
10.10.0.10;
}
wins-server {
10.10.0.17;
10.10.0.32;
}
router {
192.168.7.1;
}
next-server 10.170.10.2;
}
## Pool for 192.168.8.0/24; the gateway 192.168.8.1 is the address configured on vlan.11.
## NOTE(review): clients receive internal resolvers (10.10.0.x). The only security policy in this
## configuration is trust -> untrust, so confirm these resolvers are reachable from vlan.11;
## a host whose DNS is unreachable looks like "no internet" even when NAT works.
pool 192.168.8.0/24 {
address-range low 192.168.8.60 high 192.168.8.80;
domain-name ende.bo;
name-server {
10.10.0.17;
10.10.0.32;
10.10.0.10;
}
wins-server {
10.10.0.17;
10.10.0.32;
}
router {
192.168.8.1;
}
}

}
}
## Local logging only: no remote syslog host is configured, and `messages` keeps just
## critical events plus authorization messages at level info.
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Single NTP server; no NTP authentication is configured in this listing.
ntp {
server 176.58.109.199;
}
}
## Physical ports, tunnel interfaces (st0) and the routed VLAN interfaces (vlan.N).
## Addresses written with xxx were redacted by the poster.
interfaces {
## Routed port acting as a DHCP client.
## NOTE(review): ge-0/0/0.0 is not listed under any security zone in this configuration;
## an interface outside every zone does not pass traffic, so confirm whether it is still needed.
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
## Trunk port carrying the LAN VLANs, including VLAN_RED_PLANTA_SOLAR (vlan.11).
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VLAN_RED_LAN_DATOS_ default VLAN_ADM_ANT VLAN_TELEFONOS_CISCO VLAN_RED_PLANTA_SOLAR ];
}
}
}
}
## Access port in VAN_TELEFONOS_IP_ (vlan-id 20).
fe-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members VAN_TELEFONOS_IP_;
}
}
}
}
## Access port in VLAN_RED_LAN_DATOS_ (vlan-id 10).
fe-0/0/3 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members VLAN_RED_LAN_DATOS_;
}
}
}
}
## Switching port with no VLAN membership configured.
## NOTE(review): presumably lands in the default VLAN (vlan.1, zone ZONA_ADM) - confirm or disable if unused.
fe-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
## Routed /29 link; fe-0/0/5.0 is placed in zone untrust.
fe-0/0/5 {
unit 0 {
family inet {
address 10.xxx.xxx.10/29;
}
}
}
## Routed /29 link towards the internet; fe-0/0/6.0 is placed in zone untrust.
fe-0/0/6 {
unit 0 {
/* Internet connection */
family inet {
address 181.xxx.xxx.18/29;
}
}
}
## Routed /29 link used as the IKE gateway's external-interface; fe-0/0/7.0 is placed in zone untrust.
fe-0/0/7 {
unit 0 {

family inet {
address 10.xxx.xxx.114/29;
}
}
}
## Secure tunnel interfaces. st0.1 is bound to the IPsec VPN in the security stanza;
## no VPN in this listing binds st0.2.
st0 {
unit 1 {
family inet {
mtu 1500;
address 10.172.4.24/24;
}
family inet6;
}
unit 2 {
family inet {
mtu 1500;
address 10.172.9.7/24;
}
family inet6;
}
}
## Routed VLAN interfaces: one gateway address per VLAN.
vlan {
unit 1 {
family inet {
address 10.150.7.1/24;
}
}
unit 3 {
family inet {
address 10.150.17.1/24;
}
}
unit 10 {
family inet {
address 192.168.7.1/24;
}
}
## vlan.11 is the LAN the post is about (192.168.8.0/24, zone trust).
unit 11 {
family inet {
address 192.168.8.1/24;
}
}
unit 20 {
family inet {
address 10.110.7.1/24;
}
}
unit 140 {
family inet {
address 192.168.207.1/24;
}
}
unit 150 {
family inet {
address 10.50.7.1/24;
}
}
unit 490 {
family inet {
address 10.249.7.1/24;
}
}
}
}
## Static routing. The two /29 destinations were redacted by the poster.
routing-options {
static {
route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.113;
route 10.xxx.xxx.0/29 next-hop 10.xxx.xxx.9;
## Default route; the next hop is presumably on fe-0/0/6's /29 (181.xxx.xxx.18/29, zone untrust).
route 0.0.0.0/0 next-hop 181.xxx.xxx.17;
}
}
## Routing and switching protocols: single-area OSPF plus spanning tree.
protocols {
ospf {
area 0.0.0.0 {
## These two statements filter network-summary LSAs at an area border router.
## NOTE(review): with only area 0.0.0.0 configured they presumably have no effect - TODO confirm.
network-summary-export export-ospf;
network-summary-import import-ospf;
## NOTE(review): OSPF runs in active mode and without authentication on every user-facing
## VLAN interface listed here, and each zone accepts `protocols all`. Any host on those LANs
## can attempt an adjacency and inject routes. Mark LAN-facing interfaces `passive` and/or
## configure OSPF authentication.
interface vlan.1;
interface vlan.10;
interface vlan.20;
interface vlan.150;
interface vlan.140;
## Tunnel interfaces, point-to-point; st0.1 is preferred over st0.2 by metric (10 vs 20).
interface st0.1 {
interface-type p2p;
metric 10;
}
interface st0.2 {
interface-type p2p;
metric 20;
}
interface vlan.3;
interface vlan.490;
interface vlan.11;
}
}
stp;
}
## Routing policies referenced by the OSPF network-summary-export/import statements.
policy-options {
## Accepts routes learned from directly connected interfaces.
policy-statement export-ospf {
term export-ospf {
from protocol direct;
then accept;
}
}
## Accepts routes learned from OSPF.
policy-statement import-ospf {
term import-ospf {
from protocol ospf;
then accept;
}
}
}
security {
## IKE phase 1: proposal, policy (pre-shared key, main mode) and the remote gateway.
ike {
## NOTE(review): 3DES, SHA-1 and DH group 2 are legacy choices. If the peer supports them,
## prefer aes-256-cbc, sha-256 and group14.
proposal phase1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy ike-policy {
mode main;
proposals phase1;
## Key redacted by the poster; pre-shared keys should be kept out of public posts.
pre-shared-key ascii-text "***************";
}
## Peer address redacted; negotiation uses fe-0/0/7.0, so that interface needs the `ike`
## system service in its host-inbound-traffic.
gateway ike-gw {
ike-policy ike-policy;
address 10.***.***.3;
external-interface fe-0/0/7.0;
}

}
## IPsec phase 2: proposal, policy with PFS, and the route-based VPN bound to st0.1.
ipsec {
## NOTE(review): 3DES with HMAC-SHA1-96 is a legacy suite. If the peer supports them,
## prefer aes-256-cbc with hmac-sha-256-128.
proposal phase2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy ipsec-policy {
## PFS uses DH group 2; NOTE(review): group14 is the stronger choice if the peer allows it.
perfect-forward-secrecy {
keys group2;
}
proposals phase2;
}
## Only st0.1 is bound to a VPN here; st0.2 has no VPN in this listing.
vpn ipsec- {
bind-interface st0.1;
vpn-monitor {
optimized;
}
ike {
gateway ike-gw;
ipsec-policy ipsec-policy;
}
establish-tunnels immediately;
}
}
## Application-layer gateways: the SIP ALG is switched off.
alg {
sip disable;
}
## Screen (attack-detection) profile; it is attached to zone untrust by `screen untrust-screen`.
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
## SYN-flood thresholds and the timeout for half-open connections.
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
## Source NAT: traffic from zone trust to zone untrust is translated to the egress interface address.
## vlan.11 is the only interface in zone trust, so this rule-set covers 192.168.8.0/24 only.
## NOTE(review): the test in the post (`ping 8.8.8.8 interface vlan.11`, run on the SRX) does not
## exercise this rule. The `interface` option sends the echo requests out of vlan.11 onto the LAN,
## and traffic generated by the SRX is not transit traffic from zone trust. Test from a host on
## 192.168.8.0/24 (reached through the ge-0/0/1 trunk, the only port carrying this VLAN), then check
## `show security flow session source-prefix 192.168.8.0/24` and `show security nat source rule all`.
nat {
source {
rule-set planta-solar-to-untrust {
from zone trust;
to zone untrust;
rule red-planta-solar {
## Matches every source and destination.
## NOTE(review): narrowing source-address to 192.168.8.0/24 would limit translation to the intended LAN.
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
## Security policies. trust -> untrust is the only zone pair defined in this listing; no policy
## is shown for the other zones (ZONA_ADM, ZONA_RED_DATOS_, VPN_OSFP, ...), so transit traffic
## for them depends on the default policy, which is not shown here.
policies {
from-zone trust to-zone untrust {
## Permits any source, destination and application.
## NOTE(review): no `log` action is set, so permitted sessions leave no record; adding
## `log session-init` or `log session-close` under `then` also helps troubleshooting.
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
## Security zones. Every zone and almost every interface accepts `system-services all` and
## `protocols all`, so all traffic addressed to the SRX itself is allowed. Interface-level
## host-inbound-traffic overrides the zone-level setting; interfaces without their own block
## inherit the zone's.
zones {
## Zone trust holds only vlan.11 (192.168.8.0/24), the LAN the post is about.
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.11 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
## NOTE(review): zone untrust contains the internet-facing fe-0/0/6.0 and allows
## `system-services all` / `protocols all`. That exposes every service enabled under
## `system services` (ssh, xnm-clear-text, J-Web over https, dhcp) and every routing protocol.
## Restrict host-inbound-traffic to what is required, for example `ike` on the interface
## that terminates the VPN and optionally `ping`.
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
## IKE external-interface for gateway ike-gw.
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
## No interface-level block, so the zone-level `all` settings apply.
fe-0/0/5.0;
## Internet-facing interface (181.xxx.xxx.18/29).
fe-0/0/6.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
## Administration LAN: vlan.1 (10.150.7.0/24) and vlan.3.
security-zone ZONA_ADM {
address-book {
address RED_LAN_ADM_ 10.150.7.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
vlan.3;
}
}
## IP telephony LAN: vlan.20 (10.110.7.0/24).
security-zone ZONA_TELF_IP_ {
address-book {
address RED_TELF_IP_ 10.110.7.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.20 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
## IP camera LAN: vlan.150 (10.50.7.0/24).
security-zone ZONA_RED_CAM_ {
address-book {
address RED_LAN_CAMARAS_IP 10.50.7.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.150 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
## Data LAN: vlan.10 (192.168.7.0/24).
security-zone ZONA_RED_DATOS_ {
address-book {
address RED_LAN_ 192.168.7.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.10 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
## Biometric devices LAN: vlan.140 (192.168.207.0/24).
security-zone ZONA_BIOMETRICOS_ {
address-book {
address RED_BIOMETRICOS_ 192.168.207.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.140 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
## Tunnel zone holding st0.1 and st0.2.
security-zone VPN_OSFP {

host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
## The interface-level block lists protocols only, so no system services are accepted on st0.2.
st0.2 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
## Cisco telephony LAN: vlan.490.
security-zone ZONA_TELF_IP_CISCO {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.490 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
## NOTE(review): this zone has no interfaces. vlan.11, the l3-interface of VLAN_RED_PLANTA_SOLAR,
## sits in zone trust instead, which is the zone the NAT rule-set and the policy refer to.
## Keep one of the two to avoid confusion.
security-zone ZONA_RED_PLANTA_SOLAR {

host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}

}
}
## VLAN definitions and the routed VLAN interface (l3-interface) of each.
vlans {
VAN_TELEFONOS_IP_ {
vlan-id 20;
l3-interface vlan.20;
}
VLAN_ADM_ANT {
vlan-id 3;
l3-interface vlan.3;
}
## NOTE(review): no port in the interfaces stanza lists this VLAN as a member.
VLAN_BIOMETRICO_ {
vlan-id 140;
l3-interface vlan.140;
}
## NOTE(review): no port in the interfaces stanza lists this VLAN as a member.
VLAN_RED_CAMARAS_ {
vlan-id 150;
l3-interface vlan.150;
}
VLAN_RED_LAN_DATOS_ {
vlan-id 10;
l3-interface vlan.10;
}
## VLAN of the LAN in question; it is carried only on the ge-0/0/1 trunk, so hosts must sit
## behind a downstream switch that tags VLAN 11.
VLAN_RED_PLANTA_SOLAR {
vlan-id 11;
l3-interface vlan.11;
}
VLAN_TELEFONOS_CISCO {
description "TELEFONOS CISCO";
vlan-id 490;
interface {
ge-0/0/1.0;
}
l3-interface vlan.490;
}
## Default VLAN; no vlan-id is set in this listing.
default {
l3-interface vlan.1;
}
}


Any idea how I can fix it?

Thanks

Ed.