Question Juniper SRX220/240 routing (or policy) issues

Mar 22, 2024
So long story short: we have multiple locations and we want to connect them with L3 connections.

From the ISP side everything has been set up correctly, their device is working. We have a Juniper SRX220 (and also an SRX240, but it doesn't work either) that we can ping from our network without any issue. But the Huawei router provided by our ISP, connected to this Juniper, is not reachable at all, or at least almost, because somehow 2 of our servers (the domain controllers) can ping it. So from the same network only 2 servers can reach the ISP router through our Juniper, but no other PC or server can. From the other side we can get through as far as the ISP router, but can't reach the Juniper at all.

The routing table on the Juniper seems to be fine, but the policies on it don't want to start at all. The policies contain the connection settings between the two zones.

We are lost at this point, so if you have any idea what to do to troubleshoot, or if you ran into problems like this before, don't hold anything back.

Thanks for the help!
 

Ralston18 (Titan, Moderator)
Are you able to provide a simple sketch or diagram that shows the network topology: how the routers, switches, servers, and other relevant devices are all connected?

Identify each component in the sketch with make and model information. Indicate which devices are in which zone.

Provide as much information as you can but be careful not to reveal any personal or company related information.

You can post the sketch or diagram here via imgur (www.imgur.com).
 
Mar 22, 2024

Ralston18 said:
> Are you able to provide a simple sketch or diagram that shows the network topology: how the routers, switches, servers, and other relevant devices are all connected?
>
> Identify each component in the sketch with make and model information. Indicate which devices are in which zone.
>
> Provide as much information as you can but be careful not to reveal any personal or company related information.
>
> You can post the sketch or diagram here via imgur (www.imgur.com).

I can send a sanitized config, but if you need it I can sketch a diagram too, but I don't have it at the moment.

Config
 
It has been lots of years since I looked at Juniper stuff. Does Juniper have a forum? Someone who does commercial Juniper routers might be able to read the config more easily. I suspect though it is a limitation of the Huawei.


So basically it seems you have

----lots of ip subnets---juniper router----ISP router----internet.

The largest issue is that the devices the ISP uses for home use are not actually "routers". They are better called gateways. They take a single LAN subnet and translate all the IPs to the WAN IP.

So this would mean if the LAN IP was 192.168.1.x/24, only that single subnet could talk to the internet. If you were to connect a 10.x.x.x IP, it would assume it was on the WAN interface of the device and attempt to send it to the internet.

Now some consumer grade routers have some basic ability to run static routes. From the little I have tried on other brands of consumer "routers" it did not work all that well. I have no idea about huawei devices.

So I would first check the Huawei device, if you have attempted to configure this stuff.

In the end, when you have a commercial firewall like you do, you need to in effect get rid of the Huawei device. You would have to put the Huawei in bridge mode and use it only as a modem. You would then need to configure the WAN interface on the Juniper to accept the real internet IP via DHCP. You would also need to run the NAT on the Juniper. The Juniper firewall, although complex to configure, will always greatly outperform any consumer router.

Now if you can't change the Huawei for some reason, you can hide all the issues by running NAT on the Juniper router. It will then make all the traffic appear to come from a single IP that the Huawei thinks is on its LAN subnet. No need for any static routes on the Huawei.
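The "run NAT on the Juniper" workaround described above, written out as Junos set commands. This is an added example, not a config posted in this thread or taken from the OP's sanitized config. It assumes zone names trust/untrust, ge-0/0/0.0 as the interface toward the Huawei (getting its address by DHCP from the Huawei's LAN, assumed here to be 192.168.1.0/24 with the Huawei at 192.168.1.1), ge-0/0/1.0 as the LAN-side interface, and 10.0.0.10 as a constructed internal host for the checks; rename them to match the real config. Lines starting with ## are annotations.

```junos
## Added example, assumed names and addresses; adjust to your own config.

## Untrust interface takes its address from the Huawei's DHCP server
set interfaces ge-0/0/0 unit 0 family inet dhcp
## Default route points at the Huawei's LAN address
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1

## Zone membership; the untrust interface must accept DHCP for the lease,
## ping is only allowed so the Huawei side can be reached for testing
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

## Interface-based source NAT: every internal subnet leaves with the untrust
## interface address, so the Huawei only ever sees one host on its own LAN
## and needs no static routes for the 10.x.x.x networks
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nat-all match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule nat-all then source-nat interface

## A policy must exist for the trust->untrust zone pair; without one the SRX
## drops the flow with no ICMP reply, which looks exactly like "unreachable"
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-init

commit check
commit

## Operational checks (run from the CLI prompt, not configuration mode)
show route 0.0.0.0/0
show security zones
show security policies from-zone trust to-zone untrust
show security match-policies from-zone trust to-zone untrust source-ip 10.0.0.10 destination-ip 192.168.1.1 source-port 1024 destination-port 443 protocol tcp
show security flow session source-prefix 10.0.0.10/32
show security nat source rule all
```

The `show security match-policies` line is the quickest way to see which policy (if any) a given 5-tuple hits; if it reports no match, the "policies don't want to start" symptom from the first post is a missing or misordered policy rather than a routing problem. `show security flow session` shows whether sessions are even being created and what source address they leave with, which tells you whether the NAT rule applied. Once the Huawei only sees the SRX's untrust address, the asymmetric "two servers can reach it, nothing else can" behaviour disappears because every internal host looks the same to it.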
 

Ralston18 (Titan, Moderator)
Also: you do not need to "sanitize" the results of "ipconfig /all", with the possible exception of its revealing a personal name or company name. The private IP address ranges are used by thousands of networks.

FYI:

https://www.lifewire.com/what-is-an... types of IP addresses,are assigned by an ISP.

And a simple sketch or diagram helps everyone to understand the scope of the net and its hosted devices.

For example, the sketch may reveal some error of omission or commission with respect to the above-mentioned IP subnets.

Not uncommon that there are errors with respect to the implemented IP addresses and/or subnet masking.

Then again it could be a simple error in the physical connections within the overall network.