Hello,
I have a SRX300 at my place and a SRX220 on other location, both makes a VPN connection to our headquarter.
SRX220 is working normally and I can ping and receive ping from any other location.
My SRX300 is working fine, I can ping anywhere but I cannot receive pings.
If I ping my SRX300 I get a message of timeout.
I can ping anywhere from SRX300.
Its internal IP address is 10.196.23.1.
Take a look at SRX300 configuration. Please tell me what to do.
system {
host-name rotem_brazil_saopaulo;
time-zone GMT;
root-authentication {
encrypted-password "$5$dav8mVfZasd2131sa213xaA";
}
name-server {
208.67.222.222;
208.67.220.220;
}
name-resolution {
no-resolve-on-input;
}
services {
ssh;
telnet;
web-management {
http {
interface ge-0/0/1.0;
}
https {
system-generated-certificate;
interface ge-0/0/1.0;
}
session {
idle-timeout 60;
}
}
dhcp {
name-server {
10.196.23.169;
}
router {
10.196.23.1;
}
pool 10.196.23.0/24 {
address-range low 10.196.23.100 high 10.196.23.200;
exclude-address {
10.196.23.178;
10.196.23.169;
10.196.23.170;
10.196.23.171;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
security {
ike {
proposal pre-g2-3des-sha {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy Rotem {
mode aggressive;
proposals pre-g2-3des-sha;
pre-shared-key ascii-text "$9$AYJPuIc-dsoZjKMYoaJkq/CtuRSevL";
}
gateway Rotem {
ike-policy Rotem;
address 58.87.57.67;
local-identity hostname rotem_brazil_saopaulo;
external-interface ge-0/0/0.0;
}
}
ipsec {
proposal esp-3des-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy Rotem {
proposals esp-3des-sha;
}
vpn Rotem {
bind-interface st0.0;
ike {
gateway Rotem;
no-anti-replay;
ipsec-policy Rotem;
}
establish-tunnels immediately;
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone Internal {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
interfaces {
ge-0/0/0.0;
st0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 177.67.51.119/25;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.196.23.1/24;
}
}
}
st0 {
unit 0 {
family inet;
family inet6;
}
}
}
routing-options {
static {
route 10.0.0.0/8 next-hop st0.0;
route 0.0.0.0/0 next-hop 177.67.51.1;
}
}