
bulkmailme

join:2003-02-11
indonesia

srx 220 with TP-Link TL-WR941ND---Stuck in configuration.

network diagram
Greetings,
I have stumbled on a bit of a problem here. I hope somebody here could kindly let me know the correct CLI config. What I want to achieve is to have the computer at 192.168.2.2 talk to my server at 10.0.20.9.

Here are bits of my network setup:
I have 1 Juniper SRX220 as router and DHCP. I have connected to wireless router TP-Link WR941ND.

My problem is that I have a server attached to ge-0/0/5, which is part of my internal VLAN group. The computer behind the TP-Link (192.168.2.2) can ping the router at 10.0.20.1, but can't see the server (10.0.20.9). It must be something I am missing in my CLI config? Switching the TP-Link between router mode (uplink connected to the TP-Link's WAN port) and access point mode (uplink connected to a regular port on the TP-Link) does not help.

If I set the TP-Link up as an AP (with DHCP on the Juniper), I can ping from the server to any PC on the TP-Link Wi-Fi, but nobody on the TP-Link can ping the server. I have already disabled the firewall on the server.

Thanks for any info.

Here are my cli config:
/* System-level settings: device identity, root credentials, DNS resolvers,
   and the services the SRX itself offers (SSH and a DHCP server). */
system {
    host-name parthia;
    domain-name PAT;
    root-authentication {
        /* The password hash was replaced with "x" before posting. */
        encrypted-password "x"; ## SECRET-DATA
    }
    /* Public resolvers used by the device itself. */
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    /* Empty stanza: no non-root user accounts appear in this paste
       (they may have been trimmed by the poster). */
    login {
    }
    services {
        /* SSH is enabled with no further options. With root as the only
           account shown, management logins would be as root.
           NOTE(review): consider named accounts and "root-login deny". */
        ssh;
        dhcp {
            /* Default gateway handed to clients; matches the vlan.20 address. */
            router {
                10.0.20.1;
            }
            pool 10.0.20.0/24 {
                address-range low 10.0.20.8 high 10.0.20.210;
                /* Lease times in seconds: 2419200 = 28 days, 1209600 = 14 days. */
                maximum-lease-time 2419200;
                default-lease-time 1209600;
                /* Clients are pointed at the same public resolvers as the device. */
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                domain-search {
                    PAT;
                }
                /* NOTE(review): propagate-settings normally names an interface
                   whose learned TCP/IP settings are passed on to clients;
                   confirm vlan.20 is the intended source. */
                propagate-settings vlan.20;
            }
            /* Static bindings; MAC addresses were redacted as x:x:x:x:x:x.
               All three fixed addresses fall inside the dynamic range above. */
            static-binding x:x:x:x:x:x {
                fixed-address {
                    /* The server the poster cannot reach from the TP-Link side. */
                    10.0.20.9;
                }
            }
            static-binding x:x:x:x:x:x {
                fixed-address {
                    10.0.20.207;
                }
            }
            static-binding x:x:x:x:x:x {
                fixed-address {
                    10.0.20.10;
                }
            }
        }
    }
}
/* Physical and logical interfaces: one routed uplink (ge-0/0/0), seven
   Layer 2 access ports (ge-0/0/1 to ge-0/0/7) and the routed VLAN
   interface vlan.20 that acts as the LAN gateway. */
interfaces {
    /* Routed uplink; placed in security zone "internet" in the zones stanza.
       The default route's next hop (192.168.14.201) is on this subnet. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.14.200/24;
            }
            family inet6 {
                /* fec0::/10 is the deprecated IPv6 site-local range (RFC 3879).
                   NOTE(review): confirm IPv6 is actually needed on the uplink. */
                address fec0:1:1:1::2/64;
            }
        }
    }
    /* ge-0/0/1 through ge-0/0/7 are switching access ports. VLAN membership
       is not set here; it comes from the member list under "vlans ilan". */
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    /* Port the poster's server (10.0.20.9) is attached to. */
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    /* This access port is also listed by name in security zone "trust". */
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    /* Routed VLAN interface: Layer 3 gateway for VLAN 20 (10.0.20.0/24). */
    vlan {
        unit 20 {
            family inet {
                address 10.0.20.1/24;
            }
        }
    }
}
/* SNMP agent with a single read-only community.
   "public" is the well-known default community string, and no "clients"
   list restricts which hosts may query. In this config ge-0/0/7.0 accepts
   all system services, so SNMP is reachable from that port.
   NOTE(review): use a non-default string with a clients restriction, or
   SNMPv3, if SNMP is needed at all. */
snmp {
    community public {
        authorization read-only;
    }
}
/* Static routing: a single default route out the ge-0/0/0 uplink subnet.
   There is no route for 192.168.2.0/24. If the TP-Link is routing without
   NAT, replies to 192.168.2.2 would follow this default route instead of
   going back to the TP-Link -- presumably the TP-Link NATs in router mode;
   confirm against its configuration. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.14.201;
    }
}
/* Security stanza: source NAT, zone definitions with per-zone or
   per-interface host-inbound services, and inter-zone policies.
   Only one policy context exists (trust -> internet). */
security {
    nat {
        source {
            /* Translate everything leaving trust for internet to the address
               of the egress interface. */
            rule-set interface-nat {
                from zone trust;
                to zone internet;
                rule rule1 {
                    match {
                        /* 0.0.0.0/0 on both sides: matches any IPv4 flow. */
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        /* Uplink zone. host-inbound-traffic governs traffic addressed to the
           SRX itself; only ping is accepted from this side. */
        security-zone internet {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            interfaces {
                /* "all" accepts every system service on this port, including
                   SSH and the SNMP agent configured with community "public".
                   NOTE(review): ge-0/0/7.0 is a switching access port that is
                   also a member of VLAN ilan, whose Layer 3 interface vlan.20
                   is listed below; confirm this entry is needed and narrow
                   the service list to what is actually used. */
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                /* LAN gateway interface: only SSH, DHCP and ping reach the
                   device from VLAN 20. */
                vlan.20 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* The only policy context in this config. No "from-zone trust
           to-zone trust" context exists, so trust-to-trust traffic that
           reaches a policy lookup falls to the default policy
           (presumably deny; confirm it has not been changed elsewhere). */
        from-zone trust to-zone internet {
            /* Permits any source, destination and application outbound.
               No log action is set, so permitted sessions are not logged
               by this policy. */
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
/* VLAN definitions: a single VLAN "ilan" (ID 20) containing all seven
   access ports, with vlan.20 as its routed Layer 3 interface. */
vlans {
    ilan {
        vlan-id 20;
        /* Member ports; ge-0/0/5.0 is where the server is attached. */
        interface {
            ge-0/0/1.0;
            ge-0/0/2.0;
            ge-0/0/3.0;
            ge-0/0/4.0;
            ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
        }
        /* Binds the VLAN to the gateway address 10.0.20.1/24. */
        l3-interface vlan.20;
    }
}
 

Best Regards,

Joni


va176thunder

join:2001-09-14
Columbus, OH

You need a security policy that allows trust-to-trust traffic; the posted config only defines a policy from zone trust to zone internet.
--
and the hits just keep on coming.........