Reading
Add Comment
Symptoms:
- DNS name resolution only resolves external domain names (i.e. Internet).
- SRX DNS proxy does not resolve internal/ local domains from DNS server on other side of the VPN..
- Ping requests fail from the SRX (i.e., DNS-Proxy) to the remote VPN site.
For Example, SRX2 cannot ping any node behind SRX1 via VPN. - All ping requests from the SRX fail without specifying exit interface.
- Ping request from nodes on either side of the VPN are successful. Routing and VPN work.
- SRX1 is at the data center. Its site hosts the primary domain controller (DC) and DNS servers.
- SRX2 is at the branch office.
- The SRX2 site does not have a local DC or DNS server. It uses a split-tunnel VPN and split-brain DNS proxy for internal and external name resolution
Solution: Assume routing, DNS-Proxy and firewall configurations are OK. The problem is with how the SRX chooses its default address. Specify the default address for s should fix the problem:
set system default-address-selection
Next, assign the loopback interface with a routed IP address.
set interface lo0 unti 0 family inet address
N.B., Planning to use the DNS proxy with an public DNS server (e.g., 8.8.8.8)? Don't forget to create a corresponding NAT statement:[edit security nat]
rule-set self-internet {
from zone junos-host;
to zone UNTRUST;
rule RE-untrust {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
Reason: The DNS proxy service uses the SRX loopback interface (lo0) for its source address. The default lo0 addess is 127.0.0.1. Traffic isn't going to go far with that address! Everything works if you assign lo0 with an IP address from your default VLAN!N.B., This fixes all other issues with ICMP, FTP, etc., across the SRX to VPN as well.
References:
https://www.juniper.net/documentation/en_US/junos13.1/topics/reference/configuration-statement/default-address-selection-edit-system.html
CISCO Juniper Network Administration Routing
0 Comments:
Post a Comment