SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source-Based Routing problem

    Posted 10-30-2013 19:14

    Hello

    I have a source-based routing problem that I am trying to get to the bottom of. Here goes…

     

    I have two sites connected by a VPN using two SRX110 firewalls. The link is too slow for the video camera traffic coming from one of the sites so they have put a wireless link in as well which I have configured on a separate port on both SRX firewalls. The problem is that the client wants the camera traffic to go over the wireless link and all other traffic goes over the VPN.

     

    I have tried to resolve this by using source-based routing where the SRX at site A routes all traffic destined for a camera IP address through the wireless route. At the other end the SRX at site B has a source-based route directing all traffic from the cameras through the wireless route.

     

    Unfortunately I can’t get this to work. Here is the config:

     

    SRX site A:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop <Internet gateway>;
            route 10.0.7.15/32 next-hop 192.168.1.11; # camera IP; next-hop is the IP of remote SRX site B
            route 10.0.7.0/24 next-hop st0.1;
        }
    }
    

     

    SRX site B (where cameras are installed):

    show routing-instances
    WiFi-Router {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.1.254; # IP of remote SRX site A
            }
        }
    }
    
    show firewall
    family inet {
        filter WiFi-Filter {
            term 0 {
                from {
                    source-address {
                        10.0.7.15/32; # IP of one of the cameras
                    }
                }
                then {
                    routing-instance WiFi-Router;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
    filter accept {
        term 0 {
            then accept;
        }
    }
    
    show routing-options
    interface-routes {
        rib-group inet WiFi-Router;
    }
    static {
        route 0.0.0.0/0 next-hop at-1/0/0.0;
        route 192.168.2.0/24 next-hop st0.0;
    }
    rib-groups {
        WiFi-Router {
            import-rib [ inet.0 WiFi-Router.inet.0 ];
        }
    }
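
A next-hop consistency check for the two configurations in this thread, as an added example that is not part of the original post or of any Juniper tooling: it parses `show configuration` style text and reports, for each static route with an IP next-hop, whether that address is on a connected subnet and whether it is configured on the other firewall. The excerpts are constructed from addresses quoted in the thread (192.168.1.10 is Site A's wireless interface in the full configuration posted later); the function names and status labels are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpts: only the statements from the thread's two
# configurations that matter for the wireless path.
SITE_A = """
interfaces {
    fe-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.1.10/24; # Wireless link
            }
        }
    }
}
routing-options {
    static {
        route 10.0.7.0/24 next-hop st0.1;
        route 10.0.7.15/32 next-hop 192.168.1.11;
    }
}
"""

SITE_B = """
interfaces {
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.1.11/24; # Wireless
            }
        }
    }
}
routing-instances {
    WiFi-Router {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.1.254;
            }
        }
    }
}
"""

ROUTE = re.compile(r"route (\S+) next-hop (\S+)$")


def parse(text):
    """Flatten curly-brace config text into (path, statement) leaves.

    Line-based: expects one statement or brace per line, as Junos prints it.
    """
    leaves, path = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif line.endswith(";"):
            leaves.append((tuple(path), line[:-1].strip()))
    return leaves


def interface_addresses(leaves):
    """Return [(ifname.unit, IPv4Interface)] for every 'family inet' address."""
    out = []
    for path, stmt in leaves:
        if (len(path) == 4 and path[0] == "interfaces"
                and path[3] == "family inet" and stmt.startswith("address ")):
            unit = path[2].split()[1]
            out.append((f"{path[1]}.{unit}", ipaddress.ip_interface(stmt.split()[1])))
    return out


def static_routes(leaves):
    """Yield (table, prefix, next_hop) from inet.0 and from routing instances."""
    for path, stmt in leaves:
        m = ROUTE.match(stmt)
        if not m or path[-2:] != ("routing-options", "static"):
            continue
        table = f"{path[1]}.inet.0" if path[0] == "routing-instances" else "inet.0"
        yield table, m.group(1), m.group(2)


def check_next_hops(local_cfg, peer_cfg):
    """Classify each IP next-hop in local_cfg against both sides' interfaces."""
    local, peer = parse(local_cfg), parse(peer_cfg)
    local_ifs = interface_addresses(local)
    peer_ips = {iface.ip for _, iface in interface_addresses(peer)}
    findings = []
    for table, prefix, nh in static_routes(local):
        try:
            nh_ip = ipaddress.ip_address(nh)
        except ValueError:
            continue  # interface next-hop (st0.1) or a redacted placeholder
        via = next((name for name, i in local_ifs if nh_ip in i.network), None)
        if via is None:
            status = "not-on-link"
        elif nh_ip in peer_ips:
            status = "peer-address"
        else:
            status = "on-link-unknown-host"
        findings.append((table, prefix, nh, via, status))
    return findings


if __name__ == "__main__":
    for name, a, b in (("Site A", SITE_A, SITE_B), ("Site B", SITE_B, SITE_A)):
        for finding in check_next_hops(a, b):
            print(name, *finding)
```

With the thread's values, Site A's camera route resolves to Site B's wireless address, while the WiFi-Router default route points at 192.168.1.254, which is on-link but is not an address configured on Site A in the configuration posted later.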
    

     



  • 2.  RE: Source-Based Routing problem

    Posted 11-01-2013 04:40

    Hi,

     

    I expect you have configured your policy correctly and your problem is in routing.

     

    Are you sure that site B (WiFi-Router table) has a route back to 10.0.7.15/32? If not, you should configure a static route back again under the VR.

     

    Regards,

    Mohamed Elhariry



  • 3.  RE: Source-Based Routing problem

    Posted 11-03-2013 15:43

    Hi

     

    The policies are working because I can change the default routes and traffic can flow over the wireless.

     

    The IP address 10.0.7.15 is local to site B so I wouldn't have thought I need a route back to it (unless I'm missing something obvious). There is a route on Site A to 10.0.7.15.

     

    Regards,

    Andre



  • 4.  RE: Source-Based Routing problem

    Posted 11-05-2013 15:05

    From what I can see the source-address is not being triggered because the traffic is being initiated from the remote end. If I initiate the connection from the source-address then it triggers the rule. 

     

    Is there a way to make an IP address go out a certain route regardless of whether it initiated the traffic or not?

     

    Cheers,

    Andre



  • 5.  RE: Source-Based Routing problem

    Posted 11-05-2013 20:23

    Hi,

     

    I would advise you to paste the full configuration without passwords or public IPs; just use x.x.x.x instead.

     

    Regards,

    Mohamed Elhariry



  • 6.  RE: Source-Based Routing problem

    Posted 11-06-2013 13:14

    OK here it is:

     

    Site A (side that initiates the connection)

    ## Last changed: 2013-11-06 12:16:27 NZDT
    version 12.1R3.5;
    
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/1 {
            vlan-tagging;
            unit 0 {
                vlan-id 400;
                family inet {
                    address <Internet IP>/30; # Internet
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family inet {
                    address 192.168.1.10/24; # Wireless link
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 192.168.68.254/24; # DMZ
                }
            }
        }
    
        st0 {
            unit 0 {
                family inet;
            }
            unit 1 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.2.253/24;
                }
            }
        }
    }
    routing-options {
    
        static {
            route 172.17.48.0/24 next-hop st0.0;
            route 0.0.0.0/0 next-hop <Internet gateway>;
            route 10.0.7.0/24 next-hop st0.1;
            route 10.0.7.15/32 next-hop 192.168.1.11; # If going to DVR route through wireless.
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            proposal Custom_Proposal {
                authentication-method pre-shared-keys;
                dh-group group1;
                authentication-algorithm md5;
                encryption-algorithm des-cbc;
                lifetime-seconds 28800;
            }
            policy ike_pol_VPN_Timaru {
                mode main;
                proposals Custom_Proposal;
                pre-shared-key ascii-text "password";
            }
            policy ike_pol_VPN_Clive {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "password";
            }
            gateway gw_VPN_Timaru {
                ike-policy ike_pol_VPN_Timaru;
                address <Internet IP>;
                dead-peer-detection;
                external-interface fe-0/0/1;
                version v1-only;
            }
            gateway gw_VPN_Clive {
                ike-policy ike_pol_VPN_Clive;
                address <Internet IP>;
                dead-peer-detection;
                external-interface fe-0/0/1;
            }
        }
        ipsec {
            proposal Custom_Propasal {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm des-cbc;
                lifetime-seconds 28800;
            }
            policy ipsec_pol_VPN_Timaru {
                proposals Custom_Propasal;
            }
            policy ipsec_pol_VPN_Clive {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn VPN_Timaru {
                bind-interface st0.0;
                ike {
                    gateway gw_VPN_Timaru;
                    ipsec-policy ipsec_pol_VPN_Timaru;
                }
                establish-tunnels immediately;
            }
            vpn VPN_Clive {
                bind-interface st0.1;
                vpn-monitor;
                ike {
                    gateway gw_VPN_Clive;
                    ipsec-policy ipsec_pol_VPN_Clive;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone [ DMZ trust ];
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool SMTP {
                    address 192.168.2.6/32 port 25;
                }
                pool HTTPS {
                    address 192.168.2.6/32 port 443;
                }
                pool RDS {
                    description "Remote Desktop to TS";
                    address 192.168.2.7/32 port 443;
                }
                pool IMM1 {
                    description "IMM for HBWS-VM1";
                    address 192.168.2.28/32 port 1443;
                }
                pool IMM2 {
                    description "IMM for HBWS-VM2";
                    address 192.168.2.29/32 port 2443;
                }
                pool Camera-22609 {
                    address 192.168.2.230/32 port 22609;
                }
                pool Camera-8881 {
                    address 192.168.2.230/32 port 8881;
                }
                rule-set HBWS_NAT {
                    from zone untrust;
                    rule Email {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 25;
                        }
                        then {
                            destination-nat pool SMTP;
                        }
                    }
                    rule OWA {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 443;
                        }
                        then {
                            destination-nat pool HTTPS;
                        }
                    }
                    rule RDWeb {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 443;
                        }
                        then {
                            destination-nat pool RDS;
                        }
                    }
                    rule VIP-Email {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 25;
                        }
                        then {
                            destination-nat pool SMTP;
                        }
                    }
                    rule VIP-OWA {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 443;
                        }
                        then {
                            destination-nat pool HTTPS;
                        }
                    }
                    rule VIP-RDS {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 443;
                        }
                        then {
                            destination-nat pool RDS;
                        }
                    }
                    rule SecCamera-22609 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 22609;
                        }
                        then {
                            destination-nat pool Camera-22609;
                        }
                    }
                    rule SecCamera-8881 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address <Internet IP>/32;
                            destination-port 8881;
                        }
                        then {
                            destination-nat pool Camera-8881;
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy Airnet_SMTP {
                    match {
                        source-address any;
                        destination-address SBS_Server;
                        application junos-smtp;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                policy SBS_Services {
                    match {
                        source-address any;
                        destination-address SBS_Server;
                        application [ junos-https junos-pptp ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
                policy RDS {
                    match {
                        source-address any;
                        destination-address RDS_Server;
                        application junos-https;
                    }
                    then {
                        permit;
                    }
                }
                policy Security-Camera {
                    match {
                        source-address any;
                        destination-address Camera-Server;
                        application [ Camera-22609 Camera-8881 ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone trust to-zone VPN {
                policy policy_out_VPN_Timaru {
                    match {
                        source-address any;
                        destination-address addr_172_17_48_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy policy_out_VPN_Clive {
                    match {
                        source-address addr_192_168_2_0_24;
                        destination-address addr_10_0_7_0_24;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone VPN to-zone trust {
                policy policy_in_VPN_Timaru {
                    match {
                        source-address addr_172_17_48_0_24;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy policy_in_VPN_Clive {
                    match {
                        source-address addr_10_0_7_0_24;
                        destination-address addr_192_168_2_0_24;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone DMZ to-zone untrust {
                policy DMZ_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone wireless {
                policy Clive-Link {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone wireless to-zone trust {
                policy Clive-Awatoto {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address addr_192_168_2_0_24 192.168.2.0/24;
                    address SBS_Server 192.168.2.6/32;
                    address RDS_Server 192.168.2.7/32;
                    address HBWS-IMM1 192.168.2.28/32;
                    address HBWS-IMM2 192.168.2.29/32;
                    address Camera-Server 192.168.2.230/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                            }
                        }
                    }
                }
            }
            security-zone VPN {
                address-book {
                    address addr_172_17_48_0_24 172.17.48.0/24;
                    address addr_10_0_7_0_24 10.0.7.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                    st0.1;
                }
            }
            security-zone DMZ {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/7.0;
                }
            }
            security-zone wireless {
                description "Wireless Link";
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    applications {
        application HBWS-VM1-IMM {
            protocol tcp;
            destination-port 1443;
        }
        application HBWS-VM2-IMM {
            protocol tcp;
            destination-port 2443;
        }
        application Camera-22609 {
            protocol tcp;
            destination-port 22609;
        }
        application Camera-8881 {
            protocol tcp;
            destination-port 8881;
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     Site B (site with the DVR and cameras)

     

    ## Last changed: 2013-11-06 12:18:03 NZDT
    version 11.2R3.3;
    
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 192.168.1.11/24; # Wireless
                }
            }
        }
        at-1/0/0 {
            description "DSL Interface";
            mtu 1524;
            encapsulation atm-pvc;
            atm-options {
                vpi 0;
            }
            dsl-options {
                operating-mode auto;
            }
            unit 0 {
                description PPPoA;
                encapsulation atm-ppp-vc-mux;
                vci 0.100;
                ppp-options {
                    pap {
                        local-name user.name;
                        local-password "Password";
                        passive;
                    }
                }
                family inet {
                    negotiate-address;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    filter {
                        input WiFi-Filter;
                    }
                    address 10.0.7.249/24;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet WiFi-Router;
        }
        static {
            route 0.0.0.0/0 next-hop at-1/0/0.0;
            route 192.168.2.0/24 next-hop st0.0;
        }
        rib-groups {
            WiFi-Router {
                import-rib [ inet.0 WiFi-Router.inet.0 ];
            }
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy ike_pol_Clive-Awatoto {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "password";
            }
            gateway gw_Clive-Awatoto {
                ike-policy ike_pol_Clive-Awatoto;
                address <Internet IP>;
                external-interface at-1/0/0.0;
            }
        }
        ipsec {
            policy ipsec_pol_Clive-Awatoto {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn Clive-Awatoto {
                bind-interface st0.0;
                vpn-monitor;
                ike {
                    gateway gw_Clive-Awatoto;
                    ipsec-policy ipsec_pol_Clive-Awatoto;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone VPN {
                policy policy_out_Clive-Awatoto {
                    match {
                        source-address addr_10_0_7_0_24;
                        destination-address addr_192_168_2_0_24;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone VPN to-zone trust {
                policy policy_in_Clive-Awatoto {
                    match {
                        source-address addr_192_168_2_0_24;
                        destination-address addr_10_0_7_0_24;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone trust to-zone wireless {
                policy to-awatoto {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone wireless to-zone trust {
                policy from-awatoto {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address addr_10_0_7_0_24 10.0.7.0/24;
                    address Camera-Server 10.0.7.124/32;
                    address Camera125 10.0.7.125/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    at-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ping;
                                traceroute;
                                ssh;
                                https;
                                http;
                            }
                        }
                    }
                }
            }
            security-zone VPN {
                address-book {
                    address addr_192_168_2_0_24 192.168.2.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
            security-zone wireless {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/7.0;
                }
            }
        }
    }
    firewall {
        family inet {
            filter WiFi-Filter {
                term 0 {
                    from {
                        source-address {
                            10.0.7.15/32;
                        }
                    }
                    then {
                        routing-instance WiFi-Router;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
        filter accept {
            term 0 {
                then accept;
            }
        }
    }
    routing-instances {
        WiFi-Router {
            instance-type forwarding;
            routing-options {
                static {
                    route 192.168.2.0/24 next-hop 192.168.1.10;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     



  • 7.  RE: Source-Based Routing problem
    Best Answer

    Posted 11-07-2013 05:23

    Hi,

     

    I faced a similar issue before. If I initiate traffic (ping) from site B to A, it works fine, but from site A to B the traffic will hit the camera but will not hit the PBR; it will go directly using the normal routing table.

     

    I have no explanation for why it happened, but that is what I faced, and I did a workaround to make it work.

     

    You can do source NAT on site A to force return traffic to get back to site A.

     

     

    nat {
        source {
            rule-set camera {
                from zone trust;
                to zone wireless;
                rule camera {
                    match {
                        source-address 192.168.2.0/24;
                        destination-address 10.0.7.15/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
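
Why the source NAT workaround in the reply above changes the return path, as an added example that is not part of the original post. It models only destination-based lookup at site B; the interface names and 192.168.1.10 come from the posted config, while the site B routes, the /24 on the wireless link, the client address and the function names are assumptions, and the rule's source prefix is taken as 192.168.2.0/24, the site A LAN.

```python
import ipaddress

# Constructed model of site B's main routing table. Interface names come from
# the posted config; the routes and the /24 on the wireless link are assumptions.
SITE_B_ROUTES = [
    ("0.0.0.0/0", "at-1/0/0.0"),       # default route (assumed)
    ("192.168.2.0/24", "st0.0"),       # site A LAN through the VPN tunnel (assumed)
    ("192.168.1.0/24", "fe-0/0/7.0"),  # wireless link, directly connected (assumed)
    ("10.0.7.0/24", "vlan.0"),         # camera LAN
]
SITE_A_WIRELESS_IP = "192.168.1.10"    # next-hop used in the WiFi-Router instance


def lookup(dst, routes=SITE_B_ROUTES):
    """Longest-prefix match: egress interface site B chooses for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def interface_source_nat(src, dst, rule_src, rule_dst, egress_ip):
    """Rewrite src to the egress interface address when the rule matches."""
    if (ipaddress.ip_address(src) in ipaddress.ip_network(rule_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule_dst)):
        return egress_ip
    return src


def return_path(client, camera, nat_on_site_a):
    """Interface site B uses for the camera's reply to a site A client."""
    seen_src = client
    if nat_on_site_a:
        seen_src = interface_source_nat(client, camera, "192.168.2.0/24",
                                        "10.0.7.15/32", SITE_A_WIRELESS_IP)
    return lookup(seen_src)  # the reply is addressed to the source site B saw


if __name__ == "__main__":
    client = "192.168.2.50"  # constructed site A host
    for nat in (False, True):
        print("NAT on site A:", nat, "->", return_path(client, "10.0.7.15", nat))
```

With the NAT rule on site A, the camera replies to an address on the directly connected wireless subnet, so site B needs no policy-based routing for that flow.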


  • 8.  RE: Source-Based Routing problem

    Posted 11-07-2013 13:47

    Hi

    Using NAT sounds promising. I just wanted to clarify a few things. The connection is initiated at site A which goes to the DVR camera server at site B. Connections from site A go over the wireless fine but the return traffic from site B goes out the wrong interface. Should the source NAT config you suggested be on the site B firewall?

     

    Regards,

    Andre



  • 9.  RE: Source-Based Routing problem

    Posted 11-07-2013 13:55
    No, my friend, it is on site A, so the traffic will reach site B with a new source address and there is no need for PBR on site B anymore.


  • 10.  RE: Source-Based Routing problem

    Posted 11-07-2013 16:23

    Legend. I made the change you suggested by adding the source NAT and removed the PBR and it started working straight away. Thanks so much for your help.

     

    Regards,

    Andre



  • 11.  RE: Source-Based Routing problem

    Posted 11-01-2017 09:03

    mhariry,

     

    Greetings!  I came across this tech-tip.  This is exactly what I am looking for.  I tried this solution and got blank screens.  If you get this message, I will send you the config, if you want to help.

     

    Thank you,

    Dave