SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  My Local LAN network cannot route to internet

    Posted 01-27-2018 08:06

    Dear All,

    I would like to know why my local network cannot route to the internet in this topology.

    I have two internet connections, a Juniper HA pair, and then an L3 switch. I run stacking on the L3 switch and all VLANs are created on the L3 switch. I connect one link to the firewall (VLAN 7, 1.1.7.1/24) and the default route next-hop IP is the firewall LAN IP (1.1.7.2/24).

    My problem is that I get internet access in that VLAN only; the other VLANs cannot access the internet. How do I fix it?



  • 2.  RE: My Local LAN network cannot route to internet

    Posted 01-27-2018 08:25

    Does the SRX have a return route to all the VLANs that are set up layer 3 on the switch?

    show route

    Does the internet NAT rule cover all the VLANs on the switch to perform the public NAT?

    show configuration security nat source



  • 3.  RE: My Local LAN network cannot route to internet

    Posted 01-27-2018 12:58

    wrote:

    Does the SRX have a return route to all the VLANs that are set up layer 3 on the switch?

    show route

    Does the internet NAT rule cover all the VLANs on the switch to perform the public NAT?

    show configuration security nat source


    Hi,

    Please see the attached myconfig file. My SRX doesn't have VLANs; the VLANs are only on the L3 switch. The L3 switch is the gateway for all VLANs and routes directly between them. I configured a default route on the L3 switch to the firewall (e.g. 0.0.0.0/0 next-hop 10.1.7.2). 10.1.7.2 is the firewall interface and 10.1.7.1 is the L3 switch's VLAN 7 interface IP. When I connect an L2 switch to the firewall and assign a static IP (10.1.7.1) to my laptop, I can access the internet. I cannot access the internet under the L3 switch, and the other VLANs also cannot access the internet.

    I didn't run a NAT rule on the L3 switch. I run the NAT rule on my SRX firewall. Do I need to run NAT on the switch?



  • 4.  RE: My Local LAN network cannot route to internet

    Posted 01-27-2018 14:04

    As Steve suspects, you are missing a route for your VLAN subnets.

    Something like 'set routing-options static route <lan-net> next-hop 10.7.1.1', where you either route a larger prefix or, alternatively, add one route statement per VLAN.

    NAT and security policies should allow traffic correctly once the routes have been applied.



  • 5.  RE: My Local LAN network cannot route to internet

    Posted 01-27-2018 18:52

    Dear Steve and jonashauge,

    Please see the attached files. I already run NAT on the firewall; the L3 switch doesn't run NAT. I run a static route on the L3 switch with the firewall IP as the next-hop IP. I already allow any/any to the internet. I didn't add a larger prefix or, alternatively, one route statement per VLAN because I want to run round robin for WAN load balancing.


    wrote:

    As Steve suspects, you are missing a route for your VLAN subnets.

    Something like 'set routing-options static route <lan-net> next-hop 10.7.1.1', where you either route a larger prefix or, alternatively, add one route statement per VLAN.

    NAT and security policies should allow traffic correctly once the routes have been applied.



  • 6.  RE: My Local LAN network cannot route to internet
    Best Answer

    Posted 01-28-2018 04:51

    Sorry for the confusion.

    NAT

    You do NOT need to do NAT on the switch. We needed to confirm that your source NAT rule on the SRX would cover all subnets on your network. This is good per your attachment, so no changes are needed.

    Routing

    Each of your multiple VLANs on the switch has an IP subnet associated with it. You need to ensure that those IP subnets have a route on the SRX pointed to the switch's IP address on the link, 10.1.7.1.

    This is missing and is likely the problem.

    On the SRX, add routes for all these subnets:

    set routing-options static route x.x.x.x/xx next-hop 10.1.7.1

    If all the subnets are contiguous, you can add a single larger route that covers the whole range instead of individual ones.
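As an added example (not part of the thread or of anyone's posted configuration), the following Python script works through the best answer's routing check: it performs a longest-prefix match of each VLAN subnet against the SRX routing table to show which return paths currently fall to the default route toward the ISP, and then emits the corresponding Junos `set routing-options static route` lines, either one per VLAN or as a single covering supernet. The VLAN subnets, the ISP next hop and the SRX routing table are constructed sample values; only the switch link IP 10.1.7.1 comes from the thread.

```python
import ipaddress

# Constructed inputs (not from the thread). The L3 switch's VLAN 7 interface
# IP is the one value taken from the discussion.
SWITCH_LINK_IP = "10.1.7.1"
VLAN_SUBNETS = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
                "10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24"]
SRX_ROUTES = {                    # prefix -> next hop, as 'show route' would list
    "0.0.0.0/0": "203.0.113.1",   # default route towards the ISP (TEST-NET-3)
    "10.1.7.0/24": "direct",      # SRX interface facing the switch
}

def best_route(dst, routes):
    """Longest-prefix match of a destination network against a route table."""
    dst = ipaddress.ip_network(dst)
    matches = [ipaddress.ip_network(p) for p in routes
               if ipaddress.ip_network(p).supernet_of(dst)]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return str(best), routes[str(best)]

def unreachable_vlans(vlan_subnets, routes, switch_ip):
    """VLAN subnets whose return traffic the SRX would NOT hand to the switch.
    Each is reported with the route it currently matches (typically 0.0.0.0/0,
    which sends the replies out to the ISP instead of back to the LAN)."""
    bad = {}
    for subnet in vlan_subnets:
        prefix, next_hop = best_route(subnet, routes) or (None, None)
        if next_hop not in (switch_ip, "direct"):
            bad[subnet] = prefix
    return bad

def junos_static_routes(vlan_subnets, switch_ip, summarize=False):
    """Emit the 'set' lines from the best answer. With summarize=True a single
    supernet covering all subnets is used, as suggested for contiguous ranges."""
    nets = [ipaddress.ip_network(s) for s in vlan_subnets]
    if summarize:
        lo = min(n.network_address for n in nets)
        hi = max(n.broadcast_address for n in nets)
        net = ipaddress.ip_network(str(lo))     # start at a /32 and widen
        while hi not in net:                    # until the range is covered
            net = net.supernet()
        nets = [net]   # note: may also cover prefixes outside the VLAN list
    return [f"set routing-options static route {n} next-hop {switch_ip}"
            for n in nets]

if __name__ == "__main__":
    print("missing return routes:", unreachable_vlans(VLAN_SUBNETS, SRX_ROUTES, SWITCH_LINK_IP))
    print("\n".join(junos_static_routes(VLAN_SUBNETS, SWITCH_LINK_IP, summarize=True)))
```

With the sample table every VLAN subnet falls to 0.0.0.0/0; the summarized fix for 10.1.1.0/24 through 10.1.6.0/24 is 10.1.0.0/21, which also spans 10.1.0.0/24 and the directly connected 10.1.7.0/24 (the more specific connected route still wins), so check what a summary route pulls in before committing it.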