Correct options and config for adding public routable block to existing deployment?

  • 1.  Correct options and config for adding public routable block to existing deployment?

    Posted 12-10-2018 21:42

    Hello, I am able to reach the public routable IP if it is assigned to the WAN interface, and a public routable IP from a different subnet depending on the configuration. I am stuck on traffic not reaching the internet or the gateway from a device with an IP on the public routable block.

    /30 link to ISP, /27 customer routed block

    srx -- xe-0/0/17 - WAN 192.168.1.2/30 - has existing IPsec tunnels on the link IP

    srx -- xe-0/0/0 - existing private LAN 10.1.0.0/16

    srx -- ge-0/0/1 - first available IP in the customer routed block, e.g. 193.168.1.1, with 192.168.1.2 on the directly connected device.

    What may I be missing?

  • 2.  RE: Correct options and config for adding public routable block to existing deployment?

    Posted 12-10-2018 22:23

    The IP on the SRX (193.x.x.x) and on the device (192.x.x.x) are on different subnets. Maybe a typo?

    Please share your configuration if possible. You may change/remove sensitive info.



  • 3.  RE: Correct options and config for adding public routable block to existing deployment?

    Posted 12-11-2018 08:17

    Hi Nellikka,

    That is correct; in the required config our WAN /30 link would be 192.168.1.2/30, as an example, with a gateway of 192.168.1.1.

    The second public routable block provided would be 193.168.1.1/27.

    The ISP-managed device knows to route both blocks across its physical link to our equipment.

    I believe there are multiple ways to achieve this, such as placing dual IPs on the WAN interface, or NAT and proxy-arp on the WAN interface?

    set system host-name sjc-pa-01
    set system domain-name internal.company.com
    
    set system root-authentication encrypted-password "removed"
    
    set system login user admin uid 2000
    set system login user admin class super-user
    set system login user admin authentication encrypted-password "removed"
    
    set system services ssh root-login allow
    set system services dhcp-local-server group company_guest_wifi interface irb.1001
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.30
    
    set system syslog host 10.1.60.16 any any
    
    set chassis alarm management-ethernet link-down ignore
    
    set security ike proposal ike-prop-vpn-2e5c463c-1 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-2e5c463c-1 dh-group group2
    set security ike proposal ike-prop-vpn-2e5c463c-1 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-2e5c463c-1 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-2e5c463c-1 lifetime-seconds 28800
    set security ike proposal ike-prop-vpn-2e5c463c-2 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-2e5c463c-2 dh-group group2
    set security ike proposal ike-prop-vpn-2e5c463c-2 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-2e5c463c-2 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-2e5c463c-2 lifetime-seconds 28800
    set security ike proposal ike-prop-vpn-a020c4b5-1 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-a020c4b5-1 dh-group group2
    set security ike proposal ike-prop-vpn-a020c4b5-1 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-a020c4b5-1 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-a020c4b5-1 lifetime-seconds 28800
    set security ike proposal ike-prop-vpn-a020c4b5-2 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-a020c4b5-2 dh-group group2
    set security ike proposal ike-prop-vpn-a020c4b5-2 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-a020c4b5-2 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-a020c4b5-2 lifetime-seconds 28800
    set security ike proposal ike-prop-vpn-0a6a8b3-1 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-0a6a8b3-1 dh-group group2
    set security ike proposal ike-prop-vpn-0a6a8b3-1 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-0a6a8b3-1 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-0a6a8b3-1 lifetime-seconds 28800
    set security ike proposal ike-prop-vpn-0a6a8b3-2 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-0a6a8b3-2 dh-group group2
    set security ike proposal ike-prop-vpn-0a6a8b3-2 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-0a6a8b3-2 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-0a6a8b3-2 lifetime-seconds 28800
    set security ike proposal ipsec-proposal-remote-office authentication-method pre-shared-keys
    set security ike proposal ipsec-proposal-remote-office dh-group group2
    set security ike proposal ipsec-proposal-remote-office authentication-algorithm sha1
    set security ike proposal ipsec-proposal-remote-office encryption-algorithm 3des-cbc
    set security ike proposal ike-prop-vpn-0377bcb-1 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-0377bcb-1 dh-group group2
    set security ike proposal ike-prop-vpn-0377bcb-1 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-0377bcb-1 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-0377bcb-1 lifetime-seconds 28800
    set security ike proposal ike-prop-vpn-0377bcb-2 authentication-method pre-shared-keys
    set security ike proposal ike-prop-vpn-0377bcb-2 dh-group group2
    set security ike proposal ike-prop-vpn-0377bcb-2 authentication-algorithm sha1
    set security ike proposal ike-prop-vpn-0377bcb-2 encryption-algorithm aes-128-cbc
    set security ike proposal ike-prop-vpn-0377bcb-2 lifetime-seconds 28800
    
    set security ike policy ike-pol-vpn-2e5c463c-1 mode main
    set security ike policy ike-pol-vpn-2e5c463c-1 proposals ike-prop-vpn-2e5c463c-1
    set security ike policy ike-pol-vpn-2e5c463c-1 pre-shared-key ascii-text "removed"
    set security ike policy ike-pol-vpn-2e5c463c-2 mode main
    set security ike policy ike-pol-vpn-2e5c463c-2 proposals ike-prop-vpn-2e5c463c-2
    set security ike policy ike-pol-vpn-2e5c463c-2 pre-shared-key ascii-text "removed"
    set security ike policy ike-pol-vpn-a020c4b5-1 mode main
    set security ike policy ike-pol-vpn-a020c4b5-1 proposals ike-prop-vpn-a020c4b5-1
    set security ike policy ike-pol-vpn-a020c4b5-1 pre-shared-key ascii-text "removed"
    set security ike policy ike-pol-vpn-a020c4b5-2 mode main
    set security ike policy ike-pol-vpn-a020c4b5-2 proposals ike-prop-vpn-a020c4b5-2
    set security ike policy ike-pol-vpn-a020c4b5-2 pre-shared-key ascii-text "removed"
    set security ike policy ike-pol-vpn-0a6a8b3-1 mode main
    set security ike policy ike-pol-vpn-0a6a8b3-1 proposals ike-prop-vpn-0a6a8b3-1
    set security ike policy ike-pol-vpn-0a6a8b3-1 pre-shared-key ascii-text "removed"
    set security ike policy ike-pol-vpn-0a6a8b3-2 mode main
    set security ike policy ike-pol-vpn-0a6a8b3-2 proposals ike-prop-vpn-0a6a8b3-2
    set security ike policy ike-pol-vpn-0a6a8b3-2 pre-shared-key ascii-text "removed"
    set security ike policy ike-policy-remote-office mode main
    set security ike policy ike-policy-remote-office proposal-set standard
    set security ike policy ike-policy-remote-office pre-shared-key ascii-text "removed"
    set security ike policy ike-pol-vpn-0377bcb-1 mode main
    set security ike policy ike-pol-vpn-0377bcb-1 proposals ike-prop-vpn-0377bcb-1
    set security ike policy ike-pol-vpn-0377bcb-1 pre-shared-key ascii-text "removed"
    set security ike policy ike-pol-vpn-0377bcb-2 mode main
    set security ike policy ike-pol-vpn-0377bcb-2 proposals ike-prop-vpn-0377bcb-2
    set security ike policy ike-pol-vpn-0377bcb-2 pre-shared-key ascii-text "removed"
    
    set security ike gateway gw-vpn-2e5c463c-1 ike-policy ike-pol-vpn-2e5c463c-1
    set security ike gateway gw-vpn-2e5c463c-1 address 172.213.89.83
    set security ike gateway gw-vpn-2e5c463c-1 dead-peer-detection interval 10
    set security ike gateway gw-vpn-2e5c463c-1 dead-peer-detection threshold 3
    set security ike gateway gw-vpn-2e5c463c-1 no-nat-traversal
    set security ike gateway gw-vpn-2e5c463c-1 external-interface ge-0/0/0.0
    set security ike gateway gw-vpn-2e5c463c-1 local-address 192.168.1.2
    set security ike gateway gw-vpn-2e5c463c-2 ike-policy ike-pol-vpn-2e5c463c-2
    set security ike gateway gw-vpn-2e5c463c-2 address 172.213.89.83
    set security ike gateway gw-vpn-2e5c463c-2 dead-peer-detection interval 10
    set security ike gateway gw-vpn-2e5c463c-2 dead-peer-detection threshold 3
    set security ike gateway gw-vpn-2e5c463c-2 no-nat-traversal
    set security ike gateway gw-vpn-2e5c463c-2 external-interface ge-0/0/0.0
    set security ike gateway gw-vpn-2e5c463c-2 local-address 192.168.1.2
    set security ike gateway gw-vpn-a020c4b5-1 ike-policy ike-pol-vpn-a020c4b5-1
    set security ike gateway gw-vpn-a020c4b5-1 address 172.213.89.83
    set security ike gateway gw-vpn-a020c4b5-1 no-nat-traversal
    set security ike gateway gw-vpn-a020c4b5-1 external-interface xe-0/0/17
    set security ike gateway gw-vpn-a020c4b5-1 local-address 192.168.1.2
    set security ike gateway gw-vpn-a020c4b5-2 ike-policy ike-pol-vpn-a020c4b5-2
    set security ike gateway gw-vpn-a020c4b5-2 address 172.213.89.83
    set security ike gateway gw-vpn-a020c4b5-2 dead-peer-detection interval 10
    set security ike gateway gw-vpn-a020c4b5-2 dead-peer-detection threshold 3
    set security ike gateway gw-vpn-a020c4b5-2 no-nat-traversal
    set security ike gateway gw-vpn-a020c4b5-2 external-interface xe-0/0/17
    set security ike gateway gw-vpn-a020c4b5-2 local-address 192.168.1.2
    set security ike gateway gw-vpn-0a6a8b3-1 ike-policy ike-pol-vpn-0a6a8b3-1
    set security ike gateway gw-vpn-0a6a8b3-1 address 172.213.89.83
    set security ike gateway gw-vpn-0a6a8b3-1 dead-peer-detection interval 10
    set security ike gateway gw-vpn-0a6a8b3-1 dead-peer-detection threshold 3
    set security ike gateway gw-vpn-0a6a8b3-1 no-nat-traversal
    set security ike gateway gw-vpn-0a6a8b3-1 external-interface xe-0/0/17
    set security ike gateway gw-vpn-0a6a8b3-1 local-address 192.168.1.2
    set security ike gateway gw-vpn-0a6a8b3-2 ike-policy ike-pol-vpn-0a6a8b3-2
    set security ike gateway gw-vpn-0a6a8b3-2 address 172.213.89.83
    set security ike gateway gw-vpn-0a6a8b3-2 dead-peer-detection interval 10
    set security ike gateway gw-vpn-0a6a8b3-2 dead-peer-detection threshold 3
    set security ike gateway gw-vpn-0a6a8b3-2 no-nat-traversal
    set security ike gateway gw-vpn-0a6a8b3-2 external-interface xe-0/0/17.0
    set security ike gateway gw-vpn-0a6a8b3-2 local-address 192.168.1.2
    
    set security ike gateway ike-remote-office ike-policy ike-policy-remote-office
    set security ike gateway ike-remote-office address 172.213.89.83
    set security ike gateway ike-remote-office external-interface xe-0/0/17
    set security ike gateway ike-remote-office version v1-only
    
    set security ike gateway gw-vpn-0377bcb-1 ike-policy ike-pol-vpn-0377bcb-1
    set security ike gateway gw-vpn-0377bcb-1 address 172.213.89.83
    set security ike gateway gw-vpn-0377bcb-1 dead-peer-detection interval 10
    set security ike gateway gw-vpn-0377bcb-1 dead-peer-detection threshold 3
    set security ike gateway gw-vpn-0377bcb-1 no-nat-traversal
    set security ike gateway gw-vpn-0377bcb-1 external-interface xe-0/0/17.0
    set security ike gateway gw-vpn-0377bcb-1 local-address 192.168.1.2
    set security ike gateway gw-vpn-0377bcb-2 ike-policy ike-pol-vpn-0377bcb-2
    set security ike gateway gw-vpn-0377bcb-2 address 172.213.89.83
    set security ike gateway gw-vpn-0377bcb-2 dead-peer-detection interval 10
    set security ike gateway gw-vpn-0377bcb-2 dead-peer-detection threshold 3
    set security ike gateway gw-vpn-0377bcb-2 no-nat-traversal
    set security ike gateway gw-vpn-0377bcb-2 external-interface xe-0/0/17.0
    set security ike gateway gw-vpn-0377bcb-2 local-address 192.168.1.2
    
    --removed ike proposal algorithms--
    
    set security ipsec vpn vpn-2e5c463c-1 bind-interface st0.1
    set security ipsec vpn vpn-2e5c463c-1 df-bit clear
    set security ipsec vpn vpn-2e5c463c-1 ike gateway gw-vpn-2e5c463c-1
    set security ipsec vpn vpn-2e5c463c-1 ike ipsec-policy ipsec-pol-vpn-2e5c463c-1
    set security ipsec vpn vpn-2e5c463c-2 bind-interface st0.2
    set security ipsec vpn vpn-2e5c463c-2 df-bit clear
    set security ipsec vpn vpn-2e5c463c-2 ike gateway gw-vpn-2e5c463c-2
    set security ipsec vpn vpn-2e5c463c-2 ike ipsec-policy ipsec-pol-vpn-2e5c463c-2
    set security ipsec vpn ipsec-vpn-it bind-interface st0.3
    set security ipsec vpn ipsec-vpn-it ike gateway ike-gate-it
    set security ipsec vpn ipsec-vpn-it ike ipsec-policy ipsec-policy-it
    set security ipsec vpn ipsec-vpn-it establish-tunnels on-traffic
    set security ipsec vpn vpn-a020c4b5-1 bind-interface st0.4
    set security ipsec vpn vpn-a020c4b5-1 df-bit clear
    set security ipsec vpn vpn-a020c4b5-1 ike gateway gw-vpn-a020c4b5-1
    set security ipsec vpn vpn-a020c4b5-1 ike ipsec-policy ipsec-pol-vpn-a020c4b5-1
    set security ipsec vpn vpn-a020c4b5-2 bind-interface st0.5
    set security ipsec vpn vpn-a020c4b5-2 df-bit clear
    set security ipsec vpn vpn-a020c4b5-2 ike gateway gw-vpn-a020c4b5-2
    set security ipsec vpn vpn-a020c4b5-2 ike ipsec-policy ipsec-pol-vpn-a020c4b5-2
    set security ipsec vpn vpn-0a6a8b3-1 bind-interface st0.6
    set security ipsec vpn vpn-0a6a8b3-1 df-bit clear
    set security ipsec vpn vpn-0a6a8b3-1 ike gateway gw-vpn-0a6a8b3-1
    set security ipsec vpn vpn-0a6a8b3-1 ike ipsec-policy ipsec-pol-vpn-0a6a8b3-1
    set security ipsec vpn vpn-0a6a8b3-2 bind-interface st0.7
    set security ipsec vpn vpn-0a6a8b3-2 df-bit clear
    set security ipsec vpn vpn-0a6a8b3-2 ike gateway gw-vpn-0a6a8b3-2
    set security ipsec vpn vpn-0a6a8b3-2 ike ipsec-policy ipsec-pol-vpn-0a6a8b3-2
    set security ipsec vpn ipsec-remote-office bind-interface st0.8
    set security ipsec vpn ipsec-remote-office ike gateway ike-remote-office
    set security ipsec vpn ipsec-remote-office ike ipsec-policy ipsec-remote-office
    set security ipsec vpn ipsec-remote-office establish-tunnels on-traffic
    set security ipsec vpn vpn-0377bcb-1 bind-interface st0.9
    set security ipsec vpn vpn-0377bcb-1 df-bit clear
    set security ipsec vpn vpn-0377bcb-1 ike gateway gw-vpn-0377bcb-1
    set security ipsec vpn vpn-0377bcb-1 ike ipsec-policy ipsec-pol-vpn-0377bcb-1
    set security ipsec vpn vpn-0377bcb-2 bind-interface st0.10
    set security ipsec vpn vpn-0377bcb-2 df-bit clear
    set security ipsec vpn vpn-0377bcb-2 ike gateway gw-vpn-0377bcb-2
    set security ipsec vpn vpn-0377bcb-2 ike ipsec-policy ipsec-pol-vpn-0377bcb-2
    
    set security flow tcp-mss ipsec-vpn mss 1379
    
    set security nat source rule-set trust-untrust from zone trust
    set security nat source rule-set trust-untrust to zone untrust
    set security nat source rule-set trust-untrust rule internet-NAT match destination-address 0.0.0.0/0
    set security nat source rule-set trust-untrust rule internet-NAT then source-nat interface
    
    set security nat source rule-set guest_internet-untrust from zone company_guest
    set security nat source rule-set guest_internet-untrust to zone untrust
    set security nat source rule-set guest_internet-untrust rule guest_to_internet match destination-address 0.0.0.0/0
    set security nat source rule-set guest_internet-untrust rule guest_to_internet then source-nat interface
    
    set security nat destination pool ssl-services address 10.1.13.2/32
    set security nat destination pool ssl-services address port 443
    
    set security policies from-zone trust to-zone untrust policy NAT-to-Internet match source-address any
    set security policies from-zone trust to-zone untrust policy NAT-to-Internet match destination-address any
    set security policies from-zone trust to-zone untrust policy NAT-to-Internet match application any
    set security policies from-zone trust to-zone untrust policy NAT-to-Internet then permit
    
    set security policies from-zone trust to-zone trust policy inbound-AWS match source-address any
    set security policies from-zone trust to-zone trust policy inbound-AWS match destination-address any
    set security policies from-zone trust to-zone trust policy inbound-AWS match application any
    set security policies from-zone trust to-zone trust policy inbound-AWS then permit
    
    set security policies from-zone untrust to-zone trust policy external_access match source-address any
    set security policies from-zone untrust to-zone trust policy external_access match destination-address firewall000
    set security policies from-zone untrust to-zone trust policy external_access match destination-address vdi
    set security policies from-zone untrust to-zone trust policy external_access match destination-address dropbox000
    set security policies from-zone untrust to-zone trust policy external_access match destination-address vsftpd000
    set security policies from-zone untrust to-zone trust policy external_access match application https
    set security policies from-zone untrust to-zone trust policy external_access match application junos-ssh
    set security policies from-zone untrust to-zone trust policy external_access match application ssh
    set security policies from-zone untrust to-zone trust policy external_access match application https-alt
    set security policies from-zone untrust to-zone trust policy external_access match application ipsec-tcp
    set security policies from-zone untrust to-zone trust policy external_access match application ipsec-udp
    set security policies from-zone untrust to-zone trust policy external_access match application s3
    set security policies from-zone untrust to-zone trust policy external_access match application sftp
    set security policies from-zone untrust to-zone trust policy external_access then permit
    
    set security policies from-zone company_guest to-zone untrust policy nat-to-internet match source-address any
    set security policies from-zone company_guest to-zone untrust policy nat-to-internet match destination-address any
    set security policies from-zone company_guest to-zone untrust policy nat-to-internet match application any
    set security policies from-zone company_guest to-zone untrust policy nat-to-internet then permit
    
    set security policies from-zone trust to-zone remote-office policy trust-to-remote-office match source-address any
    set security policies from-zone trust to-zone remote-office policy trust-to-remote-office match destination-address lan-remote-office-192.168.2.0
    set security policies from-zone trust to-zone remote-office policy trust-to-remote-office match application any
    set security policies from-zone trust to-zone remote-office policy trust-to-remote-office then permit
    
    set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match source-address lan-remote-office-192.168.2.0
    set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match destination-address company_servers_virtual
    set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match destination-address company_servers
    set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match destination-address router
    set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match application any
    set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq then permit
    
    set security policies from-zone untrust to-zone untrust policy TEST match source-address any
    set security policies from-zone untrust to-zone untrust policy TEST match destination-address phys-device
    set security policies from-zone untrust to-zone untrust policy TEST match application any
    set security policies from-zone untrust to-zone untrust policy TEST then permit
    
    set security zones security-zone trust address-book address guestwifi 172.16.1.0/24
    set security zones security-zone trust address-book address matchall 0.0.0.0/0
    set security zones security-zone trust address-book address company_servers 10.1.50.0/24
    set security zones security-zone trust address-book address company_servers_virtual 10.1.60.0/24
    set security zones security-zone trust address-book address vdi 10.1.60.26/32
    set security zones security-zone trust address-book address firewall000 10.1.13.2/32
    set security zones security-zone trust address-book address dropbox000 10.1.60.26/32
    set security zones security-zone trust address-book address router 10.1.10.1/32
    set security zones security-zone trust address-book address vsftpd000 10.1.60.43/32
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols bgp
    set security zones security-zone trust host-inbound-traffic protocols ospf
    
    set security zones security-zone trust interfaces st0.2
    set security zones security-zone trust interfaces st0.1
    set security zones security-zone trust interfaces lo0.0
    set security zones security-zone trust interfaces irb.10
    set security zones security-zone trust interfaces st0.4
    set security zones security-zone trust interfaces st0.5
    set security zones security-zone trust interfaces st0.6
    set security zones security-zone trust interfaces st0.7
    set security zones security-zone trust interfaces st0.9
    set security zones security-zone trust interfaces st0.10
    
    set security zones security-zone untrust address-book address phys-device 193.168.1.4/32
    set security zones security-zone untrust address-book address phys-to-device 193.168.1.2/32
    
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust host-inbound-traffic protocols ospf
    
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone untrust interfaces xe-0/0/17.0
    set security zones security-zone untrust interfaces ge-0/0/1.0
    
    set security zones security-zone company_guest address-book address company_guests_wifi 172.16.1.0/24
    set security zones security-zone company_guest host-inbound-traffic system-services dhcp
    set security zones security-zone company_guest host-inbound-traffic system-services ping
    set security zones security-zone company_guest interfaces irb.1001
    set security zones security-zone remote-office address-book address lan-remote-office-192.168.2.0 192.168.2.0/24
    set security zones security-zone remote-office address-book address lan2-remote-office-192.168.1.0 192.168.1.0/24
    set security zones security-zone remote-office interfaces st0.8
    
    set interfaces ge-0/0/1 unit 0 family inet address 193.168.1.2/27
    set interfaces xe-0/0/16 native-vlan-id 10
    set interfaces xe-0/0/16 unit 0 family ethernet-switching interface-mode trunk
    set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members guest_internet
    set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members company_oob
    set interfaces xe-0/0/17 link-mode full-duplex
    set interfaces xe-0/0/17 unit 0 family inet address 192.168.1.2/30
    
    set interfaces fxp0 unit 0 family inet
    
    set interfaces irb unit 10 family inet address 10.1.10.1/24
    set interfaces irb unit 1001 family inet address 172.16.1.1/24
    
    set interfaces lo0 unit 0 family inet address 10.1.1.1/32
    
    set interfaces st0 unit 1 family inet mtu 1436
    set interfaces st0 unit 1 family inet address 16.25.1.118/30
    set interfaces st0 unit 2 family inet mtu 1436
    set interfaces st0 unit 2 family inet address 16.25.1.70/30
    set interfaces st0 unit 3 family inet address 10.0.0.254/24
    set interfaces st0 unit 4 family inet mtu 1436
    set interfaces st0 unit 4 family inet address 16.25.1.106/30
    set interfaces st0 unit 5 family inet mtu 1436
    set interfaces st0 unit 5 family inet address 16.25.1.6/30
    set interfaces st0 unit 6 family inet mtu 1436
    set interfaces st0 unit 6 family inet address 16.25.1.38/30
    set interfaces st0 unit 7 family inet mtu 1436
    set interfaces st0 unit 7 family inet address 16.25.1.134/30
    set interfaces st0 unit 8 family inet address 192.168.2.254/24
    set interfaces st0 unit 9 family inet mtu 1436
    set interfaces st0 unit 9 family inet address 16.25.1.126/30
    set interfaces st0 unit 10 family inet mtu 1436
    set interfaces st0 unit 10 family inet address 16.25.1.38/30
    
    set snmp name sjc-pa-srx-01
    set snmp description "Core Temp Rack"
    set snmp location C202
    set snmp community companyname authorization read-only
    
    set routing-options static route 10.0.0.0/24 next-hop st0.3
    set routing-options static route 10.1.0.0/16 next-hop 10.1.10.2
    set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
    set routing-options static route 192.168.2.0/24 next-hop st0.8
    set routing-options router-id 10.1.10.1
    
    set protocols bgp group ebgp type external
    set protocols bgp group ebgp neighbor 16.24.1.117 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.117 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.117 peer-as 7224
    set protocols bgp group ebgp neighbor 16.24.1.117 local-as 65000
    set protocols bgp group ebgp neighbor 16.24.1.69 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.69 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.69 peer-as 7224
    set protocols bgp group ebgp neighbor 16.24.1.69 local-as 65000
    set protocols bgp group ebgp neighbor 16.24.1.105 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.105 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.105 peer-as 7224
    set protocols bgp group ebgp neighbor 16.24.1.105 local-as 65002
    set protocols bgp group ebgp neighbor 16.24.1.5 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.5 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.5 peer-as 7224
    set protocols bgp group ebgp neighbor 16.24.1.5 local-as 65002
    set protocols bgp group ebgp neighbor 16.24.1.37 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.37 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.37 peer-as 64512
    set protocols bgp group ebgp neighbor 16.24.1.37 local-as 65004
    set protocols bgp group ebgp neighbor 16.24.1.133 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.133 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.133 peer-as 64512
    set protocols bgp group ebgp neighbor 16.24.1.133 local-as 65004
    set protocols bgp group ebgp neighbor 16.24.1.125 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.125 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.125 peer-as 64512
    set protocols bgp group ebgp neighbor 16.24.1.125 local-as 65005
    set protocols bgp group ebgp neighbor 16.24.1.37 hold-time 30
    set protocols bgp group ebgp neighbor 16.24.1.37 export EXPORT-DEFAULT
    set protocols bgp group ebgp neighbor 16.24.1.37 peer-as 64512
    set protocols bgp group ebgp neighbor 16.24.1.37 local-as 65005
    
    set protocols ospf area 0.0.0.0 interface lo0.0
    set protocols ospf area 0.0.0.1 interface xe-0/0/17.0
    set protocols ospf area 0.0.0.1 interface ge-0/0/1.0
    set protocols l2-learning global-mode switching
    
    set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement EXPORT-DEFAULT term default then accept
    set policy-options policy-statement EXPORT-DEFAULT term reject then reject
    
    set access address-assignment pool company_guest family inet network 172.16.1.0/24
    set access address-assignment pool company_guest family inet range range_company_guest low 172.16.1.20
    set access address-assignment pool company_guest family inet range range_company_guest high 172.16.1.200
    set access address-assignment pool company_guest family inet dhcp-attributes server-identifier 172.16.1.1
    set access address-assignment pool company_guest family inet dhcp-attributes name-server 8.8.8.8
    set access address-assignment pool company_guest family inet dhcp-attributes router 172.16.1.1
    
    --removed applications/exposed ports--
    
    set vlans company_oob vlan-id 10
    set vlans company_oob l3-interface irb.10
    set vlans guest_internet vlan-id 1001
    set vlans guest_internet l3-interface irb.1001

  • 4.  RE: Correct options and config for adding public routable block to existing deployment?
    Best Answer

    Posted 12-11-2018 10:20

    So ge-0/0/1 is part of the untrust zone and is assigned the IP address 193.168.1.2/27. The WAN interface is also in the untrust zone. And there is only one untrust-to-untrust security policy, which allows communication to ge-0/0/1 (193.168.1.2) from any source.

    Now let me know from where you are trying to reach which IP. Are you able to reach the internet using the ge-0/0/1 public IP as the source?

    eg: ping 8.8.8.8 source 193.168.1.2

    traceroute 8.8.8.8 source 193.168.1.2 no-resolve

    Since the WAN interface and ge-0/0/1 are part of the same security zone (intra-zone), you have to allow traffic from 193.168.1.0/27 to the internet, and vice versa if required.

    e.g.:

    set security policies from-zone untrust to-zone untrust policy allow-internet match source-address  <193.168.1.0/27>

    set security policies from-zone untrust to-zone untrust policy allow-internet match destination-address any

    set security policies from-zone untrust to-zone untrust policy allow-internet match application any

    set security policies from-zone untrust to-zone untrust policy allow-internet then permit

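The zone-policy lookup the best answer describes, as an added example that is not part of the thread: a constructed Python model of how an SRX picks a policy context from the zones of the ingress and egress interfaces and then walks the policies in that context. The interface-to-zone mapping, the static routes and the TEST and NAT-to-Internet policies are taken from the posted config; the address-book name lan-193 is a made-up stand-in for the <193.168.1.0/27> placeholder in the answer.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed model of the topology in the thread (example data, not the poster's config):
# interface -> (security zone, connected prefix).
INTERFACES = {
    "xe-0/0/17.0": ("untrust", "192.168.1.0/30"),  # WAN /30 to the ISP
    "ge-0/0/1.0":  ("untrust", "193.168.1.0/27"),  # routed /27 customer block
    "irb.10":      ("trust",   "10.1.10.0/24"),    # private LAN
}
# Static routes from the posted config, resolved to the interface that reaches the next hop.
STATIC_ROUTES = [("10.1.0.0/16", "irb.10"), ("0.0.0.0/0", "xe-0/0/17.0")]

# Per-zone address books; "any" is the built-in catch-all. "lan-193" is a constructed
# name standing in for the <193.168.1.0/27> placeholder in the best answer.
ADDRESS_BOOK = {
    "untrust": {"phys-device": "193.168.1.4/32", "lan-193": "193.168.1.0/27"},
    "trust":   {"company_servers": "10.1.50.0/24"},
}


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    name: str
    source_address: str       # address-book name or "any"
    destination_address: str  # address-book name or "any"
    application: str          # "any" or a single application name (enough for this model)
    action: str = "permit"


def route_lookup(ip: str) -> str:
    """Longest-prefix match over connected prefixes and static routes; returns the interface."""
    addr = ip_address(ip)
    candidates = [(ip_network(pfx), ifname) for ifname, (_zone, pfx) in INTERFACES.items()]
    candidates += [(ip_network(pfx), ifname) for pfx, ifname in STATIC_ROUTES]
    _net, ifname = max(((n, i) for n, i in candidates if addr in n), key=lambda m: m[0].prefixlen)
    return ifname


def zone_of(ip: str) -> str:
    """The zone is a property of the interface the address is routed through."""
    return INTERFACES[route_lookup(ip)][0]


def address_matches(zone: str, name: str, ip: str) -> bool:
    if name == "any":
        return True
    # An unknown name raises KeyError, much as a commit with an undefined address would fail.
    return ip_address(ip) in ip_network(ADDRESS_BOOK[zone][name])


def lookup_policy(policies: List[Policy], src_ip: str, dst_ip: str, app: str) -> Tuple[str, str]:
    """First matching policy in the (from-zone, to-zone) context wins; no match falls through
    to the default deny. Intra-zone traffic gets no implicit permit, which is the thread's problem."""
    from_zone, to_zone = zone_of(src_ip), zone_of(dst_ip)
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if not address_matches(from_zone, p.source_address, src_ip):
            continue
        if not address_matches(to_zone, p.destination_address, dst_ip):
            continue
        if p.application not in ("any", app):
            continue
        return p.action, p.name
    return "deny", "default-policy"


# Policies as posted, reduced to the ones that can match this flow.
POSTED = [
    Policy("trust", "untrust", "NAT-to-Internet", "any", "any", "any"),
    Policy("untrust", "untrust", "TEST", "any", "phys-device", "any"),
]
# The best answer's fix: an explicit intra-zone policy scoped to the routed block.
FIXED = POSTED + [Policy("untrust", "untrust", "allow-internet", "lan-193", "any", "any")]


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "193.168.1.4 -> 8.8.8.8:",
              lookup_policy(rules, "193.168.1.4", "8.8.8.8", "junos-icmp-ping"))
```

Running it evaluates the device-to-internet flow once against the posted policies (TEST only matches traffic whose destination is phys-device, so the outbound flow hits the default deny) and once with allow-internet added. Two points the model makes visible: the default policy denies intra-zone traffic exactly as it denies inter-zone traffic, so two interfaces sharing untrust still need an explicit untrust-to-untrust rule; and since the posted source NAT rule-sets only cover trust and company_guest, traffic from the /27 leaves with its real address, which is what a routed block needs. Keeping the source-address scoped to the /27 rather than any is deliberate: an any-to-any untrust-to-untrust policy would also permit whatever arrives on the WAN interface and is routed back out through the same zone.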


  • 5.  RE: Correct options and config for adding public routable block to existing deployment?

    Posted 12-11-2018 20:59

    Thank you, this appears to have addressed the issue. I also just noticed, with a bit of patience, that it takes about 10-15 seconds before the traffic starts flowing, and this could be due to having multiple routes and figuring out which route is best. I will prune and sanitize the final config to serve as an example for other readers within the next day or so.

    Thank you again