SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configuring SRX340 Point-to-Point and Public IP Assignment

    Posted 03-13-2020 03:34

    Hi,

    Hopefully, I have posted this in the correct forum.  😉

    Could someone please advise me how I would configure an SRX340 with Junos: 19.4R1.10 to do the following:

    - I have been assigned a /25 block of IP addresses from our DC

    - DC connection is a point-to-point 10.10.10.126/30 on my side connecting to 10.10.10.125 on the DC side. This feed is providing us access to our /25 block of IP's.

    - IP assignment 10.10.10.128/25

    - Our SRX340 will be the gateway on our side for the 128/25 assignment

    - One of the ports will be feeding a load balancer that has a large number of these public IP's assigned to it and handles the translation to the private side. The LB also screens which services and ports are available.

    - A few other ports will be connected directly to individual pieces of hardware that are each public.

    - I require ports ge-0/0/1 - 0/10 to allow me to plug any piece of hardware into it configured either with a single IP or in the case of our LB, the majority of our public IP's.

    - Port ge-0/0/15 will be assigned a private IP and connected to our private network. I would like this port to be able to supply some DHCP addresses to the private 192.168.x.x network.

    I have configured ge-0/0/0 with the following for the point-to-point:

    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.126/30;
            }
        }
    }

    Not sure what I need to do with the rest of the ports?

    I see in the default config, it has two zones, Internal and Internet. Should I also be assigning ports to these zones?

    Thanks in advance!



  • 2.  RE: Configuring SRX340 Point-to-Point and Public IP Assignment

    Posted 03-14-2020 08:30

    Welcome to Junos and the forums.

    Your configuration for the ip address facing your upstream looks correct.  By most of the default configurations this interface should be assigned to the untrust zone which you can use for traffic going out to the rest of the data center.

    The rest of the interfaces are likely assigned to the trust vlan and local bridge domain which can be used for all your local service connections.  Here the interface to assign your 10.10.10.129/25 gateway is likely irb unit 0 the same way you did the upstream.  Delete the default address and assign yours.

    The default nat rule will be doing interface address nat from trust to untrust.  In your case I think you need to remove that as you likely don't want nat for these rfc 1918 addresses inside the data center.  This is found under "security nat source"

    Default security policy allows connections to be initiated from trust to untrust but not the reverse direction.  So these will need to be reviewed and changed as needed.

    Next consideration is the default route or other routing connection to your DC.  You mention a load balancer connecting to your devices and public ip addresses.  How does that routing and physical connection work?  

    I would guess you would have a default route pointed at the DC interface 10.10.10.125 and all the nat and traffic is upstream of that.

    But if the load balancer has a direct port on your 10.10.10.128/25 subnet you would need return traffic from these requests to go back there using either default or static routes or some kind of nat rule.

    For the second 192.168 subnet on a single interface you will need to remove that interface from the trust vlan.  And either create a new vlan and irb interface or, if it will only ever be one port, directly put the subnet address on the interface.

    After creating the new vlan you will need to either add that interface (irb or physical) to an existing zone (untrust/trust) if the traffic allow patterns match or create a new zone for this traffic.
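One way to lay out the configuration Steve describes above, as an added example (not from the thread or from Juniper): set-style Junos commands for the point-to-point, the /25 gateway on irb.0, removal of the factory NAT, and a separate zone with DHCP for the private port. The factory irb.0 address, the 192.168.10.0/24 subnet and DHCP range, the zone, policy and pool names, and the choice of junos-https are assumptions; the # lines are annotations, not commands.

```junos
# ge-0/0/0: point-to-point to the DC, untrust zone, default route to the DC side
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.126/30
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.125

# irb.0 (trust VLAN; ge-0/0/1 to ge-0/0/10 stay members) becomes the /25 gateway.
# 192.168.1.1/24 is the assumed factory address; check "show interfaces irb" first.
delete interfaces irb unit 0 family inet address 192.168.1.1/24
set interfaces irb unit 0 family inet address 10.10.10.129/25

# Drop the factory interface NAT (trust -> untrust) so the public /25 is routed, not translated
delete security nat source

# Public hosts and the LB sit in trust; allow inbound from the DC only to the /25 and
# only for the services the hosts actually expose (junos-https here as an assumed example)
set security address-book global address public-25 10.10.10.128/25
set security policies from-zone untrust to-zone trust policy dc-in match source-address any
set security policies from-zone untrust to-zone trust policy dc-in match destination-address public-25
set security policies from-zone untrust to-zone trust policy dc-in match application junos-https
set security policies from-zone untrust to-zone trust policy dc-in then permit

# ge-0/0/15: leave the trust VLAN, carry the private subnet directly, serve DHCP from
# its own zone (subnet, range and names below are assumed)
delete interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0 family inet address 192.168.10.1/24
set security zones security-zone private interfaces ge-0/0/15.0 host-inbound-traffic system-services dhcp
set security zones security-zone private interfaces ge-0/0/15.0 host-inbound-traffic system-services ping
set system services dhcp-local-server group private-lan interface ge-0/0/15.0
set access address-assignment pool private-pool family inet network 192.168.10.0/24
set access address-assignment pool private-pool family inet range r1 low 192.168.10.100
set access address-assignment pool private-pool family inet range r1 high 192.168.10.200
set access address-assignment pool private-pool family inet dhcp-attributes router 192.168.10.1

# Private hosts reach the DC through interface NAT on ge-0/0/0; nothing initiates inbound
set security policies from-zone private to-zone untrust policy private-out match source-address any
set security policies from-zone private to-zone untrust policy private-out match destination-address any
set security policies from-zone private to-zone untrust policy private-out match application any
set security policies from-zone private to-zone untrust policy private-out then permit
set security nat source rule-set private-to-dc from zone private
set security nat source rule-set private-to-dc to zone untrust
set security nat source rule-set private-to-dc rule hide match source-address 192.168.10.0/24
set security nat source rule-set private-to-dc rule hide then source-nat interface
```

Run "commit check" and "show security policies" before committing, and confirm with "show route" that 10.10.10.128/25 is a connected route on irb.0 rather than hidden behind the default route.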



  • 3.  RE: Configuring SRX340 Point-to-Point and Public IP Assignment

    Posted 04-08-2020 01:18

    Thanks Steve for the great info and reply, really appreciated! Apologies for my delay in responding, as I had to divert all my attention to our staff, ensuring they could work from home and such, due to these unprecedented times we now all are facing. I have been on a steep learning curve here with JunOS, as I have never used it before and am used to FOS and ScreenOS. Must say, I do like the rollback feature, some other stuff tho, has me scratching my head.  😉

    Now for the good stuff, all is working relative to my question here, you pointed me in the right direction regarding the irb interface, this one took me a bit to get my head around. I created a new irb unit for the /25 public space, then created a vlan for this new irb unit and associated ports along with a new zone. Did something similar for the 192.168 subnet. Policies created to suit my needs and all is working as expected.  

    The DC had a misconfiguration on their end that was preventing me from pinging hostnames; however, IP's worked. Trying google.com was a big failure, more on this in a bit. This unfortunately took a lot of time to resolve, as they were blaming it on the "new guy" (me) in their DC that they felt did not know what he was doing. Set up a monitor on the outgoing interface and did a trace of all the traffic saved to a log file, which showed the "new guy" was right after all.  For a bit, I did figure I fudged something up, being new to JunOS here.

    The LB is connected to one of the ports in the VLAN and configured to handle the associated public IP's associated with any hardware or such behind it. All is working with it as well, no issues.

    Now going back to the pinging google.com dilemma, I was using that as my ping test originally and the hostname was failing with a "no route to host" error. I now know this is due to being associated with an IPv6 address and something the SRX does not like to do. Seems that any hostname that has an IPv6 addy will fail on a ping with a "no route to host" error from the SRX device. My older SSG devices do not have this problem, and I am not sure at this point if I should even be concerned about this, or what to do to fix this.

    Thanks,

    Chuck



  • 4.  RE: Configuring SRX340 Point-to-Point and Public IP Assignment
    Best Answer

    Posted 04-13-2020 17:02

    I have not used ipv6 for the test routines before but on the cli you need to use ping6 instead of ping so there may be some config adjustments needed for that as well.



  • 5.  RE: Configuring SRX340 Point-to-Point and Public IP Assignment

    Posted 04-13-2020 17:51

    thanks and keep safe!

    C