SRX


SRX340 as Internet Gateway

  • 1.  SRX340 as Internet Gateway

    Posted 03-23-2017 17:15

    Hi!


    I am working for the first time with Juniper equipment. I am trying to set up my machine (SRX340) as the internet gateway for the internal network. I do not have any VLANs; I just wish all computers in the internet network could access the internet through this gateway.
    I tried setting it up using the Wizard and also searched for materials on the internet, but I did not succeed with any settings. At the moment, computers cannot access the internet, but if I try to access the internet from the equipment via the CLI it works (ping works normally).

     

    Could you help me with this setup?

     

    This is my interface configuration:

     

    ge-0/0/0 - ISP Provider

    ge-0/0/2 - Gateway for internal network computers

    fxp0 - Management interface

    static route - Gateway from ISP

     

    Security configuration - Internal to Internet - ALL,ALL

     

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 177.19.201.116/29;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.5.200/23;
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.5.3/23;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop [ 192.168.5.254 177.19.xxx.xxx ];
        }
    }



  • 2.  RE: SRX340 as Internet Gateway
    Best Answer

     
    Posted 03-23-2017 20:04

    Hello,

     

    A couple of suggestions:

     

    1) Mark the static default route pointing to the Internet gateway, and for your LAN and FXP port, make specific static routes. Delete all other default routes.

    e.g.:

     

    set routing-options static route 0/0 next-hop 177.19.xxx.xxx 

     

    2) Try using a different subnet for FXP (do not use the same one as the LAN) to avoid any subnet confusion, because the FXP is specifically for inbound management and is not used for transit traffic. So please be advised to use a different subnet for management on FXP.

     

    3) The NAT configuration is missing, along with zones and policies.

     

    Here is a sample configuration that you can try:

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 177.19.201.116/29;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.5.200/23;
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.10.2/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 177.19.xxx.xxx ;
            route 192.168.10.0/24 next-hop 192.168.10.X ;
            route 192.168.5.0/23 next-hop 192.168.xxx.xxx ;
        }
    }
    security {
        nat {
            source {
                rule-set SNAT {
                    from zone trust;
                    to zone untrust;
                    rule 1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }

        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
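
Suggestion 2 above (keep fxp0 off the LAN subnet) can be checked mechanically before a commit. The following Python check is an added example, not part of the original posts: it parses the `interfaces` stanza of a curly-brace Junos configuration and reports interfaces whose IPv4 subnets overlap. The function names are hypothetical, and the sample input is constructed from the addresses posted in this thread.

```python
import ipaddress
from itertools import combinations

def statements(text):
    """Yield each leaf statement of a curly-brace Junos config as a path tuple."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            yield tuple(stack) + (line[:-1].strip(),)

def interface_networks(text):
    """Map 'ifname.unit' to the IPv4 networks configured under family inet."""
    nets = {}
    for path in statements(text):
        if (len(path) == 5 and path[0] == "interfaces"
                and path[2].startswith("unit ") and path[3] == "family inet"
                and path[4].startswith("address ")):
            name = f"{path[1]}.{path[2].split()[1]}"
            iface = ipaddress.ip_interface(path[4].split()[1])
            nets.setdefault(name, []).append(iface.network)
    return nets

def overlapping_subnets(text):
    """Return (ifA, ifB, netA, netB) for every pair of interfaces that overlap."""
    hits = []
    for (a, na), (b, nb) in combinations(sorted(interface_networks(text).items()), 2):
        for x in na:
            for y in nb:
                if x.overlaps(y):
                    hits.append((a, b, str(x), str(y)))
    return hits

def sample_config(fxp0_addr):
    """Constructed sample: the thread's interface addresses with a chosen fxp0 address."""
    ifaces = {"ge-0/0/0": "177.19.201.116/29",
              "ge-0/0/2": "192.168.5.200/23",
              "fxp0": fxp0_addr}
    body = "".join(f"{n} {{\nunit 0 {{\nfamily inet {{\naddress {a};\n}}\n}}\n}}\n"
                   for n, a in ifaces.items())
    return "interfaces {\n" + body + "}\n"

if __name__ == "__main__":
    for addr in ("192.168.5.3/23", "192.168.10.2/24"):  # original vs. suggested fxp0
        print(addr, overlapping_subnets(sample_config(addr)))
```

With the original fxp0 address the check reports fxp0.0 and ge-0/0/2.0 sharing 192.168.4.0/23; with the suggested 192.168.10.2/24 it reports nothing.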

     



  • 3.  RE: SRX340 as Internet Gateway

    Posted 03-24-2017 13:32

    Thanks Sam!!

    You are right! The problem in my connection was solved when I changed my management network to a different network from the internal network.



  • 4.  RE: SRX340 as Internet Gateway

     
    Posted 03-26-2017 23:09

    Hello,

     

    Thanks for the update. Glad that it helped. Please mark the update that helped you fix the issue as "solved", so that it will be useful for others and for future use.



  • 5.  RE: SRX340 as Internet Gateway

     
    Posted 03-23-2017 20:06

    Hello,

     

    To add, the FXP will be active only in a cluster configuration; otherwise, you can use the ge-0/0/2 IP for LAN management.