SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

How to redirect a server to another Internet link

  • 1.  How to redirect a server to another Internet link

    Posted 02-24-2018 08:10

    Hi everyone.

     

    I would like some help to redirect a server in my Company to another Internet link, in a different physical location, interconnected by two SRX240.

     

    I'll try to explain next, and post a print of my topology, as follows:

     

    1) My Company has two site locations where "SITE A" is the office building and "SITE B" is the data center (image attached).

    2) Each one has an Internet link with a different valid public IP address, assigned by two different ISPs.

    3) The buildings are connected by a radio link and there are two Juniper SRX240 in each point managing all the LAN traffic.

     

    Due to technical problems, the Link2 (on the "SITE B") is offline and there's no deadline from the ISP to fix it.

     

    What I want is to redirect the server in the 172.20.2.0/24 LAN to use the Internet link in "SITE A". Both SRX240s are communicating with each other, and the LANs too.

     

    How can I accomplish this?

     

    Thanks in advance.



  • 2.  RE: How to redirect a server to another Internet link

    Posted 02-24-2018 09:27

    In site B on SRX 2

     

    deactivate the default route to ISP link 2

    deactivate routing-options static route 0.0.0.0/0 next-hop x.x.x.x

     

    Add a default route to radio router B

    set routing-options static route 0.0.0.0/0 next-hop x.x.x.x

     

    In site B on radio router B

    Add a default route to radio router A

     

    In Site A on SRX 1

    Expand or Add a policy that allows radio A interface zone to untrust for internet traffic

     

    Expand or add a NAT policy from radio A interface zone to untrust for internet traffic

     

    I assume that there is already a route to reach the server subnet from site A to site B in place.

     



  • 3.  RE: How to redirect a server to another Internet link

    Posted 02-25-2018 19:41

    In addition to what Steve said: since your DNS is external, I think you need to modify the DNS record in your parent domain for the DNS server public IP (ISP 2 to ISP 1 public IP).

     



  • 4.  RE: How to redirect a server to another Internet link

    Posted 02-26-2018 03:45

    Thanks a lot guys.

     

    I will try these modifications and post the results later.

     

    Regards.



  • 5.  RE: How to redirect a server to another Internet link

    Posted 02-26-2018 10:51

    Hi


    @spuluka wrote:

    In site B on SRX 2

     

    deactivate the default route to ISP link 2

    deactivate routing-options static route 0.0.0.0/0 next-hop x.x.x.x

     

    Add a default route to radio router B

    set routing-options static route 0.0.0.0/0 next-hop x.x.x.x

     

    In site B on radio router B

    Add a default route to radio router A

     

    In Site A on SRX 1

    Expand or Add a policy that allows radio A interface zone to untrust for internet traffic

     

    Expand or add a NAT policy from radio A interface zone to untrust for internet traffic

     

    I assume that there is already a route to reach the server subnet from site A to site B in place.

     



    Thanks for your reply.

    I'm still struggling with some configurations (sorry, I'm kind of a newbie in the Juniper universe). I'll try to explain where I'm stuck based on your previous reply (my comments go in blue).

     

    deactivate the default route to ISP link 2

    deactivate routing-options static route 0.0.0.0/0 next-hop x.x.x.x

    - Done. There's only one route from 0.0.0.0/0 (print_1.jpg) 

     

    Add a default route to radio router B

    set routing-options static route 0.0.0.0/0 next-hop x.x.x.x

    - Done. There's only one route from 0.0.0.0/0 (print_1.jpg)

     

    In site B on radio router B

    Add a default route to radio router A

    - OK, there's already a route between these two routers that communicate SITE A to SITE B. I can ping from both SRX to the router on the other side. (print_2.jpg)

     

    In Site A on SRX 1

    Expand or Add a policy that allows radio A interface zone to untrust for internet traffic

     - Here is where I'm having trouble. I don't know exactly how to do that on my SRX devices. Could you guide me a little more on this topic?

     

    Expand or add a NAT policy from radio A interface zone to untrust for internet traffic

     - Same as above.

    If I understood correctly, Juniper SRX is a zone-based firewall, so I don't have much experience with this kind of equipment.

     

    I assume that there is already a route to reach the server subnet from site A to site B in place.

    - Yes, there is. I can ping from SRX SITE A to the SRX SITE B subnet lan interface which is the gateway IP address for the server. (print_3.jpg)

     

    Hope I'm not being abusive of your good will, but I'll be very thankful if you can help me a little more.

     

    Regards.



  • 6.  RE: How to redirect a server to another Internet link

    Posted 02-26-2018 17:54

    Add a default route to radio router A

    - OK, there's already a route between these two routers that communicate SITE A to SITE B. I can ping from both SRX to the router on the other side. (print_2.jpg)

    The point here is that the current default route at site B points to the site B internet router.

    You need that default route on this router to point to site A.

    Unless this already changes automatically during failover such as now.

     

    In Site A on SRX 1

    Expand or Add a policy that allows radio A interface zone to untrust for internet traffic

     - Here is where i'm getting trouble. I don't know exactly how to do that in my SRX devices. Could you guide me a little more on this topic?

     

    Each interface belongs to a zone.  The default external zone is untrust but may be something else.

    In your web interface:  Security > zones 

    should tell you the zone names for the internet and site B interfaces

    Security > Policies

    Change the from zone to site B and the to zone to Internet

    confirm or add a security policy to permit traffic

     

    Expand or add a NAT policy from radio A interface zone to untrust for internet traffic

     - Same as above.

    If i understood correctly, Juniper SRX is a zone based firewall, so i don't have much experience in these kind of equipment.

     

    under NAT > Source

    confirm or add a policy for outbound source NAT from site B zone to internet zone
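
The security policy and source NAT steps described above for SRX 1 at site A, written as Junos CLI commands instead of web-interface clicks. This is an added example, not part of the original posts: the zone name `radio-a` and the address, policy, rule-set and rule names are assumptions, and `untrust` is assumed to be the Internet-facing zone. It scopes both the permit and the NAT rule to the 172.20.2.0/24 server subnet rather than to any source.

```junos
# Added example. The zone name radio-a and all address/policy/rule names are
# hypothetical; replace them with the names your device actually uses.

# Operational mode: list the zones and the interfaces bound to each one.
show security zones

# --- Configuration mode on SRX 1 (site A) ---

# Address-book entry for the site B server subnet named in the thread.
# Assumes the global address book is in use; on a device that still uses
# zone-attached address books, define the address under the zone instead.
set security address-book global address siteb-servers 172.20.2.0/24

# Security policy: permit only the server subnet from the radio-facing zone
# to the Internet zone, and log each session when it closes.
set security policies from-zone radio-a to-zone untrust policy siteb-to-internet match source-address siteb-servers
set security policies from-zone radio-a to-zone untrust policy siteb-to-internet match destination-address any
set security policies from-zone radio-a to-zone untrust policy siteb-to-internet match application any
set security policies from-zone radio-a to-zone untrust policy siteb-to-internet then permit
set security policies from-zone radio-a to-zone untrust policy siteb-to-internet then log session-close

# Source NAT: translate the server subnet to the address of the egress
# (Internet-facing) interface of SRX 1.
set security nat source rule-set radio-a-to-untrust from zone radio-a
set security nat source rule-set radio-a-to-untrust to zone untrust
set security nat source rule-set radio-a-to-untrust rule siteb-servers-snat match source-address 172.20.2.0/24
set security nat source rule-set radio-a-to-untrust rule siteb-servers-snat then source-nat interface

# Validate, then commit with automatic rollback after 5 minutes unless a
# plain "commit" follows. Useful on a production box managed remotely.
commit check
commit confirmed 5

# --- Operational mode: verify ---
show security policies from-zone radio-a to-zone untrust
show security nat source rule all
show security flow session source-prefix 172.20.2.0/24
```

If the flow session table shows no sessions from 172.20.2.0/24 after the commit, the traffic is not reaching SRX 1 at all, which points at the default routes along the radio path rather than at the policy or NAT.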

     



  • 7.  RE: How to redirect a server to another Internet link

    Posted 03-01-2018 04:02

    Hi Steve,

     

    I'm still having trouble accomplishing this, and I think that my problem is in finding out which router IP I need to put as the next hop in the default route from the SRX on SITE B, so I'm posting a more detailed drawing of my topology for you to take a look at.

     

    I'm posting this because all the infrastructure here is online (except for this problem that I'm trying to fix), and I have a complex network with different VLANs, VPNs and p2p links with clients on both sides, so I can't make any mistakes and make things even worse.

     

    By the way, in the "SERVERS SUBNET" I specified only 172.20.2.0/24 because that is where the DNS servers are, but I have some more subnets on SITE B. I think once I solve the problem for one subnet, I'll be able to solve the rest.

     

    I appreciate your attention (and your patience. LoL).

     

    Thanks a lot.



  • 8.  RE: How to redirect a server to another Internet link

    Posted 03-03-2018 06:01

    Starting on site B from the SRX (I think you did the SRX already)

    deactivate the default route pointing to ISP gateway address

    Add a default route to the Cisco 172.18.3.30 next hop

     

    On the Cisco:  Confirm or add a default route to the radio router 10.200.100.7

     

    Through the radio network:

    each hop has to have the default route forwarding towards the next device in line towards site A

     



  • 9.  RE: How to redirect a server to another Internet link

    Posted 03-05-2018 09:02

    Well, after pointing the default route to the 172.18.3.30 IP in the SRX Site B, I got "TTL expired in transit" messages when pinging some external IP (like Google).

    I did a traceroute and saw that packets are bouncing between the Cisco router at Site B (10.200.100.2 IP interface) and the Cisco router at Site A (10.200.100.1 IP interface) until the limit, when they are dropped.

    Does this mean that I need to verify and/or change route configurations in the Cisco routers?



  • 10.  RE: How to redirect a server to another Internet link
    Best Answer

    Posted 03-06-2018 03:00

    The Cisco device needs to point the default route to the radio B at 100.200.100.7, NOT the SRX B.

     

    You basically need to follow that path around all the devices to the site A SRX, with the default route on each device pointing to the next in line.

     

    So radio B then has a default route to 10.200.100.6 on the repeater.

     

    And the repeater points to radio A at 10.200.100.4.

     

    This is assuming all these are independent devices.  If Radio B can reach radio A directly in routing then you can point the route directly there.

     

    The general point is that you want these two events:

     

    From site B to Site A is pointing default routes

    From site A to Site B is pointing the specific subnets of the site B only

     



  • 11.  RE: How to redirect a server to another Internet link

    Posted 03-08-2018 06:09

    After many days of trying, I finally made things happen.

    Thanks for your help, Steve.

    Cheers.



  • 12.  RE: How to redirect a server to another Internet link

    Posted 03-09-2018 02:29

    Glad to hear you have it working.

    Happy to help.