SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX with ISP with default gateway from different subnet

    Posted 09-27-2018 05:46

    We have the SRX 320.

    Our ISP provides several external static IP addresses from the 95.78.228.208/29 subnet.
    ISP routes these addresses from the gateway 95.78.251.254 to the address 95.78.251.27, which also needs to be configured on our side.
    ISP is connected to the interface ge-0/0/0. [attached screenshot: 2018-09-27_17-06-13.png]

    I guess that the addresses 95.78.228.208/29 should be configured on some internal virtual interface, but I did not find anything suitable in the documentation.
    I tried the configuration where address 95.78.251.27 is configured on the interface ge-0/0/0.0 by using proxy arp.

     

    Something like that:

    set security zones security-zone untrust-isp-1 interfaces ge-0/0/0.0
    
    set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.209/29 primary
    set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.210/29
    set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.211/29
    set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.212/29
    set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.213/29
    set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.214/29
    
    set security nat proxy-arp interface ge-0/0/0.0 address 95.78.251.27/24
    
    set routing-instances isp-1 instance-type virtual-router
    set routing-instances isp-1 interface ge-0/0/0.0
    set routing-instances isp-1 routing-options static route 95.78.251.27/32 next-hop 95.78.251.254
    set routing-instances isp-1 routing-options static route 0.0.0.0/0 next-hop 95.78.251.27 resolve

     

    But this configuration didn't work. The route list for 0.0.0.0/0 in the routing instance isp-1 was empty.

    root@orn-gw-01> show route table isp-1.inet.0 0.0.0.0/0 exact

     

    Therefore pings to Google DNS returned a "ping: sendto: No route to host" error.

     

    I suspect that I'm doing everything wrong 🙂

    Could you help me configure this the right way?


    #gateway
    #Route
    #SRX
    #ISP
    #subnet


  • 2.  RE: SRX with ISP with default gateway from different subnet

     
    Posted 09-27-2018 06:08

    Are you able to ping 95.78.251.27? Can you share "show route detail" output for 0/0?



  • 3.  RE: SRX with ISP with default gateway from different subnet

    Posted 09-27-2018 07:17

    No, I can't ping 95.78.251.27.

     

    root@orn-gw-01# show routing-instances isp-1 routing-options static
    route 95.78.251.27/32 next-hop 95.78.251.254;
    route 0.0.0.0/0 {
        next-hop 95.78.251.27;
        resolve;
    }
    root@orn-gw-01> ping routing-instance isp-1 95.78.251.27
    PING 95.78.251.27 (95.78.251.27): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ^C
    --- 95.78.251.27 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

    Route to 0/0 also doesn't work. isp-2 is routing instance for the backup ISP.

    root@orn-gw-01> show route detail 0.0.0.0/0 exact
    
    inet.0: 144 destinations, 145 routes (144 active, 0 holddown, 0 hidden)
    0.0.0.0/0 (1 entry, 1 announced)
            *Static Preference: 5
                    Next table: isp-1.inet.0
                    Next-hop index: 1320
                    Address: 0x19a079c
                    Next-hop reference count: 3
                    State: <Active Int Ext>
                    Age: 1w0d 22:28:28
                    Validation State: unverified
                    Task: RT
                    Announcement bits (2): 0-KRT 2-Resolve tree 2
                    AS path: I
    
    isp-1.inet.0: 39 destinations, 46 routes (38 active, 0 holddown, 2 hidden)
    
    isp-2.inet.0: 34 destinations, 35 routes (34 active, 0 holddown, 0 hidden)
    
    0.0.0.0/0 (1 entry, 1 announced)
            *Static Preference: 5
                    Next hop type: Router, Next hop index: 1570
                    Address: 0x19a1cd0
                    Next-hop reference count: 3
                    Next hop: 79.140.22.1 via ge-0/0/2.0, selected
                    Session Id: 0x0
                    State: <Active Int Ext>
                    Age: 1w0d 5:22:29
                    Validation State: unverified
                    Task: RT
                    Announcement bits (1): 1-KRT
                    AS path: I

     



  • 4.  RE: SRX with ISP with default gateway from different subnet

    Posted 09-27-2018 09:00

    Hi Avanoc,

     

    What will be the purpose of the 95.78.228.208/29 subnet? Is it for port-forwarding purposes, meaning that if traffic reaches the SRX on 95.78.228.210 and a specific port it will be redirected to an internal server/host?

     

    The fact that your ISP gateway is 95.78.251.254 forces you to have address 95.78.251.27 configured on ge-0/0/0 so that you can have Internet connectivity. As for the configuration of the 95.78.228.208/29 subnet, I would like to better understand its purpose so I can help you with the required config.

     



  • 5.  RE: SRX with ISP with default gateway from different subnet

    Posted 09-27-2018 23:35

    Hi 

     

     



  • 6.  RE: SRX with ISP with default gateway from different subnet

    Posted 09-27-2018 17:08

    This is a standard allocation format for ISPs; we set these up for clients as well. You will not need routing instances for this setup, as all the connections can be in the same master or route VR.

     

    ge-0/0/0 should be connected to the ISP gateway 95.78.251.254 on the address 95.78.251.27.  You don't mention the subnet mask but the interface should have that mask.

     

    Your default route with a next hop of the ISP gateway 95.78.251.254.

     

    For the /29 subnet you have options.

     

    1 - You can configure this directly on an interface in the same routing instance as your ge-0/0/0. This then would be used directly on your devices and servers connected to this interface. This option is typically used by VOIP systems, VPN appliances or other software that does not like to have NAT applied to their connections.

     

    2 - You can use the /29 as NAT addresses for destination, source or static NAT to other devices using private addressing on your network. This is the more typical option. Here you create as many internal interfaces and zones as you need: DMZ, Internal, mgmt or whatever. You assign these your desired zones and subnet allocations from internal space. Then you use the available /29 addresses to set up your NAT forwarding and outbound request rules as desired.

     




  • 7.  RE: SRX with ISP with default gateway from different subnet

    Posted 09-27-2018 23:36

     

    Option two seems to be what we need. If I understand correctly, address 95.78.251.27 remains on the interface ge-0/0/0.0, and addresses from the 95.78.228.208/29 subnet can be used in a destination NAT without any virtual interfaces, "magic routes", etc.

     

    For example:

     

    set security zones security-zone untrust-isp-1 interfaces ge-0/0/0.0
    
    set interfaces ge-0/0/0 unit 0 family inet address 95.78.251.27/24
    
    set routing-instances isp-1 instance-type virtual-router
    set routing-instances isp-1 interface ge-0/0/0.0
    set routing-instances isp-1 routing-options static route 0.0.0.0/0 next-hop 95.78.251.254
    
    set security nat destination pool orn-lb-01-tcp80 address 10.110.9.2/32
    set security nat destination pool orn-lb-01-tcp80 address port 80
    set security nat destination rule-set from-untrust-isp-1 from zone untrust-isp-1
    set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-address 95.78.228.210/29
    set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-port 80
    set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 then destination-nat pool orn-lb-01-tcp80



  • 8.  RE: SRX with ISP with default gateway from different subnet
    Best Answer

    Posted 09-28-2018 02:57

    The interface configuration looks correct.

     

    You don't need to put this into a routing instance.  But it will work if you do as long as you continue then to put the internal interfaces into that same routing instance and continue to build it out that way.

     

    If you are using the routing instance because you expect a second ISP and want to keep them separate then you will also need to do some route leaking between the base routing instance with your site addresses and the ISP upstream ones.

     

    The nat is correct so far.  But you will also need to add a security policy to permit the traffic.  You can see full examples here.

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
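    A complete minimal configuration for the design agreed on in replies 6 to 8 (ISP address on ge-0/0/0, default route to the ISP gateway, the routed /29 used only as NAT addresses, plus the security policy the best answer says is still missing). This is an added example written for this page, not configuration from the thread or from Juniper documentation. It reuses the thread's names (untrust-isp-1, orn-lb-01-tcp80, 10.110.9.2, 95.78.228.210); the internal interface ge-0/0/1 with 10.110.9.1/24, the zone name dmz, the pool name isp-1-public and the policy names are assumptions. The destination NAT rule matches 95.78.228.210/32 rather than /29, so that only that one public address is forwarded to the load balancer instead of the whole block. The `#` lines are explanatory comments, not Junos set syntax; drop them before pasting into `load set terminal`.

```junos
# --- Interfaces: ISP address as given by the ISP, internal address is an assumption ---
set interfaces ge-0/0/0 unit 0 family inet address 95.78.251.27/24
set interfaces ge-0/0/1 unit 0 family inet address 10.110.9.1/24

# --- Routing: one default route in the master instance, no routing-instance needed.
# 95.78.251.254 resolves because it lies in the directly connected 95.78.251.0/24.
set routing-options static route 0.0.0.0/0 next-hop 95.78.251.254

# --- Zones (zone name dmz is an assumption) ---
set security zones security-zone untrust-isp-1 interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0

# --- Address book entry used by the policy below ---
set security address-book global address orn-lb-01 10.110.9.2/32

# --- Destination NAT: 95.78.228.210:80 -> 10.110.9.2:80 ---
set security nat destination pool orn-lb-01-tcp80 address 10.110.9.2/32
set security nat destination pool orn-lb-01-tcp80 address port 80
set security nat destination rule-set from-untrust-isp-1 from zone untrust-isp-1
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-address 95.78.228.210/32
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-port 80
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 then destination-nat pool orn-lb-01-tcp80

# --- Security policy (the part reply 8 says is missing). Destination NAT is applied
# before policy lookup, so the policy matches the translated private address and
# only the one application; everything else from the ISP side is dropped by default.
set security policies from-zone untrust-isp-1 to-zone dmz policy allow-orn-lb-01-http match source-address any
set security policies from-zone untrust-isp-1 to-zone dmz policy allow-orn-lb-01-http match destination-address orn-lb-01
set security policies from-zone untrust-isp-1 to-zone dmz policy allow-orn-lb-01-http match application junos-http
set security policies from-zone untrust-isp-1 to-zone dmz policy allow-orn-lb-01-http then permit
set security policies from-zone untrust-isp-1 to-zone dmz policy allow-orn-lb-01-http then log session-init
set security policies from-zone untrust-isp-1 to-zone dmz policy allow-orn-lb-01-http then log session-close

# --- Outbound: source NAT to another address of the /29 (pool name is an assumption) ---
set security nat source pool isp-1-public address 95.78.228.211/32
set security nat source rule-set dmz-to-internet from zone dmz
set security nat source rule-set dmz-to-internet to zone untrust-isp-1
set security nat source rule-set dmz-to-internet rule dmz-snat match source-address 10.110.9.0/24
set security nat source rule-set dmz-to-internet rule dmz-snat then source-nat pool isp-1-public
set security policies from-zone dmz to-zone untrust-isp-1 policy dmz-out match source-address any
set security policies from-zone dmz to-zone untrust-isp-1 policy dmz-out match destination-address any
set security policies from-zone dmz to-zone untrust-isp-1 policy dmz-out match application any
set security policies from-zone dmz to-zone untrust-isp-1 policy dmz-out then permit

# --- Proxy-ARP (reply 11's question): not needed for the /29, because the ISP routes
# it to 95.78.251.27 and never ARPs for those addresses. It is only required when a
# NAT address is taken from the ISP interface's own segment, 95.78.251.0/24 here.
# Example for that case, left commented out (the address is a constructed sample):
# set security nat proxy-arp interface ge-0/0/0.0 address 95.78.251.28/32
```

    After committing, `show security nat destination rule all` shows hit counters for the rule, `show security flow session destination-prefix 10.110.9.2` shows the translated sessions, and the `log session-init`/`session-close` entries give the syslog trail for inbound connections that a defender would want to keep.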

     



  • 9.  RE: SRX with ISP with default gateway from different subnet

    Posted 09-28-2018 07:09

     



  • 10.  RE: SRX with ISP with default gateway from different subnet

    Posted 12-09-2020 21:44
    I found this discussion looking for the same situation.

    As far as SRX config: for the 2nd IP range (95.78.228.208/29) do I need to specify proxy-arp on the interface?


  • 11.  RE: SRX with ISP with default gateway from different subnet

    Posted 12-10-2020 10:03
    Hi alexd,


    If the static NAT is using the same segment as the ISP interface, then it will require proxy-arp.


    Thanks