SRX


VLAN to LAN visibility

  • 1.  VLAN to LAN visibility

    Posted 11-05-2018 15:50

    Hello,

    I have workstation A connected to SRX240 on ge-0/0/5 (one of the ports acting as a switch) for VLAN123 (zone trust)
    for network A.A.A.A/24 with (LAN DHCP). Workstation A has access to the Internet.

    In the same room I have unmanaged switch connected to the back of ISP modem (that setup for LAN B.B.B.B/24)
    Laptop B is connected to that unmanaged switch.

    Is it possible for workstation A on VLAN123 (connected to SRX) to see Laptop B connected to the switch?
    With this setup how do I accomplish this result: network A.A.A.A/24 will see network B.B.B.B/24 and vice versa?
    Do I need to add an extra L3 device or since I have available extra ports on SRX and access to the switch that won't be needed?
    My ISP is the same for both sides.
    I looked in different places for my answer but I can't find it.

    Thank you!



  • 2.  RE: VLAN to LAN visibility

     
    Posted 11-06-2018 02:49

    I assume the untrust interface of the SRX is connected to the same LAN as the unmanaged switch.  This would put the untrust interface in the same subnet.

     

    So connection attempts from host A to host B will be permitted by the outbound security policy.

    And they will be source NATed to the SRX interface.

    So B will be reachable by A

     

    Inbound however there is just the default deny policy from untrust to trust.

    To overcome this you create a permit policy for the B address to the trust zone addresses you want.

     

    And the B device will have only a default route to the ISP modem so any attempt to reach the trust subnet will go to the ISP modem.  To overcome this you will need to install a route for the trust subnet on the PC pointing to the SRX address.

     



  • 3.  RE: VLAN to LAN visibility

    Posted 11-06-2018 12:58

    Steve,

    Thank you for the reply. I'm not able to access SRX at this moment to test it but was wondering:
    I have only one interface on SRX under zone untrust and it has only public IP assigned to that (given by my ISP)

    A.A.A.A/24 = VLAN123 - zone trust on SRX
    I already source NAT this internal subnet to my Internet (egress) interface with a different rule-set name

    B.B.B.B/24 = LAN - unmanaged switch with laptop plugged into it (switch connected to ISP modem on the back)

    Will this additional configuration work? Am I on the right track?
    Will A.A.A.A/24 see B.B.B.B/24 like this ?:

    set security nat source rule-set NAT-SRX from zone trust
    set security nat source rule-set NAT-SRX to zone untrust
    set security nat source rule-set NAT-SRX rule PAT match source-address A.A.A.A/24
    set security nat source rule-set NAT-SRX rule PAT match destination-address B.B.B.B/24
    set security nat source rule-set NAT-SRX rule PAT then source-nat interface

     

    thank you



  • 4.  RE: VLAN to LAN visibility

    Posted 11-07-2018 10:17

    Anyone? Am I thinking it wrong? Can someone please point me to the reading material in relation to this?
    I really would like to understand this setup and whether my approach is making sense.



  • 5.  RE: VLAN to LAN visibility

     
    Posted 11-07-2018 15:11

    I don't follow how the networks are connected then.

     

    If the SRX untrust is a public address how is the b.b.b.b/24 connected and routed?

     

    I guess let's start with what device and ports are connected to where and what models we are dealing with.

     



  • 6.  RE: VLAN to LAN visibility

    Posted 11-07-2018 15:41
      (diagram attached)

    Hello Steve,

    Please see my drawing:
    I want my workstation and laptop to be able to reach each other.



  • 7.  RE: VLAN to LAN visibility

     
    Posted 11-07-2018 16:54

    Thanks for the diagram.  I did not expect the srx untrust interface to be in the same vlan as the b.b.b.b/24 network.

     

    Add a secondary ip address to the untrust interface on the srx with a b.b.b.b/24 address.

     

    Add a static route on the laptop for a.a.a.a/24 next hop of the b.b.b.b address on the SRX

     

    Create an untrust to trust policy on the SRX to permit the laptop source to the desktop destination address.

     



  • 8.  RE: VLAN to LAN visibility

    Posted 11-09-2018 03:55

    Hello,

     

    as per the diagram 

    Please check below point:

    1. When you add interfaces to zones, check the "host-inbound-traffic" configuration in "show security zones security-zone trust/untrust interfaces".

    For testing:

    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }

    2. Check security policies from trust to untrust and vice versa. If you are doing NAT, add the NATed IPs in zones and policies.

    3. By default, it is deny in any zone, so add permit first and then deny.

     



  • 9.  RE: VLAN to LAN visibility

    Posted 11-11-2018 15:47

    cc@tifr.res.in, thank you, I will take a look at this later.



  • 10.  RE: VLAN to LAN visibility

    Posted 11-11-2018 15:46

    Steve,
    When I try:

    set interfaces ge-0/0/0 unit 0 family inet address b.b.b.b/24 secondary

    I get a syntax error.
    ge-0/0/0 unit 0 already has a public IP assigned to it. Is this why it fails?
    What is the correct format for this command?
    Thank you.



  • 11.  RE: VLAN to LAN visibility
    Best Answer

     
    Posted 11-11-2018 17:26

    Sorry for the confusion, there is no keyword secondary.  Simply stop after adding the ip address.

     

    You can have as many ip addresses as you want on an interface.  Optionally you can add the primary designation to one of these addresses.  But it is not required.
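The design from posts 2, 3, 7 and 11 (a second address on the untrust interface, an untrust-to-trust permit for the laptop, the existing interface PAT) written out as an added, illustrative Junos configuration. It is not taken from the original posts. Placeholders and assumptions: ge-0/0/0.0 is the untrust interface, b.b.b.1 is the address picked for the SRX on the laptop's subnet, b.b.b.50 is the laptop, a.a.a.50 is the workstation, NAT-SRX and PAT are the rule-set and rule from post 3, and a global address book is in use. The NAT exemption in step 5 is not discussed in the thread: without it, workstation-to-laptop traffic is translated to the SRX interface address, and the laptop's static route for A.A.A.A/24 is never exercised in that direction.

```junos
# Added illustrative configuration; placeholders: ge-0/0/0.0 = untrust interface,
# b.b.b.1 = address chosen for the SRX on the laptop's subnet, b.b.b.50 = laptop,
# a.a.a.50 = workstation, NAT-SRX / PAT = the rule-set and rule from post 3.

# 1. Second address on the untrust interface. There is no "secondary" keyword;
#    the existing public address stays and may optionally be tagged "primary".
set interfaces ge-0/0/0 unit 0 family inet address b.b.b.1/24

# 2. Let the laptop ping b.b.b.1 while testing (ping only, not "all").
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

# 3. Address objects (global address book; on releases that only have the
#    per-zone address-book, define them under the zone instead).
set security address-book global address laptop-B b.b.b.50/32
set security address-book global address workstation-A a.a.a.50/32

# 4. Inbound laptop -> workstation. Untrust to trust is default-deny, so a
#    permit is needed; keep it host-to-host rather than subnet-to-subnet.
set security policies from-zone untrust to-zone trust policy laptop-to-workstation match source-address laptop-B
set security policies from-zone untrust to-zone trust policy laptop-to-workstation match destination-address workstation-A
set security policies from-zone untrust to-zone trust policy laptop-to-workstation match application any
set security policies from-zone untrust to-zone trust policy laptop-to-workstation then permit
set security policies from-zone untrust to-zone trust policy laptop-to-workstation then log session-init

# 5. Outbound workstation -> laptop: exempt it from the interface PAT so the
#    laptop sees the real a.a.a.x source and answers via its static route.
#    Source NAT rules are evaluated in order, so this rule must precede PAT.
set security nat source rule-set NAT-SRX rule NO-NAT-TO-B match source-address a.a.a.0/24
set security nat source rule-set NAT-SRX rule NO-NAT-TO-B match destination-address b.b.b.0/24
set security nat source rule-set NAT-SRX rule NO-NAT-TO-B then source-nat off
insert security nat source rule-set NAT-SRX rule NO-NAT-TO-B before rule PAT

commit check
```

The laptop still needs a persistent static route for a.a.a.0/24 with next hop b.b.b.1 (post 7); without it, its replies follow the default route to the ISP modem. The trust-to-untrust permit that already gives the workstation Internet access covers the workstation-to-laptop direction, so no extra outbound policy is shown.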

     



  • 12.  RE: VLAN to LAN visibility

    Posted 11-12-2018 09:27

    Thank you, Steve!
    That worked!

    What if another device was connected to that ISP modem and acted as a router and provided Internet access?
    Same ISP, but with the different, next available public IP with the same public gateway and it would serve B.B.B.B/24 for its LAN clients.
    Let's say I setup LAN B.B.B.B/24 on it and it would connect to the same switch with SRX.

    If I understand this correctly, it should work for this setup as well.
    I do not have an extra device to test it, but was just wondering if I'm right.



  • 13.  RE: VLAN to LAN visibility

     
    Posted 11-12-2018 16:41

    Whether or not it would work will depend on the make/model of your ISP modem and how they have their network configured upstream. 

     

    Most consumer ISPs will restrict home connections to getting a single public IP address, so only one device will successfully use the modem bridge and get a working address.

     



  • 14.  RE: VLAN to LAN visibility

    Posted 11-13-2018 10:21
      (diagram attached)

    Let's say it is not an issue with my ISP and I will assign next available public IP with the same public gateway to another device - Router X and it will serve B.B.B.B/24 for its LAN clients.
    Router X is now connected to the ISP modem via WAN port and to the switch using its LAN port.
    Laptop is still connected to the switch.

    Will workstation and laptop still be able to reach each other?
    Using my previous configuration, is there anything else special to consider?

    Please take a look at my updated diagram.



  • 15.  RE: VLAN to LAN visibility

     
    Posted 11-13-2018 17:07

    Well, that is an unusual setup.  But yes, adding the other router won't change reachability between the laptop and the original SRX in this setup.

     

    For any routing through a firewall all you need to do is start at the device initiating the traffic. 

    Then find where the next hop will be towards the destination. 

    On each device consult the route table and security policy to see if it allows the traffic and where the next hop is.

    Once at the destination we reverse the process for the reply packet.

     



  • 16.  RE: VLAN to LAN visibility

    Posted 11-14-2018 10:38

    Thank you, Steve!
    I will definitely give it a go once I get an extra router.

    Would this work with a VPN in place when remote side (remote LAN) reaches my A.A.A.A/24 on SRX?
    Will remote LAN also see B.B.B.B/24 since I already added policy to allow traffic from B.B.B.B/24 to A.A.A.A/24 on SRX and added secondary IP address with a B.B.B.B/24 address to my untrust interface (plus the rest of the configuration)?
    I do not see any need to add anything else to my existing configuration, but I could be wrong.



  • 17.  RE: VLAN to LAN visibility

     
    Posted 11-14-2018 17:06

    With a VPN site-to-site connection the tunnel transports specific prefixes that are configured across the tunnel.  So if you want both prefixes to be visible to the remote site, both would need to be part of the VPN routing or policy VPN setup to be sent across the tunnel.

     

    In addition, on the b.b.b.b subnet a return-path route for the remote LAN segment on the other side of the VPN would need to be added pointing to the local SRX, in the same way the a.a.a.a/24 subnet was added.  Otherwise the remote VPN LAN will hit the b.b.b.b default route out and not return to the originator.

     



  • 18.  RE: VLAN to LAN visibility

    Posted 11-14-2018 17:31

    Steve, thank you for all your help! Woman Happy



  • 19.  RE: VLAN to LAN visibility

    Posted 11-15-2018 05:31

    Let's see if I understood this correctly..
    So after ike gateway, ike and ipsec proposals and policies I will need to add not just proxy-identity local A.A.A.A/24 (SRX side) on my end, I will need to add an additional proxy-identity local for B.B.B.B/24 as well into my VPN config for my side?
    And the remote side will need to add not just A.A.A.A/24 for my end but an additional B.B.B.B/24 on their end as well?



  • 20.  RE: VLAN to LAN visibility

     
    Posted 11-15-2018 17:05

    Basically yes, to connect the B subnet to the remote site via vpn the subnet needs to be configured on the site to site vpn.  The remote site needs to know that subnet is reachable via this tunnel.

     

    One option is as you note proxy id or traffic selectors.  These are used generally when the other side is not an SRX or some other brand that allows route based vpn with open proxy id.  This will use  a route based vpn and you need a tunnel interface and the route to the remote site pointed at that tunnel interface.

     

    Second option in that case is to create policy based  vpn which generates those proxy id via security policy with the tunnel option.
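The route-based option from post 20, with the two local prefixes and the return-path note from post 17, carried through as an added Junos example. This is not the poster's configuration. Assumptions and placeholders: an IKE gateway GW-REMOTE and an IPsec policy IPSEC-POL-REMOTE already exist, r.r.r.0/24 is the remote LAN, "vpn" is the zone chosen for st0.0, b.b.b.1 is the SRX address on the laptop subnet from earlier in the thread, and a global address book is in use. One caveat the thread does not spell out: a Junos ipsec vpn object accepts a single ike proxy-identity, so two local prefixes over one tunnel are expressed as traffic selectors (Junos 12.1X46 and later), which also install a route to each remote-ip prefix via st0.0 automatically; on older releases the alternative is a second vpn object with its own st0 unit and static route.

```junos
# Added illustrative configuration; placeholders: GW-REMOTE and IPSEC-POL-REMOTE
# are an IKE gateway and IPsec policy assumed to exist already, r.r.r.0/24 is the
# remote LAN, "vpn" is the zone chosen for st0.0, b.b.b.1 is the SRX address
# on the laptop subnet from earlier in the thread.

# 1. Tunnel interface in its own zone (route-based VPN).
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

# 2. One VPN object bound to st0.0, one traffic selector per local prefix.
#    Each remote-ip prefix gets a route via st0.0 inserted automatically.
set security ipsec vpn VPN-REMOTE bind-interface st0.0
set security ipsec vpn VPN-REMOTE ike gateway GW-REMOTE
set security ipsec vpn VPN-REMOTE ike ipsec-policy IPSEC-POL-REMOTE
set security ipsec vpn VPN-REMOTE traffic-selector TS-A local-ip a.a.a.0/24 remote-ip r.r.r.0/24
set security ipsec vpn VPN-REMOTE traffic-selector TS-B local-ip b.b.b.0/24 remote-ip r.r.r.0/24
set security ipsec vpn VPN-REMOTE establish-tunnels immediately

# 3. Address objects.
set security address-book global address net-A a.a.a.0/24
set security address-book global address net-B b.b.b.0/24
set security address-book global address net-REMOTE r.r.r.0/24

# 4. Policies. A lives in trust; B is reached through the untrust interface,
#    so the B pair is vpn<->untrust. The NAT-SRX rule-set is trust->untrust
#    only, so none of these zone pairs is source translated.
set security policies from-zone trust to-zone vpn policy A-to-remote match source-address net-A
set security policies from-zone trust to-zone vpn policy A-to-remote match destination-address net-REMOTE
set security policies from-zone trust to-zone vpn policy A-to-remote match application any
set security policies from-zone trust to-zone vpn policy A-to-remote then permit
set security policies from-zone vpn to-zone trust policy remote-to-A match source-address net-REMOTE
set security policies from-zone vpn to-zone trust policy remote-to-A match destination-address net-A
set security policies from-zone vpn to-zone trust policy remote-to-A match application any
set security policies from-zone vpn to-zone trust policy remote-to-A then permit
set security policies from-zone untrust to-zone vpn policy B-to-remote match source-address net-B
set security policies from-zone untrust to-zone vpn policy B-to-remote match destination-address net-REMOTE
set security policies from-zone untrust to-zone vpn policy B-to-remote match application any
set security policies from-zone untrust to-zone vpn policy B-to-remote then permit
set security policies from-zone vpn to-zone untrust policy remote-to-B match source-address net-REMOTE
set security policies from-zone vpn to-zone untrust policy remote-to-B match destination-address net-B
set security policies from-zone vpn to-zone untrust policy remote-to-B match application any
set security policies from-zone vpn to-zone untrust policy remote-to-B then permit

commit check
```

Two things outside the SRX complete the picture: the remote peer must list both a.a.a.0/24 and b.b.b.0/24 as the prefixes behind this tunnel (post 17), and the laptop needs a static route for r.r.r.0/24 with next hop b.b.b.1, for the same reason it needed one for a.a.a.0/24. Verify with "show security ike security-associations", "show security ipsec security-associations" (one SA pair per traffic selector) and "show route r.r.r.0/24".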

     



  • 21.  RE: VLAN to LAN visibility

    Posted 11-18-2018 16:58
      (diagram attached)

    I was thinking about this scenario and whether it is even possible.
    Steve, please see my drawing.

    SRX Stays as it is with VLAN123 (zone trust) with network A.A.A.A/24 (LAN DHCP).
    Workstation A connected to one of the ports on SRX that is assigned to my VLAN123.
    Workstation A has access to the Internet.

    Now I added another device named Router X that connected to the same ISP modem via WAN port.
    Router X (just like SRX) has public IP assigned to it with the same public gateway for the same ISP.

    Router X also has LAN ports on it and it will serve B.B.B.B/24 for its LAN clients.
    One of them is Laptop B already connected to Router X on LAN port 1 and it has access to Internet.

    Lets say I plug another Ethernet cable into the LAN port 2 on Router X.
    Will it be possible with this scenario for Laptop B (connected to Router X) to communicate with Workstation A (connected to SRX).

    Or pretty much anything connected on the LAN for Router X communicating with the LAN for VLAN123 on SRX.


    Where would that Ethernet cable coming from LAN port 2 on Router X go?
    Into another available port for VLAN123 on SRX? Into a separate new port on SRX that needs to be setup?
    I do not think I can add another IP with B.B.B.B/24 for VLAN123 on SRX and setup routing this way.

     



  • 22.  RE: VLAN to LAN visibility

    Posted 11-19-2018 10:54

    Spoke with one of the IT guys that used to work for our graphic company and he said that there is no need to do anything on the Router X except for the actual physical connectivity between Router X's LAN ports and SRX.
    Everything else needs to be done on SRX, but nothing specific was mentioned as far as on where and on what to start on SRX.

    Please advise, and thank you.



  • 23.  RE: VLAN to LAN visibility

     
    Posted 11-19-2018 16:29

    Looking at the diagram you could connect the b.b.b.b/24 router x interface to one of the SRX interfaces.

     

    On the SRX this connected interface would be removed from the a.a.a.a/24 vlan.

     

    you would assign a b.b.b.x/24 address on this interface.

    You would add this interface to the Trust zone.

     

    Assuming you have a security policy that allows trust to trust traffic everything would be in place.  Otherwise you create a trust to trust policy for the two subnets to allow the communications.

     

    On Router X you need to add a static route for a.a.a.a/24 with a next hop of the b.b.b.x address you have installed on the SRX.  This is needed for the return path of the traffic.

     



  • 24.  RE: VLAN to LAN visibility

    Posted 11-20-2018 14:28
      (diagram attached)

    Steve, please see my updated diagram

     

    I decided to use a separate interface on SRX for this: ge-0/0/4
    Assigned B.B.B.B.x/24 on SRX for ge-0/0/4.0 - zone trust

    I connected LAN port on Router X into the port on SRX ge-0/0/4
    On Router X I added static route with destination to B.B.B.B.x/24 on SRX (ge-0/0/4.0)
    Added policy from trust to trust to match source-address any, destination-address any, application any and permit

    I ssh into SRX and I can ping Laptop B connected to Router X LAN interface:

    ping b.b.b.x interface ge-0/0/4.0

    From Laptop B I can ping IP B.B.B.B.x/24 assigned to ge-0/0/4.0 on SRX

     

    But I can't communicate with Workstation A connected to SRX on VLAN123 A.A.A.A/24 (zone trust) from Laptop B,
    and Workstation A can't see Laptop B.
    Did I miss adding anything on SRX?



  • 25.  RE: VLAN to LAN visibility

     
    Posted 11-21-2018 04:46

    That all looks complete.

     

    Can you verify the windows firewall is off on the workstation so it allows inbound ping.

     

    Also confirm that the session is seen and permitted on the SRX during the ping operation.

     

    show security flow session source-prefix b.b.b.b/24
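Post 23's design (Router X's LAN side cabled into a dedicated SRX port in the trust zone) together with the checks from post 25, as an added Junos example rather than the poster's actual configuration. Placeholders and assumptions: ge-0/0/4 was a switch port in VLAN123, vlan.123 is the trust L3 interface for a.a.a.0/24, the SRX takes b.b.b.1 on ge-0/0/4.0, Router X's LAN address is b.b.b.254, the laptop is b.b.b.50, the workstation is a.a.a.50, and a global address book is in use. The policy is deliberately narrower than the any/any/any trust-to-trust rule in post 24, and the verification commands follow the order post 15 gives: route table first, then policy, then the live session.

```junos
# Added illustrative configuration; placeholders: ge-0/0/4 = the port now cabled
# to Router X's LAN side, vlan.123 = trust L3 interface for a.a.a.0/24,
# b.b.b.1 = SRX address on ge-0/0/4.0, b.b.b.254 = Router X LAN address,
# b.b.b.50 = laptop, a.a.a.50 = workstation.

# 1. Turn ge-0/0/4 from a switch port into a routed interface.
delete interfaces ge-0/0/4 unit 0 family ethernet-switching
delete vlans vlan123 interface ge-0/0/4.0      # only if the port was listed under the VLAN this way
set interfaces ge-0/0/4 unit 0 family inet address b.b.b.1/24

# 2. If b.b.b.0/24 was added to the untrust interface in the earlier design,
#    remove it there first: the same subnet must not sit on two interfaces.
delete interfaces ge-0/0/0 unit 0 family inet address b.b.b.1/24

# 3. Zone membership, with ping allowed for testing.
set security zones security-zone trust interfaces ge-0/0/4.0 host-inbound-traffic system-services ping

# 4. Intra-zone policy limited to the two subnets (narrower than any/any/any).
set security address-book global address net-A a.a.a.0/24
set security address-book global address net-B b.b.b.0/24
set security policies from-zone trust to-zone trust policy A-B-intra match source-address net-A
set security policies from-zone trust to-zone trust policy A-B-intra match source-address net-B
set security policies from-zone trust to-zone trust policy A-B-intra match destination-address net-A
set security policies from-zone trust to-zone trust policy A-B-intra match destination-address net-B
set security policies from-zone trust to-zone trust policy A-B-intra match application any
set security policies from-zone trust to-zone trust policy A-B-intra then permit
set security policies from-zone trust to-zone trust policy A-B-intra then log session-init
commit

# 5. Verification from configuration mode, in post 15's order:
#    route lookup, policy lookup, then the session created by a live ping.
run show route a.a.a.50          # expect a Direct route via vlan.123
run show route b.b.b.50          # expect a Direct route via ge-0/0/4.0
run show security match-policies from-zone trust to-zone trust source-ip b.b.b.50 destination-ip a.a.a.50 source-port 40000 destination-port 3389 protocol tcp
run show security flow session source-prefix b.b.b.0/24
run show security policies policy-name A-B-intra detail
```

Router X needs a static route for a.a.a.0/24 with next hop b.b.b.1 on its LAN interface (post 23); that part is vendor specific and not shown. Because both subnets now sit in trust, the trust-to-untrust NAT-SRX rule-set never sees this traffic. If the flow session appears on the SRX with the expected policy name but the ping still fails, the remaining block is on the workstation itself, which is the Windows firewall check in post 25.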

     



  • 26.  RE: VLAN to LAN visibility

    Posted 11-23-2018 19:36

    Thank you, Steve.
    I'm currently out of town, but will test it once I have a chance.