Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

Routing and Firewall filter

  • 1.  Routing and Firewall filter

    Posted 01-28-2021 03:38
    Hi everyone,
    I am configuring an SRX100 and cannot get the routing and firewall filter to work, so please help. I describe the details below.
    - I have local network with multiple VLAN: 172.16.0.xxx , 172.16.1.xxx, ..., 172.16.240.xxx and 1 VLAN control is: 172.16.0.xxx
    - I have SRX100 with fe-0/0/3 : 172.16.0.3 and ISP1 : fe-0/0/1 :192.168.99.22 and 1 ISP2: fe-0/0/7: 192.168.110.22
    - I created security zones so that some IPs access the internet via ISP1 and some IPs via ISP2, but at the moment everything goes out through ISP1 only.

    My configuration is below. Could anyone help me fix this problem?
    /* Interface addressing: fe-0/0/1 faces ISP1, fe-0/0/7 faces ISP2, fe-0/0/3 is the internal side (172.16.0.3/24). */
    /* NOTE(review): the closing brace of this "interfaces" stanza is missing from the paste. */
    interfaces {
        /* Only PPPoE encapsulation is set here; no address family is configured on this unit. */
        fe-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        fe-0/0/1 {
            unit 0 {
                description ISP1;
                family inet {
                    address 192.168.99.22/24;
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family inet {
                    /* Filter 2nd-ISP (defined under "firewall") is applied to IPv4 packets arriving on this unit; */
                    /* it decides which sources are looked up in the 2nd-router instance instead of inet.0. */
                    filter {
                        input 2nd-ISP;
                    }
                    address 172.16.0.3/24;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                description ISP2;
                family inet {
                    address 192.168.110.22/24;
                }
            }
        }​
    /* Filter-based forwarding: selects the routing table by source address. */
    /* NOTE(review): this filter only chooses the forwarding table. On an SRX the session presumably still needs */
    /* a security policy (and usually source NAT) toward the zone that holds fe-0/0/7.0; neither is shown in the post. */
    firewall {
        family inet {
            filter 2nd-ISP {
                /* Only sources in 172.16.6.0/24 are handed to routing-instance 2nd-router (default route via ISP2). */
                /* Any other VLAN that should use ISP2 has to be listed here as well. */
                term 0 {
                    from {
                        source-address {
                            172.16.6.0/24;
                        }
                    }
                    then {
                        routing-instance 2nd-router;
                    }
                }
                /* Everything else is accepted and routed by the main table, whose default route points at ISP1. */
                term 1 {
                    then accept;
                }
            }
        }
    }
    /* Main routing table (inet.0) plus the rib-group that shares interface routes with the 2nd-router instance. */
    routing-options {
        /* Copies directly connected (interface) routes into every table named in rib-group 2nd-router, */
        /* so next hops such as 192.168.110.1 and 172.16.0.2 can be resolved inside the instance. */
        interface-routes {
            rib-group inet 2nd-router;
        }
        static {
            /* Default route of the main table: next hop is in the ISP1 subnet (192.168.99.0/24). */
            route 0.0.0.0/0 next-hop 192.168.99.1;
            route 172.18.0.0/16 next-hop 172.16.0.2;
            route 192.168.201.0/24 next-hop 172.16.0.2;
            /* Internal 172.16.0.0/16 is reached through two next hops on the 172.16.0.0/24 segment. */
            route 172.16.0.0/16 next-hop [ 172.16.0.254 172.16.0.253 ];
        }
        rib-groups {
            2nd-router {
                /* inet.0 is listed first (primary table); 2nd-router.inet.0 receives the same interface routes. */
                import-rib [ inet.0 2nd-router.inet.0 ];
            }
        }
    }
    
    /* Forwarding-type instance used by filter 2nd-ISP: same internal routes as inet.0, but the default goes to ISP2. */
    routing-instances {
        2nd-router {
            instance-type forwarding;
            routing-options {
                static {
                    /* Default route of this instance: next hop is in the ISP2 subnet (192.168.110.0/24). */
                    route 0.0.0.0/0 next-hop 192.168.110.1;
                    /* Internal routes repeated from the main table so the instance can reach the internal networks. */
                    route 172.18.0.0/16 next-hop 172.16.0.2;
                    route 192.168.201.0/24 next-hop 172.16.0.2;
                    route 172.16.0.0/16 next-hop [ 172.16.0.254 172.16.0.253 ];
                }
            }
        }
    }
     /* Security zones as pasted. NOTE(review): the braces do not balance and the enclosing "security" level is not shown, */
     /* so part of the configuration appears to be missing. No zone for fe-0/0/1.0, no security policies and no NAT */
     /* rules are visible here - confirm they exist, since filter-based forwarding alone does not permit the traffic. */
     zones {
            security-zone Internal {
                address-book {
                    address 172.16.0.201 172.16.0.201/32;
                    /* NOTE(review): a /32 on a .0 address; Internal_Net below covers the same network as a /24 - confirm intent. */
                    address 172.16.201.0/32 172.16.201.0/32;
                    address Internal_Net 172.16.201.0/24;
                    address Active_update 172.16.210.252/32;
                    address Dev_UV_Gia 172.16.4.30/32;
                    address ECUS_SYS_01 172.16.4.72/32;
                    address ECUS_SYS_02 172.16.4.178/32;
     }
                interfaces {
                    fe-0/0/3.0 {
                        /* Services the SRX itself accepts on this interface. telnet and http are cleartext */
                        /* management protocols; ssh and https cover the same use with encryption. */
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                }
            }
             /* NOTE(review): the "security-zone ... { interfaces {" lines that should enclose this entry are missing from the paste. */
             /* fe-0/0/7 is described as ISP2 in the interfaces stanza, so this list exposes device management */
             /* (including cleartext telnet and http) on an ISP-facing interface; restrict it to what is actually needed there. */
             fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                }
            }
        }
    
    ​


    ------------------------------
    HONG NGUYEN DINH
    ------------------------------