SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Have an issue with routing instances

    Posted 05-06-2016 11:55

    I need to route a machine on my network to the second IP from my ISP, but I'm having trouble, it doesn't work!!

    My scheme is:

     

    ISP: ge-0/0/1 
    IP: 200.55.125.149 / 200.55.125.153 / 200.55.125.154 / 200.55.125.156
    GW: 200.55.125.254

    DMZ: ge-0/0/2
    IP: 172.16.0.234/24

    I need that:
    172.16.0.56 --- > 200.55.125.153
    172.16.0.57 --- > 200.55.125.222

    0.0.0.0/0      ---- > 200.55.125.156

    I'm trying this way, but it doesn't work!

    # Set logical interfaces with multiple IP address
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 unit 0 description "IP149"
    set interfaces ge-0/0/1 unit 0 vlan-id 20
    set interfaces ge-0/0/1 unit 0 family inet address 200.55.125.149/24
    set interfaces ge-0/0/1 unit 1 description "IP153"
    set interfaces ge-0/0/1 unit 1 vlan-id 21
    set interfaces ge-0/0/1 unit 1 family inet address 200.55.125.153/24
    set interfaces ge-0/0/1 unit 2 description "IP154"
    set interfaces ge-0/0/1 unit 2 vlan-id 22
    set interfaces ge-0/0/1 unit 2 family inet address 200.55.125.154/24
    set interfaces ge-0/0/1 unit 3 description "IP156"
    set interfaces ge-0/0/1 unit 3 vlan-id 23
    set interfaces ge-0/0/1 unit 3 family inet address 200.55.125.156/24
    set interfaces ge-0/0/1 unit 4 description "IP222"
    set interfaces ge-0/0/1 unit 4 vlan-id 24
    set interfaces ge-0/0/1 unit 4 family inet address 200.55.125.222/24


    # Set the security zones

    set security zones security-zone Z-IP149 interfaces ge-0/0/1.0
    set security zones security-zone Z-IP153 interfaces ge-0/0/1.1
    set security zones security-zone Z-IP154 interfaces ge-0/0/1.2
    set security zones security-zone Z-IP156 interfaces ge-0/0/1.3
    set security zones security-zone Z-IP222 interfaces ge-0/0/1.4


    # Set routing instances

    set routing-instances ROUTE-IP149 instance-type forwarding
    set routing-instances ROUTE-IP149 routing-options static route 0.0.0.0/0 next-hop 200.55.125.254

    set routing-instances ROUTE-IP153 instance-type forwarding
    set routing-instances ROUTE-IP153 routing-options static route 0.0.0.0/0 next-hop 200.55.125.254

    set routing-instances ROUTE-IP154 instance-type forwarding
    set routing-instances ROUTE-IP154 routing-options static route 0.0.0.0/0 next-hop 200.55.125.254

    set routing-instances ROUTE-IP156 instance-type forwarding
    set routing-instances ROUTE-IP156 routing-options static route 0.0.0.0/0 next-hop 200.55.125.254

    set routing-instances ROUTE-IP222 instance-type forwarding
    set routing-instances ROUTE-IP222 routing-options static route 0.0.0.0/0 next-hop 200.55.125.254


    # Set filter (a logical unit accepts only one input filter, so all FBF terms live in a single filter;
    # a second "filter input" statement would simply replace the first)

    set interfaces ge-0/0/2 unit 0 family inet filter input FILTER-DMZ


    # Set the rib groups (import the interface/direct routes into every forwarding instance
    # so that the 200.55.125.254 next-hop resolves inside them)

    set routing-options interface-routes rib-group inet IMPORT-PHY
    set routing-options rib-groups IMPORT-PHY import-rib inet.0
    set routing-options rib-groups IMPORT-PHY import-rib ROUTE-IP149.inet.0
    set routing-options rib-groups IMPORT-PHY import-rib ROUTE-IP153.inet.0
    set routing-options rib-groups IMPORT-PHY import-rib ROUTE-IP154.inet.0
    set routing-options rib-groups IMPORT-PHY import-rib ROUTE-IP156.inet.0
    set routing-options rib-groups IMPORT-PHY import-rib ROUTE-IP222.inet.0

     

    # Set filter: terms are evaluated first-match, so the host-specific terms come first
    # and the catch-all term (no "from" clause) comes last

    set firewall filter FILTER-DMZ term 1 from source-address 172.16.0.56/32
    set firewall filter FILTER-DMZ term 1 then routing-instance ROUTE-IP153

    set firewall filter FILTER-DMZ term 2 from source-address 172.16.0.57/32
    set firewall filter FILTER-DMZ term 2 then routing-instance ROUTE-IP222

    set firewall filter FILTER-DMZ term 3 then routing-instance ROUTE-IP156


    # accept ping
    set security zones security-zone Z-IP153 interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
    set security zones security-zone Z-IP222 interfaces ge-0/0/1.4 host-inbound-traffic system-services ping

     

    # Address books

    set security zones security-zone DMZ address-book address CLIENTE 172.16.0.56
    set security zones security-zone DMZ address-book address PROXY 172.16.0.57

     

    # Set access to:

    set security policies from-zone DMZ to-zone Z-IP153 policy allow-internal-clients match source-address CLIENTE
    set security policies from-zone DMZ to-zone Z-IP153 policy allow-internal-clients match destination-address any
    set security policies from-zone DMZ to-zone Z-IP153 policy allow-internal-clients match application any
    set security policies from-zone DMZ to-zone Z-IP153 policy allow-internal-clients then permit

    set security policies from-zone DMZ to-zone Z-IP222 policy allow-internal-clients match source-address PROXY
    set security policies from-zone DMZ to-zone Z-IP222 policy allow-internal-clients match destination-address any
    set security policies from-zone DMZ to-zone Z-IP222 policy allow-internal-clients match application any
    set security policies from-zone DMZ to-zone Z-IP222 policy allow-internal-clients then permit


    ### SNAT
    set security nat source rule-set DMZ-to-IP153 from zone DMZ
    set security nat source rule-set DMZ-to-IP153 to zone Z-IP153
    set security nat source rule-set DMZ-to-IP153 rule inet-access match source-address 172.16.0.56
    set security nat source rule-set DMZ-to-IP153 rule inet-access match destination-address 0.0.0.0/0
    set security nat source rule-set DMZ-to-IP153 rule inet-access then source-nat interface

     

    set security nat source rule-set DMZ-to-IP222 from zone DMZ
    set security nat source rule-set DMZ-to-IP222 to zone Z-IP222
    set security nat source rule-set DMZ-to-IP222 rule inet-access2 match source-address 172.16.0.57
    set security nat source rule-set DMZ-to-IP222 rule inet-access2 match destination-address 0.0.0.0/0
    set security nat source rule-set DMZ-to-IP222 rule inet-access2 then source-nat interface




    What's wrong?

     


    #fbf
    #routing
    #multipleip


  • 2.  RE: Have an issue with routing instances
    Best Answer

    Posted 05-07-2016 04:13

    Hi Marc,

     

    From your requirement, it seems to me that you want to translate (source NAT) your internal addresses as below,

    instead of routing them, as there is only one gateway (.254), a single IP on the ISP, and you have multiple IPs.

    172.16.0.56 --- > 200.55.125.153
    172.16.0.57 --- > 200.55.125.222
    0.0.0.0/0 ---- > 200.55.125.156

     

    Please clarify if this is not correct. If my understanding is correct, we can achieve this with simple source NAT without going for filter-based forwarding.

     

    Generally we go for filter-based forwarding when we have different next-hops (multiple ISPs), but in this case we have only a single next-hop.

     

    Sample source NAT config that works for you:

    set interfaces ge-0/0/1 unit 0 family inet address 200.55.125.149/24
    set security zones security-zone Z-IP149 interfaces ge-0/0/1.0

    set security nat source pool IP153 address 200.55.125.153/32
    set security nat source pool IP222 address 200.55.125.222/32
    set security nat source pool IP156 address 200.55.125.156/32
    set security nat source rule-set DMZ-to-Internet from zone DMZ
    set security nat source rule-set DMZ-to-Internet to zone Z-IP149
    set security nat source rule-set DMZ-to-Internet rule IP153 match source-address 172.16.0.56/32
    set security nat source rule-set DMZ-to-Internet rule IP153 match destination-address 0.0.0.0/0
    set security nat source rule-set DMZ-to-Internet rule IP153 then source-nat pool IP153
    set security nat source rule-set DMZ-to-Internet rule IP222 match source-address 172.16.0.57/32
    set security nat source rule-set DMZ-to-Internet rule IP222 match destination-address 0.0.0.0/0
    set security nat source rule-set DMZ-to-Internet rule IP222 then source-nat pool IP222
    set security nat source rule-set DMZ-to-Internet rule IP156 match source-address 0.0.0.0/0
    set security nat source rule-set DMZ-to-Internet rule IP156 match destination-address 0.0.0.0/0
    set security nat source rule-set DMZ-to-Internet rule IP156 then source-nat pool IP156


    set security nat proxy-arp interface ge-0/0/1.0 address 200.55.125.153/32
    set security nat proxy-arp interface ge-0/0/1.0 address 200.55.125.156/32
    set security nat proxy-arp interface ge-0/0/1.0 address 200.55.125.222/32

     



  • 3.  RE: Have an issue with routing instances

    Posted 05-08-2016 19:07

    Hi, thank you for your quick answer.

    My problem is I actually have 2 ISP default gateways, and for that I thought this could be fixed using filter-based routing. This configuration doesn't need any failover configuration.

    For that, what I need is to be able to forward one private IP address to one public IP on one ISP or the other, as required.

    Do you think this can be achieved using source NAT, or will I need to use another configuration?

    I tried to use VLAN tagging with 4 logical interface units; this didn't work because I was unable to route through the VLANs.

     

    Thanks in advance.

     

    Regards.



  • 4.  RE: Have an issue with routing instances

    Posted 05-08-2016 21:58

    Yeah man!!! It works fine!!!

     

    The only thing missing was a security policy from DMZ to Z-IP149 (any).

     

    Thank you!!!

     

    You say that with the other ISP I do the same?

     

    Thanks again!



  • 5.  RE: Have an issue with routing instances

    Posted 05-08-2016 20:26

    Let's see if we can clarify. You would like to translate two internal IP addresses as shown, and all others (0/0) as shown?

    So it seems like what you need is static NAT for:

    rule 1

    172.16.0.56 --- > 200.55.125.153

    rule 2
    172.16.0.57 --- > 200.55.125.222

    source NAT rule 1

    and source NAT with a pool for 200.55.125.156:

    0.0.0.0/0      ---- > 200.55.125.156

     

    You would use filter-based forwarding when you want to forward traffic to a destination IP when matching criteria x.
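The two-ISP case raised in reply 3 is the one where filter-based forwarding actually earns its place (reply 5's "forward to a destination when matching criteria x"), combined with the per-ISP source NAT from reply 2. The configuration below is an added example written for this thread, not config posted by any participant. It reuses the thread's ISP1 addressing (200.55.125.0/24, gateway .254) and the DMZ hosts .56 and .57; the second uplink (ge-0/0/3, 198.51.100.0/24 from the documentation range, gateway .1, pool address .10) and all zone, instance, filter and pool names are constructed assumptions.

```junos
# --- Interfaces and zones (ISP2 interface/addresses are constructed for this example) ---
set interfaces ge-0/0/1 unit 0 family inet address 200.55.125.149/24
set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.2/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.0.234/24
set security zones security-zone ISP1 interfaces ge-0/0/1.0
set security zones security-zone ISP2 interfaces ge-0/0/3.0
set security zones security-zone DMZ interfaces ge-0/0/2.0

# --- Routing: main table defaults to ISP1; one forwarding instance per ISP ---
set routing-options static route 0.0.0.0/0 next-hop 200.55.125.254
set routing-instances VIA-ISP1 instance-type forwarding
set routing-instances VIA-ISP1 routing-options static route 0.0.0.0/0 next-hop 200.55.125.254
set routing-instances VIA-ISP2 instance-type forwarding
set routing-instances VIA-ISP2 routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# Copy the direct (interface) routes into both forwarding instances so their
# next-hops resolve and DMZ-to-local traffic still works after redirection
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib VIA-ISP1.inet.0
set routing-options rib-groups IMPORT-PHY import-rib VIA-ISP2.inet.0

# --- FBF: one ingress filter on the DMZ unit (a unit takes a single input filter),
#     first-match terms, most specific first, catch-all last ---
set firewall filter FBF-DMZ term host56 from source-address 172.16.0.56/32
set firewall filter FBF-DMZ term host56 then routing-instance VIA-ISP1
set firewall filter FBF-DMZ term host57 from source-address 172.16.0.57/32
set firewall filter FBF-DMZ term host57 then routing-instance VIA-ISP2
set firewall filter FBF-DMZ term default then routing-instance VIA-ISP1
set interfaces ge-0/0/2 unit 0 family inet filter input FBF-DMZ

# --- Source NAT: each ISP zone gets its own rule-set; pool IPs are in the uplink
#     subnet but not on the interface, so proxy-ARP answers for them ---
set security nat source pool ISP1-IP153 address 200.55.125.153/32
set security nat source pool ISP2-IP10 address 198.51.100.10/32
set security nat source rule-set DMZ-to-ISP1 from zone DMZ
set security nat source rule-set DMZ-to-ISP1 to zone ISP1
set security nat source rule-set DMZ-to-ISP1 rule host56 match source-address 172.16.0.56/32
set security nat source rule-set DMZ-to-ISP1 rule host56 then source-nat pool ISP1-IP153
set security nat source rule-set DMZ-to-ISP1 rule rest match source-address 0.0.0.0/0
set security nat source rule-set DMZ-to-ISP1 rule rest then source-nat interface
set security nat source rule-set DMZ-to-ISP2 from zone DMZ
set security nat source rule-set DMZ-to-ISP2 to zone ISP2
set security nat source rule-set DMZ-to-ISP2 rule host57 match source-address 172.16.0.57/32
set security nat source rule-set DMZ-to-ISP2 rule host57 then source-nat pool ISP2-IP10
set security nat proxy-arp interface ge-0/0/1.0 address 200.55.125.153/32
set security nat proxy-arp interface ge-0/0/3.0 address 198.51.100.10/32

# --- Security policies: the piece reply 4 found missing; without a DMZ-to-ISPx
#     permit the session is dropped before NAT or forwarding matters ---
set security policies from-zone DMZ to-zone ISP1 policy dmz-out match source-address any
set security policies from-zone DMZ to-zone ISP1 policy dmz-out match destination-address any
set security policies from-zone DMZ to-zone ISP1 policy dmz-out match application any
set security policies from-zone DMZ to-zone ISP1 policy dmz-out then permit
set security policies from-zone DMZ to-zone ISP2 policy dmz-out match source-address any
set security policies from-zone DMZ to-zone ISP2 policy dmz-out match destination-address any
set security policies from-zone DMZ to-zone ISP2 policy dmz-out match application any
set security policies from-zone DMZ to-zone ISP2 policy dmz-out then permit

# Verification (operational mode):
#   show route table VIA-ISP2.inet.0          -> expect 0.0.0.0/0 via 198.51.100.1 plus the imported direct routes
#   show security flow session source-prefix 172.16.0.57/32
#                                             -> egress interface ge-0/0/3.0, translated source 198.51.100.10
```

The point of the split is that FBF decides the egress ISP (which routing instance, hence which next-hop) while source NAT decides the public address, and the NAT rule-sets are keyed on the destination zone, so a host steered to ISP2 by the filter can only ever be translated to an ISP2 pool address. If the filter and the NAT rule-sets disagree (for example .57 steered to VIA-ISP2 but only listed under DMZ-to-ISP1), the session is still permitted but leaves ISP2 untranslated or interface-translated, which is the first thing to check in `show security flow session` when "it doesn't work".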