Juniper SRX 320 - srx now cannot configure proper routes and NAT

View Only

last person joined: 2 days ago

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Back to discussions

Expand all | Collapse all

Juniper SRX 320 - srx now cannot configure proper routes and NAT

1. Juniper SRX 320 - srx now cannot configure proper routes and NAT

0 Recommend
Ammar Malhotra
Posted 03-25-2024 08:53

Reply Reply Privately
Hello all,

dear i have moved from cisco meraki to juniper srx 320 now it was very hard i was able to setup internet with great difficulty but help on this place

now i have to access 10.199.0.7 from sdwan device that is connected to juniper but i am not able to set it up properly after 3 days of constact trying.

this is little diagram and config below it

## Last changed: 2024-03-25 14:38:13 GST
version 15.1X49-D50.3;
system {
host-name SepcoDxb;
time-zone Asia/Dubai;
root-authentication {
encrypted-password "$5$4DyJWl39$zR0QXqLhk.Z2GEDydb1d4Sgk4meIp4eLryMqgDDPFlA";
}
name-server {
208.67.222.222;
208.67.220.220;
}
name-resolution {
no-resolve-on-input;
}
services {
ssh;
telnet;
web-management {
http {
interface ge-0/0/1.0;
}
https {
system-generated-certificate;
interface ge-0/0/1.0;
}
session {
idle-timeout 60;
}
}
dhcp {
domain-name ######################;
name-server {
192.168.1.2;
}
router {
192.168.1.1;
}
pool 192.168.0.0/23 {
address-range low 192.168.0.50 high 192.168.1.254;
exclude-address {
192.168.1.2;
192.168.1.3;
192.168.1.4;
192.168.1.5;
192.168.1.6;
192.168.1.7;
192.168.1.8;
192.168.1.9;
192.168.1.10;
192.168.1.11;
192.168.1.12;
192.168.1.13;
192.168.1.14;
192.168.1.15;
192.168.1.16;
192.168.1.17;
192.168.1.18;
}
domain-name ######################;
name-server {
206.67.222.222;
206.67.220.220;
192.168.1.2;
192.168.1.1;
}
router {
192.168.1.1;
}
}
pool 192.168.199.0/24 {
address-range low 192.168.199.2 high 192.168.199.254;
router {
192.168.199.1;
}
}
static-binding 00:10:7f:83:ed:a2 {
fixed-address {
192.168.1.50;
}
router {
192.168.1.1;
}
}
static-binding 00:10:74:c7:85:f6 {
fixed-address {
192.168.1.60;
}
router {
192.168.1.1;
}
}
static-binding 96:9b:f5:5d:ce:2e {
fixed-address {
192.168.1.100;
}
router {
192.168.1.1;
}
}
propagate-ppp-settings pp0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
security {
flow {
tcp-mss {
all-tcp {
mss 1310;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
pool SD-WAN-POOL {
address {
192.168.199.1/32 to 192.168.199.255/32;
}
port {
no-translation;
}
}
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set SDWAN-RULE {
from zone Internal;
to zone sdwan-china;
rule SDWAN-RULE {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
rule internal-sdwan-traffic {
description internal-sdwan-traffic;
match {
source-address 192.168.0.45/32;
destination-address 192.168.199.2/32;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool port-forwarding-pool {
routing-instance {
default;
}
address 192.168.199.2/32;
}
pool translated-pool {
address 192.168.0.45/32;
}
rule-set port-forwarding {
from zone Internet;
rule port-forwarding-rule-1 {
match {
destination-address 192.168.199.2/32;
destination-port {
16999;
}
}
then {
destination-nat {
pool {
port-forwarding-pool;
}
}
}
}
rule port-forwarding-rule-2 {
match {
destination-address 192.168.199.2/32;
destination-port {
17443;
}
}
then {
destination-nat {
pool {
port-forwarding-pool;
}
}
}
}
rule port-forwarding-rule-3 {
match {
destination-address 192.168.199.2/32;
destination-port {
11998;
}
}
then {
destination-nat {
pool {
port-forwarding-pool;
}
}
}
}
}
rule-set dest-nat-rule-set {
from zone Internal;
rule dest-nat-rule {
match {
destination-address 192.168.0.45/32;
}
then {
destination-nat {
pool {
translated-pool;
}
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy AllowAll_Internet_Internal {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone Internal {
policy AllowAll_Internet_Internal {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone Internal {
policy Internal-Access {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone sdwan-china to-zone Internal {
policy All_sdwan-internal {
match {
source-address any;
destination-address any;
application any;
source-identity any;
}
then {
permit;
}
}
}
from-zone Internal to-zone sdwan-china {
policy All-internal-sdwan {
match {
source-address any;
destination-address any;
application any;
source-identity any;
}
then {
permit;
}
}
}
from-zone sdwan-china to-zone Internet {
policy All-sdwan-internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone sdwan-china {
policy all-sdwan-internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone Internal {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
interfaces {
pp0.0;
ge-0/0/0.0;
}
}
security-zone sdwan-china {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust;
}
}
interfaces {
ge-0/0/0 {
unit 0 {
encapsulation ppp-over-ether;
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.8.1/24;
address 192.168.1.1/23;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.199.1/24;
}
}
}
irb {
unit 0 {
family inet {
address 192.168.1.1/23;
}
}
unit 1 {
family inet {
address 192.168.2.1/24;
}
}
unit 2 {
family inet {
address 192.168.199.1/24;
}
}
}
pp0 {
unit 0 {
apply-macro Startup_Connection;
ppp-options {
chap {
default-chap-secret "######################";
local-name ######################;
passive;
}
pap {
local-name 9######################;
local-password "$9$JgGqm369AuO/9Lx7dsY36/9O1evWXNdSybs2gJZtu0Iyl8X7-wYKv";
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/0.0;
}
family inet {
negotiate-address;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop pp0.0 {
metric 1;
}
}
route 10.199.0.0/16 next-hop 192.168.0.45;
route 192.168.11.0/24 next-hop 192.168.0.45;
route 192.168.12.0/24 next-hop 192.168.0.45;
route 172.17.13.0/24 next-hop 192.168.0.45;
route 172.16.14.0/24 next-hop 192.168.0.45;
route 192.168.100.0/22 next-hop 192.168.0.45;
route 172.25.0.0/22 next-hop 192.168.0.45;
route 10.19.0.0/16 next-hop 192.168.0.45;
}
}
protocols {
l2-learning {
global-mode switching;
}
}
vlans {
VLAN199 {
description sepco-sdwan;
vlan-id 199;
l3-interface irb.2;
}
VLAN2 {
description sepco-data;
vlan-id 2;
l3-interface irb.0;
}
VLAN3 {
description sepco-voice;
vlan-id 3;
l3-interface irb.1;
}
}

------------------------------
Ammar Malhotra
------------------------------
2. RE: Juniper SRX 320 - srx now cannot configure proper routes and NAT

0 Recommend
Nikolay Semov
Posted 03-25-2024 14:00
Edited by Nikolay Semov 03-25-2024 14:00

Reply Reply Privately
Ammar,

You have address overlap between interface irb unit 0 and interface ge-0/0/1 unit 0. They both have 192.168.1.1/23. Since none of the ports on the SRX320 are configured as switch ports, you don't need the interface irb and the vlans sections at all.

The main problem I can see is asymmetric routing. Traffic from USER to 10.199.0.7 passes through the SRX but the return traffic would go from the SDWAN directly to USER. You would have to disable further TCP checks in the SRX in order to allow such scenario. This traffic pattern may be a problem for the NAT you're trying to do.

It's probably better to route 10.199.0.7 through 192.168.199.2 instead of through 192.168.0.45.

I think there are further issues with your NAT configuration, but I don't know exactly what you're trying to translate and why, so I can decipher it.

Lastly, your SRX320 is running a fairly old version of JunOS. Reference:
https://support.juniper.net/support/eol/software/junos/

------------------------------
Nikolay Semov
------------------------------

Original Message
3. RE: Juniper SRX 320 - srx now cannot configure proper routes and NAT

0 Recommend
Ammar Malhotra
Posted 03-26-2024 09:01

Reply Reply Privately
Dear,

I have put in route for route 10.199.0.0/16 next-hop 192.168.0.45; what i understand is if i access 10.199.0.7 it will go to 192.168.1.1 then to 192.168.0.45

but it is not doing that

it just do not go forward after 192.168.1.1

i think interface irb unit 0 came after i configured VLANs if i remove vlans from firewall should i configure them on core switch.

------------------------------
Ammar Malhotra
------------------------------

Original Message
4. RE: Juniper SRX 320 - srx now cannot configure proper routes and NAT

0 Recommend
Nikolay Semov
Posted 03-26-2024 09:14

Reply Reply Privately
Have you tried pinging 192.168.0.45 from the SRX? What about 10.199.0.7 from the SRX?

As for VLANs, I can't say in general whether you should or shouldn't configure VLANs because I don't know the needs of your network. My point was that if the SRX is not acting as a switch, then you don't need "irb" or "vlans" sections in the SRX configuration. That's not an opinion as to whether or not you need VLANs in general.

------------------------------
Nikolay Semov
------------------------------

Original Message

SRX

Juniper SRX 320 - srx now cannot configure proper routes and NAT

Ammar Malhotra03-25-2024 08:53

Nikolay Semov03-25-2024 14:00

Ammar Malhotra03-26-2024 09:01

Nikolay Semov03-26-2024 09:14

1. Juniper SRX 320 - srx now cannot configure proper routes and NAT

2. RE: Juniper SRX 320 - srx now cannot configure proper routes and NAT

3. RE: Juniper SRX 320 - srx now cannot configure proper routes and NAT

4. RE: Juniper SRX 320 - srx now cannot configure proper routes and NAT