SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX345 - how do I pass traffic between two interfaces?

    Posted 5 days ago

    First off, let me preface this with an "I'm not a network guy" statement. However, I do have *some* knowledge.

    I've been trying to get my SRX345 to do what I consider a simple thing: send traffic between two interfaces. I know it's a firewall, but I also know it can route traffic. 

    My need is (what I consider) simple: I need it to route two or more IP ranges to each other. The only way I've been successful so far is to make each logical interface I'm using an IPv4 interface, add the IP range I want assigned to it, put it in the pre-configured trust zone and then use NAT to translate the traffic in both directions. Is this the correct way? Isn't there a better way to do it?

    Joe



    ------------------------------
    JOE EZELL
    ------------------------------


  • 2.  RE: SRX345 - how do I pass traffic between two interfaces?

    Posted 5 days ago

    NAT should not be necessary for connections between two subnets on the same SRX.

    The routing element is automatic once you configure the two gateway interfaces of the subnets on the SRX.  Once created, those layer 3 interfaces create the local subnet routes in the table and are reachable from a straight routing perspective.

    If you have no need of a firewall, you can switch the SRX to packet mode and it will behave as a router, and no other configuration would be needed.

    https://supportportal.juniper.net/s/article/SRX-How-to-change-forwarding-mode-for-IPv4-from-flow-based-to-packet-based?language=en_US

    In the standard flow mode with firewall turned on, the two interfaces would need to be added to a zone.  In your case putting both in the default Trust zone means that the existing policy that allows any traffic from Trust to Trust zone to flow should apply and allow the connections between the two subnets.

    Assigning them to different zones would mean creating a zone to zone policy with the necessary parameters of ip addresses and protocols to allow the connection or a similar allow any/any type policy that exists in the Trust zone.

    You can see which security policies and NAT are engaged for traffic using the flow session command, adding source or destination addresses to limit the results returned on the device.

    show security flow session

    https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-flow-session-and-error-handling.html#id-monitoring-security-flow-sessions-overview



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
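The same-zone approach Steve describes, written out as Junos set commands together with the verification steps, as an added example that is not part of Steve's post. The interface names ge-0/0/1 and ge-0/0/2 and the subnets 10.10.10.0/24 and 10.20.20.0/24 are assumptions; the trust zone and its default-permit trust-to-trust policy come from the SRX factory-default configuration.

```junos
# Added example (not from the original post). Interface names and
# subnets are assumed; adjust to the real deployment.

# --- configuration mode ---
# Two layer 3 gateway interfaces. Committing these creates the two
# directly connected routes in inet.0, so no static routes are needed.
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.20.20.1/24

# Place both logical interfaces in the pre-configured trust zone.
# The factory-default policy "default-permit" from-zone trust to-zone trust
# then allows sessions between the two subnets; no NAT rule is involved.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0

# The factory default only source-NATs trust-to-untrust. If a rule was added
# while experimenting with NAT between the two subnets, this is where to
# find and delete it.
show security nat source rule-set

# --- operational mode ---
# 1. Both connected routes are present.
show route 10.10.10.0/24
show route 10.20.20.0/24
# 2. Both interfaces are listed under the trust zone, not Null.
show security zones trust
# 3. Live sessions between the subnets, showing the policy and NAT applied.
show security flow session source-prefix 10.10.10.0/24 destination-prefix 10.20.20.0/24
```

The flow session output names the security policy each session matched, so if a session shows a NAT translation or a policy other than default-permit, the extra configuration that caused it can be removed.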



  • 3.  RE: SRX345 - how do I pass traffic between two interfaces?

    Posted 4 days ago

    Thanks for the reply Steve. I've confirmed NAT isn't necessary. On another SRX345, I was able to configure the interfaces, add them to the Trust zone and data flow worked fine - it just felt like I should be doing something more than just that.

    I would change it to packet mode, but I'm afraid I'm the ONLY one that would know or remember this change and when they wanted to use it as a firewall again, it wouldn't work. 

    In response:

    • "In the standard flow mode with firewall turned on, the two interfaces would need to be added to a zone.  In your case putting both in the default Trust zone means that the existing policy that allows any traffic from Trust to Trust zone to flow should apply and allow the connections between the two subnets.
    • Assigning them to different zones would mean creating a zone to zone policy with the necessary parameters of ip addresses and protocols to allow the connection or a similar allow any/any type policy that exists in the Trust zone."

    I did try this, made a zone and then created rules to allow traffic, but it didn't work. I'll probably stick to the trust zone where I know it works.

    Again, thank you very much for the response.

    Joe



    ------------------------------
    JOE EZELL
    ------------------------------



  • 4.  RE: SRX345 - how do I pass traffic between two interfaces?

    Posted 4 days ago

    Hi,

    If the SRX already has routes for the source and destination (or they are directly connected to the firewall), then you need to add the relevant interfaces to security zones (which might be different zones or the same one) and then permit all (or specific) traffic between these zones with a security policy.

    No need for NAT for that.



    ------------------------------
    FARID AKHUNDOV
    ------------------------------



  • 5.  RE: SRX345 - how do I pass traffic between two interfaces?

    Posted 4 days ago

    Thanks Farid,

    I verified that it was necessary to add the interfaces to the security zone. I appreciate the response!

    Joe



    ------------------------------
    JOE EZELL
    ------------------------------



  • 6.  RE: SRX345 - how do I pass traffic between two interfaces?

    Posted 3 days ago

    You are welcome.

    On the SRX, if an interface is not placed in a user-defined security zone, it is automatically placed into the null zone, where all traffic is dropped.

    Check this document:

    https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-zone-configuration.html



    ------------------------------
    FARID AKHUNDOV
    ------------------------------
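The separate-zones variant that Steve and Farid describe, with the checks for the null-zone behaviour Farid mentions, as an added example that is not part of either post. The zone names lan-a and lan-b, the interface names, the subnets and the address-book names are assumptions.

```junos
# Added example (not from the original posts). Zone names, interface
# names, subnets and address-book entries are assumed.

# --- configuration mode ---
# Each interface gets its own zone. An interface that belongs to no zone
# sits in the Null zone and everything through it is dropped, so zone
# membership is the first thing to verify when a new zone "doesn't work".
set security zones security-zone lan-a interfaces ge-0/0/1.0
set security zones security-zone lan-b interfaces ge-0/0/2.0

# A new zone denies traffic addressed to the SRX itself. Allow ping to the
# gateway IPs so hosts can at least test their default gateway.
set security zones security-zone lan-a host-inbound-traffic system-services ping
set security zones security-zone lan-b host-inbound-traffic system-services ping

# Address-book objects scoped to the two subnets instead of "any".
set security address-book global address lan-a-net 10.10.10.0/24
set security address-book global address lan-b-net 10.20.20.0/24

# A policy is evaluated for the direction in which a session is initiated;
# return traffic of a permitted session is allowed by the session table.
# If hosts on both sides open connections, both directions need a policy.
set security policies from-zone lan-a to-zone lan-b policy a-to-b match source-address lan-a-net
set security policies from-zone lan-a to-zone lan-b policy a-to-b match destination-address lan-b-net
set security policies from-zone lan-a to-zone lan-b policy a-to-b match application any
set security policies from-zone lan-a to-zone lan-b policy a-to-b then permit
set security policies from-zone lan-a to-zone lan-b policy a-to-b then log session-init session-close

set security policies from-zone lan-b to-zone lan-a policy b-to-a match source-address lan-b-net
set security policies from-zone lan-b to-zone lan-a policy b-to-a match destination-address lan-a-net
set security policies from-zone lan-b to-zone lan-a policy b-to-a match application any
set security policies from-zone lan-b to-zone lan-a policy b-to-a then permit
set security policies from-zone lan-b to-zone lan-a policy b-to-a then log session-init session-close

# --- operational mode ---
# Confirm each interface shows up under its intended zone and that the
# Null zone lists none of them.
show security zones
# Ask the SRX which policy a specific flow would match (constructed example:
# SSH from 10.10.10.5 to 10.20.20.5). A result of the default deny policy
# pins the problem on policy or zone membership rather than routing.
show security match-policies from-zone lan-a to-zone lan-b source-ip 10.10.10.5 destination-ip 10.20.20.5 source-port 40000 destination-port 22 protocol tcp
```

Logging session-init and session-close on the permit policies means that a connection attempt that never appears in the security log was dropped before policy lookup (no route, or an interface still in the Null zone), while one that is logged as denied by the default policy points at a missing or misordered rule.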