Thanks for the reply Steve. I've confirmed NAT isn't necessary. On another SRX345, I was able to configure the interfaces, add them to the Trust zone and data flow worked fine - it just felt like I should be doing something more than just that.
I would change it to packet mode, but I'm afraid I'm the ONLY one that would know or remember this change and when they wanted to use it as a firewall again, it wouldn't work.
In response:
- "In the standard flow mode with firewall turned on, the two interfaces would need to be added to a zone. In your case putting both in the default Trust zone means that the existing policy that allows any traffic from Trust to Trust zone to flow should apply and allow the connections between the two subnets.
- Assigning them to different zones would mean creating a zone to zone policy with the necessary parameters of ip addresses and protocols to allow the connection or a similar allow any/any type policy that exists in the Trust zone."
I did try this, made a zone and then created rules to allow traffic but it didn't work. I'll probably stick to the trust zone where I know it works.
Again, thank you very much for the response.
Joe
------------------------------
JOE EZELL
------------------------------
Original Message:
Sent: 09-04-2024 20:05
From: spuluka
Subject: SRX345 - how do I pass traffic between two interfaces?
NAT should not be necessary for connections between two subnets on the same SRX.
The routing element is automatic once you configure the two gateway interfaces of the subnets on the SRX. Once created, those layer 3 interfaces create the local subnet route in the table and are reachable from a straight routing perspective.
If you have no need of firewall, you can switch the SRX to packet mode and it will behave as a router and no other configuration would be needed.
https://supportportal.juniper.net/s/article/SRX-How-to-change-forwarding-mode-for-IPv4-from-flow-based-to-packet-based?language=en_US
In the standard flow mode with firewall turned on, the two interfaces would need to be added to a zone. In your case putting both in the default Trust zone means that the existing policy that allows any traffic from Trust to Trust zone to flow should apply and allow the connections between the two subnets.
Assigning them to different zones would mean creating a zone to zone policy with the necessary parameters of ip addresses and protocols to allow the connection or a similar allow any/any type policy that exists in the Trust zone.
You can see which security policies and NAT are engaged for traffic using the flow sessions command line, adding source or destination addresses to limit returned results on device.
show security flow session
https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-flow-session-and-error-handling.html#id-monitoring-security-flow-sessions-overview
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
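The two options described above (both interfaces in the default Trust zone, or a separate zone with an explicit zone-to-zone policy) written out as Junos set commands, plus the verification commands, as an added example that is not part of either post. The interface names, addresses and zone name "lab" are constructed for illustration, not taken from the thread; lines beginning with # are annotations, not commands.

```junos
# --- Option 1: both subnets in the default trust zone ---
# Layer 3 addresses create the directly connected routes; no static route or NAT needed.
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.1/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
# Optional: let hosts ping the SRX's own interface addresses (transit traffic does not need this).
set security zones security-zone trust host-inbound-traffic system-services ping

# The factory default already carries an intra-zone permit; shown here so it is visible.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

# --- Option 2: second subnet in its own zone with a scoped inter-zone policy ---
# An interface can belong to exactly one zone, so remove it from trust first or the commit fails.
delete security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone lab interfaces ge-0/0/2.0

# Name the subnets so the policy does not have to be any/any.
set security address-book global address net-trust 192.0.2.0/24
set security address-book global address net-lab 198.51.100.0/24

# Policies are unidirectional per initiating side: one for each direction a session may start.
set security policies from-zone trust to-zone lab policy trust-to-lab match source-address net-trust
set security policies from-zone trust to-zone lab policy trust-to-lab match destination-address net-lab
set security policies from-zone trust to-zone lab policy trust-to-lab match application any
set security policies from-zone trust to-zone lab policy trust-to-lab then permit
set security policies from-zone trust to-zone lab policy trust-to-lab then log session-close

set security policies from-zone lab to-zone trust policy lab-to-trust match source-address net-lab
set security policies from-zone lab to-zone trust policy lab-to-trust match destination-address net-trust
set security policies from-zone lab to-zone trust policy lab-to-trust match application any
set security policies from-zone lab to-zone trust policy lab-to-trust then permit
set security policies from-zone lab to-zone trust policy lab-to-trust then log session-close

commit check
commit

# --- Verification (operational mode) ---
# Confirm the connected routes exist and which zone each interface landed in.
show route 198.51.100.0/24
show security zones
# Ask the policy engine which rule a given flow would hit before sending any traffic.
show security match-policies from-zone trust to-zone lab source-ip 192.0.2.10 destination-ip 198.51.100.10 source-port 1024 destination-port 22 protocol tcp
# Live sessions, narrowed to one subnet, showing the policy and any NAT applied.
show security flow session source-prefix 192.0.2.0/24
```

When the separate-zone variant "doesn't work", the usual culprits are visible in those checks: the interface still listed under trust, a policy defined for only one direction, or the reply zone pair missing, which `show security match-policies` reports before a single packet is sent.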
Original Message:
Sent: 09-04-2024 13:56
From: JOE EZELL
Subject: SRX345 - how do I pass traffic between two interfaces?
First off let me preface this with a "I'm not a network guy" statement. However, I do have *some* knowledge.
I've been trying to get my SRX345 to do what I consider a simple thing: send traffic between two interfaces. I know it's a firewall, but I also know it can route traffic.
My need is (what I consider) simple: I need it to route two or more IP ranges to each other. The only way I've been successful so far is to make each logical interface I'm using an IPv4, add the IP range I want assigned to it and put it in the pre-configured trust zone and then use NAT to translate the traffic in both directions. Is this the correct way? Isn't there a better way to do it?
Joe
------------------------------
JOE EZELL
------------------------------