
Routing and Firewall filter


    Posted 01-28-2021 03:38
    Hi everyone,
    I have just configured an SRX100 and cannot get the routing and the firewall filter to work as intended. Please help; the details are below.
    - I have a local network with multiple VLANs (172.16.0.x, 172.16.1.x, ..., 172.16.240.x); the management VLAN is 172.16.0.x.
    - The SRX100 has fe-0/0/3 = 172.16.0.3 (LAN), fe-0/0/1 = 192.168.99.22 (ISP1) and fe-0/0/7 = 192.168.110.22 (ISP2).
    - I created security zones so that some IPs reach the internet via ISP1 and others via ISP2, but currently all traffic goes out via ISP1 only.

    This is what I configured. Could someone help me fix this?
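    interfaces {
        /* fe-0/0/0 is set up for PPPoE but no pp0 unit or family is shown in
           this paste; nothing in the routing or filter config below uses it. */
        fe-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        /* Uplink to ISP1. The inet.0 default route points at 192.168.99.1,
           which is on this subnet. */
        fe-0/0/1 {
            unit 0 {
                description ISP1;
                family inet {
                    address 192.168.99.22/24;
                }
            }
        }
        /* LAN-facing interface. The input filter 2nd-ISP is what steers
           172.16.6.0/24 into the 2nd-router forwarding instance (ISP2);
           every other source is accepted and looked up in inet.0 (ISP1). */
        fe-0/0/3 {
            unit 0 {
                description LAN;
                family inet {
                    filter {
                        input 2nd-ISP;
                    }
                    address 172.16.0.3/24;
                }
            }
        }
        /* Uplink to ISP2. The 2nd-router instance's default route points at
           192.168.110.1, which is on this subnet. */
        fe-0/0/7 {
            unit 0 {
                description ISP2;
                family inet {
                    address 192.168.110.22/24;
                }
            }
        }
        /* The original paste never closed the interfaces hierarchy, so it
           would not load; the brace below closes it. */
    }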
    firewall {
        family inet {
            /* Filter-based forwarding, applied as an input filter on fe-0/0/3.0.
               term 0 sends packets sourced from 172.16.6.0/24 to the 2nd-router
               forwarding instance (whose default route is ISP2); the
               routing-instance action is terminating and accepts the packet.
               term 1 accepts everything else, which is then looked up in inet.0
               (ISP1). No security enforcement happens in this filter - zone
               policies do that.
               NOTE(review): only 172.16.6.0/24 is steered to ISP2. Hosts in any
               other subnet will always leave via ISP1; if more subnets should
               use ISP2, add them under source-address here. */
            filter 2nd-ISP {
                term 0 {
                    from {
                        source-address {
                            172.16.6.0/24;
                        }
                    }
                    then {
                        routing-instance 2nd-router;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }
    routing-options {
        /* Copy the directly-connected interface routes into both inet.0 and
           2nd-router.inet.0 (via the rib-group below) so the forwarding
           instance can resolve its next-hops (192.168.110.1 and 172.16.0.x).
           Without this the static routes inside 2nd-router would be unusable. */
        interface-routes {
            rib-group inet 2nd-router;
        }
        static {
            /* Main-table default route: ISP1. */
            route 0.0.0.0/0 next-hop 192.168.99.1;
            route 172.18.0.0/16 next-hop 172.16.0.2;
            route 192.168.201.0/24 next-hop 172.16.0.2;
            /* Inter-VLAN traffic is handed back to the core at .254/.253.
               NOTE(review): two next-hops on one static route - confirm whether
               both are meant to carry traffic or the second is only a backup. */
            route 172.16.0.0/16 next-hop [ 172.16.0.254 172.16.0.253 ];
        }
        rib-groups {
            /* inet.0 must be listed first (primary rib); 2nd-router.inet.0
               receives a copy of the imported routes. */
            2nd-router {
                import-rib [ inet.0 2nd-router.inet.0 ];
            }
        }
    }
    
    routing-instances {
        /* Forwarding instance selected by the 2nd-ISP filter. It has its own
           default route via ISP2; the remaining statics are duplicated from
           inet.0 so hosts redirected here can still reach internal
           destinations. The connected routes arrive via the rib-group. */
        2nd-router {
            instance-type forwarding;
            routing-options {
                static {
                    /* Default route for the redirected hosts: ISP2. */
                    route 0.0.0.0/0 next-hop 192.168.110.1;
                    route 172.18.0.0/16 next-hop 172.16.0.2;
                    route 192.168.201.0/24 next-hop 172.16.0.2;
                    route 172.16.0.0/16 next-hop [ 172.16.0.254 172.16.0.253 ];
                }
            }
        }
    }
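     zones {
         security-zone Internal {
             address-book {
                 address 172.16.0.201 172.16.0.201/32;
                 address 172.16.201.0/32 172.16.201.0/32;
                 /* NOTE(review): named Internal_Net but covers only one /24; the
                    LAN described in the post is 172.16.0.0/16 - confirm. */
                 address Internal_Net 172.16.201.0/24;
                 address Active_update 172.16.210.252/32;
                 address Dev_UV_Gia 172.16.4.30/32;
                 address ECUS_SYS_01 172.16.4.72/32;
                 address ECUS_SYS_02 172.16.4.178/32;
             }
             interfaces {
                 fe-0/0/3.0 {
                     host-inbound-traffic {
                         /* Management from the LAN over ssh/https only. telnet
                            and http were removed because they send credentials
                            in clear text; re-add one only if a LAN device
                            really needs it. */
                         system-services {
                             ping;
                             dhcp;
                             https;
                             ssh;
                         }
                     }
                 }
             }
         }
         /* In the original paste fe-0/0/7.0 sat directly under "zones", which
            is not valid - every interface must belong to a security-zone, so
            the config would not commit. It is placed in its own zone so ISP2
            traffic gets its own policies and source NAT. The zone name must
            match whatever the security policies and NAT rules (not shown in
            the post) refer to. */
         security-zone ISP2 {
             interfaces {
                 fe-0/0/7.0 {
                     host-inbound-traffic {
                         /* Internet-facing: only ping is accepted towards the
                            SRX itself. The original allowed ssh, telnet, http,
                            https and dhcp here, which exposes the management
                            plane (two of them in clear text) to the ISP side;
                            the interface has a static address, so dhcp is not
                            needed either. */
                         system-services {
                             ping;
                         }
                     }
                 }
             }
         }
         /* NOTE(review): fe-0/0/1.0 (ISP1) is not assigned to any zone in this
            paste; it must be in a zone too or it will not forward traffic. */
     }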
    
    ​


    ------------------------------
    HONG NGUYEN DINH
    ------------------------------