Routing



source based routing (without firewall filter)?


    Posted 03-17-2023 13:42

    Hi,

    After migrating from an old Juniper SSG (ScreenOS) to a new SRX (Junos), I faced some issues with network traffic. I hope someone can give me useful info. I'll upload the network schema that I am working on in my lab, in order to get what I need. Here are some details:

    There is a CORE firewall system, which establishes IPSec VPN (route-based) to remote offices.

    There is another, WAN firewall system, that is used to route all traffic to the public Internet.

    Remote offices establish IPSec VPN to the CORE firewall over the Internet, and they are located behind xDSL devices that provide dynamic IP addresses. Therefore, aggressive mode VPN is used.

    On the CORE firewall system, there is also a DMZ zone.

    The critical requirement is: all production traffic from remote offices and DMZ zone servers that targets the public Internet must go over the WAN firewall, that is, it should be routed through the CORE firewall trust interface to the main L3 router, then over the WAN firewall right to the Internet.

    On the old Juniper SSG (ScreenOS), everything was so easy. There were untrust-vr and trust-vr, and traffic was routed from one to the other and vice versa. As remote offices that establish IPSec VPN over the Internet come in over the untrust interface, source-based routing was used on the Juniper SSG, and all traffic was then routed to trust-vr, and furthermore to the WAN firewall system.

    But on the new Juniper SRX, it seems to be more complicated. There are some ways to establish something that looks like source-based routing (using Junos firewall filters), but this method has some disadvantages. Therefore, I tried to create two virtual routers on the SRX, i.e. two routing instances, and then import routes from one into the other. As only static routing is used in this environment (simple as that), I found that the same can be done with one routing instance. Therefore, I created the following:

    # interfaces
    set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.51/27
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.15/24
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.73.15/24
    set interfaces fxp0 unit 0 family inet address 192.168.51.50/24
    set interfaces lo0 unit 0 family inet
    set interfaces st0 unit 0 family inet
    set interfaces st0 unit 1 family inet
    set interfaces st0 unit 2 family inet

    # zones
    set security zones security-zone trust host-inbound-traffic system-services ssh
    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/1.0
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone untrust interfaces st0.2
    set security zones security-zone dmz host-inbound-traffic system-services ping
    set security zones security-zone dmz interfaces ge-0/0/2.0

    # routing options
    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.33
    set routing-options interface-routes rib-group inet InetToTrustVr
    set routing-options rib-groups To-Instance-Inet import-rib inet.0
    set routing-options rib-groups To-Instance-Inet import-rib trust-vr.inet.0
    set routing-options rib-groups InetToTrustVr import-rib trust-vr.inet.0
    set routing-options rib-groups InetToTrustVr import-rib inet.0

    # routing instances
    set routing-instances trust-vr routing-options static route 0.0.0.0/0 next-hop 192.168.50.21
    set routing-instances trust-vr routing-options static route 172.21.15.101/32 next-hop st0.1
    set routing-instances trust-vr routing-options static route 10.10.185.0/24 next-hop st0.2
    set routing-instances trust-vr routing-options interface-routes rib-group inet To-Instance-Inet
    set routing-instances trust-vr interface ge-0/0/1.0
    set routing-instances trust-vr interface ge-0/0/2.0
    set routing-instances trust-vr instance-type virtual-router

    With this configuration (appropriate policies are not documented here), the remote office (that comes in over the untrust interface) can connect to everything in the corporate internal network, and vice versa. What it cannot access is any public IP address (as it establishes the IPSec VPN over the Internet, the default route turns any traffic destined to a public IP back over the CORE firewall untrust interface).

    Is there any way (not using a firewall filter) to forward traffic from the untrust remote office over the CORE firewall trust interface?



    ------------------------------
    MILAN MARKOVIC
    ------------------------------
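To see why the remote office in the post above reaches the internal network but not public addresses, here is an added Python model (not from the post, and not Junos code) of longest-prefix lookup over the two tables that configuration creates; the rib-group import is simplified to copying interface routes into both tables, which is what the two rib-groups do for interface-routes.

```python
import ipaddress

# Constructed model of the two routing tables in the post's configuration.
# Added illustration only: rib-group import is simplified to "interface
# routes appear in both tables", which is the effect of InetToTrustVr and
# To-Instance-Inet being applied to interface-routes in each instance.
INTERFACE_ADDRS = [            # (address, logical interface) from the post
    ("1.1.1.51/27", "ge-0/0/0.0"),       # untrust, master instance
    ("192.168.50.15/24", "ge-0/0/1.0"),  # trust, trust-vr
    ("192.168.73.15/24", "ge-0/0/2.0"),  # dmz, trust-vr
]
STATIC_ROUTES = {              # (prefix, next-hop, egress interface)
    "inet.0": [("0.0.0.0/0", "1.1.1.33", "ge-0/0/0.0")],
    "trust-vr.inet.0": [
        ("0.0.0.0/0", "192.168.50.21", "ge-0/0/1.0"),
        ("172.21.15.101/32", None, "st0.1"),
        ("10.10.185.0/24", None, "st0.2"),
    ],
}


def build_ribs():
    """Return {table: [(network, next_hop, ifl), ...]} after rib-group import."""
    ribs = {}
    for table, routes in STATIC_ROUTES.items():
        entries = [(ipaddress.ip_network(p), nh, ifl) for p, nh, ifl in routes]
        # interface routes are leaked into both tables by the two rib-groups;
        # static routes are not, because the rib-groups only cover interface-routes
        for addr, ifl in INTERFACE_ADDRS:
            entries.append((ipaddress.ip_interface(addr).network, "direct", ifl))
        ribs[table] = entries
    return ribs


def lookup(table, dst, ribs=None):
    """Longest-prefix match of dst in the given table; None if no route."""
    ribs = ribs or build_ribs()
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ribs[table] if addr in r[0]]
    if not matches:
        return None
    net, nh, ifl = max(matches, key=lambda r: r[0].prefixlen)
    return (str(net), nh, ifl)


def remote_office_path(dst):
    """st0.2 is in the untrust zone and not a member of trust-vr, so its packets
    are forwarded with inet.0, whose only default route points back to 1.1.1.33."""
    return lookup("inet.0", dst)
```

Running `remote_office_path` for an internal and a public destination reproduces the post's observation: the internal prefix resolves via the leaked trust interface route, while anything else hits the master instance's default toward the untrust next-hop.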