Routing

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

Problem setting up 2 private networks on SRX240.

  • 1.  Problem setting up 2 private networks on SRX240.

    Posted 01-03-2013 03:08

    Hi everybody!

     

    I'm sorry if this post is in the wrong topic or has been discussed before (I couldn't find it). My problem is as follows:

    I'm trying to configure multiple private networks on my SRX240 router. I have successfully configured one interface with public IPs, but I am struggling to configure another interface with private IPs (192.168.60.0).

    My current configuration is as follows:

    ISP GW: X.X.X.1

    ISP IP: X.X.X.2

    private public GW: Y.Y.Y.1

    private public IP: assigned via Juniper configured DHCP

    private GW: 192.168.60.1

    private IP: 192.168.60.2 (assigned to my test PC)

     

    ## Last changed: 2013-01-02 16:12:45 EET
    version 12.1R2.9;
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address Y.Y.Y.1/24;
                }
            }
        }
        ge-0/0/6 {
            description teavitus;
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description private;
                family inet {
                    address 192.168.60.1/24;
                }
            }
        }
        ge-1/0/0 {
            description ISP;
            speed 1g;
            gigether-options {
                no-auto-negotiation;
            }
            unit 0 {
                description ISP;
                family inet {
                    address X.X.X.2/28;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address Y.Y.Y.1/24;
                    address 192.168.60.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop X.X.X.1;
        }
    }
    protocols {
        stp;
    }
    security {
        alg {
            sip disable;
            ike-esp-nat {
                enable;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            destination {
                rule-set VNC {
                    from zone untrust;
                    rule VNC {
                        match {
                            destination-address Y.Y.Y.100/32;
                            destination-port 5900;
                        }
                        then {
                            destination-nat off;
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy utrust-to-trust-cifs {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-cifs;
                    }
                    then {
                        deny;
                    }
                }
                policy VNC {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-vnc;
                    }
                    then {
                        permit;
                    }
                }
                policy untrust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/6.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                    ge-0/0/7.0;
                    ge-0/0/8.0;
                    ge-0/0/9.0;
                    ge-0/0/10.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     When I verify with "show route terse" from the CLI, I get the following:

     

    user@juniper# run show route terse
    
    inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    A Destination        P Prf   Metric 1   Metric 2  Next hop         AS path
    * 0.0.0.0/0          S   5                       >X.X.X.1
    ...
    * 192.168.60.0/24    D   0                       >ge-0/0/6.0
    * 192.168.60.1/32    L   0                        Local
    ...
    * Y.Y.Y.0/24      D   0                       >ge-0/0/0.0
    * Y.Y.Y.1/32      L   0                        Local
    * X.X.X.0/28     D   0                       >ge-1/0/0.0
    * X.X.X.2/32     L   0                        Local

     The private network with public IPs works perfectly, but the private network on interface ge-0/0/6 with private IPs doesn't: from my computer (connected to ge-0/0/6) I can ping all the trust zone devices, but cannot ping the untrust zone. It also pings the ISP IP, but not the GW. I tried setting up a routing next-hop from 192.168.60.1 to X.X.X.1, but it didn't help.

    Can you help me or point me in the right direction?

     

    Thank you in advance!



  • 2.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-03-2013 08:53

    Are you trying to set up multiple hosts on your SRX, i.e. connect multiple wired devices? If so, you do not IP the physical interface and the vlan, just the vlan. You should call the vlan interface vlan.3 for simplicity's sake; you would assign individual physical interfaces to this vlan.

     

    Also why do you have multiple IP addresses on the vlan interface? Your ISP address should only be configured on your external interface.



  • 3.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-03-2013 14:01

    I don't see a source NAT. Normally you would like a source NAT from private to public networks.



  • 4.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-04-2013 02:55

    Correct me if I'm wrong, but I don't think the SRX has a ge-1/0/0 interface.



  • 5.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-04-2013 05:57

    It would if they installed a card into slot 1.



  • 6.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-11-2013 07:38

    Hi! Sorry for the late reply; a lot of other stuff needed attention. I tried source NAT, so that the trust zone interface would go out through ge-1/0/0 (we have installed an additional GBIC for that), and now I can ping the untrust zone gateway as well, but I still cannot get any internet connection from that trust zone interface :( Even when I add some untrust zone IP address to that source NAT, I can ping that IP, but the page still won't open up, even by IP address. Firewall rules are set so that they cover the trust and untrust zones.



  • 7.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-18-2013 02:14

    Still struggling with it.

     

    I tried also to change routing from:

     

    routing-options {
        static {
            route 0.0.0.0/0 next-hop X.X.X.1;
        }
    }

     To this:

     

    routing-options {
        static {
            route Y.Y.Y.0/24 {
                next-hop X.X.X.1;
            }
            route 192.168.60.0/24 {
                next-hop X.X.X.1;
            }
            inactive: route 0.0.0.0/0 {
                next-hop X.X.X.1;
            }
        }
    }

     And also without a default route at all, but all I could manage to do was lose the connection from ge-0/0/0 as well; ge-0/0/6 can still ping all of the trust zone, but not the untrust zone interface GW or the untrust zone.

     

    The router log (when I tried packet capturing) showed me this: Reverse lookup for 192.168.60.1 failed (check DNS reachability).

     

    Since ge-0/0/0 uses DHCP, I also set up a DHCP server on the Juniper for ge-0/0/6 with addresses in the range 192.168.60.2-192.168.60.254. The results are the same: everything in the trust zone pings, but the untrust zone is still unreachable.

    One weird thing also: when I assigned ge-0/0/6 to a VLAN, I could still ping all of the trust zone.

    Can anyone please help me get internet to the ge-0/0/6 interface?



  • 8.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-18-2013 06:03

    Hey,

     

    In order to have two private networks working to the internet over your untrust interface, you will need all of the following.

     

    You will need DHCP handing out IPs to both of your networks, or all machines statically assigned. The machines on each network will need to receive a default gateway of their respective interface on the SRX, and they will need a DNS server.

    Assuming we're good up until this point and you've verified DHCP is working:

     

    You next will need a security policy between the private zones and the internet. Note that if you are using a VLAN to connect multiple hosts, the VLAN interface will need to be placed into the security zones you're using. Both networks can use the same zone. You use the VLAN interface and NOT the physical interface in this case. Only family "inet" interfaces should be placed into zones. You will need to allow any source to any destination, application any, from Internal Zone A to Untrust and from Internal Zone B to Untrust.

    If this all sounds configured correctly to you, you will need a NAT from each internal zone to your Untrust zone to NAT behind the egress or untrust interface ("source-nat interface").

     

    You will need a default route on your SRX pointing to your ISP.

     

    One or more of the above is not configured correctly.

     

    On a machine that is not working, you can run "ping 4.2.2.2 -t" for a continuous ping, and run ">show security flow session destination-prefix 4.2.2.2"; if you see nothing, you may be dropping the traffic. Otherwise please paste the output.

    If you still need assistance, please supply the following:

    >show | display set

    >show interfaces terse

    >show route



  • 9.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-21-2013 03:27

    Show route terse gives me:

     

    user@juniper# run show route terse

    inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    A Destination        P Prf   Metric 1   Metric 2  Next hop         AS path
    * 0.0.0.0/0          S   5                       >X.X.X.1
    ...
    * 192.168.60.0/24    D   0                       >ge-0/0/6.0
    * 192.168.60.1/32    L   0                        Local
    ...
    * Y.Y.Y.0/24      D   0                       >ge-0/0/0.0
    * Y.Y.Y.1/32      L   0                        Local
    * X.X.X.0/28     D   0                       >ge-1/0/0.0
    * X.X.X.2/32     L   0                        Local

     flow session destination-prefix results:

     

    user@juniper> show security flow session destination-prefix 4.2.2.2
    Session ID: 2583, Policy name: trust-to-untrust/4, Timeout: 60, Valid
      In: 192.168.60.101/43274 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43274;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 9777, Policy name: trust-to-untrust/4, Timeout: 34, Valid
      In: 192.168.60.101/43269 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43269;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 21674, Policy name: trust-to-untrust/4, Timeout: 40, Valid
      In: 192.168.60.101/43270 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43270;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 25304, Policy name: trust-to-untrust/4, Timeout: 10, Valid
      In: 192.168.60.101/43264 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43264;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 37075, Policy name: trust-to-untrust/4, Timeout: 54, Valid
      In: 192.168.60.101/43273 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43273;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 37305, Policy name: trust-to-untrust/4, Timeout: 30, Valid
      In: 192.168.60.101/43268 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43268;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 38082, Policy name: trust-to-untrust/4, Timeout: 50, Valid
      In: 192.168.60.101/43272 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43272;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 39315, Policy name: trust-to-untrust/4, Timeout: 20, Valid
      In: 192.168.60.101/43266 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43266;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 40275, Policy name: trust-to-untrust/4, Timeout: 24, Valid
      In: 192.168.60.101/43267 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43267;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 44628, Policy name: trust-to-untrust/4, Timeout: 14, Valid
      In: 192.168.60.101/43265 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43265;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    
    Session ID: 47940, Policy name: trust-to-untrust/4, Timeout: 44, Valid
      In: 192.168.60.101/43271 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43271;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    Total sessions: 11

     

    At the moment it's no problem if the working interface and the interface I am trying to configure run on the same VLAN, but thanks for the tip about configuring VLANs on the firewall.



  • 10.  RE: Problem setting up 2 private networks on SRX240.
    Best Answer

    Posted 01-21-2013 12:26

    Session ID: 47940, Policy name: trust-to-untrust/4, Timeout: 44, Valid
      In: 192.168.60.101/43271 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
      Out: 4.2.2.2/4 --> 192.168.60.101/43271;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0
    Total sessions: 11

    If you look at your "Out:" flow you'll see the original source repeated, "192.168.60.101", meaning it's not being NATed, which is your problem.

    Check your source NAT rule set and make sure it's applied to the zone for this network, or create a 2nd rule set that matches this zone. Also make sure the rule to NAT behind the source interface matches this network.

     

    etc.
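    As an added example (not from the thread), here is a Python check that applies the diagnosis above to pasted "show security flow session" output: a session whose "Out:" wing is addressed back to the private "In:" source was never source-NATed, and zero "Out:" packets means no reply ever came back. The sample output is constructed; 203.0.113.2 stands in for the untrust interface address X.X.X.2.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the format of Junos `show security flow session`.
# Session 47940 mirrors the thread (reverse wing still targets the private
# source: no source NAT applied, no reply packets). Session 47941 is what a
# correctly NATed session looks like; 203.0.113.2 is a placeholder for X.X.X.2.
SAMPLE = """\
Session ID: 47940, Policy name: trust-to-untrust/4, Timeout: 44, Valid
  In: 192.168.60.101/43271 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
  Out: 4.2.2.2/4 --> 192.168.60.101/43271;icmp, If: ge-1/0/0.0, Pkts: 0, Bytes: 0

Session ID: 47941, Policy name: trust-to-untrust/4, Timeout: 58, Valid
  In: 192.168.60.101/43272 --> 4.2.2.2/4;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 60
  Out: 4.2.2.2/4 --> 203.0.113.2/23456;icmp, If: ge-1/0/0.0, Pkts: 1, Bytes: 60
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Session:
    sid: int
    policy: str
    in_src: str    # client address as seen on the ingress wing
    in_dst: str
    out_src: str
    out_dst: str   # where the reply is sent; after source NAT this is the NAT address
    out_pkts: int


def parse_sessions(text):
    """Parse session header + In/Out wings into Session records."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"sid": int(m.group(1)), "policy": m.group(2)}
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = (m.group(2), m.group(4), int(m.group(8)))
            if m.group(1) == "Out":
                sessions.append(Session(cur["sid"], cur["policy"], cur["In"][0], cur["In"][1],
                                        cur["Out"][0], cur["Out"][1], cur["Out"][2]))
                cur = None
    return sessions


def diagnose(text):
    """Map session id -> list of findings; an empty list means the session looks healthy."""
    report = {}
    for s in parse_sessions(text):
        findings = []
        # Reply wing addressed to the private source itself: no source NAT was applied.
        if s.out_dst == s.in_src and ipaddress.ip_address(s.in_src).is_private:
            findings.append("not source-NATed")
        if s.out_pkts == 0:
            findings.append("no reply packets")
        report[s.sid] = findings
    return report
```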



  • 11.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-21-2013 23:07

    Many, many thanks, friend! I kept constantly messing up the source NAT rule, but now I have it working.

    Source NAT that works:

     

    nat {
        source {
            pool private1 {
                address {
                    Y.Y.Y.165/32;
                }
            }
            rule-set private2 {
                from interface ge-0/0/6.0;
                to zone untrust;
                rule private1 {
                    match {
                        source-address 192.168.60.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                private1;
                            }
                        }
                    }
                }
            }
        }
    }

     



  • 12.  RE: Problem setting up 2 private networks on SRX240.

    Posted 01-22-2013 04:30

    Excellent 🙂

     

    Yeah, don't worry about security so much with your HideNAT rule; I tend to keep them wide open and say

    From zone trust, to zone untrust

    source 0.0.0.0/0

    then source nat interface

     

    etc.

     

    GL 🙂