Routing

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  device Routing over IPSec VPN

    Posted 04-22-2016 11:02

    I know how to do this, but it's lost in the cobwebs...

    I just finished setting up a new SRX220 to replace an old ASA.  It's connecting over a VPN tunnel to another ASA at our headquarters.  I got all the routing working for client machines, but I'm trying to set up proxy DNS.

    The problem is, the SRX can't reach the DNS server in our headquarters.  The routes are there, and clients can get there.  So, I did a little investigating, and the SRX can get to the network, it's just not sourcing correctly:

    root> ping 172.27.1.30
    PING 172.27.1.30 (172.27.1.30): 56 data bytes
    ^C
    --- 172.27.1.30 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss
    
    root> ping 172.27.1.30 source 172.27.2.1
    PING 172.27.1.30 (172.27.1.30): 56 data bytes
    64 bytes from 172.27.1.30: icmp_seq=0 ttl=127 time=18.985 ms
    64 bytes from 172.27.1.30: icmp_seq=1 ttl=127 time=37.656 ms
    64 bytes from 172.27.1.30: icmp_seq=2 ttl=127 time=21.798 ms
    64 bytes from 172.27.1.30: icmp_seq=3 ttl=127 time=18.964 ms
    64 bytes from 172.27.1.30: icmp_seq=4 ttl=127 time=25.797 ms
    ^C
    --- 172.27.1.30 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 18.964/24.640/37.656/6.972 ms
    
    root> 

    How do I tell the SRX to source packets to that destination from the appropriate address/interface?  I can't remember, and I can't get my search terms right to find it...



  • 2.  RE: device Routing over IPSec VPN

    Posted 04-22-2016 11:04
    root> show configuration security policies 
    from-zone trust to-zone untrust {
        inactive: policy vpn_Tacoma_Seattle {
            match {
                source-address Tacoma;
                destination-address Seattle;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn Seattle-Tacoma_P2P_Tunnel;
                    }
                }
            }
        }
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone p2p_VPNs {
        policy Seattle_VPN_out {
            match {
                source-address Tacoma;
                destination-address Seattle;
                application any;
            }
            then {
                permit;
            }                               
        }
    }
    from-zone p2p_VPNs to-zone trust {
        policy Seattle_VPN_in {
            match {
                source-address Seattle;
                destination-address Tacoma;
                application any;
            }
            then {
                permit;
            }
        }
    }
    
    
    
    
    root> show configuration security ipsec  
    proposal Seattle-asa-ipsec {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    policy Seattle-asa-phase2 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals Seattle-asa-ipsec;
    }
    vpn Seattle-Tacoma_P2P_Tunnel {
        bind-interface st0.0;
        ike {
            gateway Seattle;
            inactive: proxy-identity {
                local 172.27.2.0/24;
                remote 172.27.1.0/24;
                service any;
            }
            ipsec-policy Seattle-asa-phase2;
        }
        traffic-selector TS_1 {
            local-ip 172.27.2.0/24;
            remote-ip 172.27.1.0/24;
        }
        traffic-selector TS_2 {
            local-ip 172.27.20.0/24;
            remote-ip 172.27.1.0/24;
        }
        traffic-selector TS_3 {
            local-ip 172.27.2.0/24;
            remote-ip 192.168.27.0/24;
        }
        traffic-selector TS_4 {
            local-ip 172.27.20.0/24;
            remote-ip 192.168.27.0/24;
        }
        traffic-selector TS_5 {
            local-ip 172.27.2.0/24;
            remote-ip 10.27.1.0/24;
        }
        traffic-selector TS_6 {
            local-ip 172.27.20.0/24;
            remote-ip 10.27.1.0/24;
        }
        establish-tunnels immediately;
    }


  • 3.  RE: device Routing over IPSec VPN

    Posted 04-23-2016 05:13

    I can't find the documentation right now, but my recollection is that by default self traffic sources from the lowest IP address configured on the device.

    If you configure a loopback address and then use this setting, the loopback will be the source for all self traffic.

    system {
        default-address-selection;
    }



  • 4.  RE: device Routing over IPSec VPN

    Posted 04-23-2016 18:43

    Source NAT?



  • 5.  RE: device Routing over IPSec VPN

    Posted 04-24-2016 04:55

    I can't find documentation to verify it, but my recollection from when I've tried in the past is that you can't hit a source NAT rule with self traffic.



  • 6.  RE: device Routing over IPSec VPN

    Posted 04-24-2016 09:48

    OK, I see. So exactly what address is needed as the source address? Where does he want the source address to come from? Where is the address configured on the SRX that he wants to use as the source?

    He could use "preferred" or "primary"?

    https://www.juniper.net/documentation/en_US/junos13.3/topics/usage-guidelines/interfaces-configuring-default-primary-and-preferred-addresses-and-interfaces.html



  • 7.  RE: device Routing over IPSec VPN

    Posted 04-25-2016 09:06
    [edit]
    root# set interfaces vlan.10 family inet primary    
    
    [edit]
    root# 
    
    [edit]
    root# commit check 
    configuration check succeeds
    
    [edit]
    root# commit confirmed 5    
    commit confirmed will be automatically rolled back in 5 minutes unless confirmed
    commit complete
    
    # commit confirmed will be rolled back in 5 minutes
    [edit]
    root# run ping 172.27.1.30 
    PING 172.27.1.30 (172.27.1.30): 56 data bytes
    ^C
    --- 172.27.1.30 ping statistics ---
    8 packets transmitted, 0 packets received, 100% packet loss
    
    # commit confirmed will be rolled back in 4 minutes
    [edit]
    root# run ping 172.27.1.30 source 172.27.2.1 
    PING 172.27.1.30 (172.27.1.30): 56 data bytes
    64 bytes from 172.27.1.30: icmp_seq=0 ttl=127 time=34.788 ms
    64 bytes from 172.27.1.30: icmp_seq=1 ttl=127 time=19.373 ms
    ^C
    --- 172.27.1.30 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 19.373/27.081/34.788/7.707 ms
    
    # commit confirmed will be rolled back in 4 minutes
    [edit]
    root# rollback 1 
    load complete
    
    # commit confirmed will be rolled back in 4 minutes
    [edit]
    root# commit 
    commit complete
    
    [edit]
    root# show interfaces vlan 
    unit 10 {
        family inet {
            address 172.27.2.1/24;
        }
    }
    unit 100 {
        family inet {
            address 172.27.20.1/24;
        }
    }
    
    [edit]
    root# 
    

    no dice... did I get that set up correctly?



  • 8.  RE: device Routing over IPSec VPN

    Posted 04-25-2016 11:14

    I did confirm that's what's going on though:

    root# run show interfaces          
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 134, SNMP ifIndex: 508
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None,
      MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
      Auto-negotiation: Enabled, Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 0c:86:10:e3:d0:d8, Hardware address: 0c:86:10:e3:d0:d8
      Last flapped   : 2016-04-20 23:39:13 PDT (4d 11:21 ago)
      Input rate     : 32272 bps (10 pps)
      Output rate    : 11720 bps (9 pps)
      Active alarms  : None
      Active defects : None
      Interface transmit statistics: Disabled
    
      Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 510) 
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Input packets : 30996391 
        Output packets: 25942102
        Security: Zone: untrust
        Allowed host-inbound traffic : dns dhcp tftp ike ping ssh
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re, Is-Primary
          Addresses, Flags: Is-Default Is-Preferred Is-Primary
            Destination: ***redacted***
    ...
    <snip>
    ...
    
    Physical interface: vlan, Enabled, Physical link is Up
      Interface index: 133, SNMP ifIndex: 506
      Type: VLAN, Link-level type: VLAN, MTU: 1518, Speed: 10000mbps
      Device flags   : Present Running
      Link type      : Full-Duplex
      CoS queues     : 8 supported, 8 maximum usable queues
      Current address: 0c:86:10:e3:d0:e0, Hardware address: 0c:86:10:e3:d0:e0
      Last flapped   : 2016-04-20 23:39:05 PDT (4d 11:21 ago)
      Input rate     : 2272 bps (3 pps)
      Output rate    : 8264 bps (3 pps)
    
      Logical interface vlan.10 (Index 69) (SNMP ifIndex 533) 
        Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.10 ]  Encapsulation: ENET2
        Bandwidth: 0
        Input packets : 25448770 
        Output packets: 30667261
        Security: Zone: trust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip
        router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
        reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text
        xnm-ssl lsping ntp sip r2cp
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Primary Is-Preferred Is-Primary
            Destination: 172.27.2/24, Local: 172.27.2.1, Broadcast: 172.27.2.255
    
      Logical interface vlan.100 (Index 70) (SNMP ifIndex 534) 
        Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.100 ]  Encapsulation: ENET2
        Bandwidth: 0
        Input packets : 308186 
        Output packets: 267584
        Security: Zone: trust
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip
        router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping
        reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text
        xnm-ssl lsping ntp sip r2cp
        Protocol inet, MTU: 1500
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 172.27.20/24, Local: 172.27.20.1, Broadcast: 172.27.20.255
    
    
    
    


  • 9.  RE: device Routing over IPSec VPN

    Posted 04-25-2016 11:59

    set interfaces vlan unit 10 family inet address 172.27.2.1/24 primary



  • 10.  RE: device Routing over IPSec VPN
    Best Answer

    Posted 04-25-2016 12:07

    I had to keep 172.27.2.1 on the vlan interface; it's the gateway for the network.

    I found a solution along those lines though: I set up an unnumbered-address statement to reference the VLAN IP, and it seems to work just fine.

    I now have proxy DNS working and can move on to RADIUS authentication.

    Thank you all for your help.

    lo0 {
        unit 0 {
            family inet {
                unnumbered-address vlan.10;
            }
        }
    }
    
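Added example, written for this page and not taken from any of the posters: the two ways this thread arrives at for controlling the source address of traffic the SRX itself originates (reply 3's `default-address-selection` with a real loopback address, and reply 10's unnumbered lo0), side by side with the check that tells you whether the chosen address is actually carried by the tunnel. Both variants turn on the same point: a packet the Routing Engine sends toward 172.27.1.30 is routed into st0.0 and only gets a security association if its source falls inside the `local-ip` of one of the traffic selectors on Seattle-Tacoma_P2P_Tunnel; otherwise there is nothing to encrypt it with and it is dropped, which is the 100% loss in the first post. The `ping ... source 172.27.2.1` that already worked proves TS_1 and the ASA side are fine, so the only question is which address the SRX picks on its own. All names and prefixes are the thread's own except the loopback address 172.27.254.1/32 and the selector name TS_lo0 in variant A, which are assumptions for illustration.

```junos
# Variant A: give lo0 its own address and make it the default source
# for locally generated packets. 172.27.254.1 (assumed address) lies
# outside every existing local-ip, so it needs a new selector here AND
# a matching entry in the ASA's crypto ACL, which is exactly the change
# reply 12 wanted to avoid on the unstable ASA.
system {
    default-address-selection;
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 172.27.254.1/32;
            }
        }
    }
}
security {
    ipsec {
        vpn Seattle-Tacoma_P2P_Tunnel {
            traffic-selector TS_lo0 {
                local-ip 172.27.254.1/32;
                remote-ip 172.27.1.0/24;
            }
        }
    }
}

# Variant B (the accepted answer): lo0 borrows vlan.10's address.
# 172.27.2.1 is already inside TS_1's local-ip 172.27.2.0/24, so the
# selectors on the SRX and the crypto ACL on the ASA stay untouched.
interfaces {
    lo0 {
        unit 0 {
            family inet {
                unnumbered-address vlan.10;
            }
        }
    }
}

# Checks from operational mode after either variant (commit with
# 'commit confirmed' as reply 7 did, since a wrong source address
# can also take down the path you are managing the box over):
#  1. the ping with NO explicit source now succeeds
#  2. the selector covering that source is listed as an active SA
#  3. the session egresses st0.0, not the untrust interface
root> ping 172.27.1.30 rapid count 5
root> show security ipsec security-associations
root> show security flow session destination-prefix 172.27.1.30
```

Whichever variant is used, the address the device sources from is now a fixed, known value, which is also what you want for the proxy DNS and RADIUS traffic that follows: the headquarters-side DNS and RADIUS servers and their ACLs will see one predictable client address instead of whatever the egress interface happened to hold. Separately from the sourcing problem, the phase 2 proposal in reply 2 (3des-cbc, hmac-sha1-96, PFS group2) is an ASA-era lowest common denominator; once the far-end ASA is replaced, raise it to AES-GCM and a DH group of 14 or higher on both sides, since nothing in the sourcing fix depends on it.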


  • 11.  RE: device Routing over IPSec VPN

    Posted 04-25-2016 12:14

    Great! I was about to suggest that, but I have never used it and was kind of unsure if it could be used in that situation. Thanks for the update. I can keep this information for future use case. Go ahead and mark your answer as the solution and close out this item as resolved.



  • 12.  RE: device Routing over IPSec VPN

    Posted 04-25-2016 13:10

    I've never used an unnumbered loopback either.  Normally I would just assign a loopback interface IP and call it good, but I'd have to add it to the ASA on the other end.  I don't want to touch that thing, it's unstable and we're replacing it soon.

    Thanks again for your help.