r7p (Visitor)
Posts: 1
Registered: 03-21-2012

srx100 Routing in to local network

Hi-

I'm new at networking and to Junos.  I got a basic setup of Junos up and running.  I have pasted the config at the end.  What I wish to achieve is to establish connectivity to another router (Cisco), which is plugged in at fe-0/0/1 and has IP 192.168.0.5.  I wish to forward all 192.168.0.0/24 traffic to that router and have the srx100 accept 192.168.100.0/24 from the Cisco.

As you can see, all my trust zone ports are VLAN-configured with 192.168.100.1/24.  I've attached a laptop at fe-0/0/2, but can't ping the Cisco.  I tried creating a static route from 192.168.0.0/24 to fe-0/0/1, but the SRX complains it is not a point-to-point interface.

Hence I tried assigning an IP address to fe-0/0/1 and tried creating a static route to that IP, but no luck.

What is the correct approach to this kind of scenario?

 

    name-server {
        xx.yy.xx.cc;
        xx.yy.xx.cc;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.100.1;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 184.75.36.60/29;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {                
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }                                        
        }
    }
... Rest are same as above -----
    st0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.100.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop <my_isps_gateway_ip>;
        route 10.176.xxx.0/23 next-hop st0.0;
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net-cfgr_192-168-100-0--24 192.168.100.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
        security-zone opsourcevpn {
            address-book {
                address net-cfgr_10-176-xxx-0--23 10.176.xxx.0/23;
            }
            interfaces {
                st0.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

 

jwparks (Super Contributor)
Posts: 157
Registered: 04-20-2009

Re: srx100 Routing in to local network

You might need an intra-zone policy.

 

foo@bar# show security policies

from-zone trust to-zone trust {         
    policy intrazone {                  
        match {                         
            source-address any;         
            destination-address any;    
            application any;            
        }                               
        then {                          
            permit;                     
        }                               
    }                                   
} 
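
Added example, not part of the thread and not Juniper tooling: a short Python check, for the policy suggestion in the reply above, that parses pasted `show security policies` output, lists which zone pairs have a permit policy, and names the permits that match any/any/any. The two stanzas are compacted copies of the ones posted in this thread; the function and variable names are this example's own.

```python
import re

# Constructed inputs: the policy stanzas from the question and from the reply, compacted.
QUESTION = """policies { from-zone trust to-zone untrust { policy trust-to-untrust {
    match { source-address any; destination-address any; application any; }
    then { permit; } } } }"""
REPLY = """from-zone trust to-zone trust { policy intrazone {
    match { source-address any; destination-address any; application any; }
    then { permit; } } }"""
FIELDS = ("source-address", "destination-address", "application")

def parse(text):
    """Parse curly-brace Junos config into nested dicts (leaf statements map to None)."""
    root = {}
    stack, pending = [root], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(pending, {}))
        elif tok == "}":
            if len(stack) > 1:          # tolerate truncated pastes with a stray brace
                stack.pop()
        elif tok == ";":
            stack[-1][pending] = None
        else:
            pending = " ".join(tok.split())   # statement text, whitespace normalised
    return root

def audit(*stanzas):
    """Return ({(from_zone, to_zone): [permit policy names]}, [any/any/any permits])."""
    pairs, wide_open = {}, []
    for text in stanzas:
        tree = parse(text)
        for ctx, body in (tree.get("policies") or tree).items():
            m = re.fullmatch(r"from-zone (\S+) to-zone (\S+)", ctx)
            if not m or not body:
                continue
            permits = pairs.setdefault(m.groups(), [])
            for key, pol in body.items():
                if not (key.startswith("policy ") and pol and "permit" in (pol.get("then") or {})):
                    continue
                permits.append(key.split()[1])
                match = pol.get("match") or {}
                if all(f"{f} any" in match for f in FIELDS):
                    wide_open.append(key.split()[1])
    return pairs, wide_open

if __name__ == "__main__":
    for label, cfgs in (("question", [QUESTION]), ("question + reply", [QUESTION, REPLY])):
        print(label, *audit(*cfgs), sep=" | ")
```

Run against the question's stanza alone, the result has no `('trust', 'trust')` entry; with the reply's stanza added, the pair appears and both policies are reported as any/any/any permits.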

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.