SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configure srx240 to ISP

    Posted 04-02-2016 06:19

    Dear All,


    I tried to configure the srx240 for a DIA circuit from the ISP with static IPs but failed. The SRX is configured with the configuration below:

    set version 12.1X44-D35.5
    set system host-name SRX240STV
    set system time-zone MET
    set system root-authentication encrypted-password "$1$WZ9iX6Mv$/PPfq6cuHFigpqD2dfK6.."
    set system name-server 10.1.1.90
    set system name-server 10.1.1.94
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-resolution no-resolve-on-input
    set system services ssh protocol-version v2
    set system services telnet
    set system services netconf ssh
    set system services web-management http interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface ge-0/0/1.0
    set system services web-management session idle-timeout 60
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.34.100/24
    set interfaces ge-0/0/2 unit 0 family inet address 10.110.4.3/22
    set interfaces ge-0/0/3 unit 0 family inet address 192.168.1.10/24
    set routing-options static route 192.168.150.0/24 next-hop 192.168.34.1
    set routing-options static route 0.0.0.0/0 next-hop 10.110.4.1
    set protocols stp
    set security address-book global address inews-a 192.168.34.61/32
    set security address-book global address server1 192.168.3.155/32
    set security nat source rule-set nsw_srcnat from zone STV1
    set security nat source rule-set nsw_srcnat to zone Internet
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
    set security nat source rule-set nsw_srcnat1 from zone Internet
    set security nat source rule-set nsw_srcnat1 to zone STV1
    set security nat source rule-set nsw_srcnat1 rule nsw_srcnat1 match source-address-name inews-a
    set security nat source rule-set nsw_srcnat1 rule nsw_srcnat1 then source-nat off
    set security nat destination pool 192_168_34_100_ address 192.168.34.100/32
    set security nat destination rule-set nsw_destnat from zone Internet
    set security nat destination rule-set nsw_destnat rule 0_Default--Internal_ match source-address 0.0.0.0/0
    set security nat destination rule-set nsw_destnat rule 0_Default--Internal_ match destination-address 10.110.4.3/32
    set security nat destination rule-set nsw_destnat rule 0_Default--Internal_ then destination-nat pool 192_168_34_100_
    set security nat destination rule-set nsw_dest from zone STV1
    set security nat destination rule-set nsw_dest rule int match destination-address 192.168.34.61/32
    set security nat destination rule-set nsw_dest rule int then destination-nat off
    set security nat static rule-set inews from zone Internet
    set security nat static rule-set inews rule r1 match destination-address 10.110.4.5/32
    set security nat static rule-set inews rule r1 then static-nat prefix 192.168.34.61/32
    set security nat static rule-set inews rule r2 match destination-address 10.110.4.6/32
    set security nat static rule-set inews rule r2 then static-nat prefix 192.168.34.62/32
    set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 match source-address any
    set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 match destination-address any
    set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 match application any
    set security policies from-zone STV1 to-zone Internet policy All_Internet_STV1 then permit
    set security policies from-zone STV1 to-zone Internet policy permit-all match source-address inews-a
    set security policies from-zone STV1 to-zone Internet policy permit-all match destination-address any
    set security policies from-zone STV1 to-zone Internet policy permit-all match application any
    set security policies from-zone STV1 to-zone Internet policy permit-all then permit
    set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 match source-address any
    set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 match destination-address any
    set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 match application any
    set security policies from-zone Internet to-zone STV1 policy All_Internet_STV1 then permit
    set security policies from-zone Internet to-zone STV1 policy server-access match source-address any
    set security policies from-zone Internet to-zone STV1 policy server-access match destination-address inews-a
    set security policies from-zone Internet to-zone STV1 policy server-access match application any
    set security policies from-zone Internet to-zone STV1 policy server-access then permit
    set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
    set security zones security-zone STV1 interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
    set security zones security-zone Internet interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    

    I want to connect the new internet circuit to srx240 ge-0/0/0 then connect ge-0/0/3 to my switch to distribute the internet.


    First of all, I configured the SRX to check the internet, but the gateway 10.0.0.5 is not pingable.

    root@SRX240STV# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.6/30
    root@SRX240STV# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.5
    root@SRX240STV# set system name-server 84.235.6.55


    Your support and suggestions are highly appreciated.



  • 2.  RE: Configure srx240 to ISP

    Posted 04-02-2016 06:28

    Hello,

    Make sure you have ge-0/0/0 and ge-0/0/3 in a security zone and enable host-inbound services. Also make sure you have a policy allowing traffic between them.

    Change the NAT rule accordingly.



  • 3.  RE: Configure srx240 to ISP

    Posted 04-03-2016 02:07

    Thanks for your support, SAM.

    Yes, it's solved. My issue was with the NAT rule.

    I changed the static route to 0.0.0.0/0 next-hop 94.97.241.x (ISP gateway), and then the internet is working fine, but the subnet 192.168.34.0 can't access the internal servers (the old route was 0.0.0.0/0 next-hop 10.110.4.1).

    How can I solve it? I want to go through two routes:

    If the subnet 192.168.34.0 requests the internet, it will go through route 94.97.241.x.

    If the subnet 192.168.34.0 requests the internal servers, it will go through route 10.110.4.1.


    Thanks.



  • 4.  RE: Configure srx240 to ISP

    Posted 04-03-2016 02:32

    Configure "filter-based forwarding" with two routing instances, a firewall filter to identify traffic and direct it to the appropriate routing instance, and instance-import to import the interface routes into the routing instances. They should be of instance-type forwarding.



  • 5.  RE: Configure srx240 to ISP

    Posted 04-03-2016 03:59

    How can I configure "filter-based forwarding" with two routing instances? I saw many examples, but I'm confused.

    I want to send the same source address to different outgoing interfaces.

    For example:

    If the subnet 192.168.34.0 requests the internet, it will go through route 94.97.241.x (go to interface ge-0/0/0).

    If the subnet 192.168.34.0 requests the internal servers, it will go through route 10.110.4.1 (go to interface ge-3/0/0).


    Thank you for your quick response.



  • 6.  RE: Configure srx240 to ISP
    Best Answer

    Posted 04-03-2016 15:46

    Create a firewall filter with the correct match conditions. You want the most specific term to be the first term, and you also need to account for all other traffic: term accept-all-other should be the last term in the filter.
    ==================================================================
    set firewall family inet filter fbf-filter term to-server from source-address 192.168.34.0/24
    set firewall family inet filter fbf-filter term to-server from destination-address 10.110.1.0/24
    set firewall family inet filter fbf-filter term to-server then routing-instance To-Server
    set firewall family inet filter fbf-filter term default-to-internet from source-address 192.168.34.0/24
    set firewall family inet filter fbf-filter term default-to-internet then routing-instance To-Internet
    set firewall family inet filter fbf-filter term accept-all-other then accept


    NOTE*** If term to-server is not the first term, then insert term to-server before term default-to-internet.
    =======================================================
    Apply it to the ingress interface
    ===================================================
    set interfaces ge-0/0/1 unit 0 family inet filter input fbf-filter

    This assumes that the incoming interface is ge-0/0/1.0 (just replace this interface with your incoming interface).

    =================================================
    Create the routing instances and the static routes
    =================================================
    set routing-instances To-Internet instance-type forwarding
    set routing-instances To-Internet routing-options static route 0/0 next-hop 94.97.241.x

    set routing-instances To-Server instance-type forwarding
    set routing-instances To-Server routing-options static route 0.0.0.0/0 next-hop 10.110.4.1

    =========================================================
    Ensure that the routes are imported into the routing instances. I think this should get you going. You could be more specific by using routing policies from protocol direct and from interface ge-0/0/3 and ge-0/0/0 and apply those to the specific routing instances. Or you could also create a routing policy that only accepts the desired routes and apply it as an import-policy to the rib-group. For now test this. I don't know what I am missing yet.
    ========================================================

    set routing-options interface-routes rib-group inet rib-group
    set routing-options rib-groups rib-group import-rib inet.0
    set routing-options rib-groups rib-group import-rib To-Internet.inet.0
    set routing-options rib-groups rib-group import-rib To-Server.inet.0
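    To see why the answer above insists on term order and on a final accept-all-other term, here is a small first-match evaluator for the fbf-filter, added as an illustration; it is not code from this thread or from Juniper. It uses the thread's prefixes and routing-instance names, models the implicit discard that ends every Junos firewall filter, and the packets it classifies are constructed samples (198.51.100.7 is a documentation address standing in for any internet host).

```python
"""First-match model of a Junos filter-based-forwarding (FBF) filter.

Added illustration, not code from the thread or from Juniper. The prefixes
and instance names are the thread's; the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Term:
    """One 'term' of a family inet filter: optional from-conditions, one then-action."""
    name: str
    source: Optional[str] = None       # from source-address <prefix>
    destination: Optional[str] = None  # from destination-address <prefix>
    action: str = "accept"             # "accept" or "routing-instance <NAME>"

    def matches(self, src: str, dst: str) -> bool:
        # A term matches only when every configured from-condition matches.
        if self.source and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return True


@dataclass
class InetFilter:
    name: str
    terms: List[Term] = field(default_factory=list)

    def evaluate(self, src: str, dst: str) -> str:
        """Return the action of the first matching term; Junos discards if none matches."""
        for term in self.terms:
            if term.matches(src, dst):
                return term.action
        return "discard"  # implicit final term of every Junos firewall filter

    def forwarding_table(self, src: str, dst: str) -> Optional[str]:
        """Map the action to the table the packet is looked up in (None = dropped)."""
        action = self.evaluate(src, dst)
        if action == "accept":
            return "inet.0"                       # default table, no FBF
        if action.startswith("routing-instance "):
            return action.split(" ", 1)[1] + ".inet.0"
        return None


TO_SERVER = Term("to-server", source="192.168.34.0/24", destination="10.110.1.0/24",
                 action="routing-instance To-Server")
TO_INTERNET = Term("default-to-internet", source="192.168.34.0/24",
                   action="routing-instance To-Internet")
ACCEPT_ALL_OTHER = Term("accept-all-other", action="accept")


def fbf_filter() -> InetFilter:
    """The filter as recommended: most specific term first, catch-all last."""
    return InetFilter("fbf-filter", [TO_SERVER, TO_INTERNET, ACCEPT_ALL_OTHER])


def misordered_filter() -> InetFilter:
    """Same terms with default-to-internet ahead of to-server."""
    return InetFilter("fbf-filter", [TO_INTERNET, TO_SERVER, ACCEPT_ALL_OTHER])


def filter_without_catchall() -> InetFilter:
    """Same as fbf_filter() but missing the final accept term."""
    return InetFilter("fbf-filter", [TO_SERVER, TO_INTERNET])


if __name__ == "__main__":
    # Constructed sample flows: two from the 192.168.34.0/24 LAN, one from another LAN.
    flows = [("192.168.34.50", "10.110.1.20"),   # LAN host -> internal server
             ("192.168.34.50", "198.51.100.7"),  # LAN host -> internet
             ("192.168.1.25", "198.51.100.7")]   # other LAN -> internet (not subject to FBF)
    for label, flt in (("correct", fbf_filter()), ("misordered", misordered_filter()),
                       ("no catch-all", filter_without_catchall())):
        for src, dst in flows:
            print(f"{label:12} {src:>14} -> {dst:<14} {flt.forwarding_table(src, dst)}")
```

    With the recommended order, LAN traffic to 10.110.1.0/24 is looked up in To-Server.inet.0 and everything else from the LAN in To-Internet.inet.0. Swap the first two terms and the internal-server traffic matches default-to-internet first and is sent toward the ISP instead. Drop the accept-all-other term and any flow the two FBF terms do not cover (here, a host outside 192.168.34.0/24 arriving on the same ingress interface) falls through to the implicit discard and is silently dropped, which is exactly the outage the catch-all term prevents.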



  • 7.  RE: Configure srx240 to ISP

    Posted 04-03-2016 18:25

    Hello,

    You can keep the following as a reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=search

    You just need to create filters specifying destinations:

    1) for the internet

    2) for internal IPs

    So I hope we cannot create an internet-based filter, so create an internal destination filter and the rest can be matched to the internet, as stated by



  • 8.  RE: Configure srx240 to ISP

    Posted 04-03-2016 18:56

    Also make sure your IP addresses are properly configured:

    set security address-book global address inews-a 192.168.34.61/32
    set security address-book global address server1 192.168.3.155/32




  • 9.  RE: Configure srx240 to ISP

    Posted 04-04-2016 12:19

    Thanks a lot.