SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Connection timeout to switch vlan

    Posted 01-12-2014 07:57
    Hi everyone, I have recently implemented an SRX110 cluster which has replaced a Juniper SSG20.

    I have the following setup on the SRX:

    Reth 0 - trust 10.0.0.254 which is the gateway for all clients on production network
    Reth 1 - untrust
    Reth 2 - DMZ 192.168.168.0 (vlan on switch)
    Reth 3 - guest wifi network

    Apart from guest wifi all the above networks are setup as vlans on the core HP switch IP address 10.0.0.9

    Now the problem:

    I have a test network 172.16.28.0 which is also a vlan on the HP switch gateway is the switch 172.16.28.254.

    When I rdp to the test network it drops the connection every 30 seconds or so, I know this is due to the session starting on reth0, going to the 10.0.0.9 switch but as the switch is on the same subnet as my PC it returns over the 10.0.0.0 network and not back to the SRX. To fix this I have to setup a static route on my client which points to the switch.

    I don't want to have to do that for everything accessing the test network, I have been advised to setup the test network on a spare SRX interface instead of the switch but is this the only way? I also have 2 other vlans so would need to do the same for them.

    Another note to access the test network when the SRX was installed I had to set static routes on the SRX pointing to the 10.0.0.9 switch for test network and other vlans.

    I then had to setup a trust to trust rule any any as it sees the test network on trust due to it being on the 10.0.0.9 switch.

    Can anyone suggest any solutions please?

    I hope that makes sense!

    Many thanks
    Ross


  • 2.  RE: Connection timeout to switch vlan

    Posted 01-12-2014 09:33

    As I understand it, the replies from your server reach your core switch en route. The core switch has an interface inside 10.0.0.0/?, so it replies directly back to the client.

    You could set up source address translation, so that traffic coming from 10.0.0.0/? to 172.16.28.0/? (and the other two subnets) is translated to the interface of the SRX as it exits. This would mean that the destination address for the return traffic would be 10.0.0.254 from the server's perspective, which is the firewall. The firewall then sees this as a response to the session previously initiated and sends the reply back to the client.


    If you need an example of how to implement this, I can work one out.

    If you collect statistics about sources of the incoming traffic on your servers, this would be ruined. Sure, you could try to track it back to the firewall sessions, but this is a tough task.

    If you are able to disable routing for a specific VLAN, you could also do this for your test network. I don't know if this makes sense in your topology, but it's a possibility.



  • 3.  RE: Connection timeout to switch vlan
    Best Answer

    Posted 01-12-2014 09:36

    The sooner you re-design your network and configure all layer 3 interfaces on the SRX, the sooner it will resolve your issue. You don't need a spare reth for every layer 3 interface; you can do it by configuring sub-interfaces on a reth and placing each reth sub-interface in the appropriate zone. However, the following trick may work out with the current design:

    Configure source NAT for all sessions initiated from the trust zone (source IP 10.0.0.0/0) and destined to the 172.16.28.0/0 network with action source-nat interface. What this will do is simply change your source IP (i.e. client IP) to the egress interface IP (i.e. 10.0.0.254). The RDP session will be established with the destination (i.e. client on the test network).

    On the return path the HP switch will forward the return traffic to the SRX, as the source IP for the session was 10.0.0.254 instead of the client IP (as the HP switch has ARP entries for clients and the SRX being on the same subnet), and at the final stage the SRX will forward the return session to the concerned client from where the RDP session request was initiated.


    Please mark this as accepted solution if it works for you

    A kudos is a good way of appreciation


    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos


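    An added example, in Junos set syntax, of the interface source NAT workaround Kashif describes; it is not configuration from the thread or from Juniper. It assumes zone "trust" sits on reth0.0, uses the /16 and /24 masks the original poster confirms later in the thread, and the rule-set, policy and address-book names are arbitrary choices.

```junos
# Source NAT: rewrite the client address to reth0.0's own IP (10.0.0.254) only
# for trust -> trust traffic headed to the test VLAN behind the HP switch.
# The switch then ARPs for 10.0.0.254 and hands the return traffic to the SRX,
# which matches it to the existing session and un-translates it.
set security nat source rule-set trust-hairpin from zone trust
set security nat source rule-set trust-hairpin to zone trust
set security nat source rule-set trust-hairpin rule test-vlan match source-address 10.0.0.0/16
set security nat source rule-set trust-hairpin rule test-vlan match destination-address 172.16.28.0/24
set security nat source rule-set trust-hairpin rule test-vlan then source-nat interface

# Intra-zone policy. The thread used an any/any trust-to-trust rule; the same
# workaround functions with the policy narrowed to the test subnet and RDP
# (predefined application junos-ms-rdp), so the hairpin is not a blanket permit.
# Policies match on pre-source-NAT addresses, hence the real client range.
set security address-book global address lan-10 10.0.0.0/16
set security address-book global address test-vlan 172.16.28.0/24
set security policies from-zone trust to-zone trust policy lan-to-test match source-address lan-10
set security policies from-zone trust to-zone trust policy lan-to-test match destination-address test-vlan
set security policies from-zone trust to-zone trust policy lan-to-test match application junos-ms-rdp
set security policies from-zone trust to-zone trust policy lan-to-test then permit
set security policies from-zone trust to-zone trust policy lan-to-test then log session-close

# Verify after commit: the rule hit counter should rise and the session table
# should show the translated source for an RDP session to the test network.
run show security nat source rule all
run show security flow session destination-prefix 172.16.28.0/24
```

    Servers on the test VLAN now see every live-network client as 10.0.0.254, which is the logging trade-off the second reply mentions.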

  • 4.  RE: Connection timeout to switch vlan

    Posted 01-12-2014 10:30
    Thanks guys, I'll try the source NAT first and possibly look at configuring all L3 interfaces on the SRX. I'll report back once I've given it a go.

    Many thanks.


  • 5.  RE: Connection timeout to switch vlan

    Posted 01-13-2014 06:38

    Brilliant, thank you both, the source NAT fixed it as a workaround.


    What would be the best solution to implement the proper fix out of the following?


    1)  Create an interface on the SRX for the Test VLAN with IP 172.16.28.254,  then on the HP switch change the test network VLAN IP from 172.16.28.254 to say 172.16.28.10.   All clients on Test will not need changing as their gateway is 172.16.28.254 but they will now go to the SRX for anything not in the 172.16.28.0/24 network.


    2)  Remove IP options from the Test VLAN on the switch and create the interface on the SRX with IP 172.16.28.254,  all clients will now go to the SRX for their gateway and the switch only passes the VLAN.


    3)  Remove VLAN routing on the switch then route to the SRX for the 10.0.0.0/16 network,  I assume this would work as currently for 10.0.0.0/16 on the switch IP route shows gateway as the 10.0.0.0/16 VLAN and not 10.0.0.254 (the SRX).


    I'm not sure what difference 1 and 2 make; number 1 is how we currently have our production LAN 10.0.0.0/16 set up. Option 2 is how we have our guest_wifi and DMZ set up. Can anyone please explain the pros and cons of this?


    Thanks for the help

    Ross



  • 6.  RE: Connection timeout to switch vlan

    Posted 01-13-2014 07:19

    Configure a layer 3 interface on the SRX for all subnets, which will be the gateway for each subnet. You may control inter-subnet routing by security zones and security policies. Now, you need to access other network devices for management functions; you may use a private subnet, again on a layer 3 interface on the SRX, and may extend it to other devices for the purpose. The other option is that you may continue to access other devices, e.g. the HP switch, with the 10.0.0.10 IP address already configured on it. But make sure the SRX is the gateway for each subnet; this will provide great flexibility and control over your network.


    Please mark this as accepted solution if it works for you

    A kudos is a good way of appreciation


    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos


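    An added Junos example (not from the thread or from Juniper) of the sub-interface design Kashif recommends, where each VLAN gets its own reth unit, zone and policy so the SRX is the sole gateway. It assumes a new reth4 already bound to a redundancy group on the cluster, VLAN IDs 28 and 30, a hypothetical iSCSI subnet, and that the HP switch side becomes a tagged trunk with its VLAN IP addresses removed (option 2 from post 5).

```junos
# One 802.1Q unit per VLAN on a single redundant interface.
set interfaces reth4 vlan-tagging
set interfaces reth4 unit 28 description "test network"
set interfaces reth4 unit 28 vlan-id 28
set interfaces reth4 unit 28 family inet address 172.16.28.254/24
set interfaces reth4 unit 30 description "iSCSI (subnet assumed)"
set interfaces reth4 unit 30 vlan-id 30
set interfaces reth4 unit 30 family inet address 172.16.30.254/24

# One zone per VLAN, so traffic between segments is governed by policy rather
# than by the switch. Host-inbound traffic is limited to what each needs.
set security zones security-zone test interfaces reth4.28 host-inbound-traffic system-services ping
set security zones security-zone storage interfaces reth4.30 host-inbound-traffic system-services ping

# Only the flow the thread describes is permitted: live LAN -> test servers
# over RDP. Anything else between zones (including iSCSI) hits the default deny.
set security address-book global address lan-10 10.0.0.0/16
set security address-book global address test-vlan 172.16.28.0/24
set security policies from-zone trust to-zone test policy lan-to-test match source-address lan-10
set security policies from-zone trust to-zone test policy lan-to-test match destination-address test-vlan
set security policies from-zone trust to-zone test policy lan-to-test match application junos-ms-rdp
set security policies from-zone trust to-zone test policy lan-to-test then permit

# Once reth4.28 supplies 172.16.28.0/24 as a directly connected route, the
# static route that pointed the test network at the HP switch, the interface
# source NAT workaround, and the any/any trust-to-trust policy are no longer
# needed (the rule-set and policy names below are assumed).
delete routing-options static route 172.16.28.0/24
delete security nat source rule-set trust-hairpin
delete security policies from-zone trust to-zone trust policy any-any
```

    With the HP switch no longer holding an IP in the test VLAN, replies can only return via the SRX, which removes the asymmetric path that caused the RDP drops.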

  • 7.  RE: Connection timeout to switch vlan

    Posted 01-16-2014 03:58

    Ok great, thank you for the explanation.


    Before I make any configuration changes to the network I wanted to make sure this is best solution:


    At the moment the other VLANs are the test network, iSCSI, Hyper-V comms, and live migration. They don't need good routing performance as they don't need to route other than to access some test servers from the live network. Because of this, moving them to sub-interfaces on one physical interface of the SRX is fine.


    However, the network was originally set up with servers, users, and printers all on 10.0.0.0/16 (servers), 10.0.2.0/16 (users), 10.0.1.0/16 (VPN users), 10.0.3.0/16 (printers). These are all on the default VLAN, so not ideal. We want to separate these with VLANs; will there be much of a performance hit moving these new VLANs to separate sub-interfaces, with the SRX being a 100 Mb interface and our current core switch being an HP 5412zl on 1 Gb?

    Is there any benefit to having the networks on physical interfaces instead of sub-interfaces? The reason I ask this: the current FE0 is 10.0.0.254, which all of the above on the default VLAN use as their gateway. The current other VLANs will be set up on the SRX fe07, so should the servers/users/printers VLANs that I need to create be sub-interfaces on the fe0 interface, or am I wasting an interface by using fe0 and fe7? Sorry, I'm only just getting to grips with this so may be a bit confusing!


    Many thanks!

    Ross