SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dual untrust interfaces routing issue

    Posted 02-05-2012 22:35

    Hello!

    I've got an SRX100 with two interfaces in the untrust zone. Both of them get their IP from a DHCP server (they are in different zones and subnets). My goal is to get one subnet (got its own zone as well) and another subnet (also got its own zone) to be NATed out on the internet with different outside IPs. So in short I want clients from zone guest to be NATed out on the interface fe-0/0/1.0 (member of zone Guest-internet) and inside clients to be NATed out on fe-0/0/0.0 (member of untrust).

    How would I implement this? Do I need to use PBR to achieve my goal? Or do I put them in different routing instances?

     

    Thanks in advance.

    Regards,

    User853



  • 2.  RE: Dual untrust interfaces routing issue

    Posted 02-06-2012 03:41

    Using two routing instances would be the best approach.



  • 3.  RE: Dual untrust interfaces routing issue

    Posted 02-06-2012 07:55

    Both PBR and Routing instance will solve the problem though Routing instance is a better option in my opinion.



  • 4.  RE: Dual untrust interfaces routing issue

    Posted 02-06-2012 09:21

    Thanks for your answers. Will start looking into routing instances then :)



  • 5.  RE: Dual untrust interfaces routing issue
    Best Answer

    Posted 02-10-2012 13:08

    @user853 wrote:

    Thanks for your answers. Will start looking into routing instances then :)


    This is generally what it would look like:

     

    interfaces {
        ge-0/0/1 {
            description "Guest internet";
            unit 0 {
                family inet {
                    address 1.1.1.2/24;
                }
            }
        }
        ge-0/0/2 {
            description "Guest inside";
            unit 0 {
                family inet {
                    address 2.2.2.1/24;
                }
            }
        }
        ge-0/0/3 {
            description internet;
            unit 0 {
                family inet {
                    address 3.3.3.2/24;
                }
            }
        }
        ge-0/0/4 {
            description inside;
            unit 0 {
                family inet {
                    address 4.4.4.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 3.3.3.1;
        }
    }
    security {
        zones {
            security-zone Guest-internet {
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone Guest-inside {
                interfaces {
                    ge-0/0/2.0;
                }
            }
            security-zone internet {
                interfaces {
                    ge-0/0/3.0;
                }
            }
            security-zone inside {
                interfaces {
                    ge-0/0/4.0;
                }
            }
        }
    }
    routing-instances {
        Guest {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 1.1.1.1;
                }
            }
        }
    }

     

    You would have to then create security policies from zone to zone.

     

    And if you ever wanted the guest network to communicate with the other network, you'd have to do some creative routing.
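    The reply above stops at the routing-instance and zone layout; the source NAT rule-sets and zone-to-zone policies it says you "would have to then create" are shown here as an added illustration, not as part of the original post. It reuses the reply's addresses and zone names; the rule-set names, policy names, the choice of interface-based source NAT and the session-close logging are assumptions.

```junos
security {
    nat {
        source {
            /* Guest subnet leaves through the Guest-internet interface, which lives in the Guest virtual-router */
            rule-set guest-out {
                from zone Guest-inside;
                to zone Guest-internet;
                rule guest-snat {
                    match {
                        source-address 2.2.2.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /* Inside subnet leaves through the internet interface in the default instance */
            rule-set inside-out {
                from zone inside;
                to zone internet;
                rule inside-snat {
                    match {
                        source-address 4.4.4.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Only the two zone pairs that should carry traffic get a policy; everything else stays at the default deny */
        from-zone Guest-inside to-zone Guest-internet {
            policy guest-permit-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone inside to-zone internet {
            policy inside-permit-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

Because ge-0/0/1.0 and ge-0/0/2.0 sit in the Guest virtual-router, a guest host has no route to 4.4.4.0/24 at all unless you add one deliberately, so the inside network is isolated by routing as well as by policy; that is the "creative routing" the reply refers to. To check the result after commit, `show route table Guest.inet.0` should show only the 0.0.0.0/0 via 1.1.1.1 and the connected prefixes, `show security nat source rule all` shows the hit counts per rule, and `show security flow session source-prefix 2.2.2.0/24` confirms guest sessions are translated to the ge-0/0/1.0 address. If the untrust interfaces really are DHCP clients as in the original question, the Guest-internet and internet zones also need `host-inbound-traffic { system-services { dhcp; } }` so the lease replies are accepted.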



  • 6.  RE: Dual untrust interfaces routing issue

    Posted 03-08-2012 21:34

    Is DHCP in a VR supported at this point in time?



  • 7.  RE: Dual untrust interfaces routing issue

    Posted 01-12-2013 01:39

    I do not know if it is supported, but it works for me and has done so for quite some time.