SRX


  • 1.  IP Block Routing

    Posted 03-03-2014 11:27

    Hi everybody,

     

    I'm new to the Juniper environment; I'm currently deploying an SRX240H2 and I have a small issue which annoys me a lot.

     

    Let me first show you my environment: I have 1 connected address block ( xxx.11.132.8/30 ) and 1 assigned public IP block ( 

    xxx.43.224.0/27 ). Everything works fine, except that when I'm "surfing", my detected public IP address is actually my gateway's address and not one from my assigned IP block.

     

    I don't need any private LAN behind my SRX; I just need it to act like a switch and not like a proxy.

     

    I'm sure it's a tiny detail; if anyone can help me with this, I would appreciate it.

     

    Regards,

     

    --

     


    ## Last changed: 2014-03-03 15:45:10 UTC
    /* SRX240H2 config as posted; forum rendering flattened the hierarchy indentation. */
    /* Topology from the statements below: ge-4/0/0.0 (xx.11.132.10/30) is the zone untrust */
    /* uplink, vlan.4 (xx.43.224.1/27) and vlan.0 (192.168.1.1/24) are the zone trust L3 VLANs. */
    version 11.4R9.4;
    system {
    host-name j-cf9-co;
    root-authentication {
    encrypted-password « -«  ; ## SECRET-DATA
    }
    name-server {
    xx;
    xx;
    }
    /* Management services: telnet and xnm-clear-text are cleartext protocols; since both */
    /* zones below allow host-inbound system-services "all", they are also reachable on the */
    /* Internet-facing ge-4/0/0.0. Prefer ssh/https only and restrict host-inbound-traffic. */
    services {
    ssh;
    telnet;
    xnm-clear-text;
    web-management {
    /* J-Web over plain HTTP; limited to the internal vlan.0 / vlan.4 interfaces. */
    http {
    interface [ vlan.0 vlan.4 ];
    }
    https {
    system-generated-certificate;
    interface [ vlan.0 vlan.4 ];
    }
    }
    /* Two DHCP pools: the private 192.168.1.0/24 and the public xx.43.224.0/27 block, */
    /* plus one MAC-based static binding for xx.43.224.2. */
    dhcp {
    name-server {
    xx;
    xx;
    }
    pool 192.168.1.0/24 {
    address-range low 192.168.1.2 high 192.168.1.254;
    router {
    192.168.1.1;
    }
    }
    pool xx.43.224.0/27 {
    address-range low xx.43.224.2 high xx.43.224.30;
    router {
    xx.43.224.1;
    }
    }
    static-binding e0:2f:6d:75:32:2a {
    fixed-address {
    xx.43.224.2;
    }
    name-server {
    xx;
    xx;
    }
    router {
    xx.43.224.1;
    }
    }
    }
    }
    /* Logging is local only in this excerpt (no remote syslog host); "authorization info" */
    /* keeps login attempts in the messages file, which matters given the exposed services. */
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    /* ge-0/0/0 .. ge-0/0/14 are access ports in wiz-vlan-4 (public /27, vlan.4); */
    /* ge-0/0/15 is in vlan-trust (vlan.0, 192.168.1.0/24); ge-4/0/0 is the routed uplink. */
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/4 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/5 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/6 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/7 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/8 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/9 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/10 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/11 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/12 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/13 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/14 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members wiz-vlan-4;
    }
    }
    }
    }
    ge-0/0/15 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    /* Provider-facing /30; the default route below points at the other end of it. */
    ge-4/0/0 {
    unit 0 {
    family inet {
    address xx.11.132.10/30;
    }
    }
    }
    vlan {
    unit 0 {
    family inet {
    address 192.168.1.1/24;
    }
    }
    unit 4 {
    family inet {
    address xx.43.224.1/27;
    }
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop xx.11.132.9;
    }
    }
    protocols {
    stp;
    }
    security {
    /* Screen profile is bound only to zone untrust (see "screen untrust-screen" below). */
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    /* Interface source NAT for every trust source (0.0.0.0/0): traffic from the public /27 */
    /* leaves as the ge-4/0/0.0 address, which is the symptom described in the post. */
    /* Removing it makes the /27 routed instead of translated; the inbound policy below */
    /* then becomes the only control on what reaches those hosts. */
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    /* Permits any source, destination and application from untrust into trust. With the */
    /* public /27 routed, this exposes every host on vlan.4 to the Internet unfiltered; */
    /* narrow it to the addresses and applications that must be reachable, and log it. */
    from-zone untrust to-zone trust {
    policy untrust-to-trust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.4;
    vlan.0;
    }
    }
    /* host-inbound-traffic "all" on the Internet-facing zone lets every enabled system */
    /* service (including telnet and xnm-clear-text above) be addressed on ge-4/0/0.0. */
    /* Typical hardening: allow only what the uplink needs (e.g. ping) and manage via trust. */
    security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-4/0/0.0;
    }
    }
    }
    }
    vlans {
    vlan-trust {
    vlan-id 3;
    l3-interface vlan.0;
    }
    wiz-vlan-4 {
    vlan-id 4;
    l3-interface vlan.4;
    }
    }



  • 2.  RE: IP Block Routing
    Best Answer

     
    Posted 03-03-2014 21:11

    Hello 

     

    You have interface source NAT configured (see below), so even when you are using the public range, your source IPs will be translated to the outgoing interface address (ge-4/0/0.0, xx.11.132.10) when trying to reach the Internet. You need to remove the NAT rule to force your traffic to be routed instead of NATed, using the command: delete security nat source

    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }

     

    Regards



  • 3.  RE: IP Block Routing

    Posted 03-03-2014 23:24

    HI,

     

    Thanks a lot, it works perfectly now 🙂

    You've saved my day 😄

     

    Regards,