SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Virtual routers

    Posted 05-09-2013 13:47

    Hi!

     

    I solved my earlier problems, but now a new one has arisen... I'm quite experienced with SSG, but quite new with SRX and Junos.

     

    I have two different internet connections, both 50 Mbit. I want my DMZ to use one of them, and the other one for my other subnets.

     

    Obviously the other subnets also need to be able to reach the DMZ. Anyway, I guess I can cope with just two VR-s, but I was originally thinking three. One for each internet-connection, and one for the internal networks.

     

    I have followed the documentation I was able to find on the internet, but have a few questions. I can't get DNS working on the SRX now. I have read "For self-initiated management traffic (for example, system logs and traps), route lookup starts with inet.0.". But I don't understand how to deal with it? I see many people with this problem, but no solution.

     

    Secondly, "VPN interfaces (st) are currently terminated only in zones that are assigned to inet.0." What practical implications will that have? Is this still valid with 12.1X44?



  • 2.  RE: Virtual routers

    Posted 05-13-2013 02:32

    Ok, the routing part was simple using rib-group. But it was not very obvious why I couldn't get NAT working.

     

    I had NAT set up with "from zone" and "to zone" - and the to zone is in the untrust-vr. But it didn't work until I changed it to "from routing-instance" and "to routing-instance"... Not obvious, but ok... 🙂

     

    Still one curiosity, though. I get default gateway via DHCP on the untrust-interface (in untrust-zone in untrust VR...). When I use rib-group all the routes are shared between the VRs, except the untrust-vr's default gateway. I solve this easily by using a static route in the default vr: route 0.0.0.0/0 next-table untrust-vr.inet.0;

     

    But should this really be necessary when using rib-group?



  • 3.  RE: Virtual routers
    Best Answer

    Posted 05-13-2013 03:49

    Ok, I'm stupid. I was just testing from the CLI, and hadn't included junos-host zone in my nat-rule...