SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  public subnet routing woes - SRX320

    Posted 12-03-2016 06:41
    Hi all,

    Hoping someone can take pity on me and help me out of a bind.

    I've been struggling to get this working for some time now and the boss is getting a bit snarky, so I really need to get it resolved ASAP.

    I'll admit I don't have the greatest networking knowledge, so I'm hoping someone can point out something very simple that I'm missing here.

    The setup I'm looking for is very similar to TriSept's in the post https://forums.juniper.net/t5/SRX-Services-Gateway/Public-subnet-behind-SRX/td-p/300447 but I didn't want to hijack his thread.

    Basically we share our line with a tenant in the building and are looking to create 2 independent zones, with the client having all traffic from a certain IP routed to them and having their router handle security/NAT/etc. (but if that's not possible we would be willing to have the SRX handle this).

    I've been working to keep a "trust" zone for testing purposes on a VLAN running off ge-0/0/1, with our network running off ge-0/0/2, and our tenant running off ge-0/0/3.

    Our ISP supplied the following details:

    WAN Subnet : *.*.131.196
    WAN Subnet Mask : /30
    WAN IP : *.*.131.198
    WAN Default Gateway : *.*.131.197

    Routed IP's Network Number : *.*.138.216
    Routed IP Mask : /30
    Routed First Host : *.*.138.217
    Routed Second Host : *.*.138.218
    Routed Last Host : *.*.138.218
    Routed Broadcast Address : *.*.138.219

    I can happily get online and get service running from WAN IP *.*.131.198, but I've been banging my head against a wall trying to get anything working with Routed First Host *.*.138.217 and Routed Second Host *.*.138.218.

    At first I was trying to use proxy ARP, but as they're not the same subnet I discovered that was clearly a dead end.

    Can anyone help explain how I should set up Routed First Host *.*.138.217 and Routed Second Host *.*.138.218 to effectively pass traffic through to our tenant zone on ge-0/0/3?

    I've attached my current "work in progress" configuration; if some kind soul could have a look over it and let me know what my next steps should be,

    Many, many thanks in advance


    #SRX320


  • 2.  RE: public subnet routing woes - SRX320
    Best Answer

    Posted 12-04-2016 14:55

    So if the second subnet is routed to your first subnet interface, I think your best solution is to place this on another interface directly and have your tenant connect to that.

    Internet ---- WAN ge-0/0/0 SRX *.*.131.198/30

       ge-0/0/4 (or available interface)  *.*.138.217/30 --- Tenant interface *.*.138.218/30  (tenant uses *.*.138.217 as default route)

    Place the ge-0/0/4 into the untrust zone.

    Create an untrust to untrust allow all rule without any NAT.

    Proxy ARP is only needed when you have a connected subnet at layer 2. The routed subnets that exist behind your SRX will not need proxy ARP.



  • 3.  RE: public subnet routing woes - SRX320

    Posted 12-05-2016 09:15

    Many, many thanks for your reply


  • 4.  RE: public subnet routing woes - SRX320

    Posted 12-06-2016 02:53

    You appear to be hitting a source NAT rule then. So create a source NAT rule that forces this to be off. Adjust the zone names if needed; these need to match the zones used: "from zone" is the zone on your client-facing interface and "to zone" is your internet-facing interface.

    set security nat source rule-set tenantA from zone untrust
    set security nat source rule-set tenantA to zone untrust
    set security nat source rule-set tenantA rule no_nat match source-address *.*.138.218/30
    set security nat source rule-set tenantA rule no_nat then source-nat off

    Then put this above any other source NAT rules:

    insert security nat source rule-set tenantA before rule-set ?

    Then select your first NAT rule from the list.
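Pulling replies 2 and 4 together, here is a complete Junos configuration for the design described in this thread (routed /30 placed on its own interface in the untrust zone, an explicit untrust-to-untrust policy, and a source NAT exemption for the tenant's prefix). This is an added example, not the poster's attached configuration or anything from Juniper; the addresses are constructed documentation-range stand-ins for the masked ones above (203.0.113.196/30 for the *.*.131.196/30 WAN block, 198.51.100.216/30 for the *.*.138.216/30 routed block), and the interface ge-0/0/4, the rule-set and policy names, and the example LAN rule-set trust-to-untrust are assumptions.

```junos
## Constructed addresses: 203.0.113.x stands in for the masked *.*.131.x WAN /30,
## 198.51.100.x for the masked *.*.138.x routed /30. Adjust to the real values.
set interfaces ge-0/0/0 unit 0 description "ISP WAN"
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.198/30
set interfaces ge-0/0/4 unit 0 description "Tenant hand-off (assumed interface)"
set interfaces ge-0/0/4 unit 0 family inet address 198.51.100.217/30

## Default route toward the ISP gateway. No static route is needed for the routed /30:
## it is a connected subnet on ge-0/0/4, and the ISP already routes it to the WAN IP.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.197

## Both the ISP-facing and the tenant-facing interfaces live in the untrust zone.
## Only ping is opened toward the SRX itself; the tenant router does its own security.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/4.0 host-inbound-traffic system-services ping

## Intra-zone traffic is not permitted by default on the SRX, so the
## untrust -> untrust policy must be explicit. Session logging keeps a record of
## what passes through to the tenant, since nothing is filtered here.
set security policies from-zone untrust to-zone untrust policy tenant-passthrough match source-address any
set security policies from-zone untrust to-zone untrust policy tenant-passthrough match destination-address any
set security policies from-zone untrust to-zone untrust policy tenant-passthrough match application any
set security policies from-zone untrust to-zone untrust policy tenant-passthrough then permit
set security policies from-zone untrust to-zone untrust policy tenant-passthrough then log session-init

## Source NAT exemption (reply 4): the tenant's public prefix must leave the WAN
## unchanged. The match uses the network address of the /30, which covers both hosts.
set security nat source rule-set tenantA from zone untrust
set security nat source rule-set tenantA to zone untrust
set security nat source rule-set tenantA rule no_nat match source-address 198.51.100.216/30
set security nat source rule-set tenantA rule no_nat then source-nat off

## Example of the existing LAN rule-set (assumed name) that must NOT catch tenant traffic.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule lan-snat match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule lan-snat then source-nat interface

## If an existing rule-set uses the same zone context as tenantA, order decides:
## move tenantA ahead of it, as reply 4 describes.
insert security nat source rule-set tenantA before rule-set trust-to-untrust

## Verification from operational mode after commit:
##   show security nat source rule all
##   show security flow session source-prefix 198.51.100.218
## The session for the tenant host should show the same source address on both
## the In and Out legs; a translated address on the Out leg means a SNAT rule still matches.
```

Two points worth checking against your own box: Junos picks a source NAT rule-set by the most specific context (interface over zone over routing-instance) and only then by order, so the insert step only matters when the competing rule-set is also zone-to-zone; and the untrust-to-untrust any/any policy intentionally leaves the tenant's /30 fully exposed, which is the design here (the tenant router is the firewall), but it is why the policy carries session logging.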

     



  • 5.  RE: public subnet routing woes - SRX320

    Posted 12-06-2016 06:38

    Once again spaluka, I'm in your debt for providing such a straightforward and easy to apply solution.

    Many, many thanks 🙂