
SRX345 Cluster, No Reth BGP Untrusted Uplink, Best practice/Suggestion

11-26-2018 11:45 AM

Hi

I have 2 x SRX 345 clustered.

My ISP has configured 2 x /30 subnets presented on 2 x ethernets configured with BGP for my Untrust uplinks.

I have a private (172.16.x.x) subnet NAT'd on the Trusted side and two public/routed subnets, a /28 and a /29.

On the Trusted zone I have reth configured, however on the Untrust zone I am unable to have a reth due to the physical port limitations and configuration imposed by the ISP.

My intention is to DNAT the two routed subnets to the internal IPs/ports as required.

My question is, what is the best practice/config to allow me use of an IP from the routed subnets for the VPN endpoint on the SRX345s? Can I simply do this with DNAT?

I hope this makes sense, it does to me. Newbie to Juniper and the kit is not in situ yet so I cannot test/experiment with the routed subnets over the BGP config.....

Thanks in advance.....

Basic Cluster_SingleReth_BGP_config

set version 15.1X49-D124.3
set groups node0 system host-name XXXXX-0
set groups node0 interfaces fxp0 unit 0 family inet address x.x.x.x.1/24
set groups node1 system host-name XXXXX-1
set groups node1 interfaces fxp0 unit 0 family inet address x.x.x.x.2/24
set apply-groups "${node}"
set system root-authentication encrypted-password "xxxxx.x.xxxxx.xxxxxx.xxxxxx.xxxxxx.xxxxxx.xxxxxx"
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system services web-management https interface reth0.0
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Trusted interfaces reth0.0
set security zones security-zone Untrusted host-inbound-traffic system-services ping
set security zones security-zone Untrusted host-inbound-traffic system-services ssh
set security zones security-zone Untrusted interfaces ge-0/0/6.0
set security zones security-zone Untrusted interfaces ge-5/0/6.0
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces ge-0/0/6 unit 0 description to-A
set interfaces ge-0/0/6 unit 0 family inet address x.x.x.10/30
set interfaces ge-5/0/5 gigether-options redundant-parent reth0
set interfaces ge-5/0/6 unit 0 description to-B
set interfaces ge-5/0/6 unit 0 family inet address x.x.x.14/30
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 172.16.1.1/24
set routing-options autonomous-system 12345
set protocols bgp group external-peers type external
set protocols bgp group external-peers peer-as 12346
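As an added example (not part of the original post), this is the destination-NAT shape the question describes, written against the poster's own zone names. The addresses are assumptions: 203.0.113.2 stands in for one address inside the routed /28 (RFC 5737 documentation range) and 172.16.1.10 for an internal host behind reth0.0. The pool, rule-set, rule, address-book and policy names are also assumed.

```junos
## Added example, not from the original post. Assumed values:
##   203.0.113.2  - an address inside the routed /28 (documentation range)
##   172.16.1.10  - an internal host on reth0.0 in zone Trusted
## Zone names Trusted/Untrusted are the poster's; all other names are assumed.

## Destination NAT: public 203.0.113.2:443 -> internal 172.16.1.10:443
set security nat destination pool web-srv address 172.16.1.10/32 port 443
## Keying the rule-set on the zone rather than an interface covers both
## physical uplinks ge-0/0/6.0 and ge-5/0/6.0, so DNAT needs no reth on the
## Untrusted side.
set security nat destination rule-set dnat-public from zone Untrusted
set security nat destination rule-set dnat-public rule web-443 match destination-address 203.0.113.2/32
set security nat destination rule-set dnat-public rule web-443 match destination-port 443
set security nat destination rule-set dnat-public rule web-443 then destination-nat pool web-srv

## Security policy is evaluated after destination NAT, so it matches the
## translated (internal) address. Permit only the one application, not "any".
set security address-book global address web-srv-int 172.16.1.10/32
set security policies from-zone Untrusted to-zone Trusted policy allow-web-443 match source-address any
set security policies from-zone Untrusted to-zone Trusted policy allow-web-443 match destination-address web-srv-int
set security policies from-zone Untrusted to-zone Trusted policy allow-web-443 match application junos-https
set security policies from-zone Untrusted to-zone Trusted policy allow-web-443 then permit
set security policies from-zone Untrusted to-zone Trusted policy allow-web-443 then log session-close
```

Because the /28 and /29 are routed to the SRX over BGP rather than sitting on the /30 uplink subnets, no proxy-ARP is needed for the NAT addresses; proxy-ARP only matters when the translated address lives on the same subnet as the uplink interface. After commit, `show security nat destination rule all` shows rule hits and `show security flow session destination-prefix 172.16.1.10` shows whether sessions are actually being built to the internal host.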


Re: SRX345 Cluster, No Reth BGP Untrusted Uplink, Best practice/Suggestion

11-26-2018 05:33 PM

Rather than NAT I would consider putting the desired address on a loopback interface and terminating the VPN there.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
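As an added example of the loopback approach suggested in the reply (this is not the replier's configuration), the fragment below puts one address from the routed /28 on lo0.0, places lo0.0 in the poster's Untrusted zone with IKE allowed inbound, and binds a route-based IPsec VPN to it. Assumed values: 203.0.113.1 for the loopback address, 198.51.100.1 for the remote peer, 10.20.0.0/16 for the remote network, a new zone named VPN, and the ike/ipsec object names; the cipher choices are one reasonable set, not a requirement.

```junos
## Added example, not from the original reply. Assumed values:
##   203.0.113.1   - loopback address taken from the routed /28
##   198.51.100.1  - remote VPN peer (documentation range)
##   10.20.0.0/16  - network behind the remote peer
## Zone names Trusted/Untrusted are the poster's; zone VPN and all object
## names are assumed. Replace the PSK placeholder before commit.

## The VPN endpoint lives on lo0, which belongs to no physical uplink, so it
## works whichever of the two /30 uplinks the ISP uses to reach the /28.
set interfaces lo0 unit 0 family inet address 203.0.113.1/32
set security zones security-zone Untrusted interfaces lo0.0
## IKE must be allowed as a host-inbound service on the zone holding lo0.0;
## the poster's Untrusted zone currently permits only ping and ssh.
set security zones security-zone Untrusted host-inbound-traffic system-services ike

## Tunnel interface in its own zone so VPN traffic gets its own policies
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0

## IKEv2 phase 1
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"
set security ike gateway gw-remote ike-policy ike-pol
set security ike gateway gw-remote address 198.51.100.1
set security ike gateway gw-remote external-interface lo0.0
set security ike gateway gw-remote local-address 203.0.113.1
set security ike gateway gw-remote version v2-only

## Phase 2 with PFS, bound to st0.0
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-remote bind-interface st0.0
set security ipsec vpn vpn-remote ike gateway gw-remote
set security ipsec vpn vpn-remote ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-remote establish-tunnels immediately

## Route the remote network into the tunnel and permit it explicitly
set routing-options static route 10.20.0.0/16 next-hop st0.0
set security address-book global address remote-net 10.20.0.0/16
set security policies from-zone VPN to-zone Trusted policy vpn-in match source-address remote-net
set security policies from-zone VPN to-zone Trusted policy vpn-in match destination-address any
set security policies from-zone VPN to-zone Trusted policy vpn-in match application any
set security policies from-zone VPN to-zone Trusted policy vpn-in then permit
set security policies from-zone Trusted to-zone VPN policy vpn-out match source-address any
set security policies from-zone Trusted to-zone VPN policy vpn-out match destination-address remote-net
set security policies from-zone Trusted to-zone VPN policy vpn-out match application any
set security policies from-zone Trusted to-zone VPN policy vpn-out then permit
```

The loopback address must come from one of the subnets the ISP already routes to the SRX (the /28 or the /29); nothing about the BGP sessions changes, since the ISP is routing those prefixes toward the /30s regardless of which uplink is in use. The check most often missed is the `host-inbound-traffic system-services ike` line on the zone that holds lo0.0; without it IKE packets are dropped before the gateway ever sees them. `show security ike security-associations` and `show security ipsec security-associations` confirm phase 1 and phase 2 respectively once the peer is reachable.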