SRX

Hey guys,

 

it's been a while, but I'm getting back into my networking stuff.  So I have a little bit of a dilemma. 

 

Here is what I want to accomplish on my network:

 

 

 

Basically, I'm looking at creating two LANs (seperate networks).  One for testing and the other is a live network. 

 

Our ISP gave us 32 public IP addresses (altered here for security reasons):

 

64.74.234.0-64.74.234.32

 

We want to use the first 16 IP addresses for our live network, and the last 16 IP addresses for a test network.  The problem is, the first network works.

 

It's configuration is 64.74.234.2/28, the route (gateway) being 64.74.234.1.

 

The second network however, does not route out.  Whenever I try to ping out, I get the following response:

 

ping: sendto: No route to host

 

Being that I'm a networking noob, I was under the assumption that 64.74.234.17/28 would route out through 64.74.234.16.

 

Any idea what I'm doing wrong here?

 

For what it's worth, my NAT configuration and policies all check out, but I'll post the config if necessary.

 

Thanks guys.

 

-Dave

 

Is your ISP waiting for traffic on the .16 IP address

 

Regards,

 

Luis Sandi

Thanks for your reply, Isandi.

 

At first, I had assumed that would not be the case.  However, after a quick phone call to my ISP, the service technician informed me that the modems are configured to listen for any additional connections under those IP addresses, so plugging in a correctly configured device should work theoretically.

Hi there,

It is strange that Your ISP gave You 33 addresses, not 32. Are you absolutely sure about "64.74.234.0-64.74.234.32" range? Should it actually be 64.74.234.0-64.74.234.31?

As for the second network:

- gateway cannot be 64.74.234.16, this is network address for 64.74.234.16/28 subnet

- broadcast cannot be 64.74.234.32. this address is outside 64.74.234.16/28 subnet.

 

For ease of t'shooting, I suggest to add 16 to 1st network addressing, to arrive at correct IPs:

 

64.74.234.2/28+16=64.74.234.18/28 - should be external IP for 2nd net

64.74.234.1/28+16=64.74.234.17/28 - should be GW IP for 2nd net

64.74.234.15/28+16=64.74.234.31/28 - should be bcast IP for 2nd net

 

HTH

Thanks
Alex

You're absolutely right.  Sorry about my error.

 

I will try changing the IP addresses accordingly.

After reviewing the logs now, I'm able to see traffic is being initiated, however I'm unable to ping or route out to the internet.  I have a feeling this has to do with resetting the modem we have, and I can't do that at the moment without pissing the whole office off.  I'll try/update this post first thing in the morning.

 

Thanks again!

No luck yet.  I reset the modem this morning and the router is still not working.

 

For what it's worth, I see that going from my untrust to my trust is translating successfully but no packets are coming in or out.

 

source NAT rule: source-nat-rule      Rule-set: trust-to-untrust 

  Rule-Id                    : 1  

  Rule position              : 1

  From zone                  : trust

  To zone                    : untrust

  Match

    Source addresses         : 0.0.0.0         - 255.255.255.255

    Destination port         : 0               - 0

  Action                        : interface 

    Persistent NAT type         : N/A              

    Persistent NAT mapping type : address-port-mapping 

    Inactivity timeout          : 0

    Max session number          : 0 

  Translation hits           : 310

    Successful sessions      : 310

    Failed sessions          : 0

  Number of sessions         : 0

 

 

Show security flow session:

 

 If: ge-0/0/0.0, Pkts: 0, Bytes: 0

 

Any ideas?

I stand corrected.  There is traffic going to the untrust, but not traffic is returning. 

 

From the sessionb output I see that the packets are being sent out but no replies back.

In your source nat configuration iff the Ip subnet given by the ISP is same as your interface try using

"proxy-arp" configuration

This KB might help you :

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21785

 

Regards,

C_R

[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Hello ,

 

Do you see entry on arp table / forwarding table for gateway ip on the 2nd ISP network connected SRX ?

 

>show arp

>show route forwarding-table | match ucst

 

-CK

Is your ISP routing the /27 to you over a WAN interface or is your default gateway on your WAN the .1 address? If it's the latter and you have one /28 configured on the WAN with another /28 configured on the 'trust' side, this won't work. Your ISP's router dies not know that it needs to route the subnet and thinks the entire /27 is directly connected.

## Last commit: 2014-03-21 09:54:05 PDT by root
version 12.1X45.5;
system {
    host-name routerthatsgivingmetrouble;
    domain-name companysite.com;
    domain-search companysite.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$DjsgG.zi$Q0VMYn87mbOT6CqwExDSh/"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        retry-options {
            tries-before-disconnect 4;
            backoff-threshold 2;
            backoff-factor 10;
            minimum-time 60;
        }
    }
    services {                          
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/0.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.100 high 192.168.1.200;
                maximum-lease-time 23290;
                default-lease-time 23290;
                domain-name companysite.com;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {                
                    192.168.1.1;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;      
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
            archive size 1m files 15;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 198.123.30.132;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 64.74.234.18/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }                                   
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust; 
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {                          
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    st0 {
        disable;
        unit 1 {
            family inet;
        }
        unit 2 {
            family inet;
        }
        unit 3 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {               
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 64.74.234.17;
        route 10.10.10.1 next-hop st0.1;
        route 10.10.10.2 next-hop st0.2;
        route 10.10.10.2 next-hop st0.2;
        route 10.10.10.3 next-hop st0.3;
    }
}
protocols {
    rstp;
}
security {
    ike {
        traceoptions {
            file ike-trace;
            flag all;
        }                               
        proposal proposalhere {
            authentication-method pre-shared-keys;
            dh-group group;
            authentication-algorithm auth_alghere;
            encryption-algorithm encryptionalgorithmhere;
            lifetime-seconds 28800;
        }
        policy ike_pol_1 {
            mode aggressive;
            proposals proposalhere;
            pre-shared-key ascii-text "$9$2HgGiTQn/CuTzpBEhvMVwY4Gi/9pRhrp0EyeW-ds24Jjq36At0I69IclMN-UjH"; ## SECRET-DATA
        }
        policy ike_pol_2 {
            mode main;
            proposals proposalhere;
            pre-shared-key ascii-text "$9$SIVyMXsYoJGis2jqf5/9p0BIRSlK8x7VSrVYoaHk5QF6A0IRSlvLlK2aJG.m69A0IcN-w"; ## SECRET-DATA
        }
        policy ike_pol_3 {
            mode aggressive;
            proposals proposalhere;
            pre-shared-key ascii-text "$9$vlDWxdaZjH.P4oqfTzAtlKM8xdVwgGUHs2oGDjPfuO1hSe"; ## SECRET-DATA
        }
        gateway gw_1 {
            ike-policy ike_pol_1;
            dynamic hostname vpn1;
            external-interface ge-0/0/0;
        }
        gateway gw_2 {
            ike-policy ike_pol_2;
            address 10.10.10.2;
            local-identity hostname 4.companysite.com;
            external-interface ge-0/0/0;
        }
        gateway gw_3 {
            ike-policy ike_pol_3;
            dynamic hostname 4;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal proposalhere { 
            protocol protocol;
            authentication-algorithm auth_alg;
            encryption-algorithm enc_alg;
            lifetime-seconds 3600;
        }
        policy ipsec_pol_1 {
            proposals propsal;
        }
        policy ipsec_pol_2 {
            proposals proposal;
        }
        policy ipsec_pol_3 {
            proposals proposal;
        }
        vpn 1 {
            bind-interface st0.1;
            ike {
                gateway gw_1;
                ipsec-policy ipsec_pol_1;
            }
        }
        vpn 2 {
            bind-interface st0.2;       
            ike {
                gateway gw_2;
                ipsec-policy ipsec_pol_2;
            }
        }
        vpn 3 {
            bind-interface st0.3;
            ike {
                gateway gw_3;
                ipsec-policy ipsec_pol_3;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {                       
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;  
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    64.74.234.17/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address trust_addr;
                    destination-address any;
                    application any;
                }
                then {
                    permit;             
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-to-trust {
                match {
                    source-address vpn_addr;
                    destination-address trust_addr;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy trust-to-vpn {
                match {
                    source-address trust_addr;
                    destination-address vpn_addr;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            description "trust zone";
            address-book {
                address trust_addr IP here;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }                       
            }
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            description "untrust zone";
            address-book {
                address untrust_addr IP address Here;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }                               
        security-zone vpn {
            address-book {
                address vpn_addr IP address Here;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;        
                        }
                    }
                }
                st0.2 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.3 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }                       
            }
        }
    }
}
vlans {
    vlan-trust {
        description "trust vlan";
        vlan-id 3;
        l3-interface vlan.0;
    }
}

 The above is the configuration I'm currently using (edited for security reasons).

 

When I run the 'show arp' and 'show routing table' commands, I get the following:

 

 

 

 

 

 

 

 

 

 

As far as what my ISP said, I called in and the informed me that any IP address on that block can be plugged in and will work, so I don't believe I'm bound to using only that .1 gateway.

As far as what my ISP said, I called in and the informed me that any IP address on that block can be plugged in and will work, so I don't believe I'm bound to using only that .1 gateway.

 

Would you care clarifiying the following:

 

If you configure your default gateway as .1 and .17 would you care to explain how the ISP will realize that you are subneting when they already provide you the subet information and how do you expect them to dinamically create a secondary default gateway?

 

I understand that all of those IP will be working, but that means that if you use one of the IP addresses of the subnet it will work, not that you can use any numbers that you want and your ISP will somehow figure it out.

 

Regards,

 

Luis Sandi

Given what I understand from your OP, the ISP has configured the following IP on their equipment:

 

64.74.234.1/27

 

Your fe-0/0/0.0 interface should then be configured as 64.74.234.2/27 with a default gateway of 64.74.234.1.  They are not routing the entire /27 to your network - in other words, the entire /27 is configured on their equipment.

 

If you want to use the first half of the subnet as production and the second half as a test subnet, you would most likely want to do one of two things:

 

a) Request that they configure a /30 on their equipment and route the /27 to your end of the /30 subnet.  This will allow you to break up the /27 into smaller chunks.

b) Configure two NAT pools on the firewall - one that contains addresses in the first half of the subnet and the second pool in the second half of the subnet.

For the record, I really, really appreciate your assistance, guys.

 

As for what I talked about with my ISP-  I guess it's my naivete on the subject and the lack of experience with the tech support person I spoke to.

 

He informed me that the modem is aware when I connect new devices, and that 'it should work if it's configured correctly.' I took this to mean that it somehow creates the gateway based on my router's configuration.  Why I thought that is beyond me.  Needless to say, I'll call them again and ask about having the modem reconfigured.  Wish me luck!

 

-Dave

I don't think you really need to do that.  I believe you will be able to accomplish what you want by doing #2 above.  If you configure one NAT pool on the first half of the subnet for production devices and a second NAT pool using IPs .17 through .30 for 'test' machines, you can prevent any further disruption to the service and not have to bug them to reconfigure anything.  I think it will save both you and the ISP a lot of frustration.

 

What your ISP is telling you is that if you plug in a device configured with any IP address in that /27 subnet, configured with the gateway of .1 and subnet mask of 255.255.255.224, it will "work".

I see what you're saying...  The thing is, I want the network split into two to test two different firewalls.   I have two SRX210s; one in production, and the other I want to use for the testing different configurations.  

Then I would connect a small switch in between the modem and plug both firewalls into that. Configure one firewall at the .2 address and one at the .16 address. Both would be configured with the same subnet mask and gateway.

It would be possible to daisy chain two firewalls together, but if you're unsure of what you're doing, this is over complicating things.

You know, you saying that just jogged my memory a bit.  I recall when I first started working for my company a year ago, we had some sort of set-up where we had three different routers in here.  For the life of me, I couldn't recall how they were hooked up, but we had split our 32 IPs into 3 different networks.  Since you mentioned the switch, I think that may have been exactly what we used back then.  On that note, I'm going to accept your reply as the solution.  

 

Again, thank you so much for all your help.  Onto finding a switch in our office.