SRX Services Gateway

Correct options and config for adding public routable block to existing deployment?

12-10-2018 09:41 PM

Hello, I am able to reach the public routable IP if it is assigned to the WAN interface, and a public routable IP from a different subnet depending on the configuration. I am stuck on traffic not reaching the internet or the gateway from a device with an IP on the public routable block.

 

/30 link to ISP /27 customer routed block

srx -- xe-0/0/17 - wan 192.168.1.2/30 - - has existing ipsec tunnels on link ip

srx -- xe-0/0/0 - existing private lan 10.1.0.0/16

srx -- ge-0/0/1 - first available IP in the customer routed block, ex. 193.168.1.1, with 192.168.1.2 on the device directly connected.

 

What may I be missing?

 


Re: Correct options and config for adding public routable block to existing deployment?

12-10-2018 10:22 PM

The IP on the SRX (193.x.x.x) and on the device (192.x.x.x) are on different subnets. Maybe a typo?

Please share your configuration if possible. You may change/remove sensitive info.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Correct options and config for adding public routable block to existing deployment?

12-11-2018 08:17 AM

Hi Nellikka,

That is correct; in the required config our WAN /30 link would be 192.168.1.2/30, as an example, with a gateway of 192.168.1.1.

The second public routable block provided would be 193.168.1.1/27.

The ISP managed device knows to route both blocks across its physical link to our equipment. 

 

I believe there are multiple ways to achieve this, such as placing dual IPs on the WAN interface, or NAT and proxy-arp on the WAN interface?

 

set system host-name sjc-pa-01
set system domain-name internal.company.com

set system root-authentication encrypted-password "removed"

set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "removed"

set system services ssh root-login allow
set system services dhcp-local-server group company_guest_wifi interface irb.1001
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.30

set system syslog host 10.1.60.16 any any

set chassis alarm management-ethernet link-down ignore

set security ike proposal ike-prop-vpn-2e5c463c-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-2e5c463c-1 dh-group group2
set security ike proposal ike-prop-vpn-2e5c463c-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-2e5c463c-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-2e5c463c-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-2e5c463c-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-2e5c463c-2 dh-group group2
set security ike proposal ike-prop-vpn-2e5c463c-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-2e5c463c-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-2e5c463c-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-a020c4b5-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-a020c4b5-1 dh-group group2
set security ike proposal ike-prop-vpn-a020c4b5-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-a020c4b5-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-a020c4b5-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-a020c4b5-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-a020c4b5-2 dh-group group2
set security ike proposal ike-prop-vpn-a020c4b5-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-a020c4b5-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-a020c4b5-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-0a6a8b3-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0a6a8b3-1 dh-group group2
set security ike proposal ike-prop-vpn-0a6a8b3-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0a6a8b3-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0a6a8b3-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-0a6a8b3-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0a6a8b3-2 dh-group group2
set security ike proposal ike-prop-vpn-0a6a8b3-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0a6a8b3-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0a6a8b3-2 lifetime-seconds 28800
set security ike proposal ipsec-proposal-remote-office authentication-method pre-shared-keys
set security ike proposal ipsec-proposal-remote-office dh-group group2
set security ike proposal ipsec-proposal-remote-office authentication-algorithm sha1
set security ike proposal ipsec-proposal-remote-office encryption-algorithm 3des-cbc
set security ike proposal ike-prop-vpn-0377bcb-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0377bcb-1 dh-group group2
set security ike proposal ike-prop-vpn-0377bcb-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0377bcb-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0377bcb-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-0377bcb-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0377bcb-2 dh-group group2
set security ike proposal ike-prop-vpn-0377bcb-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0377bcb-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0377bcb-2 lifetime-seconds 28800

set security ike policy ike-pol-vpn-2e5c463c-1 mode main
set security ike policy ike-pol-vpn-2e5c463c-1 proposals ike-prop-vpn-2e5c463c-1
set security ike policy ike-pol-vpn-2e5c463c-1 pre-shared-key ascii-text "removed"
set security ike policy ike-pol-vpn-2e5c463c-2 mode main
set security ike policy ike-pol-vpn-2e5c463c-2 proposals ike-prop-vpn-2e5c463c-2
set security ike policy ike-pol-vpn-2e5c463c-2 pre-shared-key ascii-text "removed"
set security ike policy ike-pol-vpn-a020c4b5-1 mode main
set security ike policy ike-pol-vpn-a020c4b5-1 proposals ike-prop-vpn-a020c4b5-1
set security ike policy ike-pol-vpn-a020c4b5-1 pre-shared-key ascii-text "removed"
set security ike policy ike-pol-vpn-a020c4b5-2 mode main
set security ike policy ike-pol-vpn-a020c4b5-2 proposals ike-prop-vpn-a020c4b5-2
set security ike policy ike-pol-vpn-a020c4b5-2 pre-shared-key ascii-text "removed"
set security ike policy ike-pol-vpn-0a6a8b3-1 mode main
set security ike policy ike-pol-vpn-0a6a8b3-1 proposals ike-prop-vpn-0a6a8b3-1
set security ike policy ike-pol-vpn-0a6a8b3-1 pre-shared-key ascii-text "removed"
set security ike policy ike-pol-vpn-0a6a8b3-2 mode main
set security ike policy ike-pol-vpn-0a6a8b3-2 proposals ike-prop-vpn-0a6a8b3-2
set security ike policy ike-pol-vpn-0a6a8b3-2 pre-shared-key ascii-text "removed"
set security ike policy ike-policy-remote-office mode main
set security ike policy ike-policy-remote-office proposal-set standard
set security ike policy ike-policy-remote-office pre-shared-key ascii-text "removed"
set security ike policy ike-pol-vpn-0377bcb-1 mode main
set security ike policy ike-pol-vpn-0377bcb-1 proposals ike-prop-vpn-0377bcb-1
set security ike policy ike-pol-vpn-0377bcb-1 pre-shared-key ascii-text "removed"
set security ike policy ike-pol-vpn-0377bcb-2 mode main
set security ike policy ike-pol-vpn-0377bcb-2 proposals ike-prop-vpn-0377bcb-2
set security ike policy ike-pol-vpn-0377bcb-2 pre-shared-key ascii-text "removed"

set security ike gateway gw-vpn-2e5c463c-1 ike-policy ike-pol-vpn-2e5c463c-1
set security ike gateway gw-vpn-2e5c463c-1 address 172.213.89.83
set security ike gateway gw-vpn-2e5c463c-1 dead-peer-detection interval 10
set security ike gateway gw-vpn-2e5c463c-1 dead-peer-detection threshold 3
set security ike gateway gw-vpn-2e5c463c-1 no-nat-traversal
set security ike gateway gw-vpn-2e5c463c-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-2e5c463c-1 local-address 192.168.1.2
set security ike gateway gw-vpn-2e5c463c-2 ike-policy ike-pol-vpn-2e5c463c-2
set security ike gateway gw-vpn-2e5c463c-2 address 172.213.89.83
set security ike gateway gw-vpn-2e5c463c-2 dead-peer-detection interval 10
set security ike gateway gw-vpn-2e5c463c-2 dead-peer-detection threshold 3
set security ike gateway gw-vpn-2e5c463c-2 no-nat-traversal
set security ike gateway gw-vpn-2e5c463c-2 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-2e5c463c-2 local-address 192.168.1.2
set security ike gateway gw-vpn-a020c4b5-1 ike-policy ike-pol-vpn-a020c4b5-1
set security ike gateway gw-vpn-a020c4b5-1 address 172.213.89.83
set security ike gateway gw-vpn-a020c4b5-1 no-nat-traversal
set security ike gateway gw-vpn-a020c4b5-1 external-interface xe-0/0/17
set security ike gateway gw-vpn-a020c4b5-1 local-address 192.168.1.2
set security ike gateway gw-vpn-a020c4b5-2 ike-policy ike-pol-vpn-a020c4b5-2
set security ike gateway gw-vpn-a020c4b5-2 address 172.213.89.83
set security ike gateway gw-vpn-a020c4b5-2 dead-peer-detection interval 10
set security ike gateway gw-vpn-a020c4b5-2 dead-peer-detection threshold 3
set security ike gateway gw-vpn-a020c4b5-2 no-nat-traversal
set security ike gateway gw-vpn-a020c4b5-2 external-interface xe-0/0/17
set security ike gateway gw-vpn-a020c4b5-2 local-address 192.168.1.2
set security ike gateway gw-vpn-0a6a8b3-1 ike-policy ike-pol-vpn-0a6a8b3-1
set security ike gateway gw-vpn-0a6a8b3-1 address 172.213.89.83
set security ike gateway gw-vpn-0a6a8b3-1 dead-peer-detection interval 10
set security ike gateway gw-vpn-0a6a8b3-1 dead-peer-detection threshold 3
set security ike gateway gw-vpn-0a6a8b3-1 no-nat-traversal
set security ike gateway gw-vpn-0a6a8b3-1 external-interface xe-0/0/17
set security ike gateway gw-vpn-0a6a8b3-1 local-address 192.168.1.2
set security ike gateway gw-vpn-0a6a8b3-2 ike-policy ike-pol-vpn-0a6a8b3-2
set security ike gateway gw-vpn-0a6a8b3-2 address 172.213.89.83
set security ike gateway gw-vpn-0a6a8b3-2 dead-peer-detection interval 10
set security ike gateway gw-vpn-0a6a8b3-2 dead-peer-detection threshold 3
set security ike gateway gw-vpn-0a6a8b3-2 no-nat-traversal
set security ike gateway gw-vpn-0a6a8b3-2 external-interface xe-0/0/17.0
set security ike gateway gw-vpn-0a6a8b3-2 local-address 192.168.1.2

set security ike gateway ike-remote-office ike-policy ike-policy-remote-office
set security ike gateway ike-remote-office address 172.213.89.83
set security ike gateway ike-remote-office external-interface xe-0/0/17
set security ike gateway ike-remote-office version v1-only

set security ike gateway gw-vpn-0377bcb-1 ike-policy ike-pol-vpn-0377bcb-1
set security ike gateway gw-vpn-0377bcb-1 address 172.213.89.83
set security ike gateway gw-vpn-0377bcb-1 dead-peer-detection interval 10
set security ike gateway gw-vpn-0377bcb-1 dead-peer-detection threshold 3
set security ike gateway gw-vpn-0377bcb-1 no-nat-traversal
set security ike gateway gw-vpn-0377bcb-1 external-interface xe-0/0/17.0
set security ike gateway gw-vpn-0377bcb-1 local-address 192.168.1.2
set security ike gateway gw-vpn-0377bcb-2 ike-policy ike-pol-vpn-0377bcb-2
set security ike gateway gw-vpn-0377bcb-2 address 172.213.89.83
set security ike gateway gw-vpn-0377bcb-2 dead-peer-detection interval 10
set security ike gateway gw-vpn-0377bcb-2 dead-peer-detection threshold 3
set security ike gateway gw-vpn-0377bcb-2 no-nat-traversal
set security ike gateway gw-vpn-0377bcb-2 external-interface xe-0/0/17.0
set security ike gateway gw-vpn-0377bcb-2 local-address 192.168.1.2

--removed ike proposal algorithms--

set security ipsec vpn vpn-2e5c463c-1 bind-interface st0.1
set security ipsec vpn vpn-2e5c463c-1 df-bit clear
set security ipsec vpn vpn-2e5c463c-1 ike gateway gw-vpn-2e5c463c-1
set security ipsec vpn vpn-2e5c463c-1 ike ipsec-policy ipsec-pol-vpn-2e5c463c-1
set security ipsec vpn vpn-2e5c463c-2 bind-interface st0.2
set security ipsec vpn vpn-2e5c463c-2 df-bit clear
set security ipsec vpn vpn-2e5c463c-2 ike gateway gw-vpn-2e5c463c-2
set security ipsec vpn vpn-2e5c463c-2 ike ipsec-policy ipsec-pol-vpn-2e5c463c-2
set security ipsec vpn ipsec-vpn-it bind-interface st0.3
set security ipsec vpn ipsec-vpn-it ike gateway ike-gate-it
set security ipsec vpn ipsec-vpn-it ike ipsec-policy ipsec-policy-it
set security ipsec vpn ipsec-vpn-it establish-tunnels on-traffic
set security ipsec vpn vpn-a020c4b5-1 bind-interface st0.4
set security ipsec vpn vpn-a020c4b5-1 df-bit clear
set security ipsec vpn vpn-a020c4b5-1 ike gateway gw-vpn-a020c4b5-1
set security ipsec vpn vpn-a020c4b5-1 ike ipsec-policy ipsec-pol-vpn-a020c4b5-1
set security ipsec vpn vpn-a020c4b5-2 bind-interface st0.5
set security ipsec vpn vpn-a020c4b5-2 df-bit clear
set security ipsec vpn vpn-a020c4b5-2 ike gateway gw-vpn-a020c4b5-2
set security ipsec vpn vpn-a020c4b5-2 ike ipsec-policy ipsec-pol-vpn-a020c4b5-2
set security ipsec vpn vpn-0a6a8b3-1 bind-interface st0.6
set security ipsec vpn vpn-0a6a8b3-1 df-bit clear
set security ipsec vpn vpn-0a6a8b3-1 ike gateway gw-vpn-0a6a8b3-1
set security ipsec vpn vpn-0a6a8b3-1 ike ipsec-policy ipsec-pol-vpn-0a6a8b3-1
set security ipsec vpn vpn-0a6a8b3-2 bind-interface st0.7
set security ipsec vpn vpn-0a6a8b3-2 df-bit clear
set security ipsec vpn vpn-0a6a8b3-2 ike gateway gw-vpn-0a6a8b3-2
set security ipsec vpn vpn-0a6a8b3-2 ike ipsec-policy ipsec-pol-vpn-0a6a8b3-2
set security ipsec vpn ipsec-remote-office bind-interface st0.8
set security ipsec vpn ipsec-remote-office ike gateway ike-remote-office
set security ipsec vpn ipsec-remote-office ike ipsec-policy ipsec-remote-office
set security ipsec vpn ipsec-remote-office establish-tunnels on-traffic
set security ipsec vpn vpn-0377bcb-1 bind-interface st0.9
set security ipsec vpn vpn-0377bcb-1 df-bit clear
set security ipsec vpn vpn-0377bcb-1 ike gateway gw-vpn-0377bcb-1
set security ipsec vpn vpn-0377bcb-1 ike ipsec-policy ipsec-pol-vpn-0377bcb-1
set security ipsec vpn vpn-0377bcb-2 bind-interface st0.10
set security ipsec vpn vpn-0377bcb-2 df-bit clear
set security ipsec vpn vpn-0377bcb-2 ike gateway gw-vpn-0377bcb-2
set security ipsec vpn vpn-0377bcb-2 ike ipsec-policy ipsec-pol-vpn-0377bcb-2

set security flow tcp-mss ipsec-vpn mss 1379

set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust
set security nat source rule-set trust-untrust rule internet-NAT match destination-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule internet-NAT then source-nat interface

set security nat source rule-set guest_internet-untrust from zone company_guest
set security nat source rule-set guest_internet-untrust to zone untrust
set security nat source rule-set guest_internet-untrust rule guest_to_internet match destination-address 0.0.0.0/0
set security nat source rule-set guest_internet-untrust rule guest_to_internet then source-nat interface

set security nat destination pool ssl-services address 10.1.13.2/32
set security nat destination pool ssl-services address port 443

set security policies from-zone trust to-zone untrust policy NAT-to-Internet match source-address any
set security policies from-zone trust to-zone untrust policy NAT-to-Internet match destination-address any
set security policies from-zone trust to-zone untrust policy NAT-to-Internet match application any
set security policies from-zone trust to-zone untrust policy NAT-to-Internet then permit

set security policies from-zone trust to-zone trust policy inbound-AWS match source-address any
set security policies from-zone trust to-zone trust policy inbound-AWS match destination-address any
set security policies from-zone trust to-zone trust policy inbound-AWS match application any
set security policies from-zone trust to-zone trust policy inbound-AWS then permit

set security policies from-zone untrust to-zone trust policy external_access match source-address any
set security policies from-zone untrust to-zone trust policy external_access match destination-address firewall000
set security policies from-zone untrust to-zone trust policy external_access match destination-address vdi
set security policies from-zone untrust to-zone trust policy external_access match destination-address dropbox000
set security policies from-zone untrust to-zone trust policy external_access match destination-address vsftpd000
set security policies from-zone untrust to-zone trust policy external_access match application https
set security policies from-zone untrust to-zone trust policy external_access match application junos-ssh
set security policies from-zone untrust to-zone trust policy external_access match application ssh
set security policies from-zone untrust to-zone trust policy external_access match application https-alt
set security policies from-zone untrust to-zone trust policy external_access match application ipsec-tcp
set security policies from-zone untrust to-zone trust policy external_access match application ipsec-udp
set security policies from-zone untrust to-zone trust policy external_access match application s3
set security policies from-zone untrust to-zone trust policy external_access match application sftp
set security policies from-zone untrust to-zone trust policy external_access then permit

set security policies from-zone company_guest to-zone untrust policy nat-to-internet match source-address any
set security policies from-zone company_guest to-zone untrust policy nat-to-internet match destination-address any
set security policies from-zone company_guest to-zone untrust policy nat-to-internet match application any
set security policies from-zone company_guest to-zone untrust policy nat-to-internet then permit

set security policies from-zone trust to-zone remote-office policy trust-to-remote-office match source-address any
set security policies from-zone trust to-zone remote-office policy trust-to-remote-office match destination-address lan-remote-office-192.168.2.0
set security policies from-zone trust to-zone remote-office policy trust-to-remote-office match application any
set security policies from-zone trust to-zone remote-office policy trust-to-remote-office then permit

set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match source-address lan-remote-office-192.168.2.0
set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match destination-address company_servers_virtual
set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match destination-address company_servers
set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match destination-address router
set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq match application any
set security policies from-zone remote-office to-zone trust policy remote-office-to-company-hq then permit

set security policies from-zone untrust to-zone untrust policy TEST match source-address any
set security policies from-zone untrust to-zone untrust policy TEST match destination-address phys-device
set security policies from-zone untrust to-zone untrust policy TEST match application any
set security policies from-zone untrust to-zone untrust policy TEST then permit

set security zones security-zone trust address-book address guestwifi 172.16.1.0/24
set security zones security-zone trust address-book address matchall 0.0.0.0/0
set security zones security-zone trust address-book address company_servers 10.1.50.0/24
set security zones security-zone trust address-book address company_servers_virtual 10.1.60.0/24
set security zones security-zone trust address-book address vdi 10.1.60.26/32
set security zones security-zone trust address-book address firewall000 10.1.13.2/32
set security zones security-zone trust address-book address dropbox000 10.1.60.26/32
set security zones security-zone trust address-book address router 10.1.10.1/32
set security zones security-zone trust address-book address vsftpd000 10.1.60.43/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols bgp
set security zones security-zone trust host-inbound-traffic protocols ospf

set security zones security-zone trust interfaces st0.2
set security zones security-zone trust interfaces st0.1
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces st0.4
set security zones security-zone trust interfaces st0.5
set security zones security-zone trust interfaces st0.6
set security zones security-zone trust interfaces st0.7
set security zones security-zone trust interfaces st0.9
set security zones security-zone trust interfaces st0.10

set security zones security-zone untrust address-book address phys-device 193.168.1.4/32
set security zones security-zone untrust address-book address phys-to-device 193.168.1.2/32

set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic protocols ospf

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces xe-0/0/17.0
set security zones security-zone untrust interfaces ge-0/0/1.0

set security zones security-zone company_guest address-book address company_guests_wifi 172.16.1.0/24
set security zones security-zone company_guest host-inbound-traffic system-services dhcp
set security zones security-zone company_guest host-inbound-traffic system-services ping
set security zones security-zone company_guest interfaces irb.1001
set security zones security-zone remote-office address-book address lan-remote-office-192.168.2.0 192.168.2.0/24
set security zones security-zone remote-office address-book address lan2-remote-office-192.168.1.0 192.168.1.0/24
set security zones security-zone remote-office interfaces st0.8

set interfaces ge-0/0/1 unit 0 family inet address 193.168.1.2/27
set interfaces xe-0/0/16 native-vlan-id 10
set interfaces xe-0/0/16 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members guest_internet
set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members company_oob
set interfaces xe-0/0/17 link-mode full-duplex
set interfaces xe-0/0/17 unit 0 family inet address 192.168.1.2/30

set interfaces fxp0 unit 0 family inet

set interfaces irb unit 10 family inet address 10.1.10.1/24
set interfaces irb unit 1001 family inet address 172.16.1.1/24

set interfaces lo0 unit 0 family inet address 10.1.1.1/32

set interfaces st0 unit 1 family inet mtu 1436
set interfaces st0 unit 1 family inet address 16.25.1.118/30
set interfaces st0 unit 2 family inet mtu 1436
set interfaces st0 unit 2 family inet address 16.25.1.70/30
set interfaces st0 unit 3 family inet address 10.0.0.254/24
set interfaces st0 unit 4 family inet mtu 1436
set interfaces st0 unit 4 family inet address 16.25.1.106/30
set interfaces st0 unit 5 family inet mtu 1436
set interfaces st0 unit 5 family inet address 16.25.1.6/30
set interfaces st0 unit 6 family inet mtu 1436
set interfaces st0 unit 6 family inet address 16.25.1.38/30
set interfaces st0 unit 7 family inet mtu 1436
set interfaces st0 unit 7 family inet address 16.25.1.134/30
set interfaces st0 unit 8 family inet address 192.168.2.254/24
set interfaces st0 unit 9 family inet mtu 1436
set interfaces st0 unit 9 family inet address 16.25.1.126/30
set interfaces st0 unit 10 family inet mtu 1436
set interfaces st0 unit 10 family inet address 16.25.1.38/30

set snmp name sjc-pa-srx-01
set snmp description "Core Temp Rack"
set snmp location C202
set snmp community companyname authorization read-only

set routing-options static route 10.0.0.0/24 next-hop st0.3
set routing-options static route 10.1.0.0/16 next-hop 10.1.10.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set routing-options static route 192.168.2.0/24 next-hop st0.8
set routing-options router-id 10.1.10.1

set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 16.24.1.117 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.117 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.117 peer-as 7224
set protocols bgp group ebgp neighbor 16.24.1.117 local-as 65000
set protocols bgp group ebgp neighbor 16.24.1.69 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.69 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.69 peer-as 7224
set protocols bgp group ebgp neighbor 16.24.1.69 local-as 65000
set protocols bgp group ebgp neighbor 16.24.1.105 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.105 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.105 peer-as 7224
set protocols bgp group ebgp neighbor 16.24.1.105 local-as 65002
set protocols bgp group ebgp neighbor 16.24.1.5 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.5 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.5 peer-as 7224
set protocols bgp group ebgp neighbor 16.24.1.5 local-as 65002
set protocols bgp group ebgp neighbor 16.24.1.37 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.37 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.37 peer-as 64512
set protocols bgp group ebgp neighbor 16.24.1.37 local-as 65004
set protocols bgp group ebgp neighbor 16.24.1.133 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.133 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.133 peer-as 64512
set protocols bgp group ebgp neighbor 16.24.1.133 local-as 65004
set protocols bgp group ebgp neighbor 16.24.1.125 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.125 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.125 peer-as 64512
set protocols bgp group ebgp neighbor 16.24.1.125 local-as 65005
set protocols bgp group ebgp neighbor 16.24.1.37 hold-time 30
set protocols bgp group ebgp neighbor 16.24.1.37 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 16.24.1.37 peer-as 64512
set protocols bgp group ebgp neighbor 16.24.1.37 local-as 65005

set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.1 interface xe-0/0/17.0
set protocols ospf area 0.0.0.1 interface ge-0/0/1.0
set protocols l2-learning global-mode switching

set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject

set access address-assignment pool company_guest family inet network 172.16.1.0/24
set access address-assignment pool company_guest family inet range range_company_guest low 172.16.1.20
set access address-assignment pool company_guest family inet range range_company_guest high 172.16.1.200
set access address-assignment pool company_guest family inet dhcp-attributes server-identifier 172.16.1.1
set access address-assignment pool company_guest family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool company_guest family inet dhcp-attributes router 172.16.1.1

--removed applications/exposed ports--

set vlans company_oob vlan-id 10
set vlans company_oob l3-interface irb.10
set vlans guest_internet vlan-id 1001
set vlans guest_internet l3-interface irb.1001

Solution
Accepted by topic author christopherbradski
12-11-2018 08:56 PM

Re: Correct options and config for adding public routable block to existing deployment?

12-11-2018 10:20 AM

So ge-0/0/1 is part of the untrust zone and is assigned the IP address 193.168.1.2/27. The WAN interface is also in the untrust zone. And there is only one untrust-to-untrust security policy, which allows communication to ge-0/0/1 (193.168.1.2) from any source.

Now let me know from where you are trying to reach which IP. Are you able to reach the internet using the ge-0/0/1 public IP as the source?

 

eg: ping 8.8.8.8 source 193.168.1.2

traceroute 8.8.8.8 source 193.168.1.2 no-resolve

 

Since the WAN interface and ge-0/0/1 are part of the same security zone (intra-zone), you have to allow traffic from 193.168.1.0/27 to the internet, and vice versa if required.

 

e.g.:

set security policies from-zone untrust to-zone untrust policy allow-internet match source-address <193.168.1.0/27>

set security policies from-zone untrust to-zone untrust policy allow-internet match destination-address any

set security policies from-zone untrust to-zone untrust policy allow-internet match application any

set security policies from-zone untrust to-zone untrust policy allow-internet then permit

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
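The accepted answer's point is easy to miss in a long config: two interfaces in the same zone do not get the implicit intra-zone permit on an SRX, so the public /27 behind ge-0/0/1 needs an explicit untrust-to-untrust policy. The following audit script is an added example, not code from the thread or from Juniper. It parses a constructed excerpt in `set` style, modelled on the poster's config, and reports (1) which zones contain more than one interface, (2) whether a permit policy lets the public block out of that zone, (3) policies that permit any source to any destination on any application, and (4) address names referenced by a policy that no zone address book defines. The `public-27` address-book entry and the `allow-internet` policy are assumed names; they stand in for the `<193.168.1.0/27>` placeholder above, since Junos policies match address-book names (or the built-in `any`, `any-ipv4`, `any-ipv6`), not raw prefixes.

```python
"""Audit a Junos 'set'-style security config for intra-zone and over-broad policies.

Added example; the config excerpt below is constructed from the thread's
sanitized config, with the hypothetical 'public-27' entry and 'allow-internet'
policy standing in for the placeholder in the accepted answer.
"""
from collections import defaultdict

BUILTIN_ADDRESSES = {"any", "any-ipv4", "any-ipv6"}  # Junos built-in policy address names

SAMPLE_CONFIG = """
set security zones security-zone trust interfaces irb.10
set security zones security-zone untrust address-book address phys-device 193.168.1.4/32
set security zones security-zone untrust address-book address public-27 193.168.1.0/27
set security zones security-zone untrust interfaces xe-0/0/17.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces xe-0/0/17 unit 0 family inet address 192.168.1.2/30
set interfaces ge-0/0/1 unit 0 family inet address 193.168.1.2/27
set security policies from-zone trust to-zone untrust policy NAT-to-Internet match source-address any
set security policies from-zone trust to-zone untrust policy NAT-to-Internet match destination-address any
set security policies from-zone trust to-zone untrust policy NAT-to-Internet match application any
set security policies from-zone trust to-zone untrust policy NAT-to-Internet then permit
set security policies from-zone untrust to-zone untrust policy TEST match source-address any
set security policies from-zone untrust to-zone untrust policy TEST match destination-address phys-device
set security policies from-zone untrust to-zone untrust policy TEST match application any
set security policies from-zone untrust to-zone untrust policy TEST then permit
set security policies from-zone untrust to-zone untrust policy allow-internet match source-address public-27
set security policies from-zone untrust to-zone untrust policy allow-internet match destination-address any
set security policies from-zone untrust to-zone untrust policy allow-internet match application any
set security policies from-zone untrust to-zone untrust policy allow-internet then permit
"""


def parse_set_config(text):
    """Tokenise every 'set ...' line into its words (the leading 'set' dropped)."""
    return [line.split()[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def interface_zones(stmts):
    """Map logical interface -> security zone from 'security zones security-zone Z interfaces IFL'."""
    zones = {}
    for s in stmts:
        if s[:3] == ["security", "zones", "security-zone"] and len(s) >= 6 and s[4] == "interfaces":
            zones[s[5]] = s[3]
    return zones


def address_books(stmts):
    """Map zone -> names defined under that zone's address-book."""
    books = defaultdict(set)
    for s in stmts:
        if s[:3] == ["security", "zones", "security-zone"] and len(s) >= 7 and s[4:6] == ["address-book", "address"]:
            books[s[3]].add(s[6])
    return books


def policies(stmts):
    """Collect {(from-zone, to-zone, name): {'source-address': [...], ..., 'action': [...]}}."""
    pols = defaultdict(lambda: defaultdict(list))
    for s in stmts:
        if s[:2] == ["security", "policies"] and len(s) >= 9 and s[2] == "from-zone" and s[6] == "policy":
            key, rest = (s[3], s[5], s[7]), s[8:]
            if rest[0] == "match" and len(rest) >= 3:
                pols[key][rest[1]].append(rest[2])
            elif rest[0] == "then" and len(rest) >= 2:
                pols[key]["action"].append(rest[1])
    return pols


def shared_zones(zones):
    """Zones holding more than one interface: traffic between them needs an explicit policy."""
    by_zone = defaultdict(list)
    for ifl, zone in zones.items():
        by_zone[zone].append(ifl)
    return {z: sorted(ifls) for z, ifls in by_zone.items() if len(ifls) > 1}


def intra_zone_egress_policies(pols, zone, source_name):
    """Intra-zone permit policies that let source_name reach any destination."""
    return [name for (frm, to, name), p in pols.items()
            if frm == zone and to == zone and "permit" in p["action"]
            and (source_name in p["source-address"] or "any" in p["source-address"])
            and "any" in p["destination-address"]]


def overly_broad_policies(pols):
    """Permit policies matching any source, any destination and any application."""
    return sorted(name for (_, _, name), p in pols.items()
                  if "permit" in p["action"] and p["source-address"] == ["any"]
                  and p["destination-address"] == ["any"] and p["application"] == ["any"])


def dangling_address_refs(stmts, pols):
    """(policy, field, name) triples whose name is neither built-in nor in the right zone's book."""
    books = address_books(stmts)
    return [(name, field, ref)
            for (frm, to, name), p in pols.items()
            for field, zone in (("source-address", frm), ("destination-address", to))
            for ref in p[field] if ref not in BUILTIN_ADDRESSES and ref not in books[zone]]


def audit(text):
    """Run all checks over a set-style config and return the findings."""
    stmts = parse_set_config(text)
    pols = policies(stmts)
    return {
        "shared_zones": shared_zones(interface_zones(stmts)),
        "public_block_egress": intra_zone_egress_policies(pols, "untrust", "public-27"),
        "any_any_permits": overly_broad_policies(pols),
        "dangling_refs": dangling_address_refs(stmts, pols),
    }


if __name__ == "__main__":
    for check, finding in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {finding}")
```

On the sample the audit shows untrust holding both xe-0/0/17.0 and ge-0/0/1.0, `allow-internet` as the only policy that carries the public block out, and `NAT-to-Internet` as an any/any/any permit. The "vice versa" direction the answer mentions is where the same check earns its keep: a return policy from the internet into 193.168.1.0/27 should name the specific hosts and applications, as the thread's `external_access` policy already does for the trust zone, rather than `any`. Feed `show configuration | display set` output into `audit()` to run it against a live box.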

Re: Correct options and config for adding public routable block to existing deployment?

12-11-2018 08:58 PM

Thank you, this appears to have addressed the issue. I just noticed, with a bit of patience too, that it takes about 10-15 seconds before the traffic starts flowing, and this could be due to having multiple routes and figuring out which route is best. I will prune and sanitize the final config to serve as an example for other readers within the next day or so.

 

Thank you again
