SRX

I have been using 1 ipv4 address well for a while

now i have been provided another set of ipv4 address block and need to configure it on my srx240 

how do i do that?

Here is what i have so far relating to the current public ipv4 address block

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 181.140.121.98/27;
            }
        }
    }
...
...
routing-options {
    static {
        route 0.0.0.0/0 next-hop 181.140.121.97;
    }
}
...
....
nat {
        source {
            rule-set nsw_srcnat {
                from zone [ Internal Internal2 ];
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            inactive: rule-set dyn-vpn-ruleset {
                from zone Internet;
                to zone Internal;
                rule rule1 {
                    match {
                        source-address 192.168.1.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                dyn-pool;
                            }
                        }
                    }
                }
            }
        }
        static {
            rule-set ruleset1 {
                from zone Internet;
                rule rule1 {
                    match {
                        destination-address 181.140.121.100/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.10/32;
                            }
                        }
                    }
                }

so in above the ipv4 block is /27 with ISP gateway 181.140.121.97 and srx240 ip 181.140.121.98

but now i have been given another set of /25 ipv4 block that i need to add so i can add static NAT routes as well

/25

gateway 121.45.21.129

netmask 255.255.255.128

How do i do this?

What line of codes do i need to add to above to make this work?

This depends on how the prefix is delivered to you.

1-The carrier is adding this as a second layer 2 prefix on the same interface

Add this address to the same interface using the same commands as your first ip address

This will both addresses on the same interface in the same layer 2 domain

When you create nat rules you will add proxy-arp in the same way you do with the current interface

2-The carrier is routing the /25 prefix usiing a next-hop of your SRX interface 181.140.121.98

Here you simply start using the address range in your NAT rules as is.

no proxy-arp will be needed

Can you please provide inserted code into my above code where each #1 and #2 will look like?

WIll highly appreciate it

I am thinking number #1 will most probably be the solution

but right now if you can posts the code of how it should look, will help me a lot

Thanks!

@spuluka

Is this correct?

I don't want to brick my router with wrong code

So please let me know if this is correct

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 181.140.121.98/27;
                address 121.45.21.129/25;
            }
        }
    }
...
...
routing-options {
    static {
        route 0.0.0.0/0 next-hop 181.140.121.97;
        route 0.0.0.0/0 next-hop 121.45.21.128;
    }
}
...
....
nat {
        source {
            rule-set nsw_srcnat {
                from zone [ Internal Internal2 ];
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            inactive: rule-set dyn-vpn-ruleset {
                from zone Internet;
                to zone Internal;
                rule rule1 {
                    match {
                        source-address 192.168.1.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                dyn-pool;
                            }
                        }
                    }
                }
            }
        }
        static {
            rule-set ruleset1 {
                from zone Internet;
                rule rule1 {
                    match {
                        destination-address 181.140.121.100/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.10/32;
                            }
                        }
                    }
                }
            rule-set ruleset2 {
                from zone Internet;
                rule rule1 {
                    match {
                        destination-address 121.45.21.131/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.21/32;
                            }
                        }
                    }
                }

Thanks

Any small mistake i make can lock me out and mess my network up

I really need help with this

My suppor tis over with Juniper so anyone that can help, i don't mind paying. You can PM me to discuss further too

I seriously need this and a little urgent

I know it is a few line sof code, just need to add the new ipv4 block given to me

so just need correct syntax and correct placment of code and i will be really grateful

Thanks

Do you have a Service Activation Notice or Modification Notice from your carrier?

I'm not sure I would want to apply configuration to the SRX without confirmation on how the carrier as allocated and setup the added 121.45.21.128/25 on your service.

Assuming they are using method 1 adding the prefix as a layer two on the same interface, your configuration would need the following changes.

interface:

You are using the gateway address, this would be the address on the carrier interface, yours would be the next available one:

NOT: 121.45.21.129/25

Use: 121.45.21.130/25

Route:

You don't need a second default route there will be no change here.

But if you did you would use 121.45.21.129 as the next hop 128 is the subnet address.

NAT

For addresses in a layer 2 domain you will also need to add proxy arp to the interface in that subnet.  You won't need to do that if the subnet is routed via method 2.

Check out the examples of all the options in detail here for source, destination, static and double nat.

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Here is what i got from the ISP

121.45.21.129 is the gateway and the next-hop for the new /25 ipv4 

so that means i need to add it then right?

Yes, you can proceed with adding the ip address to the interface.  The carrier has put the 121.45.21.129 as a secondary ip address on your existing service.

@spuluka

So is this correct now?

What else do i need to change here? 

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 181.140.121.98/27;
                address 121.45.21.130/25;
            }
        }
    }
...
...
routing-options {
    static {
        route 0.0.0.0/0 next-hop 181.140.121.97;
        route 0.0.0.0/0 next-hop 121.45.21.129;
    }
}
...
....
nat {
        source {
            rule-set nsw_srcnat {
                from zone [ Internal Internal2 ];
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            inactive: rule-set dyn-vpn-ruleset {
                from zone Internet;
                to zone Internal;
                rule rule1 {
                    match {
                        source-address 192.168.1.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                dyn-pool;
                            }
                        }
                    }
                }
            }
        }
        static {
            rule-set ruleset1 {
                from zone Internet;
                rule rule1 {
                    match {
                        destination-address 181.140.121.100/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.10/32;
                            }
                        }
                    }
                }
            rule-set ruleset2 {
                from zone Internet;
                rule rule1 {
                    match {
                        destination-address 121.45.21.131/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.21/32;
                            }
                        }
                    }
                }

For any changes, if you can edit in place of the codes

will really appreciate it

Thanks a lot

I finally did apply the changes and now works!!!

i did add the other settings like proxy-arp and other policies that are similar to the other /27 block

Everything works great now...thanks a lot @spuluka

@spuluka

Only issue am having now is my pulsesecure dynamic-cpn login is no longer working.

At first i had the two static routes and i thought that was the issue so i removed the second static route i added and kep the old one and still not working..does not even prompt for password

So i ssh into the junper srx router and via cli 

i restarted the web-management

restart web-management

And then retried to login, this time it prompts but it doesnt login and just keeps scolling trying to login

What else do i need to do here?

Thanks

You are still connecting dynamic vpn to the original address correct?

Heres the data collection procedure.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17220

Yes dynamic vpn is still to original address

Nothing changed as far as dynamic vpn but now not working

Everything on the page you sent i passed all those stages, only thing is it shows connecting and never gets connected.

Also like i mentioned previously. I noticed i have to run `restart web-management` for it to prompt me for password at times.

So where can i get logs for the dynamic vpn?

Like i said this was working great before until i made recent changes and now not connecting anymore.

Thanks

Fixed!

I removed the address i addred in first line and now everything works 

@spuluka

Need your help here

So this my setup with NAT to map public ip to the private ip is giving me issues

https://forums.juniper.net/t5/SRX-Services-Gateway/NAT-on-multiple-network-interfaces-on-server-removes-internet/m-p/317900#M48395

So when i have multiple private ips on a vps server (eth0, eth1, eth2, eth3) and then try to use NAT to map public ip to each of the private ip on the network interfaces, then all of a suddent the vps can no longer reach the internet BUT i can reach the vps on each of the maped public ip addresses from internet to the vps(tested with telnet from internet to vps). So vps to internet does not work but internet to vps works on all the NAT ips.

What do i add or edit on my configuration to allow internet from the vps to internet in this scenario?