SRX Services Gateway

SRX with ISP with default gateway from different subnet

‎09-27-2018 05:45 AM

We have the SRX 320.

Our ISP provides several external static IP addresses from the 95.78.228.208/29 subnet.
ISP routes these addresses from the gateway 95.78.251.254 to the address 95.78.251.27, which also needs to be configured on our side.
ISP is connected to the interface ge-0/0/0.

I guess that the addresses 95.78.228.208/29 should be configured on some internal virtual interface, but I did not find anything suitable in the documentation.
I tried the configuration where address 95.78.251.27 is configured on the interface ge-0/0/0.0 by using proxy arp.


Something like that:

set security zones security-zone untrust-isp-1 interfaces ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.209/29 primary
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.210/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.211/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.212/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.213/29
set interfaces ge-0/0/0 unit 0 family inet address 95.78.228.214/29

set security nat proxy-arp interface ge-0/0/0.0 address 95.78.251.27/24

set routing-instances isp-1 instance-type virtual-router
set routing-instances isp-1 interface ge-0/0/0.0
set routing-instances isp-1 routing-options static route 95.78.251.27/32 next-hop 95.78.251.254
set routing-instances isp-1 routing-options static route 0.0.0.0/0 next-hop 95.78.251.27 resolve


But this configuration didn't work. The list of routes to the 0.0.0.0/0 for the routing-instance isp-1 was empty.

root@orn-gw-01> show route table isp-1.inet.0 0.0.0.0/0 exact


Therefore pings to google dns returned a "ping: sendto: No route to host" error.


I suspect that I'm doing everything wrong :)

Could you help me how to configure this in the right way?


Re: SRX with ISP with default gateway from different subnet

‎09-27-2018 06:08 AM

Are you able to ping 95.78.251.27? Can you share "show route detail" output for 0/0?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: SRX with ISP with default gateway from different subnet

‎09-27-2018 07:16 AM

No, I can't ping 95.78.251.27.


root@orn-gw-01# show routing-instances isp-1 routing-options static
route 95.78.251.27/32 next-hop 95.78.251.254;
route 0.0.0.0/0 {
    next-hop 95.78.251.27;
    resolve;
}
root@orn-gw-01> ping routing-instance isp-1 95.78.251.27
PING 95.78.251.27 (95.78.251.27): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 95.78.251.27 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Route to 0/0 also doesn't work. isp-2 is routing instance for the backup ISP.

root@orn-gw-01> show route detail 0.0.0.0/0 exact

inet.0: 144 destinations, 145 routes (144 active, 0 holddown, 0 hidden)
0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next table: isp-1.inet.0
                Next-hop index: 1320
                Address: 0x19a079c
                Next-hop reference count: 3
                State: <Active Int Ext>
                Age: 1w0d 22:28:28
                Validation State: unverified
                Task: RT
                Announcement bits (2): 0-KRT 2-Resolve tree 2
                AS path: I

isp-1.inet.0: 39 destinations, 46 routes (38 active, 0 holddown, 2 hidden)

isp-2.inet.0: 34 destinations, 35 routes (34 active, 0 holddown, 0 hidden)

0.0.0.0/0 (1 entry, 1 announced)
        *Static Preference: 5
                Next hop type: Router, Next hop index: 1570
                Address: 0x19a1cd0
                Next-hop reference count: 3
                Next hop: 79.140.22.1 via ge-0/0/2.0, selected
                Session Id: 0x0
                State: <Active Int Ext>
                Age: 1w0d 5:22:29
                Validation State: unverified
                Task: RT
                Announcement bits (1): 1-KRT
                AS path: I


Re: SRX with ISP with default gateway from different subnet

‎09-27-2018 09:00 AM

Hi Avanoc,


What will be the purpose of the 95.78.228.208/29 subnet? Is it for port-forwarding purposes, meaning that if traffic reaches the SRX on 95.78.228.210 and a specific port it will be redirected to an internal server/host?


The fact that your ISP gateway is 95.78.251.254 forces you to have address 95.78.251.27 configured on ge-0/0/0 so that you could have Internet connectivity. As for the configuration of the 95.78.228.208/29 subnet, I would like to better understand its purpose so I can help you with the required config.


Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX with ISP with default gateway from different subnet

‎09-27-2018 05:07 PM

This is a standard allocation format for ISPs; we set these up for clients as well. You will not need routing instances for this setup, as all the connections can be in the same master or route VR.


ge-0/0/0 should be connected to the ISP gateway 95.78.251.254 on the address 95.78.251.27. You don't mention the subnet mask, but the interface should have that mask.


Your default route should have a next hop of the ISP gateway 95.78.251.254.


For the /29 subnet you have options.


1. You can configure this directly on an interface in the same routing instance as your ge-0/0/0. This then would be used directly on your devices and servers connected to this interface. This option is typically used by VoIP systems, VPN appliances or other software that does not like to have NAT applied to their connections.


2. You can use the /29 as NAT addresses for destination, source or static NAT to other devices using private addressing on your network. This is the more typical option. Here you create as many internal interfaces and zones as you need: DMZ, internal, mgmt or whatever. You assign these your desired zones and subnet allocations from internal space. Then you use the available /29 addresses to set up your NAT forwarding and outbound request rules as desired.


Our ISP provides several external static IP addresses from the 95.78.228.208/29 subnet.
ISP routes these addresses from the gateway 95.78.251.254 to the address 95.78.251.27, which also needs to be configured on our side.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX with ISP with default gateway from different subnet

‎09-27-2018 11:35 PM


Option two seems to be what we need. If I understand correctly, address 95.78.251.27 remains on the interface ge-0/0/0.0, and addresses from the 95.78.228.208/29 subnet can be used in a destination NAT without any virtual interfaces, "magic routes", etc.


For example:


set security zones security-zone untrust-isp-1 interfaces ge-0/0/0.0

set interfaces ge-0/0/0 unit 0 family inet address 95.78.251.27/24

set routing-instances isp-1 instance-type virtual-router
set routing-instances isp-1 interface ge-0/0/0.0
set routing-instances isp-1 routing-options static route 0.0.0.0/0 next-hop 95.78.251.254

set security nat destination pool orn-lb-01-tcp80 address 10.110.9.2/32
set security nat destination pool orn-lb-01-tcp80 address port 80
set security nat destination rule-set from-untrust-isp-1 from zone untrust-isp-1
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-address 95.78.228.210/32
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-port 80
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 then destination-nat pool orn-lb-01-tcp80

Solution
Accepted by topic author avanoc
‎09-28-2018 07:07 AM

Re: SRX with ISP with default gateway from different subnet

‎09-28-2018 02:57 AM

The interface configuration looks correct.


You don't need to put this into a routing instance.  But it will work if you do as long as you continue then to put the internal interfaces into that same routing instance and continue to build it out that way.


If you are using the routing instance because you expect a second ISP and want to keep them separate then you will also need to do some route leaking between the base routing instance with your site addresses and the ISP upstream ones.


The nat is correct so far.  But you will also need to add a security policy to permit the traffic.  You can see full examples here.

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
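The following is an added example, not configuration posted by anyone in this thread, that puts Steve's "option 2" and the accepted answer together into one complete build-out in the master routing instance: the routed-to address on ge-0/0/0, a plain default route to the ISP gateway, the destination NAT from the thread, outbound interface source NAT, and the security policies the accepted answer says are still missing. Assumptions not taken from the thread: the inside interface ge-0/0/1.0 and zone "trust", the inside subnet 10.110.9.0/24, and the /24 mask on the ISP link (copied from the poster's own config; the ISP-supplied mask should be used instead). The lines beginning with `#` are explanatory and are not Junos set commands.

```junos
# ISP-facing interface: only the address the ISP routes the /29 to lives here.
# The /29 itself is never configured on an interface and needs no proxy-arp,
# because the ISP delivers it to 95.78.251.27 by routing, not by ARP.
set interfaces ge-0/0/0 unit 0 family inet address 95.78.251.27/24
set interfaces ge-0/0/1 unit 0 family inet address 10.110.9.1/24

# Default route straight to the ISP gateway in the master instance.
set routing-options static route 0.0.0.0/0 next-hop 95.78.251.254

# Zones; the address-book entry is the real (post-NAT) address of the server.
set security zones security-zone untrust-isp-1 interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust address-book address orn-lb-01 10.110.9.2/32

# Destination NAT: 95.78.228.210:80 -> 10.110.9.2:80, matched per host (/32).
set security nat destination pool orn-lb-01-tcp80 address 10.110.9.2/32
set security nat destination pool orn-lb-01-tcp80 address port 80
set security nat destination rule-set from-untrust-isp-1 from zone untrust-isp-1
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-address 95.78.228.210/32
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 match destination-port 80
set security nat destination rule-set from-untrust-isp-1 rule orn-lb-01-tcp80 then destination-nat pool orn-lb-01-tcp80

# Outbound source NAT behind the interface address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust-isp-1
set security nat source rule-set trust-to-untrust rule outbound match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule outbound then source-nat interface

# Inbound policy: destination NAT runs before the policy lookup, so the policy
# matches the translated address and permits only HTTP to that one host.
set security policies from-zone untrust-isp-1 to-zone trust policy inbound-orn-lb-01 match source-address any
set security policies from-zone untrust-isp-1 to-zone trust policy inbound-orn-lb-01 match destination-address orn-lb-01
set security policies from-zone untrust-isp-1 to-zone trust policy inbound-orn-lb-01 match application junos-http
set security policies from-zone untrust-isp-1 to-zone trust policy inbound-orn-lb-01 then permit
set security policies from-zone untrust-isp-1 to-zone trust policy inbound-orn-lb-01 then log session-init

# Outbound policy for the inside hosts.
set security policies from-zone trust to-zone untrust-isp-1 policy outbound match source-address any
set security policies from-zone trust to-zone untrust-isp-1 policy outbound match destination-address any
set security policies from-zone trust to-zone untrust-isp-1 policy outbound match application any
set security policies from-zone trust to-zone untrust-isp-1 policy outbound then permit
```

After committing, `show security nat destination rule all` shows the translation hit counter for rule orn-lb-01-tcp80 increasing as connections arrive, and `show security flow session destination-prefix 10.110.9.2` shows each session with its original 95.78.228.210 destination on the inbound wing and 10.110.9.2 on the outbound wing. Because the inbound policy matches the post-NAT address, no policy ever references 95.78.228.210 directly; that is expected on SRX and is why a /29-wide destination-address match in the NAT rule would silently forward port 80 of all six usable addresses to the same server.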

Re: SRX with ISP with default gateway from different subnet

‎09-28-2018 07:09 AM