SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240 Basics

    Posted 04-26-2012 06:22

    We're in the process of dropping in a new SRX240 to replace an aging Netscreen 25 device and replacing 2 bonded T1s with a new Ethernet circuit.  While there will likely be some changes to the config in the near future, we're looking to fire up the SRX and put it in place with minimal interruption.  We'll save the clean up for later.  I'm struggling to wrap my head around the basics here...

     

    Our NS25 is currently fed by 2 bonded T1s routed through a Cisco router and the Cisco is attached to the Untrusted interface of the NS25.  We're also making use of the DMZ on the NS25 and have a few servers on a switch there.  The DMZ is exposed to the public through the use of Mapped IPs on the NS25.  We also have a few select machines on the private LAN that are exposed by Mapped IPs/Policies.

     

    Service provider has given a /30 Service Provider IP and a /27 Customer LAN block.

     

    What should a most basic interface config look like?  Let's say the network interface device is connected to ge-0/0/15.

     

    ge-0/0/15 {
        description "WAN /30";
        unit 0 {
            description "WAN /30";
            family inet {
                address x.x.x.x/30;
            }
        }
    }

    routing-options {
        interface-routes {
            rib-group inet unicast-multicast-rib;
        }
        static {
            rib-group unicast-multicast-rib;
            route 0.0.0.0/0 {
                next-hop x.x.x.x;
                retain;
            }
        }
    }

     

    Seems reasonable, right?  Now, for some reason, this is where I start to brain fart...

     

    What happens to the y.y.y.y/27 addresses?  They're routed from the Service Provider to the SRX.  I need a VLAN?  Keep in mind that we don't have any actual switches or servers besides the Mapped IPs.

     

    interfaces {
        vlan {
            unit 1 {
                description "LAN /27 Block";
                family inet {
                    address y.y.y.y/27;
                }
            }
        }
    }

     

    Am I on the right track here?  What am I missing that will glue this together?  And from what I've read, there isn't any easy template in the Web UI for creating those Mapped IPs?  It's all done in the CLI using NAT?  If so, can I get an example?

     

    Any words of wisdom will be appreciated.

     

     

     



  • 2.  RE: SRX240 Basics
    Best Answer

    Posted 04-26-2012 11:27

    Hi,

    You may refer to SRX Getting Started - Configuration Examples & Troubleshooting KB15694, which will be very helpful.

    And coming to your requirement: out of the 16 available ge- ports on your SRX240, you can use one for your WAN, one for your DMZ, and all the rest as switch ports for your LAN.

     

    For example,

    set interfaces ge-0/0/15.0 family inet address x.x.x.x/30 >>> wan
    set interfaces ge-0/0/14.0 family inet address x.x.x.x/x >>>> dmz
    set interfaces ge-0/0/13.0 family ethernet-switching
    set interfaces ge-0/0/12.0 family ethernet-switching  >>> LAN - or you can use interface-range and add rest of the interface
    set interfaces ge-0/0/11.0 family ethernet-switching
    set interfaces ge-0/0/10.0 family ethernet-switching
    
    set interfaces vlan.x family inet address y.y.y.y/27
    
    set vlans vlanname vlan-id x
    set vlans vlanname l3-interface vlan.x  >>> L3 Interface of your LAN
    set vlans vlanname interface ge-0/0/13.0
    set vlans vlanname interface ge-0/0/12.0
    set vlans vlanname interface ge-0/0/11.0
    set vlans vlanname interface ge-0/0/10.0
    
    set security zones security-zone trust interface vlan.x
    set security zones security-zone untrust interface ge-0/0/15.0
    set security zones security-zone dmz interface ge-0/0/14.0 

     

    For your NAT requirement (Mapped IPs), you can refer to KB13114.

     

    Technote with examples mapping NAT in ScreenOS to Junos: TN25 - Configuring Network Address Translation (NAT) on SRX and J Series devices [for ScreenOS Users]

     

    Hope this helps.
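
Added example, not part of the original thread or of the KB articles it cites: one ScreenOS Mapped IP expressed as SRX static NAT, together with the security policy that admits the traffic. It assumes the /27 is routed to the SRX's /30 address as the question describes (so no proxy-ARP is configured) and that the DMZ server keeps a private address; the addresses and the names mip-untrust, web1 and allow-web1 are hypothetical placeholders.

```junos
# Placeholders (assumptions, not from the thread): y.y.y.10 is one address
# out of the routed /27, 192.168.50.10 is the DMZ server's private address.

# 1. Static NAT: a bidirectional one-to-one mapping, evaluated for traffic
#    that arrives from the untrust zone.
set security nat static rule-set mip-untrust from zone untrust
set security nat static rule-set mip-untrust rule web1 match destination-address y.y.y.10/32
set security nat static rule-set mip-untrust rule web1 then static-nat prefix 192.168.50.10/32

# 2. Address-book entry for the server's real (post-NAT) address.
#    Zone-attached syntax is shown; releases that use global address books
#    take "set security address-book global address ..." instead.
set security zones security-zone dmz address-book address web1 192.168.50.10/32

# 3. Policy: static NAT is applied before the policy lookup, so the policy
#    matches the translated private address, not the public one.
#    Permit only the service that has to be reachable and log the sessions.
set security policies from-zone untrust to-zone dmz policy allow-web1 match source-address any
set security policies from-zone untrust to-zone dmz policy allow-web1 match destination-address web1
set security policies from-zone untrust to-zone dmz policy allow-web1 match application junos-http
set security policies from-zone untrust to-zone dmz policy allow-web1 then permit
set security policies from-zone untrust to-zone dmz policy allow-web1 then log session-init

# 4. Operational-mode checks after commit:
#    show security nat static rule all
#    show security flow session destination-prefix y.y.y.10
```

Each further Mapped IP is another rule in the same rule-set with its own address-book entry and policy; a policy that matched the public address instead of the translated one would never be hit.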



  • 3.  RE: SRX240 Basics

    Posted 04-26-2012 11:40

    Thank you.  Definitely helps!  I'm happy to see that I wasn't completely off the mark!

     

    I've read many of the articles in the KB and I usually get a little bit to sink in and then start to feel a bit overwhelmed.