SRX Services Gateway

Two public IPs on two interfaces, one not working

‎06-19-2015 01:20 PM
I have 2 public IPs, one is set for interface ge-0/0/0 and the other for ge-0/0/15. The ge-0/0/0 interface is used for internet and is in the untrust zone. The ge-0/0/15 is in the dmz zone and is used for VPN access. Ge-0/0/0 works perfectly fine, it can send and receive traffic and can ping the gateway. Ge-0/0/15, on the other hand, can do neither. Here is my config:

    system {
        host-name srx240;
        time-zone Europe/London;
        root-authentication {
            encrypted-password "$1$lsssss8.7$xPaCQ/4jrtF7Tt./DyPNq1"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        login {
            retry-options {
                tries-before-disconnect 5;
                backoff-threshold 3;
                lockout-period 60;
            }
            user janitor {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$Cpu1ka0ssssssqVvY/u3phKdK1"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                pool 10.1.1.0/24 {
                    address-range low 10.1.1.30 high 10.1.1.254;
                    default-lease-time 3600;
                    router {
                        10.1.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 15;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 78.109.188.115 version 4 prefer;
            server 178.18.118.14 version 4;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input ntp-traffic-filter;
                    }
                    address 195.xx.xx.100/28;
                }
            }
        }
        ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/2 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/3 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/4 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/6 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/7 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/8 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/9 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/10 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/11 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/12 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/13 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/14 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } }
        ge-0/0/15 {
            unit 0 {
                family inet {
                    address 195.xx.xx.101/28;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.1.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 195.xx.xx.97;
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy default {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone dmz {
                policy default {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ssh;
                                ping;
                                ntp;
                                tftp;
                                snmp;
                            }
                        }
                    }
                }
            }
            security-zone dmz {
                interfaces {
                    ge-0/0/15.0 {
                        host-inbound-traffic {
                            system-services {
                                ike;
                                ping;
                                https;
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }
5 REPLIES

Re: Two public IPs on two interfaces, one not working

‎06-19-2015 01:45 PM

Hi,

Can you attach your config to the forum instead of pasting it? That will make it more readable.

I'm guessing you have set your default gateway over the ge-0/0/0 interface. You can set for your VPN a route for the remote IP over the gateway of that interface, ge-0/0/15.

If that is not what you want, you can set up a routing instance with the ge-0/0/15 interface, set a default gateway in the routing instance, and terminate your VPNs and DMZ on that routing instance.

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
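Both approaches from the reply above as an added example, written against the config in the first post (these are not the poster's own commands). 203.0.113.10 is an assumed remote VPN peer, dmz-vr an assumed instance name and vpn-peer an assumed gateway name; 195.xx.xx.97 is the upstream gateway exactly as it appears in the thread.

```junos
# Option 1: keep the single routing table and pin only the VPN peer to ge-0/0/15.
# qualified-next-hop ties the next hop to a specific interface, which matters here
# because both interfaces sit in the same /28 and share the same gateway.
set routing-options static route 203.0.113.10/32 qualified-next-hop 195.xx.xx.97 interface ge-0/0/15.0
set security ike gateway vpn-peer address 203.0.113.10
set security ike gateway vpn-peer external-interface ge-0/0/15.0

# Option 2: give ge-0/0/15 its own routing table (virtual router) with its own default route.
# The IKE gateway must reference the interface that lives in that instance.
set routing-instances dmz-vr instance-type virtual-router
set routing-instances dmz-vr interface ge-0/0/15.0
set routing-instances dmz-vr routing-options static route 0.0.0.0/0 next-hop 195.xx.xx.97
set security ike gateway vpn-peer address 203.0.113.10
set security ike gateway vpn-peer external-interface ge-0/0/15.0

# Verification after commit: the peer must resolve via ge-0/0/15.0 and the
# gateway must answer when the ping is forced out of that interface.
show route 203.0.113.10
ping 195.xx.xx.97 interface ge-0/0/15.0
show route table dmz-vr.inet.0
ping 195.xx.xx.97 routing-instance dmz-vr
```

The `#` lines are annotations, not commands. Option 1 and option 2 are alternatives; pick one. With option 2 the 10.1.1.0/24 network stays in inet.0, so anything that has to cross between the virtual router and the trust network needs a route into the other table (on Junos that is a static route with `next-table`, or a rib-group); the tunnel itself terminates inside dmz-vr.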

Re: Two public IPs on two interfaces, one not working

‎06-19-2015 05:23 PM

Oops, didn't see what a mess the paste made!

Thanks; I ended up using a routing instance and that did the trick. I'd be interested to see an example for your first solution, as that sounds a bit more elegant.

I have attached my latest config. So there are 2 more problems:

1. I have a Windows server on 10.1.1.30 in the trust zone; when I try to ping it once a VPN is up and running, I get a timeout.

2. Do I need to set up NAT for untrust to dmz? I have it in the config and am not sure whether I need it.

Thanks for your help.



Re: Two public IPs on two interfaces, one not working

‎06-20-2015 12:53 AM

Hi,

If I look at your config, I see the default route you have:

route 0.0.0.0/0 next-hop 195.xx.xx.97

In your routing instance you also have a default that is pointing to the same gateway! Is this correct?

route 0.0.0.0/0 next-hop 195.xx.xx.97

I see that both IPs on both interfaces are from the same /28. Why don't you put both addresses on the same interface?

set interfaces ge-0/0/0 unit 0 family inet address 195.xx.xx.100/28 primary preferred

set interfaces ge-0/0/0 unit 0 family inet address 195.xx.xx.101/28

Then you only have to set one default route.

You can then also use the second address as termination / origin for your VPNs:

set security ike gateway <name> local-address 195.xx.xx.101

That is the easiest setup.

Marc

Re: Two public IPs on two interfaces, one not working

‎06-20-2015 05:53 AM

I want to route the VPN traffic on a separate interface so that I can put it into a DMZ and restrict its access to trust. Can you do that via a single interface?


Re: Two public IPs on two interfaces, one not working

‎06-21-2015 09:48 PM

Hi,

Yes you can, but you can also achieve that by using the same interface and keeping the interface in the untrust zone. Access restriction is done by implementing strict security policies. One way or the other you need to implement them on both zones.

In my "little" opinion, keep it as simple as possible. Making it "complex" when not really needed will kick you in the butt some day.

Marc