SRX Services Gateway

VLAN to LAN visibility

11-05-2018 03:50 PM

Hello,

I have workstation A connected to SRX240 on ge-0/0/5 (one of the ports acting as a switch) for VLAN123 (zone trust)
for network A.A.A.A/24 (with LAN DHCP). Workstation A has access to the Internet.

In the same room I have unmanaged switch connected to the back of ISP modem (that setup for LAN B.B.B.B/24)
Laptop B is connected to that unmanaged switch.

Is it possible for workstation A on VLAN123 (connected to SRX) to see Laptop B connected to the switch?
With this setup how do I accomplish this result: network A.A.A.A/24 will see network B.B.B.B/24 and vice versa?
Do I need to add an extra L3 device or since I have available extra ports on SRX and access to the switch that won't be needed?
My ISP is the same for both sides.
I looked in different places for my answer but I can't find it.

Thank you!

25 REPLIES

Re: VLAN to LAN visibility

11-06-2018 02:48 AM

I assume the untrust interface of the SRX is connected to the same LAN as the unmanaged switch. This would put the untrust interface in the same subnet.

So connection attempts from host A to host B will be permitted by the outbound security policy.

And they will be source nat to the SRX interface.

So B will be reachable by A.

Inbound however there is just the default deny policy from untrust to trust.

To overcome this you create a permit policy for the B address to the trust zone addresses you want.

And the B device will have only a default route to the ISP modem so any attempt to reach the trust subnet will go to the ISP modem. To overcome this you will need to install a route for the trust subnet on the PC pointing to the SRX address.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: VLAN to LAN visibility

11-06-2018 12:58 PM

Steve,

Thank you for the reply. I'm not able to access SRX at this moment to test it but was wondering:
I have only one interface on SRX under zone untrust and it has only a public IP assigned to it (given by my ISP).

A.A.A.A/24 = VLAN123 - zone trust on SRX
I already source NAT this internal subnet to my Internet (egress) interface with a different rule-set name

B.B.B.B/24 = LAN - unmanaged switch with laptop plugged into it (switch connected to ISP modem on the back)

Will this additional configuration work? Am I on the right track?
Will A.A.A.A/24 see B.B.B.B/24 like this?:

set security nat source rule-set NAT-SRX from zone trust
set security nat source rule-set NAT-SRX to zone untrust
set security nat source rule-set NAT-SRX rule PAT match source-address A.A.A.A/24
set security nat source rule-set NAT-SRX rule PAT match destination-address B.B.B.B/24
set security nat source rule-set NAT-SRX rule PAT then source-nat interface

thank you

Re: VLAN to LAN visibility

11-07-2018 10:17 AM

Anyone? Am I thinking it wrong? Can someone please point me to the reading material in relation to this?
I really would like to understand this setup and whether my approach is making sense.

Re: VLAN to LAN visibility

11-07-2018 03:11 PM

I don't follow how the networks are connected then.

If the SRX untrust is a public address how is the b.b.b.b/24 connected and routed?

I guess let's start with what device and ports are connected to where and what models we are dealing with.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: VLAN to LAN visibility

[ Edited ]
11-07-2018 03:41 PM

Hello Steve,

Please see my drawing:
I want my workstation and laptop to be able to reach each other.

Re: VLAN to LAN visibility

11-07-2018 04:54 PM

Thanks for the diagram. I did not expect the SRX untrust interface to be in the same VLAN as the b.b.b.b/24 network.

Add a secondary IP address to the untrust interface on the SRX with a b.b.b.b/24 address.

Add a static route on the laptop for a.a.a.a/24 with a next hop of the b.b.b.b address on the SRX.

Create an untrust to trust policy on the SRX to permit the laptop source to the desktop destination address.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
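The three steps in the reply above, written out as Junos set commands. This is an added example, not Steve's or Juniper's configuration: ge-0/0/0 is the untrust interface named later in the thread, while the RFC 5737 addresses standing in for A.A.A.A/24 (192.0.2.0/24) and B.B.B.B/24 (198.51.100.0/24), the host addresses and the object and policy names are assumptions.

```junos
# Added example, not Steve's or Juniper's configuration. ge-0/0/0 is the untrust
# interface named later in this thread; the RFC 5737 addresses standing in for
# A.A.A.A/24 (192.0.2.0/24) and B.B.B.B/24 (198.51.100.0/24), the host addresses
# and the object/policy names are assumptions.

# Step 1: a second address on the untrust interface, inside the B LAN. There is
# no "secondary" keyword; the existing public address stays as it is.
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/24

# Step 3 (SRX side): untrust -> trust is deny by default, so permit exactly the
# laptop-to-workstation pair and log it so the sessions show up in syslog.
set security address-book global address LAPTOP-B 198.51.100.50/32
set security address-book global address WS-A 192.0.2.10/32
set security policies from-zone untrust to-zone trust policy LAPTOP-TO-WS match source-address LAPTOP-B
set security policies from-zone untrust to-zone trust policy LAPTOP-TO-WS match destination-address WS-A
set security policies from-zone untrust to-zone trust policy LAPTOP-TO-WS match application any
set security policies from-zone untrust to-zone trust policy LAPTOP-TO-WS then permit
set security policies from-zone untrust to-zone trust policy LAPTOP-TO-WS then log session-init
set security policies from-zone untrust to-zone trust policy LAPTOP-TO-WS then log session-close

# Step 2 lives on the laptop, not the SRX: its default route points at the ISP
# modem, so the trust subnet needs an explicit route toward the SRX's B address:
#   Linux:    ip route add 192.0.2.0/24 via 198.51.100.2
#   Windows:  route -p add 192.0.2.0 mask 255.255.255.0 198.51.100.2

# Checks after commit (operational mode):
#   show security policies from-zone untrust to-zone trust
#   show security flow session source-prefix 198.51.100.50
```

Workstation-initiated traffic already passes through the existing trust-to-untrust policy and interface source NAT, so only the laptop-initiated direction needs the new policy and the laptop route.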
Re: VLAN to LAN visibility

11-09-2018 03:55 AM

Hello,

As per the diagram, please check the points below:

1. When you add interfaces to zones, please check the "host-inbound-traffic" configuration in "show security zones security-zone trust/untrust interfaces".

For testing:

host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}

2. Check security policies from trust to untrust and vice versa. If you are doing NATting, please add the NATed IPs in zones and policies.

3. By default, it's deny in any zone, so add permit first and then deny.

Re: VLAN to LAN visibility

11-11-2018 03:45 PM

Steve,
When I try:

set interfaces ge-0/0/0 unit 0 family inet address b.b.b.b/24 secondary

I get a syntax error.
ge-0/0/0 unit 0 already has a public IP assigned to it; is this why it fails?
What is the correct format for this command?
Thank you.

Re: VLAN to LAN visibility

11-11-2018 03:47 PM

cc@tifr.res.in, thank you, I will take a look at this later.

Solution
Accepted by topic author IsabellaFletcher 11-12-2018 09:24 AM

Re: VLAN to LAN visibility

11-11-2018 05:25 PM

Sorry for the confusion, there is no keyword secondary. Simply stop after adding the IP address.

You can have as many IP addresses as you want on an interface. Optionally you can add the primary designation to one of these addresses. But it is not required.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: VLAN to LAN visibility

11-12-2018 09:26 AM

Thank you, Steve!
That worked!

What if another device was connected to that ISP modem and acted as a router and provided Internet access?
Same ISP, but with a different, next available public IP with the same public gateway, and it would serve B.B.B.B/24 for its LAN clients.
Let's say I set up LAN B.B.B.B/24 on it and it would connect to the same switch as the SRX.

If I understand this correctly, it should work for this setup as well.
I do not have an extra device to test it, but was just wondering if I'm right.

Re: VLAN to LAN visibility

11-12-2018 04:40 PM

Whether or not it would work will depend on the make/model of your ISP modem and how they have their network configured upstream.

Most consumer ISPs will restrict home connections to getting a single public IP address, so only one device will successfully use the modem bridge and get a working address.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: VLAN to LAN visibility

[ Edited ]
11-13-2018 10:20 AM

Let's say it is not an issue with my ISP and I will assign next available public IP with the same public gateway to another device - Router X and it will serve B.B.B.B/24 for its LAN clients.
Router X is now connected to the ISP modem via WAN port and to the switch using its LAN port.
Laptop is still connected to the switch.

Will workstation and laptop still be able to reach each other?
Using my previous configuration, is there anything else special to consider?

Please take a look at my updated diagram.

Re: VLAN to LAN visibility

11-13-2018 05:07 PM

Well, that is an unusual setup. But yes, adding the other router won't change reachability between the laptop and the original SRX in this setup.

For any routing through a firewall all you need to do is start at the device initiating the traffic.

Then find where the next hop will be towards the destination.

On each device consult the route table and security policy to see if it allows the traffic and where the next hop is.

Once at the destination we reverse the process for the reply packet.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: VLAN to LAN visibility

11-14-2018 10:38 AM

Thank you, Steve!
I will definitely give it a go once I get an extra router.

Would this work with a VPN in place when remote side (remote LAN) reaches my A.A.A.A/24 on SRX?
Will remote LAN also see B.B.B.B/24 since I already added policy to allow traffic from B.B.B.B/24 to A.A.A.A/24 on SRX and added secondary IP address with a B.B.B.B/24 address to my untrust interface (plus the rest of the configuration)?
I do not see any need to add anything else to my existing configuration, but I could be wrong.

Re: VLAN to LAN visibility

11-14-2018 05:06 PM

With a VPN site to site connection the tunnel transports specific prefixes that are configured across the tunnel. So if you want both prefixes to be visible to the remote site both would need to be part of the vpn routing or policy vpn setup to be sent across the tunnel.

In addition on the b.b.b.b subnet a return path route for the remote lan segment on the other side of the vpn would need to be added pointing to the local srx in the same way the a.a.a.a/24 subnet was added. Otherwise the remote vpn lan will hit the b.b.b.b default route out and not return to the originator.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: VLAN to LAN visibility

11-14-2018 05:30 PM

Steve, thank you for all your help!

Re: VLAN to LAN visibility

11-15-2018 05:31 AM

Let's see if I understood this correctly.
So after ike gateway, ike and ipsec proposals and policies I will need to add not just proxy-identity local A.A.A.A/24 (SRX side) on my end, I will need to add an additional proxy-identity local for B.B.B.B/24 as well into my VPN config for my side?
And the remote side will need to add not just A.A.A.A/24 for my end but an additional B.B.B.B/24 on their end as well?

Re: VLAN to LAN visibility

11-15-2018 05:04 PM

Basically yes, to connect the B subnet to the remote site via vpn the subnet needs to be configured on the site to site vpn. The remote site needs to know that subnet is reachable via this tunnel.

One option is as you note proxy id or traffic selectors. These are used generally when the other side is not an SRX or some other brand that allows route based vpn with open proxy id. This will use a route based vpn and you need a tunnel interface and the route to the remote site pointed at that tunnel interface.

Second option in that case is to create policy based vpn which generates those proxy id via security policy with the tunnel option.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
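The first option above (route-based VPN with one traffic selector per local subnet), as an added example that is not Steve's or Juniper's configuration. It assumes the IKE gateway REMOTE-GW and IPsec policy IPSEC-POL already exist, uses a zone named vpn for the tunnel, 203.0.113.0/24 for the remote LAN, and the RFC 5737 stand-ins 192.0.2.0/24 for A.A.A.A/24 and 198.51.100.0/24 for B.B.B.B/24; all object and policy names are assumptions.

```junos
# Added example, not Steve's or Juniper's configuration. Assumes the IKE gateway
# REMOTE-GW and IPsec policy IPSEC-POL already exist, uses zone "vpn" for the
# tunnel, 203.0.113.0/24 for the remote LAN, and the RFC 5737 stand-ins
# 192.0.2.0/24 (A.A.A.A/24) and 198.51.100.0/24 (B.B.B.B/24); all names assumed.

# Route-based VPN: the tunnel is an interface in its own zone.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn TO-REMOTE bind-interface st0.0
set security ipsec vpn TO-REMOTE ike gateway REMOTE-GW
set security ipsec vpn TO-REMOTE ike ipsec-policy IPSEC-POL

# One traffic selector (proxy ID) per local subnet; the remote peer must
# configure the mirror image (203.0.113.0/24 local, each of these as remote).
set security ipsec vpn TO-REMOTE traffic-selector TS-A local-ip 192.0.2.0/24 remote-ip 203.0.113.0/24
set security ipsec vpn TO-REMOTE traffic-selector TS-B local-ip 198.51.100.0/24 remote-ip 203.0.113.0/24

# Route the remote LAN into the tunnel.
set routing-options static route 203.0.113.0/24 next-hop st0.0

# The B LAN sits in zone untrust, so it needs vpn <-> untrust policies in both
# directions (the trust <-> vpn pair for the A LAN is built the same way).
set security address-book global address NET-B 198.51.100.0/24
set security address-book global address REMOTE-LAN 203.0.113.0/24
set security policies from-zone untrust to-zone vpn policy B-TO-REMOTE match source-address NET-B
set security policies from-zone untrust to-zone vpn policy B-TO-REMOTE match destination-address REMOTE-LAN
set security policies from-zone untrust to-zone vpn policy B-TO-REMOTE match application any
set security policies from-zone untrust to-zone vpn policy B-TO-REMOTE then permit
set security policies from-zone vpn to-zone untrust policy REMOTE-TO-B match source-address REMOTE-LAN
set security policies from-zone vpn to-zone untrust policy REMOTE-TO-B match destination-address NET-B
set security policies from-zone vpn to-zone untrust policy REMOTE-TO-B match application any
set security policies from-zone vpn to-zone untrust policy REMOTE-TO-B then permit

# Return path on the laptop (not the SRX), exactly as for the A subnet earlier,
# otherwise replies follow the laptop's default route to the ISP modem:
#   ip route add 203.0.113.0/24 via 198.51.100.2

# Checks after commit (operational mode):
#   show security ike security-associations
#   show security ipsec security-associations
#   show route 203.0.113.0/24
```

Because the tunnel zone is vpn rather than untrust, the existing trust-to-untrust source NAT rule-set does not apply to tunnel traffic, so the remote site sees the real A and B addresses.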