SRX Services Gateway

ZONE to VLAN routing instances not working

‎05-22-2020 08:59 AM

Good morning!

 

I am currently working on an SRX1500, and I am trying to bridge the gap in communication from one interface to another on my device.

 

ge-0/0/2 has been assigned to a zone called LR23 and I am trying to get it to communicate with a device on port ge-0/0/12.99. From the SRX device I can send an ICMP packet from ge-0/0/2.0 to my device on the other side of ge-0/0/12.99. When I send an ICMP packet from ge-0/0/12.99 to a client machine on the other side of ge-0/0/2 I get 100 percent replies. The users on the other side of ge-0/0/12.99 report that they cannot ping the 192.168.99.x address of the device they are trying to access. But they are able to hit the gateway address established on port ge-0/0/2.

 

If ICMP can work its way from one end to the other within this boundary of the network, why would their clients not be able to reach beyond the external interface ge-0/0/2 into ge-0/0/12.99?

 

Here is a snippet from the SRX1500, modified slightly to protect specific information.

 

set security nat source rule-set vlan99-to-LR23 from routing-instance LR23
set security nat source rule-set vlan99-to-LR23 to interface ge-0/0/2.0
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT match source address 192.168.99.0/24
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT then source-nat interface
set security nat source rule-set LR23-to-vlan99 from routing-instance LR23
set security nat source rule-set LR23-to-vlan99 to interface ge-0/0/12.99
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT match source address 10.45.45.0/24
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT then source-nat interface
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match source-address vlan99
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match destination-address any
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match application any
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound then permit
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match source-address any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match destination-address any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match application any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound then permit
set security zones security-zone LR23 host-inbound-traffic system-services all
set security zones security-zone LR23 host-inbound-traffic protocols all
set security zones security-zone LR23 interfaces ge-0/0/2.0
set security zones security-zone vlan99 host-inbound-traffic system-services all
set security zones security-zone vlan99 host-inbound-traffic protocols all
set security zones security-zone vlan99 interfaces ge-0/0/12.99
set interfaces ge-0/0/2 description "  "
set interfaces ge-0/0/2 unit 0 description " "
set routing-options rib-groups RIB_LR23 import-rib LR23.inet.0
set routing-options rib-groups RIB_LR23 import-rib Repository.inet.0
set routing-options rib-groups RIB_LR23 import-rib Virtual.inet.0
set routing-options rib-groups RIB_Virtual import-rib LR23.inet.0
set routing-instances LR23 description " Words are here "
set routing-instances LR23 instance-type virtual-router
set routing-instances LR23 interface ge-0/0/2.0
set routing-instances LR23 interface ge-0/0/12.99
set routing-instances LR23 routing-options interface-routes rib-group inet RIB_LR23
set routing-instances LR23 routing-options static route 0.0.0.0/0 next-hop 192.168.99.0

 

I look forward to any replies to this post. I am eager to see what others might think the issue might be.

 

- David 
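The snippet above mixes four things that have to agree with each other (zone membership, routing-instance membership, source-NAT rule-set direction, and the static next-hop), and it is easy to lose track of which one is off. The following linter is an added example written for this page, not part of the original post or of any Juniper tool: it parses the OP's own "set" lines (descriptions and rib-groups dropped, and "virtual-router" spelled the way Junos accepts it) and reports the mismatches a reviewer would look for first. The check names and the assumption that every "to interface" rule-set with "source-nat interface" hides traffic behind that interface's address are the editor's; replace CONFIG with "show configuration | display set" output to run it against a real box.

```python
"""Lint a Junos 'set'-format SRX snippet for the kinds of mismatch this thread is chasing.
Editor's checks, not Junos commit checks: zone interfaces missing from every routing instance,
NAT egress interfaces in no zone, interface source NAT in both directions between two zones,
a static next-hop that is a network address, wide-open host-inbound-traffic, any/any/any permits."""
import ipaddress
import shlex
from collections import defaultdict

# Taken from the OP's first post (descriptions and rib-groups dropped, 'virtual-router' as Junos spells it).
CONFIG = """
set security nat source rule-set vlan99-to-LR23 from routing-instance LR23
set security nat source rule-set vlan99-to-LR23 to interface ge-0/0/2.0
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT match source address 192.168.99.0/24
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT then source-nat interface
set security nat source rule-set LR23-to-vlan99 from routing-instance LR23
set security nat source rule-set LR23-to-vlan99 to interface ge-0/0/12.99
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT match source address 10.45.45.0/24
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT then source-nat interface
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match source-address vlan99
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match destination-address any
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound match application any
set security policies from-zone vlan99 to-zone LR23 policy allow-outbound then permit
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match source-address any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match destination-address any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound match application any
set security policies from-zone LR23 to-zone vlan99 policy allow-inbound then permit
set security zones security-zone LR23 host-inbound-traffic system-services all
set security zones security-zone LR23 interfaces ge-0/0/2.0
set security zones security-zone vlan99 host-inbound-traffic system-services all
set security zones security-zone vlan99 interfaces ge-0/0/12.99
set routing-instances LR23 instance-type virtual-router
set routing-instances LR23 interface ge-0/0/2.0
set routing-instances LR23 interface ge-0/0/12.99
set routing-instances LR23 routing-options static route 0.0.0.0/0 next-hop 192.168.99.0
"""


def parse_set_config(text):
    """One token list per 'set' line, leading 'set' removed; shlex keeps quoted descriptions whole."""
    return [shlex.split(ln)[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def lint(stmts):
    """Return (code, message) findings for a parsed snippet."""
    zone_of, wide_open = {}, set()             # interface -> zone; zones with host-inbound ... all
    ri_ifaces = defaultdict(set)               # routing-instance -> interfaces
    nat = defaultdict(lambda: {"rules": defaultdict(dict)})
    policies = defaultdict(dict)               # (from-zone, to-zone, name) -> match fields + action
    prefixes, nexthops = set(), []
    for s in stmts:
        if s[:3] == ["security", "zones", "security-zone"]:
            if s[4] == "interfaces":
                zone_of[s[5]] = s[3]
            elif s[4] == "host-inbound-traffic" and s[6] == "all":
                wide_open.add(s[3])
        elif s[:4] == ["security", "nat", "source", "rule-set"]:
            rs = nat[s[4]]
            if s[5] in ("from", "to"):
                rs[s[5]] = (s[6], s[7])
            elif s[5] == "rule" and s[7] == "match":     # only 'match source address' is tracked
                rs["rules"][s[6]].setdefault("match", []).append(s[10])
                prefixes.add(s[10])
            elif s[5] == "rule" and s[7] == "then":
                rs["rules"][s[6]]["then"] = " ".join(s[8:])
        elif s[:2] == ["security", "policies"]:
            pol = policies[(s[3], s[5], s[7])]
            if s[8] == "match":
                pol[s[9]] = s[10]
            elif s[8] == "then" and s[9] in ("permit", "deny", "reject"):
                pol["then"] = s[9]
        elif s[0] == "routing-instances":
            if s[2] == "interface":
                ri_ifaces[s[1]].add(s[3])
            elif s[2:5] == ["routing-options", "static", "route"]:
                prefixes.add(s[5])
                nexthops.append((s[1], s[5], s[7]))

    findings = []
    in_any_ri = set().union(*ri_ifaces.values())
    for iface, zone in zone_of.items():
        if iface not in in_any_ri:
            findings.append(("ZONE_IFACE_NOT_IN_RI", f"{iface} (zone {zone}) is in no routing instance"))
    egress = {}                                 # rule-set -> (from, zone of its 'to interface')
    for name, rs in nat.items():
        to = rs.get("to")
        if to and to[0] == "interface":
            if to[1] not in zone_of:
                findings.append(("NAT_TO_UNKNOWN_IFACE", f"rule-set {name} egresses {to[1]}, which is in no zone"))
            elif any(r.get("then") == "source-nat interface" for r in rs["rules"].values()):
                egress[name] = (rs.get("from"), zone_of[to[1]])
    names = sorted(egress)
    for i, a in enumerate(names):               # same 'from', different egress zones: NAT both ways
        for b in names[i + 1:]:
            if egress[a][0] == egress[b][0] and egress[a][1] != egress[b][1]:
                findings.append(("MUTUAL_INTERFACE_NAT", f"{a} and {b} source-NAT in both directions between zones {egress[a][1]} and {egress[b][1]}"))
    for ri, route, nh in nexthops:
        try:
            nh_ip = ipaddress.ip_address(nh)
        except ValueError:                      # 'discard', 'reject', a qualified next-hop, ...
            continue
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            if net.prefixlen < 31 and nh_ip == net.network_address:
                findings.append(("NEXTHOP_IS_NETWORK_ADDR", f"{ri}: {route} next-hop {nh} is the network address of {p}, not a host"))
    for zone in sorted(wide_open):
        findings.append(("ZONE_HOST_INBOUND_ALL", f"zone {zone} allows all host-inbound system-services/protocols"))
    for (src, dst, name), p in policies.items():
        if p.get("then") == "permit" and all(p.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            findings.append(("ANY_ANY_PERMIT", f"{src} -> {dst} policy {name} permits any/any/any"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_set_config(CONFIG)):
        print(f"{code:24} {msg}")
```

On the posted snippet this reports interface source NAT in both directions between LR23 and vlan99 (the point the first reply raises), a default route whose next-hop 192.168.99.0 is the network address of 192.168.99.0/24 rather than a host on it, host-inbound-traffic "all" on both zones, and an any/any/any permit from LR23 into vlan99; the last two are hardening points rather than reachability bugs, but they are the kind of thing that tends to stay behind once the ping problem is fixed.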


Re: ZONE to VLAN routing instances not working

‎06-03-2020 07:50 AM

Hi,

 

Apologies if I've not quite understood your traffic flow here, but if you are source NATing on both the inbound and outbound interfaces I think this will cause you issues, as the original destination address would be altered on the return traffic surely.


Re: ZONE to VLAN routing instances not working

‎06-11-2020 11:59 AM

Sorry if what I posted didn't make any sense. I am still pretty green when it comes to Juniper. It might help if I state what I am trying to do, for better context.

 

I have a single port, say ge-0/0/2.0:
           This port was set up with the IP address 192.168.1.254
           This port is part of a zone called LR23
I have another single port, say ge-0/0/3.40:
           This port is configured as a subinterface and is part of VLAN40
           This port was set up with the IP address 192.168.40.254
I have another single port, say ge-0/0/3.99:
           This port is configured as a subinterface and is part of VLAN99
           This port was set up with the IP address 192.168.99.254

 

I want to get clients on subnet 192.168.1.0/24 to talk with both the 192.168.99.0/24 subnet and the 192.168.40.0/24 subnet. 

 

set routing-instances LR23 description " Words are here "
set routing-instances LR23 instance-type virtual-router
set routing-instances LR23 interface ge-0/0/2.0
set routing-instances LR23 interface ge-0/0/3.99
set routing-instances LR23 interface ge-0/0/3.40

 

Per the previously existing configuration, I understood that NAT statements would be necessary even if there is a routing instance in place that covers LR23.

 

set security nat source rule-set vlan99-to-LR23 from routing-instance LR23
set security nat source rule-set vlan99-to-LR23 to interface ge-0/0/2.0
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT match source address 192.168.99.0/24
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT match source address 192.168.40.0/24
set security nat source rule-set vlan99-to-LR23 rule vlan99-NAT then source-nat interface
set security nat source rule-set LR23-to-vlan99 from routing-instance LR23
set security nat source rule-set LR23-to-vlan99 to interface ge-0/0/12.99
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT match source address 10.45.45.0/24
set security nat source rule-set LR23-to-vlan99 rule LR23-NAT then source-nat interface


Re: ZONE to VLAN routing instances not working

‎06-11-2020 07:26 PM

Hello , 

 

The best way to test is, when you try to send the ICMP from the client, to check for the session on the firewall:

 

> show security flow session source-prefix <source-ip> destination-prefix <destination-ip> protocol icmp

 

If the session is getting established then it is not the flow that is blocking.

 

But you mentioned :

 

The users on the other side of ge-0/0/12.99 report that they cannot ping the 192.168.99.x address of the device they are trying to access. But they are able to hit the gateway address established on port ge-0/0/2.

 

So this means that users who are behind VLAN99 could not reach ge-0/0/3.99 but they can reach ge-0/0/2.0. Correct me if I am wrong.

 

In that case it looks to be a routing issue, where that traffic is hitting the firewall without reaching the correct VLAN, or some other host is responding to the ge-0/0/3.99 IP.

 

Can you check the routing on the host behind VLAN99 to see if the route to ge-0/0/2.0 is via VLAN99?

Also, you need to have routing for those host IPs on the SRX via VLAN99 if they fall in a different subnet than VLAN99.

 

This is what I make of your topology :

 

192.168.1.X ----------- (ge-0/0/2.0) SRX (ge-0/0/3.99 ) ------- L3 device ------ Host  ( where ping is generated ) 

 

Can you clarify the subnet of the host from where you are pinging? They are not part of the VLAN99 subnet, right?

 

 


Thanks,
Sam

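Sam's test is the right first step: if "show security flow session" shows the session, policy and route lookup on the SRX passed and the problem is downstream of the firewall. The two wings of the session say more than "it exists", though, and reading them by hand gets tedious once there are dozens. The script below is an added example written for this page, not something from the thread or from Juniper: it parses session output of the shape the SRX prints (Session ID line followed by an In and an Out wing with If/Pkts/Bytes counters), then flags a reply wing that has never carried a packet (the flow left the SRX and nothing came back, so the destination host or the return path is where to look next) and a session whose Out-wing destination is not the In-wing source (source NAT was applied, which is the situation the first reply warned about). The sample output is constructed for this example with the thread's addresses; the "If: .local..0" marker for traffic addressed to the SRX itself is an assumption about the output format.

```python
"""Read 'show security flow session' text and say which wing of each session is starving.
Added example for this page; the output layout it expects is modelled on SRX output but the
sample below is constructed, not captured."""
import re

# Constructed sample: 192.168.99.10 (VLAN99, behind ge-0/0/3.99) pings the SRX's own ge-0/0/2.0
# address 192.168.1.254 (session 40121, healthy) and a host 192.168.1.20 behind ge-0/0/2.0
# (session 40122, whose reply wing never saw a packet and whose source was translated).
SAMPLE = """\
Session ID: 40121, Policy name: allow-outbound/4, Timeout: 2, Valid
  In: 192.168.99.10/1 --> 192.168.1.254/1;icmp, Conn Tag: 0x0, If: ge-0/0/3.99, Pkts: 1, Bytes: 84,
  Out: 192.168.1.254/1 --> 192.168.99.10/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,
Session ID: 40122, Policy name: allow-outbound/4, Timeout: 2, Valid
  In: 192.168.99.10/1 --> 192.168.1.20/1;icmp, Conn Tag: 0x0, If: ge-0/0/3.99, Pkts: 1, Bytes: 84,
  Out: 192.168.1.20/1 --> 192.168.1.254/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>\S+), Timeout: (?P<timeout>\d+), (?P<state>\w+)")
# src/port --> dst/port;proto ... If: <iface>, Pkts: N, Bytes: N   (ICMP shows id/seq where TCP shows ports)
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[^/\s]+)/\d+ --> (?P<dst>[^/\s]+)/\d+;(?P<proto>\w+),"
    r".*?If: (?P<iface>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


def parse_sessions(text):
    """Return a list of sessions, each with its In/Out wings keyed by direction."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({**m.groupdict(), "wings": {}})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            wing = w.groupdict()
            sessions[-1]["wings"][wing.pop("dir")] = wing
    return sessions


def diagnose(session):
    """Finding codes for one session; an empty list means both wings are carrying packets untranslated."""
    w_in, w_out = session["wings"].get("In"), session["wings"].get("Out")
    if not (w_in and w_out):
        return ["INCOMPLETE_SESSION"]
    codes = []
    if int(w_out["pkts"]) == 0:
        codes.append("NO_REPLY")        # forwarded out of the SRX, nothing ever came back
    if w_out["dst"] != w_in["src"]:
        codes.append("SOURCE_NATED")    # the far host answers to an SRX-side address, not the client
    if w_out["src"] != w_in["dst"]:
        codes.append("DEST_NATED")
    if w_in["iface"] == w_out["iface"]:
        codes.append("HAIRPIN")         # same interface both ways: the destination is not where the zone says
    return codes


def report(text):
    """Map session id -> finding codes for every session in the captured output."""
    return {s["id"]: diagnose(s) for s in parse_sessions(text)}


if __name__ == "__main__":
    for sid, codes in report(SAMPLE).items():
        print(sid, ", ".join(codes) or "ok")
```

An empty report (no session at all for the client's prefix) is the other informative outcome: the SRX never built the flow, so the packet was dropped before forwarding, and the policy and route lookup on the SRX itself are what to check next rather than the hosts behind it.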