Hey all,
I had a thread about two weeks ago where a lot of you jumped in and helped. We moved away from that for a while and I had to start over entirely, so now I need your help again.
So, first off: is it possible to make a default route ONLY for the fxp0 management interface?
For instance, we have a management network that I've put NIC 0 on; however, I can only SSH into the vSRX if I have a static route pointing out that management network's interface.
Obviously, traffic originating from the routing-instances needs a default route out of the NAT "outside" interface.
So, basically: is there a form of policy-based routing that I can apply to the fxp0 interface for SSH management, while keeping a separate static default route for each routing-instance (and therefore each security zone)? I have the following so far, in case anyone sees any glaring problems.
/* Source NAT: flows from zone HIB-Inside to zone Outside are translated to
 * the address of the egress interface (ge-0/0/0.0, the WAN). There is no
 * rule-set for MonroeAerospace-Inside -> Outside, so that zone would leave
 * untranslated if a policy ever permitted it out. */
nat {
source {
rule-set NAT {
from zone HIB-Inside;
to zone Outside;
/* Catch-all match (any source, any destination). Narrowing source-address
 * to the HIB prefixes (10.100.66.0/24, 172.25.3.0/24) keeps only known
 * inside addresses from being translated onto the public address. */
rule A {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* Inter-zone policies. None of them logs, so denied and permitted sessions
 * leave no trace in syslog; `log { session-init; }` on the deny/reject
 * policies and `log { session-close; }` on the permits is the usual
 * minimum for detection. */
policies {
/* Outside -> HIB-Inside: silent drop (`deny` sends nothing back). */
from-zone Outside to-zone HIB-Inside {
policy DenyOutSideIn {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
/* HIB-Inside -> Outside: unrestricted egress; NAT rule-set NAT applies. */
from-zone HIB-Inside to-zone Outside {
policy AllowInsideOut {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* MonroeAerospace-Inside -> Transport: unrestricted. There is no
 * MonroeAerospace-Inside -> Outside policy, so that zone currently has no
 * path to the WAN through this box — confirm that is intended. */
from-zone MonroeAerospace-Inside to-zone Transport {
policy Permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Outside -> MonroeAerospace-Inside: `reject` answers with TCP RST /
 * ICMP unreachable, unlike the `deny` used for HIB-Inside above. Pick one
 * behaviour for the WAN edge; a silent deny discloses less to anyone
 * probing the public address. */
from-zone Outside to-zone MonroeAerospace-Inside {
policy Deny {
match {
source-address any;
destination-address any;
application any;
}
then {
reject;
}
}
}
}
/* Zone membership. Every interface listed here must exist under
 * [interfaces] and should line up with the routing-instance it belongs to. */
zones {
/* Empty functional-zone management: with a dedicated fxp0 the management
 * port sits outside the security zones, so this stanza does nothing here —
 * presumably harmless; confirm for this vSRX release. */
functional-zone management;
/* WAN zone: the box itself answers only ping; ssh is deliberately not
 * opened here (management stays on fxp0). */
security-zone Outside {
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
ge-0/0/0.0;
}
}
/* No host-inbound-traffic: inside hosts cannot ping or ssh the SRX through
 * these units. Both units are also members of routing-instance HIB. */
security-zone HIB-Inside {
interfaces {
ge-0/0/1.1066;
ge-0/0/2.1066;
}
}
/* ge-0/0/1.1011 is not defined under [interfaces] (units are 993, 1001,
 * 1066) and routing-instance MonroeAerospace uses ge-0/0/1.1001 — looks
 * like a typo; confirm which unit is intended. */
security-zone MonroeAerospace-Inside {
interfaces {
ge-0/0/1.1011;
}
}
/* ge-0/0/1.993 is not assigned to any routing-instance, so it lives in the
 * default instance (inet.0), not in MonroeAerospace. */
security-zone Transport {
interfaces {
ge-0/0/1.993;
}
}
}
}
/* Physical and logical interfaces. x.x.x.* addresses are presumably
 * redacted public addresses. */
interfaces {
/* WAN uplink; zone Outside; its address is also what interface source NAT
 * translates HIB traffic to. */
ge-0/0/0 {
description WAN;
unit 0 {
family inet {
address x.x.x.6/24;
}
}
}
/* Trunk toward the SD-WAN box; one sub-interface per tenant VLAN. */
ge-0/0/1 {
description SD-Wan-Handoff;
flexible-vlan-tagging;
/* Zone Transport; stays in the default instance (no routing-instance
 * claims it). */
unit 993 {
description Transport-To-Denver;
vlan-id 993;
family inet {
address 10.99.3.1/24;
}
}
/* Member of routing-instance MonroeAerospace and BGP local-address for that
 * peer. No description, and zone MonroeAerospace-Inside references .1011
 * rather than this unit. */
unit 1001 {
vlan-id 1001;
family inet {
address 10.100.1.1/24;
}
}
/* Member of routing-instance HIB / zone HIB-Inside; BGP local-address for
 * group HIB. */
unit 1066 {
description HIB-Edge-Handoff;
vlan-id 1066;
family inet {
address 10.100.66.1/24;
}
}
}
ge-0/0/2 {
description Customer-Resources;
flexible-vlan-tagging;
/* Administratively disabled, yet still referenced by zone HIB-Inside,
 * routing-instance HIB and export policy HIB-Resources — nothing on this
 * unit is reachable or advertised until `disable` is removed. */
unit 1066 {
disable;
description HIB-Resources;
vlan-id 1066;
family inet {
address 172.25.3.1/24;
}
}
}
/* Out-of-band management port on 10.99.9.0/24. On SRX, fxp0 is not bound
 * to a security zone and is meant for management only, not transit, so
 * SSH reachability is a question of which routing table holds the route
 * back to the admin network, not of security policy — confirm for this
 * vSRX release. */
fxp0 {
unit 0 {
family inet {
address 10.99.9.2/24;
}
}
}
}
policy-options {
/* Used as instance-import for routing-instance HIB: copies only the master
 * (inet.0) default route; everything else is rejected by term B. The copy
 * carries whatever next hops the master 0/0 has — at the moment that
 * includes 10.99.9.1 on the fxp0 management subnet, and fxp0 is not
 * expected to forward transit traffic, so HIB inherits a next hop it
 * should not use. */
policy-statement DefaultRoute {
term A {
from {
instance master;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term B {
then reject;
}
}
/* BGP export for group HIB: advertises routes associated with
 * ge-0/0/2.1066 (the HIB-Resources subnet). That unit is currently
 * `disable`d, so nothing is exported until it is enabled. There is no
 * `protocol direct` qualifier, so any route learned via that interface
 * would match as well. */
policy-statement HIB-Resources {
from interface ge-0/0/2.1066;
then accept;
}
}
}
}
routing-instances {
/* Tenant HIB (virtual-router). The closing brace right after
 * `interface ge-0/0/2.1066;` ends the instance before `instance-import`,
 * which belongs under `routing-options { }` inside the instance (compare
 * MonroeAerospace below) — presumably a line lost in the paste, as this
 * is unlikely to commit as shown. */
HIB {
instance-type virtual-router;
interface ge-0/0/1.1066;
interface ge-0/0/2.1066;
}
/* Pulls the master 0/0 into HIB's table via policy DefaultRoute. */
instance-import DefaultRoute;
}
protocols {
bgp {
/* EBGP to the HIB edge. No authentication on the session; an
 * `authentication-key` (MD5) is the minimum for a peer on a shared
 * handoff. */
group HIB {
type external;
local-address 10.100.66.1;
export HIB-Resources;
peer-as 1066;
local-as 1000;
neighbor 10.100.66.2;
}
}
}
}
/* Tenant MonroeAerospace (virtual-router). */
MonroeAerospace {
instance-type virtual-router;
interface ge-0/0/1.1001;
routing-options {
static {
/* 10.99.3.2 sits on 10.99.3.0/24 (ge-0/0/1.993), which is in the default
 * instance, not in this VR, so the next hop does not resolve in this
 * instance's table as configured. Either move ge-0/0/1.993 into this
 * instance or send the route to the master table (`next-table inet.0`).
 * Note the VR also has no default route at all. */
route 10.4.3.0/29 next-hop 10.99.3.2;
}
}
protocols {
bgp {
/* EBGP to the MonroeAerospace edge. No export policy: by default Junos
 * advertises only BGP-learned routes to an EBGP peer, so the peer learns
 * nothing from this box — confirm that is intended. No authentication-key
 * here either. */
group MonroeAerospace {
type external;
local-address 10.100.1.1;
peer-as 1001;
local-as 1000;
neighbor 10.100.1.2;
}
}
}
}
}
/* Default route in the master instance with two next hops: 10.99.9.1 is
 * the gateway on the fxp0 management subnet, x.x.x.1 the WAN gateway.
 * Either next hop may be chosen, and fxp0 is a management-only port, so
 * transit traffic (and the copy of this route imported into HIB) can be
 * black-holed toward 10.99.9.1. Two common ways to keep management and
 * transit apart: give management its own table with
 * `set system management-instance` (moves fxp0 into routing-instance
 * mgmt_junos; check this vSRX release supports it) and leave only x.x.x.1
 * here; or keep only x.x.x.1 as the default and add a more specific static
 * for the admin network, e.g. `route <MGMT-PREFIX> next-hop 10.99.9.1;`
 * (placeholder prefix). */
routing-options {
static {
route 0.0.0.0/0 next-hop [ 10.99.9.1 x.x.x.1 ];
}
}