[j-nsp] Static Routing - SRX
OBrien, Will
ObrienH at missouri.edu
Wed Nov 3 14:07:16 EDT 2010
Do you have an intrazone policy? Trust to trust, allow all for example.
Sent from my iPad
On Nov 3, 2010, at 1:04 PM, "Paul Stewart" <paul at paulstewart.org> wrote:
> Thanks... yeah, pretty much.
>
> We installed the static route and were unable to reach anything on the
> 172.30.200.0/24 network from a machine in the 192.168.20.0/24 subnet. On
> that actual machine (Windows 7) we installed a route in Windows and were
> able to communicate no problem (bypassing the route statement on the SRX).
>
> This seems to imply that by using a default route you can't take traffic
> into an interface and route it back out the SAME interface - an issue we
> used to face on the Cisco PIX boxes at one time.
>
> Looking for a workaround to this - our solution at this point is to bring
> the 192.168.20.121 device (which is a VPN appliance that connects us to our
> billing platforms) in via a subnet on a directly connected interface. The
> downside to this is that it involves some routing changes on the VPN portion
> which we're trying to avoid as it involves a third party.
>
> Literally on the Cisco 2800 in place it's "ip route 172.30.200.0
> 255.255.255.0 192.168.20.121". On the SRX we have "set routing-options
> static route 172.30.200.0/24 next-hop 192.168.20.121".
>
> Thanks,
>
> Paul
>
>
>
> -----Original Message-----
> From: Michael Damkot [mailto:mdamkottwc at gmail.com]
> Sent: Wednesday, November 03, 2010 1:55 PM
> To: Paul Stewart
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Static Routing - SRX
>
> Paul-
>
> Just to make sure I'm tracking correctly, you've tried installing a static
> route and it didn't work?
>
>
> On Nov 3, 2010, at 11:48 , Paul Stewart wrote:
>
>> Hi there.
>>
>>
>>
>> Can anyone give any suggestion/guidance on the following.
>>
>>
>>
>> I'm trying to do a static route *out* the same interface that the traffic
>> came *in* on. This is on an SRX-240
>>
>>
>>
>> Here are the details:
>>
>> "Private": 192.168.20.0/24
>>
>> "Public": 216.168.x.x/32
>>
>>
>>
>> Static route: 172.30.200.0/24 to <gateway - 192.168.20.224> to
>> 192.168.20.121
>>
>>
>>
>> 192.168.20.121 is the IP on a VPN appliance.
>>
>>
>>
>> Traffic from a client computer never gets routed to the VPN appliance. This
>> works on a Cisco 2800 without a problem, but I can't get it working on the
>> SRX.
>>
>>
>>
>> So, to walk this through a bit more - a computer sitting on the 192.168.20.0
>> subnet has a default gateway of 192.168.20.224. We want a route on the SRX
>> that routes any traffic coming into 192.168.20.224 that is destined to
>> 172.30.200.0/24 to be sent to 192.168.20.121. In Cisco 2800 it's just a
>> static route.
>>
>>
>>
>> Ran across this challenge in the Cisco PIX world as well..
>>
>>
>>
>> Thanks for any input..
>>
>>
>>
>> Paul
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
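An intrazone policy of the kind asked about at the top of this message, written out as an added example that is not part of the original thread. It narrows the "allow all" suggestion to the two prefixes named in the thread; the zone name `trust`, the assumption that the 192.168.20.224 interface sits in that zone, and the address-book and policy names are all assumptions, and the zone-attached address-book form is used.

```junos
# Added example. Zone name "trust" and every address/policy name are assumptions.

# Static route as quoted in the thread.
set routing-options static route 172.30.200.0/24 next-hop 192.168.20.121

# Address-book entries for the two prefixes from the thread.
set security zones security-zone trust address-book address lan-192-168-20 192.168.20.0/24
set security zones security-zone trust address-book address billing-172-30-200 172.30.200.0/24

# Intrazone policy: traffic that arrives from the trust zone and is routed
# back out to the trust zone is still evaluated against a security policy.
set security policies from-zone trust to-zone trust policy lan-to-billing match source-address lan-192-168-20
set security policies from-zone trust to-zone trust policy lan-to-billing match destination-address billing-172-30-200
set security policies from-zone trust to-zone trust policy lan-to-billing match application any
set security policies from-zone trust to-zone trust policy lan-to-billing then permit

# Log session creation so policy hits for this path are visible.
set security policies from-zone trust to-zone trust policy lan-to-billing then log session-init
```

After commit, `show security policies from-zone trust to-zone trust` lists the policy, and `show security flow session destination-prefix 172.30.200.0/24` shows whether sessions toward the billing network are being created.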