[j-nsp] Static Routing - SRX

OBrien, Will ObrienH at missouri.edu
Wed Nov 3 14:07:16 EDT 2010 

Do you have an intrazone policy? Trust to trust, allow all for example.

Sent from my iPad

On Nov 3, 2010, at 1:04 PM, "Paul Stewart" <paul at paulstewart.org> wrote:

> Thanks... yeah, pretty much.
> 
> We installed the static route and were unable to reach anything on the
> 172.30.200.0/24 network from a machine in the 192.168.20.0/24 subnet.  On
> that actual machine (Windows 7) we installed a route in Windows and were
> able to communicate no problem (bypassing the route statement on the SRX).
> 
> This seems to imply that by using a default route you can't take traffic
> into an interface and route it back out the SAME interface - an issue we
> used to face on the Cisco PIX boxes at one time.
> 
> Looking for a workaround to this - our solution at this point is to bring
> the 192.168.20.121 device (which is a VPN appliance that connects us to our
> billing platforms) in via a subnet on a directly connected interface.  The
> downside to this is that it involves some routing changes on the VPN portion
> which we're trying to avoid as it involves a third party.
> 
> Literally on the Cisco 2800 in place it's "ip route 172.30.200.0
> 255.255.255.0 192.168.20.121".  On the SRX we have "set routing-options
> static route 172.30.200.0/24 next-hop 192.168.20.121".
> 
> Thanks,
> 
> Paul
> 
> 
> 
> -----Original Message-----
> From: Michael Damkot [mailto:mdamkottwc at gmail.com] 
> Sent: Wednesday, November 03, 2010 1:55 PM
> To: Paul Stewart
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Static Routing - SRX
> 
> Paul-
> 
> Just to make sure I'm tracking correctly, you've tried installing a static
> route and it didn't work? 
> 
> 
> On Nov 3, 2010, at 11:48 , Paul Stewart wrote:
> 
>> Hi there.
>> 
>> 
>> 
>> Can anyone give any suggestion/guidance on the following.
>> 
>> 
>> 
>> I'm trying to do a static route *out* the same interface that the traffic
>> came *in* on.  This is on an SRX-240
>> 
>> 
>> 
>> Here are the details:
>> 
>> "Private": 192.168.20.0/24
>> 
>> "Public": 216.168.x.x/32
>> 
>> 
>> 
>> Static route: 172.30.200.0/24 to <gateway - 192.168.20.224> to
>> 192.168.20.121
>> 
>> 
>> 
>> 192.168.20.121 is the IP on a VPN appliance.
>> 
>> 
>> 
>> Traffic from a client computer never gets routed to the VPN appliance.
> This
>> works on a Cisco 2800 without a problem, but I can't get it working on the
>> SRX.
>> 
>> 
>> 
>> So, to walk this through a bit more - a computer sitting on the
> 192.168.20.0
>> subnet has a default gateway of 192.168.20.224.  We want a route on the
> SRX
>> that routes any traffic coming into 192.168.20.224 that is destined to
>> 172.30.200.0/24 to be sent to 192.168.20.121.  In Cisco 2800 it's just a
>> static route.
>> 
>> 
>> 
>> Ran across this challenge in the Cisco PIX world as well..
>> 
>> 
>> 
>> Thanks for any input..
>> 
>> 
>> 
>> Paul
>> 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list