[j-nsp] Static Routing - SRX

Michael Damkot mdamkottwc at gmail.com
Wed Nov 3 14:08:42 EDT 2010


That's going to be required too; I forgot about that.


On Nov 3, 2010, at 14:07 , OBrien, Will wrote:

> Do you have an intrazone policy? Trust to trust, allow all for example.
> 
> Sent from my iPad
> 
> On Nov 3, 2010, at 1:04 PM, "Paul Stewart" <paul at paulstewart.org> wrote:
> 
>> Thanks... yeah, pretty much.
>> 
>> We installed the static route and were unable to reach anything on the
>> 172.30.200.0/24 network from a machine in the 192.168.20.0/24 subnet.  On
>> that actual machine (Windows 7) we installed a route in Windows and were
>> able to communicate no problem (bypassing the route statement on the SRX).
>> 
>> This seems to imply that by using a default route you can't take traffic
>> into an interface and route it back out the SAME interface - an issue we
>> used to face on the Cisco PIX boxes at one time.
>> 
>> Looking for a workaround to this - our solution at this point is to bring
>> the 192.168.20.121 device (which is a VPN appliance that connects us to our
>> billing platforms) in via a subnet on a directly connected interface.  The
>> downside to this is that it involves some routing changes on the VPN portion
>> which we're trying to avoid as it involves a third party.
>> 
>> Literally on the Cisco 2800 in place it's "ip route 172.30.200.0
>> 255.255.255.0 192.168.20.121".  On the SRX we have "set routing-options
>> static route 172.30.200.0/24 next-hop 192.168.20.121".
>> 
>> Thanks,
>> 
>> Paul
>> 
>> 
>> 
>> -----Original Message-----
>> From: Michael Damkot [mailto:mdamkottwc at gmail.com] 
>> Sent: Wednesday, November 03, 2010 1:55 PM
>> To: Paul Stewart
>> Cc: juniper-nsp at puck.nether.net
>> Subject: Re: [j-nsp] Static Routing - SRX
>> 
>> Paul-
>> 
>> Just to make sure I'm tracking correctly, you've tried installing a static
>> route and it didn't work? 
>> 
>> 
>> On Nov 3, 2010, at 11:48 , Paul Stewart wrote:
>> 
>>> Hi there.
>>> 
>>> 
>>> 
>>> Can anyone give any suggestion/guidance on the following.
>>> 
>>> 
>>> 
>>> I'm trying to do a static route *out* the same interface that the traffic
>>> came *in* on.  This is on an SRX-240
>>> 
>>> 
>>> 
>>> Here are the details:
>>> 
>>> "Private": 192.168.20.0/24
>>> 
>>> "Public": 216.168.x.x/32
>>> 
>>> 
>>> 
>>> Static route: 172.30.200.0/24 to <gateway - 192.168.20.224> to
>>> 192.168.20.121
>>> 
>>> 
>>> 
>>> 192.168.20.121 is the IP on a VPN appliance.
>>> 
>>> 
>>> 
>>> Traffic from a client computer never gets routed to the VPN appliance.  This
>>> works on a Cisco 2800 without a problem, but I can't get it working on the
>>> SRX.
>>> 
>>> 
>>> 
>>> So, to walk this through a bit more - a computer sitting on the 192.168.20.0
>>> subnet has a default gateway of 192.168.20.224.  We want a route on the SRX
>>> that routes any traffic coming into 192.168.20.224 that is destined to
>>> 172.30.200.0/24 to be sent to 192.168.20.121.  In Cisco 2800 it's just a
>>> static route.
>>> 
>>> 
>>> 
>>> Ran across this challenge in the Cisco PIX world as well..
>>> 
>>> 
>>> 
>>> Thanks for any input..
>>> 
>>> 
>>> 
>>> Paul
>>> 
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 
>> 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
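
The intrazone policy Will asks about, written as Junos set commands alongside the static route quoted in the thread. This is an added example, not configuration posted by anyone in the thread: the zone name `trust` follows Will's wording, the address-book and policy names are assumptions, and the policy is scoped to the two subnets mentioned rather than allow-all.

```junos
# Added example. Assumes the 192.168.20.224 interface is already bound to
# a security zone named "trust"; all object names below are hypothetical.

# Static route from the thread: reach the billing network via the VPN appliance.
set routing-options static route 172.30.200.0/24 next-hop 192.168.20.121

# Address-book entries for the two networks named in the thread.
set security zones security-zone trust address-book address lan-192-168-20 192.168.20.0/24
set security zones security-zone trust address-book address billing-172-30-200 172.30.200.0/24

# Intrazone (trust -> trust) policy. Traffic that enters and leaves through
# the same zone is still evaluated against security policy, so without a
# matching from-zone trust to-zone trust policy it is handled by the default
# policy (deny unless changed).
set security policies from-zone trust to-zone trust policy lan-to-billing match source-address lan-192-168-20
set security policies from-zone trust to-zone trust policy lan-to-billing match destination-address billing-172-30-200
set security policies from-zone trust to-zone trust policy lan-to-billing match application any
set security policies from-zone trust to-zone trust policy lan-to-billing then permit
```

`show security policies from-zone trust to-zone trust` lists the policy after commit, and `show security flow session destination-prefix 172.30.200.0/24` shows whether sessions are being created for the hairpinned traffic.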



