[j-nsp] Static Routing - SRX
Crist Clark
Crist.Clark at globalstar.com
Wed Nov 3 14:20:55 EDT 2010
Does an SRX get confused when you have asymetric routing like
that on a single zone? Does it confuse the stream processing?
The SRX will only ever see the one way traffic from the host
on your local network to the remote network. The return traffic
(I assume) will go straight from the VPN gateway back to the
host on the same LAN.
Have you turned on some trace options to see what's going on?
security {
flow {
traceoptions {
file vpn_problem;
flag basic-datapath;
packet-filter vpn_traffic {
destination-prefix 172.30.200.0/24;
}
}
}
On 11/3/2010 at 11:02 AM, "Paul Stewart" <paul at paulstewart.org> wrote:
> Thanks... yeah, pretty much.
>
> We installed the static route and were unable to reach anything on the
> 172.30.200.0/24 network from a machine in the 192.168.20.0/24 subnet. On
> that actual machine (Windows 7) we installed a route in Windows and were
> able to communicate no problem (bypassing the route statement on the SRX).
>
> This seems to imply that by using a default route you can't take traffic
> into an interface and route it back out the SAME interface - an issue we
> used to face on the Cisco PIX boxes at one time.
>
> Looking for a workaround to this - our solution at this point is to bring
> the 192.168.20.121 device (which is a VPN appliance that connects us to our
> billing platforms) in via a subnet on a directly connected interface. The
> downside to this is that it involves some routing changes on the VPN portion
> which we're trying to avoid as it involves a third party.
>
> Literally on the Cisco 2800 in place it's "ip route 172.30.200.0
> 255.255.255.0 192.168.20.121". On the SRX we have "set routing-options
> static route 172.30.200.0/24 next-hop 192.168.20.121".
>
> Thanks,
>
> Paul
>
>
>
> -----Original Message-----
> From: Michael Damkot [mailto:mdamkottwc at gmail.com]
> Sent: Wednesday, November 03, 2010 1:55 PM
> To: Paul Stewart
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Static Routing - SRX
>
> Paul-
>
> Just to make sure I'm tracking correctly, you've tried installing a static
> route and it didn't work?
>
>
> On Nov 3, 2010, at 11:48 , Paul Stewart wrote:
>
>> Hi there.
>>
>>
>>
>> Can anyone give any suggestion/guidance on the following.
>>
>>
>>
>> I'm trying to do a static route *out* the same interface that the traffic
>> came *in* on. This is on an SRX-240
>>
>>
>>
>> Here are the details:
>>
>> "Private": 192.168.20.0/24
>>
>> "Public": 216.168.x.x/32
>>
>>
>>
>> Static route: 172.30.200.0/24 to <gateway - 192.168.20.224> to
>> 192.168.20.121
>>
>>
>>
>> 192.168.20.121 is the IP on a VPN appliance.
>>
>>
>>
>> Traffic from a client computer never gets routed to the VPN appliance.
> This
>> works on a Cisco 2800 without a problem, but I can't get it working on the
>> SRX.
>>
>>
>>
>> So, to walk this through a bit more - a computer sitting on the
> 192.168.20.0
>> subnet has a default gateway of 192.168.20.224. We want a route on the
> SRX
>> that routes any traffic coming into 192.168.20.224 that is destined to
>> 172.30.200.0/24 to be sent to 192.168.20.121. In Cisco 2800 it's just a
>> static route.
>>
>>
>>
>> Ran across this challenge in the Cisco PIX world as well..
>>
>>
>>
>> Thanks for any input..
>>
>>
>>
>> Paul
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
More information about the juniper-nsp
mailing list