[j-nsp] Static Routing - SRX

Ben Dale bdale at comlinx.com.au
Wed Nov 3 16:31:26 EDT 2010


Hi Paul,

Router-on-a-stick with SRX will break unless you have the following:

set security policies from-zone Private to-zone Private policy 1ARM match source-address n192.168.20.0/24
set security policies from-zone Private to-zone Private policy 1ARM match destination-address n172.30.200.0/24
set security policies from-zone Private to-zone Private policy 1ARM match application any
set security policies from-zone Private to-zone Private policy 1ARM then permit


Cheers,

Ben

On 04/11/2010, at 1:48 AM, Paul Stewart wrote:

> Hi there.
> 
> Can anyone give any suggestion/guidance on the following.
> 
> I'm trying to do a static route *out* the same interface that the traffic
> came *in* on.  This is on an SRX-240
> 
> Here are the details:
> 
> "Private": 192.168.20.0/24
> 
> "Public": 216.168.x.x/32
> 
> Static route: 172.30.200.0/24 to <gateway - 192.168.20.224> to
> 192.168.20.121
> 
> 192.168.20.121 is the IP on a VPN appliance.
> 
> Traffic from a client computer never gets routed to the VPN appliance.  This
> works on a Cisco 2800 without a problem, but I can't get it working on the
> SRX.
> 
> So, to walk this through a bit more - a computer sitting on the 192.168.20.0
> subnet has a default gateway of 192.168.20.224.  We want a route on the SRX
> that routes any traffic coming into 192.168.20.224 that is destined to
> 172.30.200.0/24 to be sent to 192.168.20.121.  In Cisco 2800 it's just a
> static route.
> 
> Ran across this challenge in the Cisco PIX world as well..
> 
> Thanks for any input..
> 
> Paul
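
An added example, not part of the original thread: a small Python check that scans a Junos set-format configuration for a same-zone permit policy of the kind described in the reply above. The function names, the sample configuration and the `OUT` policy are constructed for illustration; addresses are compared by address-book name only, and only `application any` is recognised.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format, using the zone, policy and
# address-book names from the thread (the OUT policy is made up).
SAMPLE = """\
set security policies from-zone Private to-zone Public policy OUT match source-address any
set security policies from-zone Private to-zone Public policy OUT match destination-address any
set security policies from-zone Private to-zone Public policy OUT match application any
set security policies from-zone Private to-zone Public policy OUT then permit
set security policies from-zone Private to-zone Private policy 1ARM match source-address n192.168.20.0/24
set security policies from-zone Private to-zone Private policy 1ARM match destination-address n172.30.200.0/24
set security policies from-zone Private to-zone Private policy 1ARM match application any
set security policies from-zone Private to-zone Private policy 1ARM then permit
"""

LINE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))")

def parse_policies(config):
    """Return {(from_zone, to_zone): {policy_name: {field: set(values)}}}."""
    policies = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a security-policy statement
        src_zone, dst_zone, name, field, value, action = m.groups()
        entry = policies[(src_zone, dst_zone)][name]
        if field:
            entry[field].add(value)
        else:
            entry["then"].add(action)
    return policies

def intrazone_permit(config, zone, src_name, dst_name):
    """Name of the first zone-to-same-zone policy permitting src -> dst, else None."""
    for name, p in parse_policies(config).get((zone, zone), {}).items():
        # Assumption: address-book names are opaque strings; no prefix maths.
        if ("permit" in p["then"]
                and p["source-address"] & {src_name, "any"}
                and p["destination-address"] & {dst_name, "any"}
                and "any" in p["application"]):
            return name
    return None
```

Calling `intrazone_permit(config, "Private", "n192.168.20.0/24", "n172.30.200.0/24")` on an exported configuration returns `None` when no Private-to-Private permit policy covers the hairpinned flow.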



