[j-nsp] Static Routing - SRX

Andrew Jones aj at jonesy.com.au
Wed Nov 3 23:15:48 EDT 2010


I did this once on an SRX240, and (as someone mentioned earlier) the fact
that the SRX only sees the packets in one direction will mean that TCP
sessions establish and work for a little while, but as soon as the flow
record on the SRX expires, it will stop passing the traffic mid-stream.

I ended up terminating the second subnet (172.30.200.0/24 in your example)
on a separate interface on the SRX.

-Jonesy 


On Wed, 3 Nov 2010 16:52:48 -0400, "Paul Stewart" <paul at paulstewart.org>
wrote:
> Thanks very much....  we had no policy between private and private ;)
> 
> Appreciate everyone's replies... take care..
> 
> Paul
> 
> 
> -----Original Message-----
> From: Ben Dale [mailto:bdale at comlinx.com.au] 
> Sent: Wednesday, November 03, 2010 4:31 PM
> To: Paul Stewart
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Static Routing - SRX
> 
> Hi Paul,
> 
> Router-on-a-stick with SRX will break unless you have the following:
> 
> set security policies from-zone Private to-zone Private policy 1ARM match source-address n192.168.20.0/24
> set security policies from-zone Private to-zone Private policy 1ARM match destination-address n172.30.200.0/24
> set security policies from-zone Private to-zone Private policy 1ARM match application any
> set security policies from-zone Private to-zone Private policy 1ARM then permit
> 
> 
> Cheers,
> 
> Ben
> 
> On 04/11/2010, at 1:48 AM, Paul Stewart wrote:
> 
>> Hi there.
>> 
>> Can anyone give any suggestion/guidance on the following?
>> 
>> I'm trying to do a static route *out* the same interface that the traffic
>> came *in* on.  This is on an SRX-240
>> 
>> Here are the details:
>> 
>> "Private": 192.168.20.0/24
>> 
>> "Public": 216.168.x.x/32
>> 
>> Static route: 172.30.200.0/24 to <gateway - 192.168.20.224> to
>> 192.168.20.121
>> 
>> 192.168.20.121 is the IP on a VPN appliance.
>> 
>> Traffic from a client computer never gets routed to the VPN appliance.  This
>> works on a Cisco 2800 without a problem, but I can't get it working on the
>> SRX.
>> 
>> So, to walk this through a bit more - a computer sitting on the 192.168.20.0
>> subnet has a default gateway of 192.168.20.224.  We want a route on the SRX
>> that routes any traffic coming into 192.168.20.224 that is destined to
>> 172.30.200.0/24 to be sent to 192.168.20.121.  On a Cisco 2800 it's just a
>> static route.
>> 
>> Ran across this challenge in the Cisco PIX world as well..
>> 
>> Thanks for any input..
>> 
>> Paul
>> 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 
> 
> 

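Pulling the thread's pieces together, the following is an added example (not posted by Paul, Ben or Jonesy) of what the one-arm setup looks like in Junos set syntax, with the operational commands to check it. The zone name Private, the prefixes and the next-hop 192.168.20.121 come from Paul's description; the address-book entry names are assumed to match the ones Ben's policy references, and the zone-scoped address-book form is used because that is the form Junos releases of that time accepted. Jonesy's caveat still applies: the policy only lets the SRX build a session for the client's first packet, but the VPN appliance answers the client directly on the same subnet, so the SRX never sees the return half and ages the session out. Terminating 172.30.200.0/24 on its own SRX interface, as Jonesy did, makes both directions traverse the SRX and is the fix that does not depend on session timers.

```junos
## Added example, not from the thread. Zone "Private", the prefixes and the
## next-hop 192.168.20.121 come from Paul's description; the address-book
## names are assumed to match the ones Ben's policy references.

## Address-book entries the policy refers to (zone-scoped form)
set security zones security-zone Private address-book address n192.168.20.0/24 192.168.20.0/24
set security zones security-zone Private address-book address n172.30.200.0/24 172.30.200.0/24

## Static route sending 172.30.200.0/24 back out the Private interface
set routing-options static route 172.30.200.0/24 next-hop 192.168.20.121

## Intra-zone policy: without it there is no Private->Private policy and the
## SRX drops the hairpinned first packet
set security policies from-zone Private to-zone Private policy 1ARM match source-address n192.168.20.0/24
set security policies from-zone Private to-zone Private policy 1ARM match destination-address n172.30.200.0/24
set security policies from-zone Private to-zone Private policy 1ARM match application any
set security policies from-zone Private to-zone Private policy 1ARM then permit

## Checks (operational mode): confirm the policy is present, then watch the
## sessions. With the one-arm design only the client->appliance direction
## shows packets, and the session vanishes once it ages out.
show security policies from-zone Private to-zone Private
show security flow session destination-prefix 172.30.200.0/24
```

When reading the session output, a session whose reverse direction never counts a packet is exactly the asymmetric case Jonesy describes; once the SRX removes it, further mid-stream packets from the client arrive with no matching session and are not passed.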