[j-nsp] SRX asymmetric routing on WAN side

Ivan Ivanov ivanov.ivan at gmail.com
Fri Nov 13 11:24:15 EST 2015


Hi Rolf,

The traffic in your case will be accepted by default regardless of the
interface. You don't need to do anything to permit it.

You have to permit explicitly only if the traffic is transmitted between
two interfaces, even if they are in the same zone.

I cannot find a link for a proof, though.

HTH,
Ivan,

On Wed, Nov 11, 2015 at 4:07 PM, "Rolf Hanßen" <nsp at rhanssen.de> wrote:

> Hi,
>
> I have a quite simple setup, SRX with a WAN connection and some LAN stuff.
> WAN is single-homed.
> I now want to add a second uplink interface and put it into the existing
> WAN/untrust zone.
> So the traffic may flow async (interface point of view) but sync (zone
> point of view).
> Will this require any other changes or break functions?
> I especially think of the connection tracking because I see that flows
> contain interface information (looking at "show security flow session") as
> well as zones.
>
> I found dozens of sites related to similar topics telling to set
> no-syn-check / no-sequence-check but always with some special setups (like
> 2 WAN zones). So I am unsure if this is related to my setup at all.
> If this is related to a minimum software version please let me know.
>
> kind regards
> Rolf



-- 
Best Regards!

Ivan Ivanov

