Solved

Juniper SRX NOOBIE

Posted on 2011-09-29
12
1,124 Views
Last Modified: 2012-06-27

I am complete noob to JunOS and SRX so I am trying to use the J-Web interface to configure a new SRX240.  Of course I cannot figure out how to do the most basic thing.  I need to configure the outside "untrust" interface to have the IP of 1.2.3.4/30 with the gateway of 1.2.3.5.  But I cannot see where to add the gateway for the external facing interface (ge 0/0/0.0).  Thus I cannot get connectivity to the internet.  Perhaps I need to add services or protocols to the untrust zone; I have not made any changes to this zone since the intial config wizard set this up.  Any help would be great
0
Comment
Question by:bruce8024
  • 6
  • 6
12 Comments
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 36890949


under routing options,

CLI:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.2.3.4;
       
JWEB:
http://www.juniper.net/techpubs/en_US/junos11.3/topics/task/configuration/routing-policy-ex-series-j-web.html

harbor235 ;}

0
 

Author Comment

by:bruce8024
ID: 36893180
Do I need to add the external gateway for 1.2.3.4?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893188

substitute your gateway for 1.2.3.4, it was just an example.

harbor235 ;}
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:bruce8024
ID: 36893206
Ok just to be clear 1.2.3.4/32 is the IP the ISP has provisioned me, 1.2.3.5 is the gateway the ISP has given me for that IP.  Should the route be for 1.2.3.4 or 1.2.3.5?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893207

You know i did not even see you used that address, so you would add 1.2.4.5 as your gateway.

it must have been in my head but did not realize it, DOH?  but that range is not your real range anyway, it was an example as well, correct?

harbor235 ;}
0
 

Author Comment

by:bruce8024
ID: 36893344
Yes these were example IPs.  For some reason I didn't want to use my actual IPs ... :)
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893362


I have configured several SRXs, let me know how it goes.

harbor235 ;}
0
 

Author Comment

by:bruce8024
ID: 36921026
Harbor You still there?

I am trying to setup just a basic NAT and policy.  I want to nat port 3389 from 65.x.x.115 to 192.x.x.5.  I am using J-web again, I setup up the NAT, I added to the 65.x.x.115 to the untrust interface (ge/0/0/0), and I added a firewall policy that goes from untrust/any to untrust/65.x.x.115 and it allows 3389.  Am I missing something cause it won't work...
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36924276


I do not use J-WEB so it is hard to say, can you post teh resulting NAT config J-WEB generated?

Here is an example of command line destination NAT:

security {
    nat {
        static {
            rule-set SERVERS {
                from zone untrust;
                rule server1 {
                    match {
                        destination-address 1.2.3.4/32;
                    }
                    then {
                        static-nat prefix 172.22.210.50/32;
                    }
                }
                rule server2 {
                    match {
                        destination-address 1.2.3.5/32;
                    }
                    then {
                        static-nat prefix 172.22.210.51/32;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/0.0 {
                address {
                    1.2.3.4/32;
                    1.2.3.5/32;
                }
            }
        }
    }
0
 

Author Comment

by:bruce8024
ID: 36925430
yes this helps because I was trying to use destination nats, ill try using static nats... thanks again
0
 

Author Comment

by:bruce8024
ID: 36925440
although where do you designate which ports are allowed on that specific nat?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36926566


my eample is a one to one NAT, you can allow whatever ports through with your security policy,
remember this is not PAT

harbor235 ;}
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
There's a better way to communicate time sensitive or critical info.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now