Juniper SRX240 Routing Private IP over bonded T-1s

Hi Community,

I'm a long-time SonicWall/Cisco ASA guy, but I now have to dive into Juniper.
My situation...

remote SRX240  <----> main SRX240 <---->  Internet

I have dual SRX240s connected over a dual bonded T-1 circuit. The T-1 circuits are point-to-point, with no internet traffic from AT&T.

The edge SRX240 is a branch office (IP 192.168.200.x for testing) and all traffic (including internet traffic) is to go over the bonded T-1 (the only service available at the remote location).
The main SRX240 is on a 10.0.x.x network.

I have everything running, but I noticed that the edge SRX (test LAN 192.168.200.x) is NATing to the T-1's IP address when I ping out to the internet. I get traffic after fixing some routing issues, but the main SRX240's traffic logs indicate that I'm sending ICMP from the remote SRX240's T-1 circuit IP. I've disabled NATing on the remote SRX240, but I don't understand why I don't see traffic from 192.168.200.x vs. the T-1's IP.

Is this a function of the Juniper OS T-1 setup, or is there something I'm missing? I believe with Ciscos you can turn on/off routing of private IP ranges. Is something similar going on?

Any insight would be helpful.

Thanks,
Fizicist
Soulja53 6F 75 6C 6A 61 Commented:
If you are routing between these two sites, why wouldn't the T1 IP be the source?
Sanga Collins (Systems Admin) commented:
That is normal behavior if you connect the remote SRX WAN to the main SRX LAN. Since outbound traffic has to pass through the T1 gateway to get to the main SRX, that will always be the source IP.
Fizicist (Author) commented:
Hi Sangamc,

If the remote SRX T-1 was set up as a traditional WAN, I can understand that. But the T-1 is configured in the Trusted Zone. I'm trying to get the point-to-point T-1 to behave like a long Ethernet cable between the two Junipers. I've done this with Cisco, where I use an intermediary network to route between private LANs.

On the public internet, if I ping Google DNS 8.8.8.8, the DNS server knows that it came from my home cable modem X.Y.Z.A no matter how many routers it has to go through (this is for Soulja). It doesn't think it came from the internet address of my ISP's gateway.

The packet should be passed across the point-to-point circuit unchanged. If Juniper says I can't pass an unmolested packet out a T-1 circuit, I'll award the points to Sangamc.
Soulja53 6F 75 6C 6A 61 Commented:
Sorry Fizicist,
I overlooked that you disabled NAT on the remote firewall, so yes, your source shouldn't change.
Soulja53 6F 75 6C 6A 61 Commented:
That being said, yes, this is normal behavior for SRXs. It will show the last interface the traffic left as the source. This is one of the biggest complaints from my security guy when viewing the Juniper logging.
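A way to check on both boxes which of the two is actually happening (packets really translated on the remote SRX, or only displayed that way in the logs), added here as an example and not part of the thread; the prompts, the rule-set name `trust-to-untrust` and the T-1 address placeholder are assumptions:

```junos
## Added example (not from the thread). Interface names, the rule-set name
## trust-to-untrust and <T1-IP> are assumptions; replace them with your own.

## 1. Remote SRX240: list the source NAT rules that are still active.
##    A rule whose "Action" is "interface" and that matches the zone the
##    T-1 sits in will really rewrite 192.168.200.x to the T-1 address.
user@remote-srx> show security nat source summary
user@remote-srx> show security nat source rule all

## 2. Remote SRX240: confirm which zone the T-1 interface is in. The
##    factory-default rule on branch SRX models is trust -> untrust with
##    interface NAT; a T-1 in the trust zone should not match it.
user@remote-srx> show security zones
user@remote-srx> show interfaces terse

## 3. Remote SRX240: while a 192.168.200.x host pings 8.8.8.8, look at the
##    live session. The In and Out wings show the pre- and post-NAT
##    addresses the box actually uses, independent of what syslog prints.
user@remote-srx> show security flow session source-prefix 192.168.200.0/24

## 4. Main SRX240: same query. Sessions arriving from 192.168.200.x mean
##    no translation happened on the T-1 and only the log display differs;
##    sessions arriving from the T-1 address mean a rule on the remote
##    box still applies.
user@main-srx> show security flow session source-prefix 192.168.200.0/24
user@main-srx> show security flow session source-prefix <T1-IP>/32

## 5. Remote SRX240, only if step 1 shows a rule still matching: take the
##    whole rule-set out of the active configuration and verify before
##    committing.
user@remote-srx> configure
user@remote-srx# deactivate security nat source rule-set trust-to-untrust
user@remote-srx# commit check
user@remote-srx# commit
```

Running step 3 and step 4 at the same moment gives a direct comparison of the same session on both sides of the circuit.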
Fizicist (Author) commented:
Thanks Soulja.