Juniper SRX240 Routing Private IP over bonded T-1s

Hi Community,

I'm a long time Sonicwall/CiscoASA guy but I now have to dive into Juniper.
My situation...

remote SRX240  <----> main SRX240 <---->  Internet

I have dual SRX240s connected over a dual bonded T-1 circuit.  The T-1 circuits are point-to-point with no internet traffic from AT&T.

The edge SRX240 is a branch office (IP 192.168.200.x for testing) and all traffic (including internet traffic) is to go over the bonded T-1 (only service available at the remote location).
The main SRX240 is on a 10.0.x.x network

I have everything running, but I noticed that the edge SRX (test LAN 192.168.200.x) is NATing to the T-1's IP address when I ping out to the internet.  I get traffic after fixing some routing issues, but the main SRX240's traffic logs indicate that I'm sending ICMP from the remote SRX240's T-1 circuit IP.  I've disabled NATing on the remote SRX240, but I don't understand why I don't see traffic from 192.168.200.x vs. the T-1's IP.

Is this a function of the Juniper OS T-1 setup, or is there something I'm missing?  I believe with Cisco you can turn on/off routing of private IP ranges.  Is something similar going on?

Any insight would be helpful.

Soulja Commented:
That being said, yes, this is normal behavior for SRXs. It will show the last interface the traffic left as the source. This is one of the biggest complaints from my security guy when they view the Juniper logging.
If you are routing between these two sites, why wouldn't the T1 IP be the source?
Sanga Collins (Systems Admin) Commented:
That is normal behavior if you connect the remote SRX WAN to the main SRX LAN. Since outbound traffic has to pass through the T1 gateway to get to the main SRX, that will always be the source IP.
FizicistAuthor Commented:
Hi Sangamc,

If the remote SRX T-1 was set up as a traditional WAN, I can understand that.  But the T-1 is configured in the Trusted Zone.  I'm trying to get the point-to-point T-1 to behave like a long Ethernet cable between the two Junipers.  I've done this with Cisco, where I use an intermediary network to route between private LANs.

On the public internet, if I ping Google DNS, the DNS server knows that it came from my home cable modem X.Y.Z.A no matter how many routers it has to go through (this is for Soulja).  It doesn't think it came from the internet address of my ISP's gateway.

The packet should be passed across the Point-to-Point circuit unchanged.  If Juniper says I can't pass an unmolested packet out a T-1 circuit, I'll award the points to Sangamc.

Sorry Fizicist,
I overlooked that you disabled NAT on the remote firewall, so yes, your source shouldn't change.
FizicistAuthor Commented:
Thanks Soulja.
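For readers who land here with the same symptom, the following Junos configuration is an added example, not something posted in this thread or taken from either SRX. It shows the factory branch-SRX source NAT rule that rewrites 192.168.200.x to the T-1 address, the two ways to stop that rewrite, the return route the main SRX needs, and the operational commands that confirm the original source address is surviving the hop. Zone names, the /30 addresses on the T-1 bundle (172.16.1.1 remote, 172.16.1.2 main) and the 10.0.0.0/8 summary for the main site are assumptions.

```junos
## --- Remote (branch) SRX240 ---

## The default branch-SRX configuration ships with this rule-set. The
## "source-nat interface" action is what makes every flow leaving the
## untrust zone appear to come from the egress interface's own address.
## (Assumed zone names "trust" and "untrust".)
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

## Option A: the T-1 carries only traffic to the main site, which does the
## internet NAT itself, so the branch needs no source NAT at all.
delete security nat source rule-set trust-to-untrust

## Option B: keep interface NAT for other egress paths but exempt branch
## LAN -> main site. "source-nat off" must be evaluated before the
## catch-all, so the rule is inserted ahead of it.
set security nat source rule-set trust-to-untrust rule no-nat-to-main match source-address 192.168.200.0/24
set security nat source rule-set trust-to-untrust rule no-nat-to-main match destination-address 10.0.0.0/8
set security nat source rule-set trust-to-untrust rule no-nat-to-main then source-nat off
insert security nat source rule-set trust-to-untrust rule no-nat-to-main before rule source-nat-rule

## All traffic, internet included, goes across the T-1 to the main SRX
## (assumed main-side bundle address 172.16.1.2).
set routing-options static route 0.0.0.0/0 next-hop 172.16.1.2

## --- Main SRX240 ---

## Without a return route the main SRX only knows how to reach the T-1 /30,
## which is exactly when a NAT on the branch side "fixes" things by accident.
## (Assumed remote-side bundle address 172.16.1.1.)
set routing-options static route 192.168.200.0/24 next-hop 172.16.1.1

## --- Verification (operational mode) ---

## Per-rule translation hit counters; after the change, branch LAN to
## main-site flows must not increment the interface-NAT rule.
show security nat source rule all

## Active sessions keyed on the untranslated source: entries here mean the
## branch LAN address crossed the T-1 intact.
show security flow session source-prefix 192.168.200.0/24

## On the main SRX, confirm the return path points back over the T-1.
show route 192.168.200.0/24
```

Option B is only worth the extra rule if the branch SRX has some other egress that still needs interface NAT; with a single T-1 to the main site, Option A is simpler and leaves nothing for a future policy change to re-enable by accident.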