Fizicist asked:
Juniper SRX240 Routing Private IP over bonded T-1's

Hi Community,

I'm a long time Sonicwall/CiscoASA guy but I now have to dive into Juniper.
My situation...

remote SRX240  <----> main SRX240 <---->  Internet

I have two SRX240s connected over a dual bonded T-1 circuit. The T-1 circuits are point-to-point, with no internet traffic from AT&T.

The edge SRX240 is a branch office (IP 192.168.200.x for testing) and all traffic (including internet traffic) is to go over the bonded T-1 (the only service available at the remote location).
The main SRX240 is on a 10.0.x.x network.

I have everything running, but I noticed that the edge SRX (test LAN 192.168.200.x) is NATing to the T-1's IP address when I ping out to the internet. I get traffic after fixing some routing issues, but the main SRX240's traffic logs indicate that I'm sending ICMP from the remote SRX240's T-1 circuit IP. I've disabled NATing on the remote SRX240, but I don't understand why I don't see traffic from 192.168.200.x instead of the T-1's IP.

Is this a function of the Juniper OS T-1 setup, or is there something I'm missing? I believe that with Ciscos you can turn routing of private IP ranges on/off. Is something similar going on here?

Any insight would be helpful.

Thanks,
Soulja replied:

If you are routing between these two sites, why wouldn't the T1 IP be the source?
That is normal behavior if you connect the remote SRX WAN to the main SRX LAN. Since outbound traffic has to pass through the T1 gateway to get to the main SRX, that will always be the source IP.
Fizicist (asker) replied:
Hi Sangamc,

If the remote SRX T-1 were set up as a traditional WAN, I could understand that. But the T-1 is configured in the trusted zone. I'm trying to get the point-to-point T-1 to behave like a long Ethernet cable between the two Junipers. I've done this with Cisco, where I use an intermediary network to route between private LANs.

On the public internet, if I ping Google DNS 8.8.8.8, the DNS server knows that it came from my home cable modem X.Y.Z.A no matter how many routers it has to go through (this is for Soulja). It doesn't think it came from the internet address of my ISP's gateway.

The packet should be passed across the point-to-point circuit unchanged. If Juniper says I can't pass an unmolested packet out a T-1 circuit, I'll award the points to Sangamc.
Sorry Fizicist,
I overlooked that you disabled NAT on the remote firewall, so yes, your source shouldn't change.
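Added illustration, not part of the thread (the accepted solution is not reproduced on this page): a Junos configuration that produces the symptom in the question, beside the one that gives the "long Ethernet cable" behaviour the asker wants and the operational checks that prove which one is in effect. Everything here is an assumption except the branch LAN (192.168.200.0/24) and the main site (10.0.x.x) from the post: the interface names (lsq-0/0/0.0 for the MLPPP bundle, ge-0/0/1.0 for the branch LAN, ge-0/0/0.0 for the main site's Internet uplink), the point-to-point addresses 172.16.1.1/30 and 172.16.1.2/30, the /16 for the main LAN, and the rule and policy names. The `trust-to-untrust` rule set with `source-nat interface` is the one shipped in the branch SRX factory-default configuration.

```junos
## ---- Branch SRX240 (remote site) --------------------------------------
## Assumed names/addresses (not from the post):
##   lsq-0/0/0.0  bonded T-1 bundle, 172.16.1.2/30; main SRX end is 172.16.1.1
##   ge-0/0/1.0   branch LAN, 192.168.200.1/24

## (1) Symptom-producing config: the factory-default rule set below rewrites
##     every trust-to-untrust flow to the egress interface address. With the
##     T-1 in zone untrust, the main SRX sees the T-1 address, not 192.168.200.x.
##     A branch box behind a private point-to-point link should not NAT at all.
delete security nat source rule-set trust-to-untrust

## (2) Treat the T-1 as an internal link: LAN and T-1 both in zone trust, plus an
##     explicit trust-to-trust policy (intra-zone traffic is still policy-checked
##     and the default-policy is deny-all).
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces lsq-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security policies from-zone trust to-zone trust policy allow-all match source-address any
set security policies from-zone trust to-zone trust policy allow-all match destination-address any
set security policies from-zone trust to-zone trust policy allow-all match application any
set security policies from-zone trust to-zone trust policy allow-all then permit

## (3) Everything, Internet included, goes across the T-1 to the main SRX,
##     with the original private source intact.
set routing-options static route 0.0.0.0/0 next-hop 172.16.1.1

## ---- Main SRX240 (head end) -------------------------------------------
## Return route for the branch subnet over the T-1 (assumed bundle address),
## and source NAT only where traffic actually leaves for the Internet.
set routing-options static route 192.168.200.0/24 next-hop 172.16.1.2
set security nat source rule-set to-internet from zone trust
set security nat source rule-set to-internet to zone untrust
set security nat source rule-set to-internet rule branch-and-hq match source-address 192.168.200.0/24
set security nat source rule-set to-internet rule branch-and-hq match source-address 10.0.0.0/16
set security nat source rule-set to-internet rule branch-and-hq then source-nat interface

## ---- Checks (operational mode, run on both boxes) ---------------------
## Ping 8.8.8.8 from a 192.168.200.x host, then:
##   show security nat source summary        # branch: no rule sets at all
##   show security nat source rule all       # main: hit counter rises on branch-and-hq
##   show security flow session source-prefix 192.168.200.0/24
##       # branch: "In" and "Out" wings both carry 192.168.200.x
##       # main:   "In" wing 192.168.200.x, "Out" wing the Internet address
##   show route 8.8.8.8                      # branch: next-hop 172.16.1.1 via lsq-0/0/0.0
```

If the branch `show security flow session` output already shows the original source on both wings but the main SRX logs still show the T-1 address, the translation is happening on the main box (look for a rule set whose `from zone` matches the zone the T-1 lands in there), not on the branch.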
ASKER CERTIFIED SOLUTION (Soulja)
Thanks Soulja.