
Juniper SRX inter security zone routing

YorkData asked
Last Modified: 2015-03-23
We are configuring an SRX firewall to terminate multiple offices with separate VLANs and security zones for each office.

We have the config correct for each office having its own VLAN and /24 subnet; however, we are unable to allow one office to talk to another. As below, I can ping the gateway within another VLAN, but I am unable to contact a device within the network after the Juniper. See below and the attached config.

I thought that configuring multiple security policies permitting the traffic would do the trick.

Thanks.
j-srx-config.txt

CERTIFIED EXPERT
Commented:
Looking briefly at your config, all your policies are from inside to out and none from untrust to inside. This will allow inside-to-out established traffic to return; however, outside-to-in requires a separate security policy to allow that type of flow. Additionally, you have source NAT configured, so you will need to accommodate the new flows arriving at the untrusted interface and then ensure they map to the correct internal resource.

So, static NAT and an untrust to <internal_net> policy and traffic definitions will help.


harbor235 ;}

Author

Commented:
I need the traffic from one of the internal zones to talk to another internal zone which I've configured. I'm not looking to allow untrust traffic into each zone at the moment.

I will be setting up the inbound NAT to the correct public IPs, but I've not quite got that far yet. That shouldn't have an effect on routing between the internal zones?

Sorry, I'm not quite sure what you're suggesting for this exact issue. I have two policies below which allow any, permit. Should they not allow conversations between the two zones?

from-zone haxby to-zone servatech
from-zone servatech to-zone haxby

Thanks

Author

Commented:
But I see what you are saying about the static NAT. I need to static NAT the appropriate IP to the right internal zone using the pool as the subnet.

Thanks
CERTIFIED EXPERT

Commented:
I see, so you want flows between

from-zone haxby to-zone servatech
from-zone servatech to-zone haxby

Everything looks OK; what can't you do? I assume any host-based firewall and routing is configured properly? Default route set?

ping
traceroute - both directions?

should work,

harbor235 ;}
CERTIFIED EXPERT

Commented:
ge-0/0/3 {
    description Haxby_LAN;
    unit 0 {
        description Haxby_LAN;
        family ethernet-switching {
            vlan {
                members vlan-haxby;
            }
        }
    }
}

Change unit 0 to unit 127 for VLAN 127 as defined, and servatech to unit 128. Unit 0 does not allow the proper VLAN to forward the correct traffic to the correct interface, hence you cannot route outside your net.


harbor235 ;}

Author

Commented:
I've done this before, but it doesn't allow me to change the unit to anything other than 0. See below. I can ping the gateway in the other zone, so I'm wondering if it's something further downstream, i.e. a switch playing up, but I can ping from the Juniper into a device in each zone, so it doesn't seem like it could be that.

  'unit 128'
    Only unit 0 is valid for this encapsulation
error: configuration check-out failed

Thanks.
CERTIFIED EXPERT

Commented:
My fault, I meant add.

Hmm, I would have used layer 3 ports instead of the SVIs, but...
So the problem is that frames tagged as VLAN 127 are being dropped as they traverse the port.
See if you can remove unit 0?

ge-0/0/3 {
    description Haxby_LAN;
    unit 0 {
    }
    unit 127 {
        description Haxby_LAN;
        family ethernet-switching {
            vlan {
                members vlan-haxby;
            }
        }
    }
}

harbor235 ;}

Author

Commented:
Is there a guide for L3 ports?

I don't think the frames are being dropped, as devices within each network can access the untrust zone fine. I could try changing the port mode to trunk, and the Cisco switch port it plugs into to a trunk, to rule that out.

Still not working; it only allows unit 0 in the interfaces.

  'unit 128'
    Only unit 0 is valid for this encapsulation

Thanks.
CERTIFIED EXPERT

Commented:
Back up your config.

Try this:

1) edit interfaces ge-0/0/3 unit 0

2) delete description
   delete family ethernet-switching
   delete vlan

3) up

4) delete unit 0

5) edit unit 127
   description Haxby_LAN;
   family ethernet-switching {
       vlan {
           members vlan-haxby;
       }
   }

Does that work? Use commit confirmed for auto rollback.

harbor235 ;}

Author

Commented:
Same error, unfortunately. I think it's because I'm using RVIs instead?
CERTIFIED EXPERT

Commented:
Once you issue "delete family ethernet-switching", the remaining sub-config is removed; then go up and remove the unit. It works.


harbor235 ;}
CERTIFIED EXPERT

Commented:
You may need to remove the RVI first, then add it back after the ge-0/0/3 port is configured.


harbor235 ;}
CERTIFIED EXPERT

Commented:
VLAN ID and logical interface number must match.

Configure the RVI:

1) Create a Layer 2 VLAN by assigning it a name and a VLAN ID:
   user@switch# set vlans vlan-name vlan-id vlan-id

2) Assign an interface to the VLAN by naming the VLAN as a trunk member on the logical interface, thereby making the interface part of the VLAN's broadcast domain:
   user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching vlan members vlan-name

3) Create a logical Layer 3 RVI (its name will be vlan.logical-interface-number, where the value for logical-interface-number is the value you supplied for vlan-id in Step 1; in the following command, it is the logical-unit-number) on a subnet for the VLAN's broadcast domain:
   user@switch# set interfaces vlan unit logical-unit-number family inet address inet-address

4) Link the Layer 2 VLAN to the logical Layer 3 interface:
   user@switch# set vlans vlan-name l3-interface vlan.logical-interface-number

http://www.juniper.net/documentation/en_US/junos13.2/topics/task/configuration/bridging-routed-vlan-interfaces-ex-series-cli.html
CERTIFIED EXPERT

Commented:
Do you have it working?


harbor235 ;}

Author

Commented:
We do. We did some more troubleshooting from here and the config is right. We noticed in the flows that the session was sending packets but not receiving them back. We queried and queried the external company that looks after the servers in the destination zone, and they had a different gateway configured. Once they added a static route to the Juniper it started working. Thanks for your help.
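The check that resolved this thread, looking in the SRX flow table for sessions that carry packets one way but never see a reply, can be scripted so it does not depend on reading session output by eye. The script below is an added example; it is not from the thread, from Experts Exchange, or from Juniper. It parses the text layout of `show security flow session` as captured from the CLI, pairs each session's In and Out wings, and flags sessions whose Out wing has zero packets, which is the signature of a return-path problem such as the wrong default gateway on the destination host rather than a policy drop (a policy that had denied the flow would not have created a session at all). The embedded sample output is constructed: its addresses, VLAN interfaces, policy names and counters are made up and are not taken from the attached config, and the optional `Conn Tag` field is handled as an assumption about newer Junos output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the text layout of `show security flow session`
# on a branch SRX. Addresses, interfaces, policy names and counters are made up
# and are not taken from the thread's attached configuration.
SAMPLE_OUTPUT = """\
Session ID: 1001, Policy name: haxby-to-servatech/5, Timeout: 2, Valid
  In: 10.127.0.10/1 --> 10.128.0.20/1;icmp, If: vlan.127, Pkts: 4, Bytes: 336
  Out: 10.128.0.20/1 --> 10.127.0.10/1;icmp, If: vlan.128, Pkts: 0, Bytes: 0

Session ID: 1002, Policy name: haxby-to-servatech/5, Timeout: 1794, Valid
  In: 10.127.0.10/51234 --> 10.128.0.1/22;tcp, If: vlan.127, Pkts: 12, Bytes: 1420
  Out: 10.128.0.1/22 --> 10.127.0.10/51234;tcp, If: vlan.128, Pkts: 10, Bytes: 1980

Session ID: 1003, Policy name: trust-to-untrust/3, Timeout: 1800, Valid
  In: 10.127.0.11/40000 --> 203.0.113.5/443;tcp, Conn Tag: 0x0, If: vlan.127, Pkts: 7, Bytes: 900
  Out: 203.0.113.5/443 --> 198.51.100.2/40000;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 3200
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
# One "wing" (direction) of a session. The "Conn Tag" field is assumed to be
# present only on newer Junos releases, so it is optional here.
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+),"
    r"(?: Conn Tag: \S+?,)? If: (\S+?), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    interface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    wing_in: Optional[Wing] = None
    wing_out: Optional[Wing] = None


def parse_sessions(text: str) -> List[Session]:
    """Parse `show security flow session` text into Session objects."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = WING_RE.match(line)
        if m and sessions:
            wing = Wing(m.group(2), int(m.group(3)), m.group(4), int(m.group(5)),
                        m.group(6), m.group(7), int(m.group(8)), int(m.group(9)))
            if m.group(1) == "In":
                sessions[-1].wing_in = wing
            else:
                sessions[-1].wing_out = wing
    return sessions


def one_way_sessions(sessions: List[Session], min_in_pkts: int = 1) -> List[Session]:
    """Sessions the SRX forwarded (In pkts >= min_in_pkts) but never saw a reply on.

    A security policy has already permitted these flows, so a zero Out counter
    points past the firewall: the destination host is replying via another
    gateway, or not at all.
    """
    return [
        s for s in sessions
        if s.wing_in and s.wing_out
        and s.wing_in.pkts >= min_in_pkts and s.wing_out.pkts == 0
    ]


def describe(s: Session) -> str:
    """One-line diagnosis for a one-way session."""
    i, o = s.wing_in, s.wing_out
    return (f"session {s.session_id} ({s.policy}): {i.src} -> {i.dst} {i.proto} "
            f"in via {i.interface}, {i.pkts} pkts, no reply seen on {o.interface}; "
            f"check the default gateway / return route on {i.dst}")


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(describe(s))
```

On a live box, feed the script the saved output of `show security flow session` (optionally narrowed with `source-prefix`/`destination-prefix`) instead of the sample; a session that shows up in the report while the policy log shows a permit is exactly the "packets sent but nothing back" pattern described in this post, and the place to look next is the return route on the host behind the other zone.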

Author

Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for YorkData's comment #a40677656
Assisted answer: 500 points for harbor235's comment #a40673362

for the following reason:

Resolved the issue ourselves. Not a configuration issue on the Juniper.
CERTIFIED EXPERT

Commented:
I am glad it's working out, but my second post did ask about checking basic network configuration in the beginning.
Also, based on the config I reviewed, it would not work until some of the changes I presented were implemented, such as vlan-id and unit number matching.

Please review your decision to close without assigning points.


harbor235 ;}

Author

Commented:
Sorry, I did assign points to you. Will re-submit now.