
[SRX] Configuring SRX to Connect To Sky Enterprise via Custom Routing Instance


Article ID: KB35376 KB Last Updated: 17 Jan 2021Version: 3.0
Summary:

This article provides the configuration needed for adding an SRX device to Sky Enterprise, when the SRX communicates via a custom routing-instance.


Symptoms:

Example Topology

[LAN]---------------------------ge-0/0/1 [SRX] ge-0/0/0--------------------------------ISP
           192.168.1.0/24                                                    10.1.1.1/24

SRX Configuration

  • DNS is configured as follows:

set system name-server 8.8.8.8

  • The configuration that Sky Enterprise provides when a device is added is shown below:

set system services ssh protocol-version v2
set system login user skyenterprise class super-user authentication encrypted-password $ABC123
set system services outbound-ssh client skyenterprise-ncd01 device-id srx320-r003-junipernetworks secret <secret>
set system services outbound-ssh client skyenterprise-ncd01 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd01 skyent01.juniper.net port 4087 timeout 60 retry 1000
set system services outbound-ssh client skyenterprise-ncd02 device-id srx320-r003-junipernetworks secret <secret>
set system services outbound-ssh client skyenterprise-ncd02 services netconf keep-alive retry 3 timeout 5
set system services outbound-ssh client skyenterprise-ncd02 skyent02.juniper.net port 4087 timeout 60 retry 1000
  • The routing-instance configuration is as follows:

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-instances custom-vr instance-type virtual-router
set routing-instances custom-vr interface ge-0/0/0.0

In the configuration above, the SRX reaches the Internet only through the custom routing instance (custom-vr), which holds the Internet-facing interface ge-0/0/0.0.

However, when the SRX firewall attempts to connect to Sky Enterprise, the Routing Engine generates the request from the default routing instance. Because there is no Internet connectivity via the default routing instance, the connection to Sky Enterprise fails.

Cause:

When the device attempts to communicate with Sky Enterprise, it sends the connection from the default routing table (inet.0). This is expected behavior.

Solution:

If the default routing instance has no interface, or has no Internet connectivity via inet.0, you can use the following workaround: create a loopback interface to source the packets, and route them from inet.0 into the custom routing instance.

A sample configuration is as follows:

  • Configuring the interface

set interfaces lo0 unit 0 family inet address 192.168.10.1/24

Note: Make sure you do not use a martian address for the lo0 address (for example, 127.0.0.1/32). For more information on martian addresses, refer to Understanding Martian Addresses.

  • Assigning security zones

set security zones security-zone trust interfaces lo0.0

  • Adding a route in inet.0 to use custom-vr.inet.0

set routing-options static route 0.0.0.0/0 next-table custom-vr.inet.0

  • Policy statements to import routes from the default routing instance to a custom routing instance

set policy-options policy-statement master-to-custom term 1 from instance master
set policy-options policy-statement master-to-custom term 1 then accept
set routing-instances custom-vr routing-options instance-import master-to-custom

  • NAT configuration

When a request (for example, a license update request) is generated by the Routing Engine (RE), it uses the loopback IP address as its source. A source NAT is therefore required to translate this address to one that is routable over the Internet.

set security nat source rule-set interfacebasednat from zone junos-host
set security nat source rule-set interfacebasednat to routing-instance custom-vr
set security nat source rule-set interfacebasednat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set interfacebasednat rule 1 then source-nat interface

With the above change, you will see the following route in inet.0:

root> show route 0.0.0.0

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 19:23:31
                       to table custom-vr.inet.0

custom-vr.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 5d 19:23:31
                    >  to 10.1.1.1 via ge-0/0/0.0
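The note above warns against using a martian address on lo0. The following check is an added example, not part of the Juniper KB article: it tests a candidate lo0 address against the Junos default IPv4 martian list before building the configuration line. The prefix list is taken from the Junos defaults as documented for the inet family (an assumption to confirm on your device with "show route martians"); the function names are my own.

```python
# Added example (not from the Juniper KB article): refuse a martian address
# for the lo0 interface that sources the Sky Enterprise connection.
import ipaddress

# Junos default IPv4 martian prefixes for the inet family, all "orlonger"
# (assumption: confirm with 'show route martians' on the SRX).
JUNOS_DEFAULT_MARTIANS = [
    ipaddress.ip_network(p) for p in (
        "0.0.0.0/8", "127.0.0.0/8", "128.0.0.0/16", "191.255.0.0/16",
        "192.0.0.0/24", "223.255.255.0/24", "240.0.0.0/4",
    )
]


def is_martian(address, martians=JUNOS_DEFAULT_MARTIANS):
    """Return True if the host part of 'a.b.c.d/len' lies inside a martian prefix.

    Junos martian entries are 'orlonger', so any address covered by one of the
    prefixes counts, regardless of the mask length configured on lo0.
    """
    iface = ipaddress.ip_interface(address)
    return any(iface.ip in m for m in martians)


def lo0_config_line(address):
    """Build the 'set interfaces lo0 ...' line from the article, rejecting martians."""
    if is_martian(address):
        raise ValueError(f"{address} is a martian address; choose a routable lo0 address")
    return f"set interfaces lo0 unit 0 family inet address {address}"


if __name__ == "__main__":
    # The article's own lo0 address passes; the address it warns against does not.
    print(lo0_config_line("192.168.10.1/24"))
    print("127.0.0.1/32 martian:", is_martian("127.0.0.1/32"))
```

Traffic sourced from a martian lo0 address is dropped by the route lookup before it ever reaches the custom-vr next-table route, so the Sky Enterprise session silently never establishes; catching the address at configuration time is cheaper than debugging that later.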

Confirming Connectivity with Sky Enterprise

  • You can verify connectivity by looking at the Sky Enterprise device list. If the connection succeeded, the device is shown as "Online".

  • You can verify the connection from the device by issuing the command "show system connections | match 4087":

root@s10-23> show system connections | match 4087  
tcp4       0      0  192.168.1.1.56945                             xx.xx.xx.21.4087                            ESTABLISHED
tcp4       0      0  192.168.1.1.62095                             xx.xx.xx.108.4087                           ESTABLISHED

root@s10-23> 
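A parser for that output, as an added example that is not part of the KB article: it picks out the TCP rows whose remote port is 4087 (the port used by both outbound-ssh clients in the article) and reports any collector session that is not ESTABLISHED, or a missing second session. The sample text is constructed to resemble the article's output, with the xx.xx.xx.* addresses kept as placeholders; the function names are my own.

```python
# Added example (not from the Juniper KB article): check the output of
# 'show system connections | match 4087' for healthy Sky Enterprise sessions.
import re

SKY_PORT = 4087  # port configured on both outbound-ssh clients in the article

# Constructed sample modelled on the article's output; the second collector
# is deliberately shown mid-handshake to exercise the failure path.
SAMPLE_OUTPUT = """\
tcp4       0      0  192.168.1.1.56945                             xx.xx.xx.21.4087                            ESTABLISHED
tcp4       0      0  192.168.1.1.62095                             xx.xx.xx.108.4087                           SYN_SENT
"""

# proto, recv-q, send-q, local, remote, state
_ROW = re.compile(r"^(tcp[46])\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr_port(token):
    """Junos prints sockets as 'a.b.c.d.port'; the last dotted field is the port."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_connections(text, port=SKY_PORT):
    """Return one dict per TCP row whose remote port matches 'port'."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # prompts, headers, blank lines
        proto, local, remote, state = m.groups()
        lhost, lport = split_addr_port(local)
        rhost, rport = split_addr_port(remote)
        if rport != port:
            continue
        rows.append({"proto": proto, "local": lhost, "local_port": lport,
                     "remote": rhost, "state": state})
    return rows


def session_problems(text, expected_collectors=2):
    """List problems: collector sessions not ESTABLISHED, or fewer than expected."""
    rows = parse_connections(text)
    problems = [f"{r['remote']}:{SKY_PORT} is {r['state']}"
                for r in rows if r["state"] != "ESTABLISHED"]
    if len(rows) < expected_collectors:
        problems.append(f"only {len(rows)} of {expected_collectors} collector sessions present")
    return problems


if __name__ == "__main__":
    for problem in session_problems(SAMPLE_OUTPUT) or ["all collector sessions ESTABLISHED"]:
        print(problem)
```

The article configures two collectors (skyenterprise-ncd01 and ncd02), so the default expectation is two ESTABLISHED rows; a single row usually means one of the outbound-ssh clients is still retrying and is worth a look before the device is declared healthy.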

Modification History:
2021-01-16: Added note to not use a martian route for lo0.0. 
2020-02-23: Changed passwords.
2020-01-12: Added note regarding not using martian routes for lo0 interface.