Hello,
I have 2 SRX5800 chassis in an HA cluster, active/passive. I am new to Juniper equipment (I have NEVER WORKED WITH ANY TYPE OF FIREWALL) and I have to get a solution together within a week. I have been reading and looking at examples online, but I need some expert assistance to know 1) whether automatic failover can be done, 2) how to define interfaces in a zone or zones, and 3) how to NAT some internal subnets to another subnet that is actually provided by an ISP.
First is automatic failover if one of my reth interfaces (to the primary firewall) fails.
All my interfaces show up when I execute the "show chassis cluster interfaces" command, which gives the following output.
root@test> show chassis cluster interfaces
Control link status: Up

Control Interfaces:
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0    et-7/0/0           Up   / Up
    fab0    et-8/0/0           Up   / Up
    fab1    et-19/0/0          Up   / Up
    fab1    et-20/0/0          Up   / Up

Redundant-ethernet Information:
    Name    Status    Redundancy-group
    reth0   Up        1
    reth1   Up        1
    reth2   Up        1

Redundant-pseudo-interface Information:
    Name    Status    Redundancy-group
    lo0     Up        0

Interface Monitoring:
    Interface    Weight    Status    Redundancy-group
    et-8/0/1     255       Up        1
    et-20/2/0    255       Up        1
    et-8/2/0     255       Up        1
    et-19/0/1    255       Up        1
    et-7/0/1     255       Up        1
    et-20/0/1    255       Up        1
    et-19/2/0    255       Up        1
    et-7/2/0     255       Up        1

{primary:node0}
root@test>
So what I tried was deactivating one of the primary interfaces in reth0, but no failover occurred. Is there anything I need to do with my configuration?
Second, defining interfaces in zones correctly.
As you can see, I have 3 reths. reth0 (et-20/0/1, et-7/0/1, et-8/0/1 and et-19/0/1) goes to my QFabric (many switches configured to be one giant switch), which is my internal network. So this reth0 will be in my TRUST zone.
reth1 (et-7/2/0 and et-19/2/0) and reth2 (et-8/2/0 and et-20/2/0) will connect to 2 separate UNTRUST zones. What is happening is that we are home-running a pair of clustered ASAs to one VLAN (UNTRUST 1) on the QFabric and the other pair to another VLAN (UNTRUST 2) on the QFabric. reth1 will connect to one VLAN (UNTRUST 1) and reth2 will connect to the other VLAN (UNTRUST 2). So what we want to do is have our SRX cluster provide all policies for packets traversing in/out. So can you have 2 UNTRUST zones, and for each zone defined on the SRX does it have to be layer 2 or layer 3?
Third, NAT.
The reth0 interface, as you know, connects to my internal network (QFabric) and is in the TRUST zone. There are about six networks, layer 2, on my QFabric that need to be NATted to an address/subnet that the ISP has provided. This subnet we are NATting to is off one of the ASA clusters. What I did was enable VLAN tagging on reth0 and define those subnets as layer 3 addresses. For the NAT, I need only specific addresses in each of the 6 subnets NATted, and once translated, traffic is forwarded to the VLAN/subnet that is on one of the ASA clusters?
I can attach configuration if need be. Please let me know.
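As an added illustration (not the poster's configuration and not a reply from the thread), the Junos set-style fragment below sketches how the three questions fit together on an SRX cluster: interface monitoring on redundancy-group 1 so that a monitored child link going down moves the reths to the other node; layer-3 reth units placed into a trust zone and two separate untrust zones; and source NAT for selected trust hosts into an ISP-provided pool when traffic leaves via one untrust zone. Everything not in the post is an assumption and is marked as such: node0 is assumed to own FPCs 7 and 8 and node1 FPCs 19 and 20; the VLAN IDs, the 10.1.0.0/16 inside addresses, the 203.0.113.0/24 ISP addresses, the next-hop router and all object names are placeholders, and only one of the six internal VLANs is shown.

```junos
## Assumed example configuration (not from the original post).
## RG1 carries the reths. Weight 255 on every monitored link equals the
## default RG threshold of 255, so any single monitored link going
## physically down triggers a failover of RG1 to the other node.
set chassis cluster reth-count 3
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor et-7/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor et-8/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor et-19/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor et-20/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor et-7/2/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor et-19/2/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor et-8/2/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor et-20/2/0 weight 255

## Child links bound to their reth (assumed: node0 = FPC 7/8, node1 = FPC 19/20).
set interfaces et-7/0/1 gigether-options redundant-parent reth0
set interfaces et-8/0/1 gigether-options redundant-parent reth0
set interfaces et-19/0/1 gigether-options redundant-parent reth0
set interfaces et-20/0/1 gigether-options redundant-parent reth0
set interfaces et-7/2/0 gigether-options redundant-parent reth1
set interfaces et-19/2/0 gigether-options redundant-parent reth1
set interfaces et-8/2/0 gigether-options redundant-parent reth2
set interfaces et-20/2/0 gigether-options redundant-parent reth2

## reth0 is VLAN-tagged toward the QFabric; one inside VLAN shown (assumed IDs/addresses).
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 10 vlan-id 10
set interfaces reth0 unit 10 family inet address 10.1.10.1/24
## reth1/reth2 face the two ASA-side VLANs (assumed addressing).
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 203.0.113.2/28
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 198.51.100.2/28

## Zones hold logical (layer-3, family inet) units; two untrust zones are fine.
set security zones security-zone trust interfaces reth0.10
set security zones security-zone untrust1 interfaces reth1.0
set security zones security-zone untrust2 interfaces reth2.0

## Default route toward the ISP side behind the ASA pair on untrust1 (assumed next hop).
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Source NAT: only the listed trust hosts are translated into the ISP pool
## when leaving via untrust1; everything else in the zone pair passes untranslated.
set security address-book global address nat-host-1 10.1.10.50/32
set security address-book global address nat-host-2 10.1.10.51/32
set security nat source pool isp-pool address 203.0.113.16/28
set security nat source rule-set trust-to-untrust1 from zone trust
set security nat source rule-set trust-to-untrust1 to zone untrust1
set security nat source rule-set trust-to-untrust1 rule nat-selected match source-address 10.1.10.50/32
set security nat source rule-set trust-to-untrust1 rule nat-selected match source-address 10.1.10.51/32
set security nat source rule-set trust-to-untrust1 rule nat-selected match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust1 rule nat-selected then source-nat pool isp-pool
## The pool is not an interface address, so the SRX must answer ARP for it on reth1.
set security nat proxy-arp interface reth1.0 address 203.0.113.17/32 to 203.0.113.30/32

## Policy: NAT only rewrites addresses; a permit policy is still required.
set security policies from-zone trust to-zone untrust1 policy allow-out match source-address any
set security policies from-zone trust to-zone untrust1 policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust1 policy allow-out match application any
set security policies from-zone trust to-zone untrust1 policy allow-out then permit
```

To check the failover part, watch "show chassis cluster status" while a monitored link is physically taken down: the RG1 priority on the node that lost the link drops to 0 and node1 becomes primary for RG1. Note that RG1 does not move back to node0 on its own once the link recovers unless "preempt" is configured under redundancy-group 1, and that a failover can also be forced for testing with "request chassis cluster failover redundancy-group 1 node 1". For the NAT part, "show security nat source rule all" shows hit counts per rule and "show security flow session" shows the translated addresses on live sessions.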