Junos is a very powerful network operating system, and by harnessing it we can perform more unusual tasks than we could with other alternatives. Today I will discuss a less common scenario: using conditional route advertisement together with static NAT to publish a service. When the internal network becomes unreachable, the SRX automatically withdraws the route it advertises for that service.

Conditional Route Advertising allows a network engineer to attach criteria to routing-policy decisions, so that a route is installed in the routing table or advertised to peers/neighbors only when the criteria hold. More information on this can be found here. In the example below I will configure conditional route advertisement on an SRX.

[Figure: conditional_route_advertisement (topology diagram)]

In the scenario above the SRX must advertise the route 1.1.1.0/24 to AS1111 only if the route 192.168.1.0/24, learned from the iBGP neighbor, exists on the SRX. Moreover, the SRX will statically NAT 1.1.1.1 to 192.168.1.1 to make a web application publicly available. Below is the basic configuration for interfaces, zones, and BGP:

interfaces {
    ge-0/0/4 {
        description Untrust;
        unit 0 {
            family inet {
                address 200.200.200.2/30;
            }
        }                               
    }
    ge-0/0/8 {
        description Trust;
        unit 0 {
            family inet {
                address 172.16.0.1/24;
            }
        }
    }
}
protocols {
    bgp {
        group partner {
            export conditional_route;
            peer-as 1111;
            neighbor 200.200.200.1;
        }
        group wan {
            peer-as 65100;
            neighbor 172.16.0.2;
        }
    }
}
routing-options {
    autonomous-system 65100;
}   
security {             
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
        security-zone trust {                 
            interfaces {
                ge-0/0/8.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
    }
}

Let us take a look at the export policy conditional_route:

policy-options {
    policy-statement conditional_route {
        term 1 {
            from {
                route-filter 1.1.1.0/24 exact;
                condition check_route;
            }
            then accept;
        }
        then reject;
    }
}

As you can see above, the SRX will advertise 1.1.1.0/24 only when the condition named check_route is true. Let us take a look at the condition:

policy-options {
    condition check_route {                    
        if-route-exists {
            192.168.1.0/24;
            table inet.0;
        }
    }
}

From here, we need to get 1.1.1.0/24 into the routing table, since the export policy can only advertise a route that exists. In this case I used a static discard route to install it:

routing-options {
    static {
        route 1.1.1.0/24 discard;
    }
}   

The condition checks whether the route 192.168.1.0/24 exists in table inet.0; if it does, the condition is true. Since the condition is true, the route is advertised:

root@SRX-1> show route protocol bgp 192.168.1.0/24

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[BGP/170] 11w1d 04:31:28, MED 1376000, localpref 100
                      AS path: ?
                    > to 172.16.0.2 via ge-0/0/8.0

root@SRX-1> show route advertising-protocol bgp 200.200.200.1

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.1.1.0/24              Self                                    I

If we stop receiving the 192.168.1.0/24 route for whatever reason (here I simulate this by disabling the trust interface), then the route advertised to AS1111 disappears:

root@SRX-1> edit 
Entering configuration mode

[edit]
root@SRX-1# set interfaces ge-0/0/8 disable  

[edit]
root@SRX-1# commit      
configuration check succeeds 
commit complete 

[edit]
root@SRX-1# exit  
Exiting configuration mode 

root@SRX-1> show route protocol bgp 192.168.1.0/24 

root@SRX-1> show route advertising-protocol bgp 200.200.200.1  

When I roll back the configuration the route reappears:

root@SRX-1> edit 
Entering configuration mode

[edit]
root@SRX-1# rollback 1 
load complete 

[edit]
root@SRX-1# commit      
configuration check succeeds 
commit complete 

[edit]
root@SRX-1# exit  
Exiting configuration mode 

root@SRX-1> show route protocol bgp 192.168.1.0/24

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[BGP/170] 11w1d 04:31:28, MED 1376000, localpref 100
                      AS path: ?
                    > to 172.16.0.2 via ge-0/0/8.0

root@SRX-1> show route advertising-protocol bgp 200.200.200.1

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.1.1.0/24              Self                                    I
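To make the advertise/withdraw behaviour shown in the two CLI sessions above concrete, here is an added example (not Junos code and not from the original post) that models the export policy conditional_route and the if-route-exists condition check_route as a small policy evaluator. The Term/Policy classes, the route-filter match types, and the inet.0 contents (INET0_UP and INET0_DOWN) are all constructed here; the assumption that only an exact prefix satisfies if-route-exists is labelled in the code.

```python
# Added example (not Junos or the post's own code): a small model of how the
# export policy and the if-route-exists condition decide whether 1.1.1.0/24
# is advertised.  Policy/condition structure, route-filter match types and the
# routing-table contents are all modelled or constructed here; real Junos
# evaluates the condition inside rpd against inet.0.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Term:
    name: str
    route_filter: Optional[str] = None   # e.g. "1.1.1.0/24 exact"
    condition: Optional[str] = None      # name of a condition, e.g. "check_route"
    action: str = "accept"


@dataclass
class Policy:
    terms: List[Term]
    default: str = "reject"              # the policy-level "then reject"


def route_filter_matches(spec: str, prefix: str) -> bool:
    """Evaluate a route-filter clause ('<prefix> exact' or '<prefix> orlonger')."""
    wanted, match_type = spec.split()
    want, have = ip_network(wanted), ip_network(prefix)
    if match_type == "exact":
        return have == want
    if match_type == "orlonger":
        return have.subnet_of(want)
    raise ValueError(f"unsupported match type {match_type!r}")


def if_route_exists(prefix: str) -> Callable[[Set[str]], bool]:
    """Model of 'condition X { if-route-exists { <prefix>; table inet.0; } }'.
    Assumption made here: only the exact prefix in the table satisfies it."""
    return lambda table: prefix in table


def evaluate(policy: Policy, conditions: Dict[str, Callable], table: Set[str], prefix: str) -> str:
    """Walk the terms in order; the first term whose from-clause matches decides."""
    for term in policy.terms:
        if term.route_filter and not route_filter_matches(term.route_filter, prefix):
            continue
        if term.condition and not conditions[term.condition](table):
            continue
        return term.action
    return policy.default


def advertised_prefixes(policy: Policy, conditions: Dict[str, Callable], table: Set[str]) -> List[str]:
    """Every route in the table that the export policy would accept towards the peer."""
    return sorted(p for p in table if evaluate(policy, conditions, table, p) == "accept")


# The policy and condition from the post, expressed in the model.
CONDITIONS = {"check_route": if_route_exists("192.168.1.0/24")}
CONDITIONAL_ROUTE = Policy(
    terms=[Term("1", route_filter="1.1.1.0/24 exact", condition="check_route", action="accept")],
    default="reject",
)

# Constructed inet.0 contents: the static discard route plus the iBGP-learned
# prefix and the two directly connected networks.
INET0_UP = {"1.1.1.0/24", "192.168.1.0/24", "172.16.0.0/24", "200.200.200.0/30"}
# ge-0/0/8 disabled: the iBGP session drops and 192.168.1.0/24 is withdrawn.
INET0_DOWN = INET0_UP - {"192.168.1.0/24"}

if __name__ == "__main__":
    print("advertised while 192.168.1.0/24 is present:",
          advertised_prefixes(CONDITIONAL_ROUTE, CONDITIONS, INET0_UP))
    print("advertised after it is withdrawn:",
          advertised_prefixes(CONDITIONAL_ROUTE, CONDITIONS, INET0_DOWN))
```

The model also makes the role of the final `then reject` visible: without it, the BGP default export behaviour would pass the active BGP route 192.168.1.0/24 itself on to AS1111, so the explicit reject is what keeps the internal prefix from leaking to the partner.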

From here, let's configure the static NAT and the security policy:

security {
    nat {
        static {
            rule-set untrust {
                from zone untrust;
                rule app {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.1/32;
                            }
                        }
                    }
                }
            }                           
        }
        proxy-arp {
            interface ge-0/0/4.0 {
                address {
                    1.1.1.1/32;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy allow-app {
                match {
                    source-address any;
                    destination-address server-192.168.1.1/32;
                    application any;
                }
                then {
                    permit;
                }
            }                           
        }
    }                                   
    zones {
        security-zone trust {
            address-book {
                address server-192.168.1.1/32 192.168.1.1/32;
            }
        }
    }
}

On a typical packet-mode Junos router, a discard route for 1.1.1.0/24 would drop all traffic destined to that network. So why does this work on the SRX? The key point is when flow-based Junos performs the route lookup:

[Figure: session (SRX flow-mode first-packet processing order)]

In the flow session setup, the route lookup is performed after static NAT has been applied. The SRX therefore first translates the destination address to 192.168.1.1 and only then performs the route lookup, so the packet matches the 192.168.1.0/24 route rather than the discard route. Because of this the packet is treated as routable and the SRX forwards it.
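The following added example (my own illustration, not Junos code and not from the original post) simulates the two processing orders just described: a packet-mode router that looks up the original destination first, and the SRX first-packet path that applies static NAT before the route lookup and then matches the zone policy on the translated address. The routing table, NAT rule, address book and policy are constructed here to mirror the configuration above, and the stage order is the one the post describes; the function and variable names are my own.

```python
# Added example (not Junos or the post's own code): why a discard route for
# 1.1.1.0/24 drops traffic on a packet-mode router but not on the flow-based
# SRX, which applies static destination NAT before the route lookup.
from ipaddress import ip_address, ip_network

# Constructed routing table mirroring the post: (prefix, next hop or action)
ROUTES = [
    ("1.1.1.0/24", "discard"),
    ("192.168.1.0/24", "172.16.0.2 via ge-0/0/8.0"),
    ("172.16.0.0/24", "direct ge-0/0/8.0"),
    ("200.200.200.0/30", "direct ge-0/0/4.0"),
]
STATIC_NAT = {"1.1.1.1": "192.168.1.1"}          # rule app: dst 1.1.1.1 -> 192.168.1.1
ADDRESS_BOOK = {"server-192.168.1.1/32": "192.168.1.1/32"}
POLICIES = [("untrust", "trust", "server-192.168.1.1/32", "permit")]  # from, to, dst name, action
ZONE_OF_INTERFACE = {"ge-0/0/4.0": "untrust", "ge-0/0/8.0": "trust"}


def route_lookup(dst: str):
    """Longest-prefix match; returns the next-hop string, 'discard', or None."""
    best = None
    for prefix, nh in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def egress_zone(next_hop: str):
    """Derive the egress zone from the interface named in the next hop."""
    for ifname, zone in ZONE_OF_INTERFACE.items():
        if ifname in next_hop:
            return zone
    return None


def packet_mode_forward(dst: str) -> str:
    """Packet-mode router: the route lookup sees the original destination."""
    nh = route_lookup(dst)
    if nh is None or nh == "discard":
        return "dropped (discard route)"
    return f"forwarded to {nh}"


def flow_mode_first_packet(dst: str, in_zone: str = "untrust", address_book=ADDRESS_BOOK) -> str:
    """SRX first-packet path in the order the post describes: static NAT,
    then route lookup, then zone/policy lookup on the translated address."""
    translated = STATIC_NAT.get(dst, dst)
    nh = route_lookup(translated)
    if nh is None or nh == "discard":
        return "dropped (no route / discard)"
    out_zone = egress_zone(nh)
    for from_zone, to_zone, addr_name, action in POLICIES:
        if (from_zone == in_zone and to_zone == out_zone
                and ip_address(translated) in ip_network(address_book[addr_name])):
            return f"{action}: {dst} -> {translated} via {nh}"
    return "dropped (default deny)"


if __name__ == "__main__":
    print("packet mode, dst 1.1.1.1 :", packet_mode_forward("1.1.1.1"))
    print("flow mode,   dst 1.1.1.1 :", flow_mode_first_packet("1.1.1.1"))
    print("flow mode,   dst 1.1.1.2 :", flow_mode_first_packet("1.1.1.2"))
    # Constructed mismatch: address-book entry pointing at a different host
    print("flow mode, wrong book    :", flow_mode_first_packet(
        "1.1.1.1", address_book={"server-192.168.1.1/32": "192.168.99.1/32"}))
```

Two practical points fall out of the simulation. First, because the policy lookup happens after NAT, the address-book entry referenced by allow-app must hold the post-NAT address 192.168.1.1; an entry pointing elsewhere leaves NAT and routing working but the session dropped by the default deny. Second, any address in 1.1.1.0/24 that has no static NAT rule still hits the discard route, so only the explicitly published host is reachable from the untrust side.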

Please feel free to leave comments and questions below.

2 comments

  1. What about source NAT? Does the SRX do a reverse route lookup for incoming source NAT packets? If it doesn't, it should work.
