12-02-2010 09:17 PM
Device: SRX220H. My situation here is a local office with 2 companies, same boss. We would like to configure 2 LAN subnets, say 192.168.20.0/24 (ge-0/0/7.0) and 192.168.30.0/24 (ge-0/0/6.0).
On ge-0/0/0.0, which is in the untrust zone, I have configured 2 public IP addresses on the same interface. We would like to configure it so that all the traffic from subnet 1 will pass through the first public IP address and the traffic from subnet 2 will pass through the second public IP address. Any suggestion how to configure this case? Thanks
12-03-2010 05:14 AM
The way I would do this is to use source-nat on the firewall policy that allows traffic to the outside.
So traffic from 192.168.20.0/24 would get nat'ed to, for example, 10.10.10.1/24 and traffic from 192.168.30.0/24 would get nat'ed to 10.10.10.3/24.
There's some documentation on the juniper site, such as this: http://kb.juniper.net/library/CUSTOMERSERVICE/tech
HTH
12-03-2010 08:20 AM - edited 12-03-2010 09:27 AM
I don't think you would need the proxy ARP for IP 76.76.76.1 since it's probably already set up as the IP on your untrust interface.
ALSO, a question if anyone has the answer... I thought proxy-arp was for destination NAT only; however, this seems the only way I can get the SRX to source from another IP on the same subnet as the external interface...
WOULD adding a secondary IP to the interface on the untrust be better practice than proxy-arp?
Cheers!
admin@SRX240# show | compare
[edit interfaces vlan]
+   unit 20 {
+       family inet {
+           address 192.168.20.254/24;
+       }
+   }
+   unit 30 {
+       family inet {
+           address 192.168.30.254/24;
+       }
+   }
[edit security nat source]
+   pool ISPIPOne {
+       address {
+           76.76.76.1/32;
+       }
+   }
+   pool ISPIPTwo {
+       address {
+           76.76.76.2/32;
+       }
+   }
[edit security nat source]
    rule-set interface-nat { ... }
+   rule-set company1 {
+       from zone company1;
+       to zone untrust;
+       rule nat-pat {
+           match {
+               source-address 192.168.20.0/24;
+               destination-address 0.0.0.0/0;
+           }
+           then {
+               source-nat {
+                   pool {
+                       ISPIPOne;
+                   }
+               }
+           }
+       }
+   }
+   rule-set company2 {
+       from zone company2;
+       to zone untrust;
+       rule nat-pat-2 {
+           match {
+               source-address 192.168.30.0/24;
+               destination-address 0.0.0.0/0;
+           }
+           then {
+               source-nat {
+                   pool {
+                       ISPIPTwo;
+                   }
+               }
+           }
+       }
+   }
[edit security nat]
+   proxy-arp {
+       interface ge-0/0/0.0 {
+           address {
+               76.76.76.1/32;
+               76.76.76.2/32;
+           }
+       }
+   }
[edit security zones]
    security-zone vpn { ... }
+   security-zone company1 {
+       host-inbound-traffic {
+           system-services {
+               any-service;
+           }
+       }
+       interfaces {
+           vlan.20;
+       }
+   }
+   security-zone company2 {
+       host-inbound-traffic {
+           system-services {
+               any-service;
+           }
+       }
+       interfaces {
+           vlan.30;
+       }
+   }
[edit security policies]
    from-zone untrust to-zone vpn { ... }
+   from-zone company1 to-zone untrust {
+       policy default-permit {
+           match {
+               source-address any;
+               destination-address any;
+               application any;
+           }
+           then {
+               permit;
+           }
+       }
+   }
+   from-zone company2 to-zone untrust {
+       policy default-permit {
+           match {
+               source-address any;
+               destination-address any;
+               application any;
+           }
+           then {
+               permit;
+           }
+       }
+   }
[edit vlans]
+   v20 {
+       vlan-id 20;
+       interface {
+           ge-0/0/4.0;
+       }
+       l3-interface vlan.20;
+   }
+   v30 {
+       vlan-id 30;
+       interface {
+           ge-0/0/5.0;
+       }
+       l3-interface vlan.30;
+   }
[edit]
12-06-2010 07:54 PM
It works.. Thank you so much for the idea you have given me; I am able to go on to the next config step.
12-06-2010 08:18 PM - edited 12-06-2010 08:19 PM
colemtb wrote: ALSO, a question if anyone has the answer... I thought proxy-arp was for destination NAT only; however, this seems the only way I can get the SRX to source from another IP on the same subnet as the external interface...
WOULD adding a secondary IP to the interface on the untrust be better practice than proxy-arp?
I suppose you could do it either way. Personally I would use a secondary IP. The idea behind proxy-arp is that the security device can answer ARP requests on behalf of another device... in this case, there is no "other device" -- the IP in question "belongs" to the security device.
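As an added example (not code from the thread, from colemtb, or from Juniper), here is a small Python audit of the design the replies converge on: one source-NAT pool per LAN subnet, each pool address answerable on the wire either because it is an interface address (the secondary-IP approach) or because proxy-arp covers it, plus a flag for the broad `any-service` and any/any/any permit settings in the posted config. The sample configuration is constructed from the thread's addresses; the /29 mask on ge-0/0/0 and the compact one-stanza-per-line layout are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample modelled on the posted "show | compare"; the /29 on ge-0/0/0 is an assumption.
SAMPLE_CONFIG = """
interfaces { ge-0/0/0 { unit 0 { family inet { address 76.76.76.1/29; } } } }
security {
  nat {
    source {
      pool ISPIPOne { address { 76.76.76.1/32; } }
      pool ISPIPTwo { address { 76.76.76.2/32; } }
      rule-set company1 { from zone company1; to zone untrust; rule nat-pat {
        match { source-address 192.168.20.0/24; destination-address 0.0.0.0/0; }
        then { source-nat { pool { ISPIPOne; } } } } }
      rule-set company2 { from zone company2; to zone untrust; rule nat-pat-2 {
        match { source-address 192.168.30.0/24; destination-address 0.0.0.0/0; }
        then { source-nat { pool { ISPIPTwo; } } } } }
    }
    proxy-arp { interface ge-0/0/0.0 { address { 76.76.76.1/32; 76.76.76.2/32; } } }
  }
  zones { security-zone company1 { host-inbound-traffic { system-services { any-service; } }
                                   interfaces { vlan.20; } } }
  policies { from-zone company1 to-zone untrust { policy default-permit {
    match { source-address any; destination-address any; application any; } then { permit; } } } }
}
"""


def parse(text):
    """Turn Junos curly-brace syntax into nested dicts; leaf statements map to None."""
    root, pending = {}, None
    stack = [root]
    for tok in re.findall(r"[{};]|[^{};]+", text):
        tok = tok.strip()
        if not tok:
            continue
        if tok == "{":                      # open a container named by the preceding words
            stack[-1][pending] = {}
            stack.append(stack[-1][pending])
        elif tok == ";":                    # terminate a leaf statement
            stack[-1][pending] = None
        elif tok == "}":
            stack.pop()
        else:
            pending = tok
    return root


def children(node, prefix):
    """Yield (name, subtree) for keys such as 'pool ISPIPOne' under a keyword."""
    for key, sub in node.items():
        words = key.split()
        if words[0] == prefix and len(words) > 1:
            yield " ".join(words[1:]), sub


def nat_mappings(cfg):
    """Map each source-NAT'd subnet to the pool address its traffic egresses from."""
    source = cfg["security"]["nat"]["source"]
    pools = {name: next(iter(sub["address"])) for name, sub in children(source, "pool")}
    mapping = {}
    for _, rset in children(source, "rule-set"):
        for _, rule in children(rset, "rule"):
            subnet = next(k.split()[1] for k in rule["match"] if k.startswith("source-address "))
            pool = next(iter(rule["then"]["source-nat"]["pool"]))
            mapping[subnet] = pools[pool]
    return mapping


def interface_addresses(cfg):
    """Host addresses configured on any interface unit (primary or secondary)."""
    return {ipaddress.ip_interface(key.split()[1]).ip
            for ifd in cfg["interfaces"].values()
            for _, unit in children(ifd, "unit")
            for key in (unit.get("family inet") or {}) if key.startswith("address ")}


def proxy_arp_addresses(cfg):
    """Addresses the SRX is told to answer ARP for on behalf of NAT pools."""
    proxy = cfg["security"]["nat"].get("proxy-arp") or {}
    return {ipaddress.ip_interface(a).ip for _, ifl in children(proxy, "interface") for a in ifl["address"]}


def audit(cfg):
    """Return findings as strings; an empty list means the NAT design checks out."""
    findings, seen = [], {}
    on_wire, proxied = interface_addresses(cfg), proxy_arp_addresses(cfg)
    for subnet, pool in nat_mappings(cfg).items():
        ip = ipaddress.ip_interface(pool).ip
        if ip in seen:  # the two companies would be indistinguishable upstream
            findings.append(f"{subnet} and {seen[ip]} share egress address {ip}")
        seen[ip] = subnet
        if ip not in on_wire | proxied:  # return traffic would never be picked up
            findings.append(f"nothing answers ARP for {ip}: add proxy-arp or a secondary address")
    for ip in sorted(proxied & on_wire):  # the point raised in the thread about 76.76.76.1
        findings.append(f"proxy-arp for {ip} is redundant: it is already an interface address")
    for name, zone in children(cfg["security"]["zones"], "security-zone"):
        if "any-service" in ((zone.get("host-inbound-traffic") or {}).get("system-services") or {}):
            findings.append(f"zone {name} exposes every system service of the SRX (any-service)")
    for ctx, block in children(cfg["security"]["policies"], "from-zone"):
        for pname, pol in children(block, "policy"):
            if "permit" in pol["then"] and all(f"{k} any" in pol["match"]
                                               for k in ("source-address", "destination-address", "application")):
                findings.append(f"policy {pname} ({ctx}) permits any/any/any")
    return findings


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print(nat_mappings(cfg))
    print("\n".join(audit(cfg)))
```

Run against the sample it reports the redundant proxy-arp entry for 76.76.76.1 (the interface's own address), the `any-service` host-inbound setting and the any/any/any permit policy; remove the proxy-arp stanza and it instead reports that nothing answers ARP for 76.76.76.2, which disappears again once 76.76.76.2 is added as a secondary address on ge-0/0/0, mirroring the two options discussed in the thread.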