SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Multiple IPs on external interface but only use one for management, dynamic vpn, etc.

  • 1.  Multiple IPs on external interface but only use one for management, dynamic vpn, etc.

    Posted 07-03-2015 18:31

    I have a feeling this is really obvious...


    My setup is as follows:

    I have a comcast business device upstream of my SRX that is configured to give me IPs on a /28. I've assigned those IPs to ge-0/0/0.0


    I would like to use one of those IPs for management of the SRX (via HTTPS and SSH), one for VPN (dynamic vpn), and the rest for servers (I'd NAT the public IPs to separate internal IPs on a DMZ zone to which ge-0/0/3.0 belongs).


    The web management setup looks like this:


    web-management {
        management-url jweb;
        https {
            pki-local-certificate star_<domain-name redacted>;
            interface [ vlan.0 ge-0/0/0.0 ];
        }
    }

    The public interface looks like this (IPs have been redacted):

    ge-0/0/0 {
        unit 0 {
            family inet {
                address 96.89.xxx.xx1/28;
                address 96.89.xxx.xx2/28;
                address 96.89.xxx.xx3/28;
                address 96.89.xxx.xx4/28;
                address 96.89.xxx.xx5/28;
                address 96.89.xxx.xx6/28;
                address 96.89.xxx.xx7/28;
                address 96.89.xxx.xx8/28;
                address 96.89.xxx.xx9/28;
                address 96.89.xxx.xy0/28;
                address 96.89.xxx.xy1/28;
                address 96.89.xxx.xy2/28;
            }
        }
    }

    Currently, I can ssh, vpn to, or access the web management interface from any of these IPs. I'd like to actually segment things. What would be the best way to accomplish this? When I tried adding a logical unit to the interface, it gave me some error about only allowing the one unit 0 on the interface.



  • 2.  RE: Multiple IPs on external interface but only use one for management, dynamic vpn, etc.
    Best Answer

    Posted 07-03-2015 20:41

    Hello,


    What you can actually do is configure only the IP used for web management and IPsec on the ge-0/0/0 interface. Remove the rest of the NAT IPs from the ge-0/0/0 configuration. Just add them in the destination or static NAT configuration and add them to proxy-ARP (since they are in the same subnet as the ge-0/0/0 interface IP). This will save you from those IPs being accessible externally, and they will be dedicated only to internal server/service access.


    I hope this helps.
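The approach described in the answer above, written out as Junos set commands (an added example, not configuration posted in this thread). It assumes 96.89.xxx.xx1 stays on ge-0/0/0.0 as the management and IKE address, that 96.89.xxx.xx3 is one of the public addresses being dedicated to a DMZ server at the internal address 10.0.3.10, and that the security zones are named untrust and dmz; the rule-set, rule, policy and address-book names and all of those addresses are assumptions, and the `#` lines are annotations rather than commands.

```junos
# Take the server's public address off the interface so the SRX itself no longer
# terminates SSH/HTTPS/IKE on it; only the management/IKE address stays on ge-0/0/0.0.
delete interfaces ge-0/0/0 unit 0 family inet address 96.89.xxx.xx3/28

# Static NAT: traffic arriving from untrust for the public address is translated
# to the DMZ host (and replies are translated back) before the policy lookup.
set security nat static rule-set dmz-servers from zone untrust
set security nat static rule-set dmz-servers rule web1 match destination-address 96.89.xxx.xx3/32
set security nat static rule-set dmz-servers rule web1 then static-nat prefix 10.0.3.10/32

# Proxy-ARP: the address is in the same /28 as the interface, so the SRX must still
# answer the upstream device's ARP requests for it even though it is no longer configured.
set security nat proxy-arp interface ge-0/0/0.0 address 96.89.xxx.xx3/32

# Management and IKE are accepted only on the address(es) actually configured on the
# interface, i.e. 96.89.xxx.xx1 after the delete above.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# Security policy matches the post-NAT (internal) destination; permit only the
# service the DMZ host is meant to expose.
set security address-book global address web1-internal 10.0.3.10/32
set security policies from-zone untrust to-zone dmz policy allow-web1 match source-address any
set security policies from-zone untrust to-zone dmz policy allow-web1 match destination-address web1-internal
set security policies from-zone untrust to-zone dmz policy allow-web1 match application junos-https
set security policies from-zone untrust to-zone dmz policy allow-web1 then permit
```

Repeat the delete, static NAT rule, proxy-ARP entry and policy for each remaining server address. Run `commit check` before committing, and confirm the translation with `show security nat static rule all`; a packet to the removed public address that is not matched by a static NAT rule now has no local address to reach, which is exactly what stops those IPs from doubling as management or VPN endpoints.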