SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Public subnet behind SRX

    Posted 11-29-2016 12:56

    I am switching ISPs and the new ISP is giving me a WAN IP (/30) and then the rest of my IP block (/29) behind it. I have normally seen ISPs just set the block on my WAN and I would just place a switch in front to direct to my four independent networks and their firewalls.

     

    What I would like to do is set the ge-0/0/0 to the WAN (/30) and the ge-0/0/1-4 to be the /29 subnet that would lead to their respective routers.

     

    How can I set up my SRX to route the /29 subnet behind the /30? Also I would like to disable most of the firewall functionality since each of the networks behind it already have firewalls.

     

    I have never had to route public IPs before, looking for some guidance and suggestions.

     

    Thanks,

    David



  • 2.  RE: Public subnet behind SRX

     
    Posted 11-29-2016 15:04

    Hi David,

     

    If you want the SRX to act as a router and not a firewall then you can issue the command:

     

    set security forwarding-options family mpls mode packet-based

     

    You will need to reboot after this. You will also need to protect the control plane to ensure you are not attacked.

     

    Regarding the configuration, I am assuming you are assigning 5 IP addresses of your /29; 1 for the SRX and 4 for each firewall. If so you could configure the 4 ports as access switchports for the 4 firewalls and create a vlan interface on the SRX all within the same VLAN. Routing will occur between the vlan interface and the ge-0/0/0 interface.



  • 3.  RE: Public subnet behind SRX

     
    Posted 11-29-2016 22:42

    Ideally in this scenario you just need to advertise the /29 subnet to the ISP and the rest is all normal routing on the SRX. You may configure a default policy to permit all traffic: "set security policies default-policy permit-all"



  • 4.  RE: Public subnet behind SRX

    Posted 11-30-2016 07:31

    Thanks for your response. How would you advertise the subnet through the SRX?

     

    Thanks,

    David



  • 5.  RE: Public subnet behind SRX

    Posted 11-29-2016 23:18

    Hi

    I had the same issues with one of my customers.

    If you have a small business firewall SRX### and not SRX####

    you can do layer 2 and layer 3

    the srx behaves like an ethernet switch with a vlan interface as entry point into the firewall.

    thus you can use the same network outside and inside of the firewall

    The only drawback is that the remaining public addresses are layer 2 switched through the firewall WITHOUT any security!

     

    so you define the interface towards the provider as layer 2, and also the interfaces towards the rest of your /29 network

    and then for all layer 3 traffic into and through the firewall you define a vlan interface with the address(es) needed to be forwarded via the firewall.

     

    ae9 goes to a switch and to the devices using the remaining addresses of our public net

    here are some code snippets (some curly brackets } are missing!!!!):

    interfaces {
        /* ge-6/0/0 goes to the internet */
        ge-6/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members PUBLIC;
                    }
                }
            }
        }
        /* ae9 goes to a switch and to the devices using the remaining addresses of our public net */
        ae9 {
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members PUBLIC;
                    }
                }
            }
        }
        vlan {
            unit 9 {
                family inet {
                    /* main address of the firewall, but also used for destination translation to forward into the DMZ */
                    address xx.xx.xx.xx/29;
                }
            }
        }
    }
    security {
        nat {
            proxy-arp {
                interface vlan.9 {
                    address {
                        /* further addresses going through the firewall with dest-NAT */
                        xx.xx.xx.xx1/32 to xx.xx.xx.xx2/32;
                    }
                }
            }
        }
    }

     

    The other possibility is to do a completely transparent layer 2 firewall, which is also possible, and in that case you have full security possible. But for your problem the solution stated above is best.

     

    regards

     

    alexander marhold

    INDC

    note: if you have a cluster, you also need the SWFAB interfaces enabled



  • 6.  RE: Public subnet behind SRX

    Posted 11-30-2016 07:53

    Thanks for your response Alexander. I am looking to use our older SRX220h. Unfortunately I'm not very skilled with Juniper, as our network guy who did this is no longer with the company. What is the ae9? Also, if I give you example IPs could you update the config with what you are describing?

    70.1.1.120/29 (.121-126 useable) 174.2.2.240/30 (.241 gateway, .242 WAN)

     

    Thanks,

    David



  • 7.  RE: Public subnet behind SRX
    Best Answer

    Posted 11-30-2016 12:50

    So I was overthinking it a bit: the ISP is already pointing the /29 behind the /30, so I didn't need to advertise. In the end I set up the /30 on the WAN (0/0/0) and the rest of the ports (0/0/1-7) on vlan.0 using the /29, disabled NAT, opened the firewall, and made sure my route was correctly pointing from 0.0.0.0/0 to the ISP gateway, and the SRX did the rest.

     

    Thanks for all of your help!

     

    David
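A worked set-format configuration for the layout described in the final post, using the example addresses from post 6 (added here as an illustration; it is not the poster's own configuration). The zone names untrust/trust, the VLAN name PUBLIC, vlan-id 10 and the interface-range name are assumptions; lines starting with "#" are explanations, not commands.

```junos
# Assumed starting point: the factory-default interface, vlan and
# source-NAT stanzas of the SRX220 have already been deleted.

# WAN side: the ISP /30 on ge-0/0/0; the ISP gateway is .241
set interfaces ge-0/0/0 description "ISP /30 link"
set interfaces ge-0/0/0 unit 0 family inet address 174.2.2.242/30

# LAN side: ge-0/0/1 .. ge-0/0/7 as switchports in one VLAN
# (vlan-id 10 is an arbitrary choice), vlan.0 is the routed /29 interface
set interfaces interface-range public-lan member-range ge-0/0/1 to ge-0/0/7
set interfaces interface-range public-lan unit 0 family ethernet-switching vlan members PUBLIC
set vlans PUBLIC vlan-id 10
set vlans PUBLIC l3-interface vlan.0
set interfaces vlan unit 0 family inet address 70.1.1.121/29

# Default route toward the ISP gateway; the ISP already routes the /29
# to 174.2.2.242, so nothing has to be advertised from the SRX
set routing-options static route 0.0.0.0/0 next-hop 174.2.2.241

# Zones: management (ssh/ping) reachable only from the inside VLAN,
# no host-inbound services on the WAN interface
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping

# "Open" firewall: explicit permit-any in both directions, because the
# per-network firewalls behind the SRX do the filtering; inbound sessions
# are still logged so there is a record of what reached the /29
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone untrust to-zone trust policy allow-in match source-address any
set security policies from-zone untrust to-zone trust policy allow-in match destination-address any
set security policies from-zone untrust to-zone trust policy allow-in match application any
set security policies from-zone untrust to-zone trust policy allow-in then permit
set security policies from-zone untrust to-zone trust policy allow-in then log session-close

# No source NAT: the /29 addresses must reach the downstream routers
# unchanged (the factory-default rule-set, if still present, is trust-to-untrust)
delete security nat source rule-set trust-to-untrust

commit check
```

After committing, `show route 0.0.0.0/0` should list the static route via 174.2.2.241 and `show security flow session` should show sessions from the /29 with identical In and Out addresses, confirming no NAT is applied.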