SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Use THIS IP address when going on untrust for THIS host.

    Posted 10-10-2012 07:57

    Hi !

    My firewall (SRX-240, 10.4R7.5) has 3 addresses on the Untrust interface (A.B.C.74 - A.B.C.76).

    What I want: everything uses the .74 when going to untrust, but 2 servers should use IP .75 and .76.

    I tried it like this for the first server (server MY-SERVER should use A.B.C.75/29):

    set interfaces ge-0/0/2 unit 0 family inet address A.B.C.74/29
    set interfaces ge-0/0/2 unit 0 family inet address A.B.C.75/29
    set interfaces ge-0/0/2 unit 0 family inet address A.B.C.76/29

    set groups MY-GROUP-75 interfaces ge-0/0/2 unit 0 family inet address A.B.C.75/29 primary
    set groups MY-GROUP-75 interfaces ge-0/0/2 unit 0 family inet address A.B.C.75/29 preferred

    set security policies from-zone DMZ to-zone untrust policy MY-POLICY match source-address MY-SERVER
    set security policies from-zone DMZ to-zone untrust policy MY-POLICY match destination-address any
    set security policies from-zone DMZ to-zone untrust policy MY-POLICY match application any
    set security policies from-zone DMZ to-zone untrust policy MY-POLICY then apply-groups MY-GROUP-75
    set security policies from-zone DMZ to-zone untrust policy MY-POLICY then permit

    That is not working; my server still uses the A.B.C.74 IP address.



  • 2.  RE: Use THIS IP address when going on untrust for THIS host.

    Posted 10-11-2012 07:20

    No one knows?

    There should be a way to specify which preferred IP you should use on an interface, based on filters or policies?

    Please?



  • 3.  RE: Use THIS IP address when going on untrust for THIS host.
    Best Answer

    Posted 10-11-2012 08:11

    Are you talking about NAT?

    You can specify an outside address in your 'security nat source' section. You presumably already have a rule translating outbound connections from your DMZ to A.B.C.74. Try adding a second NAT rule above this specifying A.B.C.75 or .76 as follows:

    set security nat source pool PUBLIC_75 address A.B.C.75/32
    set security nat source rule-set dmz_to_untrust rule server1_outbound match source-address 10.11.12.13/32
    set security nat source rule-set dmz_to_untrust rule server1_outbound match destination-address 0.0.0.0/0
    set security nat source rule-set dmz_to_untrust rule server1_outbound then source-nat pool PUBLIC_75

    (edit rule-set name, rule name, NAT pool and source-address as appropriate; the rule-set is called dmz_to_untrust here, or whatever yours is named)


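As an added example (not from the original posts), this is the complete source NAT configuration that generalizes the answer above to both servers: the rule-set bound to the DMZ/untrust zone pair, one pool per public address, a match rule per server placed before the catch-all rule, and the commands to verify which address a session actually takes. The zone names and the A.B.C.7x range come from the thread; the private server addresses 10.11.12.13 (from the reply) and 10.11.12.14 are placeholders, and lines starting with # are annotations, not commands.

```junos
# One pool per dedicated public address. Both are already configured on
# ge-0/0/2.0, so the SRX answers ARP for them itself and no proxy-arp is
# needed; if a pool address were NOT on the interface you would also need
# set security nat proxy-arp interface ge-0/0/2.0 address A.B.C.75/32
set security nat source pool PUBLIC_75 address A.B.C.75/32
set security nat source pool PUBLIC_76 address A.B.C.76/32

# Rule-set bound to the zone pair. Rules are evaluated top-down within the
# rule-set and the first match wins, so the host-specific rules must come
# before the catch-all.
set security nat source rule-set dmz_to_untrust from zone DMZ
set security nat source rule-set dmz_to_untrust to zone untrust

# Server 1 (placeholder 10.11.12.13) leaves as A.B.C.75
set security nat source rule-set dmz_to_untrust rule server1_outbound match source-address 10.11.12.13/32
set security nat source rule-set dmz_to_untrust rule server1_outbound match destination-address 0.0.0.0/0
set security nat source rule-set dmz_to_untrust rule server1_outbound then source-nat pool PUBLIC_75

# Server 2 (placeholder 10.11.12.14) leaves as A.B.C.76
set security nat source rule-set dmz_to_untrust rule server2_outbound match source-address 10.11.12.14/32
set security nat source rule-set dmz_to_untrust rule server2_outbound match destination-address 0.0.0.0/0
set security nat source rule-set dmz_to_untrust rule server2_outbound then source-nat pool PUBLIC_76

# Everything else in DMZ uses the interface's primary address (A.B.C.74)
set security nat source rule-set dmz_to_untrust rule dmz_default_outbound match source-address 0.0.0.0/0
set security nat source rule-set dmz_to_untrust rule dmz_default_outbound match destination-address 0.0.0.0/0
set security nat source rule-set dmz_to_untrust rule dmz_default_outbound then source-nat interface

# If the catch-all already existed before the server rules were added, move it
# to the end so it does not shadow them, then commit
insert security nat source rule-set dmz_to_untrust rule dmz_default_outbound after rule server2_outbound
commit

# Verification (from configuration mode, hence "run"): rule order and hit
# counters, then the translated source of a live session from server 1
run show security nat source rule all
run show security flow session source-prefix 10.11.12.13
```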

  • 4.  RE: Use THIS IP address when going on untrust for THIS host.

    Posted 10-11-2012 09:30

    That is exactly what I wanted to do. I didn't think about doing that using NAT rules; that's perfect, thank you so much Spud!