Routing

Using Routing Instances for Two Different External Networks

11-06-2019 08:29 AM

We are setting up a DR location and we need help setting up proper instances and routing on our SRX 1500 so that a second external network is accessible.

We currently have a firewall with internet access through Centurylink. We use 4.7.68.104/30 for our internet access on the external side of the firewall. We also own IPs that we would like to use for externally NATing some servers and services. This network is 199.91.146.0/27

We have already asked CenturyLink to advertise 199.91.146.0/27 so that these IPs will be accessible from our network.

We are struggling with how to design the firewall setup so that all internet still goes out the 4.7.68.104/30 but we can also externally expose servers using our IPs in the 199.91.146.0/27 network.

I can attach a network diagram or the FW config if that helps at all. Thanks in advance!

3 REPLIES

Re: Using Routing Instances for Two Different External Networks

a month ago

It is a combination of routing, security zones, security policies, and NAT (possibly routing instances). If you can provide a diagram I can try to help you. Specify which addresses are actually configured on devices and which addresses they are supposed to be seen with on the internet. For example, users are 10.1.1.x/24 and they send traffic to the internet as 4.7.68.x, while server addresses are 172.16.1.x and they should be accessible as if they had 199.91.146.x.

Regards,

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Using Routing Instances for Two Different External Networks

a month ago

Thanks ylara! I have attached a network diagram with the FW in question in a big blue oval. I've also attached the FW config and replaced any of the secret data in it.

In regards to your questions, we have about 5 or 6 servers that will need to be externally exposed and have the corresponding 199.91.146.X/27 NAT IP. Other than those, any of the other VLANs can go out of the 4.7.68.x ISP IP. So just as an example, let's say the IPs of the 5 servers are:

10.14.0.50-54 and will need a NAT IP of 199.91.146.10-14 respectively.

Thanks again! If there's any other information I can provide please let me know.

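The design the reply above describes (routing, zones, policies and NAT) applied to the addresses given in this post, as an added example that is not part of the thread or of the attached config. It assumes interface names ge-0/0/0 (untrust, firewall address 4.7.68.106/30, CenturyLink gateway 4.7.68.105) and ge-0/0/1 (trust, server VLAN 10.14.0.0/24), zone names "trust" and "untrust", HTTPS as the published service, and that CenturyLink routes 199.91.146.0/27 to 4.7.68.106 over the same link. Because the /27 arrives over the same uplink, the example keeps everything in the default routing instance; a separate next hop for the /27 (a second circuit or a second ISP) is the case where a routing instance or filter-based forwarding would come into play. Comment lines starting with # are explanatory and should be dropped before loading with `load set`.

```junos
## Assumed interface names and addresses; replace with the real ones from the FW config
set interfaces ge-0/0/0 unit 0 description "CenturyLink uplink, 4.7.68.104/30"
set interfaces ge-0/0/0 unit 0 family inet address 4.7.68.106/30
set interfaces ge-0/0/1 unit 0 description "Server VLAN"
set interfaces ge-0/0/1 unit 0 family inet address 10.14.0.1/24

## Single routing instance (inet.0): the ISP delivers the /27 to 4.7.68.106 over this link,
## so all traffic, including traffic to and from 199.91.146.x, uses the same default route.
set routing-options static route 0.0.0.0/0 next-hop 4.7.68.105

## Zones. Keep host-inbound-traffic on untrust empty; ping on trust is shown only as an example.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping

## Address book (global) holding the servers' real addresses.
## Security policies on the SRX match the post-NAT (private) address, not the 199.91.146.x one.
set security address-book global address srv1-int 10.14.0.50/32
set security address-book global address srv2-int 10.14.0.51/32
set security address-book global address srv3-int 10.14.0.52/32
set security address-book global address srv4-int 10.14.0.53/32
set security address-book global address srv5-int 10.14.0.54/32
set security address-book global address-set dmz-servers address srv1-int
set security address-book global address-set dmz-servers address srv2-int
set security address-book global address-set dmz-servers address srv3-int
set security address-book global address-set dmz-servers address srv4-int
set security address-book global address-set dmz-servers address srv5-int

## Static NAT: bidirectional 1:1 mapping 199.91.146.10-14 <-> 10.14.0.50-54.
## Inbound, packets to 199.91.146.x are translated before the policy lookup; outbound,
## replies and server-initiated sessions leave as 199.91.146.x. No proxy-arp is needed
## because the /27 is not on the ge-0/0/0 subnet; the ISP routes it to the firewall.
set security nat static rule-set dmz-public from zone untrust
set security nat static rule-set dmz-public rule srv1 match destination-address 199.91.146.10/32
set security nat static rule-set dmz-public rule srv1 then static-nat prefix 10.14.0.50/32
set security nat static rule-set dmz-public rule srv2 match destination-address 199.91.146.11/32
set security nat static rule-set dmz-public rule srv2 then static-nat prefix 10.14.0.51/32
set security nat static rule-set dmz-public rule srv3 match destination-address 199.91.146.12/32
set security nat static rule-set dmz-public rule srv3 then static-nat prefix 10.14.0.52/32
set security nat static rule-set dmz-public rule srv4 match destination-address 199.91.146.13/32
set security nat static rule-set dmz-public rule srv4 then static-nat prefix 10.14.0.53/32
set security nat static rule-set dmz-public rule srv5 match destination-address 199.91.146.14/32
set security nat static rule-set dmz-public rule srv5 then static-nat prefix 10.14.0.54/32

## Source NAT (PAT) for every other VLAN: traffic leaves with the untrust interface address
## 4.7.68.106. Static NAT is evaluated before source NAT, so the five servers are not
## hidden behind 4.7.68.106 even though 0.0.0.0/0 matches them too.
set security nat source rule-set outbound from zone trust
set security nat source rule-set outbound to zone untrust
set security nat source rule-set outbound rule internet-pat match source-address 0.0.0.0/0
set security nat source rule-set outbound rule internet-pat then source-nat interface

## Policies: outbound permit, inbound limited to the published service (HTTPS assumed).
## Anything not matched falls through to the SRX default deny.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone untrust to-zone trust policy inbound-dmz match source-address any
set security policies from-zone untrust to-zone trust policy inbound-dmz match destination-address dmz-servers
set security policies from-zone untrust to-zone trust policy inbound-dmz match application junos-https
set security policies from-zone untrust to-zone trust policy inbound-dmz then permit
set security policies from-zone untrust to-zone trust policy inbound-dmz then log session-init
```

After commit, `show security nat static rule all` should list the five rules with translation hit counters, and `show security flow session destination-prefix 10.14.0.50/32` should show inbound sessions arriving with 199.91.146.10 as the original destination and 10.14.0.50 as the translated one. If inbound connections to the /27 never appear in the session table, check first that CenturyLink actually routes (not just advertises) 199.91.146.0/27 toward 4.7.68.106; the firewall cannot see traffic the ISP does not deliver. Widen `junos-https` to an application-set only for the services each server must expose.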


Re: Using Routing Instances for Two Different External Networks

a month ago

I think these would help you get started. 

Attached images: NAT_INTERNET_IPSEC_1.png, NAT_INTERNET_IPSEC_2.png, NAT_INTERNET_IPSEC_3.png, NAT_INTERNET_IPSEC_4.png

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps