SRX

Hi all,

I'm relatively new to Juniper and networking in general, so bear with me if this seems trivial (easy kudos in it for you).

I'm trying to set up some new time clocks for my company. These need, according to the vendor static externally-visible IP addresses (due to laziness on their part).

I'd like to set the clocks on a VLAN of their own, give them IP adresses (they are smart enough to get one themselves) then open that VLAN up to the outside, allowing communication only to a given range of IP addresses on certain ports. I have the VLAN set and configured on my core SRX550 and connected to a few access-level EX4200s. In the SRX, what would be the best way to accomplish this? Should I NAT the external IPs to internal, or can I simply open the VLAN up to be externally visible (I don't know if a NAT will break their protocol, I was told it would, and I'm not overly concerned about additional security, with the VLAN separating them from the rest of the network and por-restricted).

Thanks in advance!

EDIT: I should add the SRX sits behind a NetScreen 25, I'm not sure how much that will make a difference.

Having the netscreen in front makes it more complicated and is probably not needed if you are leveraging an SRX550.

I did something very similar with a 550 a few years ago.  Basically I had a few devices that were replacing ISDN for radio broadcasts.  They were on their own VLAN with private IPs but needed to be publicly accessible and wide open with no ports blocked or filtered.  Here is what I did:

set security nat static rule-set ISDN-mock from zone untrust

set security nat static rule-set ISDN-mock rule device1 match destination address 88.8.8.8/32  <-- your outside IP

set security nat static rule-set ISDN-mock rule device1 match destination-port 0 to 65535 <-- all ports

set security nat static rule-set ISDN-mock rule device1 then static-nat prefix 10.15.16.22/32 <-- private IP of your device

Then setup a standard security policy so incoming traffic coming through the NAT above is permitted.

When using static NAT, the source IP when going outbound will be the 88.8.8.8 address.  So the source and destination NAT addresses match. 

It's hard to say what will be needed on the NS.  How do you have the configured to work with your SRX?

SRX,

Thanks for that. I took a look and it appears the NetScreen isn't doing very much above Layer2, so I ought to be all set with that.

I did notice your solution makes use of private and public static IPs and NATs across them. Is there a way this can be done without a NAT? The vendor tells me they don't support a many-to-one or even one-to-one NAT (I may try anyway, I think their IT people are just lazy). I'd like to have their stuff touch nothing above the copper on my side, and just expose it to get the static IP the ISP has reserved.

Thanks!

If you want the clocks to have an actual public IP address then you have a few options.

A. put it completely naked with a public IP on the Internet.  This is usually done by putting a switch between your ISP and firewall.  You are able to plug in other devices to that switch that will use a public IP.  There are 2 downsides to that:

1. Your only line of defense is an ACL (firewall filter) on the switch it's attached to.

2. You will have to remember the public IPs being used outside the firewall so you don't use duplication IPs down the road.

B. Assign a second group of public IPs on your firewall and have them routed to the ones already in use on your firewall.  This is the best way to do if you can get more IPs as it gives you flexiblity/protection from your SRX.  More details about this setup are here:

http://www.skullbox.net/publicipaddressfirewall.php

SRX,

That's a great resource, thank you!

I have a folow-up (which I may open a new thread for), I have this new VLAN configured on the SRX and access-switches. My problem is that the other VLANs have a gateway (x.x.x.1 address) which all point back to the same core SRX. They are pingable and manageable from J-web, but they are all on the same physical device. How would i go about setting up a gateway for my new VLAN in the SRX?

Thanks again!

I'm confused by your question.  Do you have more than 1 SRX?  Can you post a diagram of how things are setup?

Sorry - I'll try to be more clear.

I'm creating a new VLAN, which will need a gateway. I have one SRX which has two virtual chassis members and several (~20) VLANs on it. The SRX serves as the gateway for each VLAN. I can access each gateway from J-Web, and they are all pingable, but they are all on the same host (the singular SRX550). My new VLAN doesn't appear to have such a gateway, though it needs one.

I've attached the SRX config, in case that helps.

Ah, I figured it out. Thanks again!

If you have the vlan assigned on your switches, then your gateway setup on the SRX would be as follows: (I'm doing this out of my head so snytax might not be 100% correct):

1. Setup a new vlan (let's say vlan called clowns):

set vlans CLOWNS description "vlan for clowns" vlan-id 260 l3-interface vlan.260

2. Setup the L3 interface:

set interfaces vlan unit 260 family inet address x.x.x.x <-- the gateway address you want to use

3. Add vlan to your AE group:

set interfaces ae0 unit 0 family ethernet-switching vlan members CLOWNS

commit and then you should be able to the ping the gateway from devices on that VLAN.

Once setting up policies make sure you add the vlan interface to a security zones.  You have 17 or so already assigned to the trust zone.

Actually got thatbefore I saw your reply, but that make it much more clear to me (and I assume anyone else looking for this).

Thank you!

Hi,

Back again - I've got everything set (I think), I can ping the gateway from inside the VLAN, and I have a security policy inplace to allow traffic across it, I've hit an issue in that I can now not ping anything outside the VLAN (loopback interface included).

Any tips?