SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

How do I assign multiple IP addresses from one port?

  • 1.  How do I assign multiple IP addresses from one port?

    Posted 09-19-2011 13:01

    Hey everyone. Today, my company switched providers and along with this they have assigned us 5 static IPs. Currently we have only one. Is the SRX-210 able to have all these addresses on one port (ge-0/0/0) and forward traffic based on the particular VLAN I want to assign a new external IP address? For instance, I have a data, phone system IP-PBX, and a guest internet that I want each of these to have their own public IP and rules to route traffic between the phone and data network and not allow any traffic from the guest network between the phone and data. Thank you much for any advice as I am struggling with this concept.



  • 2.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-19-2011 14:25

    The 5 static IPs from your provider are going to be within the same subnet.  You can have your SRX answer for multiple IP addresses off of a single interface, but what you're describing (separate VLANs for each address) isn't going to be possible in this scenario.  You would need to work up your design to utilize internal addressing and VLANs where necessary, but your public IPs would only be usable as NAT (source, destination, or static) to tie into your internal design.  You wouldn't base your design around the 5 public IPs.



  • 3.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 00:27

    Hello,

    Small correction: there is no single subnet/netmask combo which covers 5 and only 5 contiguous IPv4 addresses, let alone non-contiguous.

    So what OP is most likely to end up with in his design is two subnets (1x/30 + 1x/32).

    Or maybe 5x/32 :)

    HTH

    Rgds

    Alex

     



  • 4.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 07:39

    If you have static IPs with AT&T Uverse, a /29 gives the end user 5 usable IPs.  They take the highest usable IP, and use that as your default gateway address.

     

    For example

    108.149.208.72/29

     

    108.149.208.72 -- Network ID

    108.149.208.73 -- Usable IP

    108.149.208.74 -- Usable IP

    108.149.208.75 -- Usable IP

    108.149.208.76 -- Usable IP

    108.149.208.77 -- Usable IP

    108.149.208.78 -- Gateway Address

    108.149.208.79 -- Broadcast Address



  • 5.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 11:45

    @aarseniev wrote:

    Hello,

    Small correction: there is no single subnet/netmask combo which covers 5 and only 5 contiguous IPv4 addresses


    Sure there is, /29.

     

    29 network bits, 3 host bits.  2^3 = 8 IP addresses.  -1 for network address (lowest), -1 for broadcast address (highest), -1 for the upstream router (default gateway) = 5 usable IP addresses.

     

    ;)

     

    *edit -- Looks like dscott beat me to it... guess I should refresh the page next time.  :P



  • 6.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 13:36

    5 "usable IP addresses" != subnet which covers only 5 IP addresses, no less no more

    HTH

    Rgds

    Alex 

     



  • 7.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 14:42

    @aarseniev wrote:

    5 "usable IP addresses" != subnet which covers only 5 IP addresses, no less no more

    HTH

    Rgds

    Alex 

     


    ... all I said was that the 5 IP addresses he was getting from his ISP were most likely in a single subnet.  I never said anything about non-contiguous or that the 5 IP addresses were the entire subnet.

     

    Not sure why there's any contention here...



  • 8.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 05:46

    OK, so can you go into greater detail on how to accomplish this please? I am afraid that I don't understand the concept you are describing. Thanks.



  • 9.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 11:48

    @MR. C wrote:

    OK, so can you go into greater detail on how to accomplish this please? I am afraid that I don't understand the concept you are describing. Thanks.


    Actually, it would be easier if we approached it from the other direction... could you describe in more detail what you're looking to accomplish, and we can help you figure out how best to design the solution?

     

    It's hard to design solutions to undefined problems.  ;)



  • 10.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 12:26

    OK, I will try. As of right now my configuration consists of one static IP address from our old internet provider. That is my untrust zone/gateway for my LAN to the internet and all my VLANs connect to that port for internet access (ge-0/0/0). Just recently, we switched providers (Comcast) and with our service, they provide 5 static IPs.

     

    As of now I have three VLANs on my network.

     

    1. Data network (this has all my client PCs and servers) ge-0/0/1

    2. Phone network (this is our IP based PBX system) fe-0/0/7 and fe-0/0/6

    3. Guest network (basically allows our guests to have internet access and not on our data network) fe-0/0/5

     

    My goal is to set up the SRX-210 in such a way that each of these VLANs is associated with one static external IP apiece so I can set up port forwarding rules to a particular VLAN based on those addresses. For instance, I want POP3, IMAP and such on the data network but I need the same port forwards to the phone network that conflict with the port forwards I need on the data network (they share some of the same ports). Also I want to have routing set up so that the data and phone network can communicate with each other but the guest internet can only go to the internet and not the other VLANs. I am running IDP on the machine as well and would like all traffic coming in to still be scanned. The data network is on 192.168.0.0/24, the phone is on 10.1.1.0/24, and the guest has DHCP on the router with 192.168.2.0/24.

     

    I hope this clears some things up. Thank you much for your responses and consideration!



  • 11.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-20-2011 15:05

    @MR. C wrote:

    OK, I will try. As of right now my configuration consists of one static IP address from our old internet provider. That is my untrust zone/gateway for my LAN to the internet and all my VLANs connect to that port for internet access (ge-0/0/0). Just recently, we switched providers (Comcast) and with our service, they provide 5 static IPs.

     

    As of now I have three VLANs on my network.

     

    1. Data network (this has all my client PCs and servers) ge-0/0/1

    2. Phone network (this is our IP based PBX system) fe-0/0/7 and fe-0/0/6

    3. Guest network (basically allows our guests to have internet access and not on our data network) fe-0/0/5

     

    My goal is to set up the SRX-210 in such a way that each of these VLANs is associated with one static external IP apiece so I can set up port forwarding rules to a particular VLAN based on those addresses. For instance, I want POP3, IMAP and such on the data network but I need the same port forwards to the phone network that conflict with the port forwards I need on the data network (they share some of the same ports). Also I want to have routing set up so that the data and phone network can communicate with each other but the guest internet can only go to the internet and not the other VLANs. I am running IDP on the machine as well and would like all traffic coming in to still be scanned. The data network is on 192.168.0.0/24, the phone is on 10.1.1.0/24, and the guest has DHCP on the router with 192.168.2.0/24.

     

    I hope this clears some things up. Thank you much for your responses and consideration!


     

    OK, this shouldn't be too bad.

     

    For your incoming port forwarding traffic, you can set up two destination NAT pools, one for your data VLAN and one for your phone VLAN.  You can then set your match rules for one static IP/port(s) to map to the proper server(s) in the data network, and the second static IP/port(s) to map to the proper phone network server(s).

     

    You can use 1 static IP as the actual SRX interface IP, and then use 3 additional to map to your VLANs, that makes it easier for doing the port forwarding stuff so you don't have any issues with port forwarding rules conflicting with services on the SRX itself.  Then just add the 3 additional IPs you're using to proxy-arp on the external (untrust) interface.

     

    You can then set three source NAT pools, to the three static IPs you're using, and set the match rules to match each internal VLAN and map to the appropriate public static IP that you want to use for that VLAN.

     

    To control which VLANs can and cannot talk to each other, you'll do that with security policies. Your three VLANs should be in separate zones, so then if you don't want the guest network to communicate to the data or phone networks, you just don't create "allow" policies between those zones.  For zones that you do want to communicate with each other, you set security policies to allow the traffic that you want to go between zones.  Your security policies also define which traffic is to be scanned by IDP rules.



  • 12.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-28-2011 06:56

    Hey Keith. I applied everything that you suggested and it all worked rather easily after some intense late night research :) The only thing that I cannot get to work is the port forwarding for the different VLANs. I set up the proxy ARP and it works but only for one VLAN at a time. For instance, if I set up RDP for xx.xx.xx.65 (public IP) it works no problem. Then if I change it to xx.xx.xx.66 (public IP) again it works fine, except I can't separate it. What I mean is that I can have my port forwards for only one VLAN at a time. If I try to have a separate instance of port 80, let's say, then I get an error saying that I can't overlap. Any ideas? Thanks again for your help.



  • 13.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-28-2011 11:20

    If you post your current config (as an attachment, please, it's easier to read) and the errors you're receiving, I will take a look.  I assume others will look, too, but I don't want to speak for anyone. 



  • 14.  RE: How do I assign multiple IP addresses from one port?

    Posted 09-28-2011 11:33

    Here it is, thanks again.



  • 15.  RE: How do I assign multiple IP addresses from one port?
    Best Answer

    Posted 09-28-2011 12:11

    First thing I noticed was that your static NAT config is... well, for lack of a better term -- wrong.

     

    You don't want to static NAT to/from the same address space.  Also, static NAT is bi-directional, meaning you only define it in one direction and it is transitive.  You also don't need your interface ge-0/0/1.0 in your trust zone, since it's a L2 interface.  Semantics.

     

    For your destination NAT, you will need a separate pool for your different internal hosts, and then match on your different public IPs.  For example, if I have 3 internal VLANs:

     

    192.168.1.0/24

    192.168.2.0/24

    192.168.3.0/24

     

    .. and I have 3 public IPs:

     

    1.1.1.1

    1.1.1.2

    1.1.1.3

     

    And I want to map Microsoft RDP (Terminal Services -- TCP 3389) such that each public IP corresponds to one of my internal IPs, for example:

     

    1.1.1.1 (3389) -> 192.168.1.30 (3389)

    1.1.1.2 (3389) -> 192.168.2.46 (3389)

    1.1.1.3 (3389) -> 192.168.3.88 (3389)

     

    I would do it like this:

     

    security {
      nat {
        destination {
          pool RDP-192.168.1.30 {
            address 192.168.1.30/32 port 3389;
          }
          pool RDP-192.168.2.46 {
            address 192.168.2.46/32 port 3389;
          }
          pool RDP-192.168.3.88 {
            address 192.168.3.88/32 port 3389;
          }
          rule-set From-Untrust {
            from zone untrust;
            rule RDP-1.1.1.1 {
              match {
                destination-address 1.1.1.1/32;
                destination-port 3389;
              }
              then {
                destination-nat pool RDP-192.168.1.30;
              }
            }
            rule RDP-1.1.1.2 {
              match {
                destination-address 1.1.1.2/32;
                destination-port 3389;
              }
              then {
                destination-nat pool RDP-192.168.2.46;
              }
            }
            rule RDP-1.1.1.3 {
              match {
                destination-address 1.1.1.3/32;
                destination-port 3389;
              }
              then {
                destination-nat pool RDP-192.168.3.88;
              }
            }
          }
        }
        proxy-arp {
          interface ge-0/0/0.0 {
            address {
              1.1.1.1/32 to 1.1.1.3/32;
            }
          }
        }
      }
    }

     

    Hope that helps.
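    The snippet above covers only the destination NAT half of the design described in reply 11. The following is an added example (constructed for this thread, not Keith's config or anything from the OP's attachment) of the remaining pieces: the per-VLAN source NAT pool and the zone policies that enforce "data and phone talk, guest reaches only the internet" and send inbound RDP through IDP. It assumes zone names data, phone, guest and untrust and reuses the 1.1.1.x / 192.168.x.0 addresses from the reply above; the phone and guest source NAT pools follow the same pattern with 1.1.1.2 and 1.1.1.3.

```junos
# Constructed example, not from the thread: zones data, phone, guest, untrust
# and the 1.1.1.x / 192.168.x.0 addresses from the reply above are assumed.

# Address-book entry for the inbound policy (the post-NAT private address)
set security zones security-zone data address-book address RDP-HOST 192.168.1.30/32

# Source NAT: traffic leaving the data zone is translated to public IP 1.1.1.1
# (repeat with 1.1.1.2 / 1.1.1.3 and the phone / guest zones)
set security nat source pool SNAT-DATA address 1.1.1.1/32
set security nat source rule-set DATA-OUT from zone data
set security nat source rule-set DATA-OUT to zone untrust
set security nat source rule-set DATA-OUT rule DATA-TO-INTERNET match source-address 192.168.1.0/24
set security nat source rule-set DATA-OUT rule DATA-TO-INTERNET then source-nat pool SNAT-DATA

# Outbound policy; without a permit the source NAT rule never gets a session
set security policies from-zone data to-zone untrust policy DATA-INTERNET match source-address any
set security policies from-zone data to-zone untrust policy DATA-INTERNET match destination-address any
set security policies from-zone data to-zone untrust policy DATA-INTERNET match application any
set security policies from-zone data to-zone untrust policy DATA-INTERNET then permit

# Inbound RDP: destination NAT runs before the policy lookup, so the policy
# matches the private address RDP-HOST, not 1.1.1.1, and hands the flow to IDP
set security policies from-zone untrust to-zone data policy RDP-IN match source-address any
set security policies from-zone untrust to-zone data policy RDP-IN match destination-address RDP-HOST
set security policies from-zone untrust to-zone data policy RDP-IN match application junos-ms-rdp
set security policies from-zone untrust to-zone data policy RDP-IN then permit application-services idp

# Data and phone may talk to each other: explicit permits in both directions
set security policies from-zone data to-zone phone policy DATA-TO-PHONE match source-address any
set security policies from-zone data to-zone phone policy DATA-TO-PHONE match destination-address any
set security policies from-zone data to-zone phone policy DATA-TO-PHONE match application any
set security policies from-zone data to-zone phone policy DATA-TO-PHONE then permit
set security policies from-zone phone to-zone data policy PHONE-TO-DATA match source-address any
set security policies from-zone phone to-zone data policy PHONE-TO-DATA match destination-address any
set security policies from-zone phone to-zone data policy PHONE-TO-DATA match application any
set security policies from-zone phone to-zone data policy PHONE-TO-DATA then permit

# Guest gets an outbound policy only. No guest->data or guest->phone policy
# exists, so the SRX default deny drops that traffic without any explicit rule
set security policies from-zone guest to-zone untrust policy GUEST-INTERNET match source-address any
set security policies from-zone guest to-zone untrust policy GUEST-INTERNET match destination-address any
set security policies from-zone guest to-zone untrust policy GUEST-INTERNET match application any
set security policies from-zone guest to-zone untrust policy GUEST-INTERNET then permit
```

    The `#` lines are explanatory and should be dropped before pasting the `set` commands into `load set terminal`; the policy match on the private address (not the public one) is the detail that most often makes a destination NAT rule appear to "not work".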



  • 16.  RE: How do I assign multiple IP addresses from one port?

    Posted 10-03-2011 10:07

    You nailed it bud. Thank you much for all your help. Works like a charm!