@MR. C wrote:
OK, I will try. As of right now my configuration consists of one static IP address from our old internet provider. That is my untrust zone/gateway for my LAN to the internet, and all my VLANs connect to that port for internet access (ge-0/0/0). Just recently, we switched providers (Comcast) and with our service, they provide 5 static IPs.
As of now I have three VLANs on my network.
1. Data network (this has all my client PCs and servers) ge-0/0/1
2. Phone network (this is our IP-based PBX system) fe-0/0/7 and fe-0/0/6
3. Guest network (basically allows our guests to have internet access and not be on our data network) fe-0/0/5
My goal is to set up the SRX-210 in such a way that each of these VLANs is associated with one static external IP apiece, so I can set up port forwarding rules to a particular VLAN based on those addresses. For instance, I want POP3, IMAP and such on the data network, but I need the same port forwards to the phone network, which conflict with the port forwards I need on the data network (they share some of the same ports). Also, I want to have routing set up so that the data and phone networks can communicate with each other, but the guest network can only go to the internet and not to the other VLANs. I am running IDP on the machine as well and would like all incoming traffic to still be scanned. The data network is on 192.168.0.0/24, the phone network is on 10.1.1.0/24, and the guest network has DHCP on the router with 192.168.2.0/24.
I hope this clears some things up. Thank you much for your responses and consideration!
OK, this shouldn't be too bad.
For your incoming port forwarding traffic, you can set up two destination NAT pools, one for your data VLAN and one for your phone VLAN. You can then set your match rules for one static IP/port(s) to map to the proper server(s) in the data network, and the second static IP/port(s) to map to the proper phone network server(s).
You can use one static IP as the actual SRX interface IP, and then use three additional ones to map to your VLANs. That makes the port forwarding easier, since you won't have port forwarding rules conflicting with services on the SRX itself. Then just add the three additional IPs you're using to proxy-ARP on the external (untrust) interface.
You can then set three source NAT pools, to the three static IPs you're using, and set the match rules to match each internal VLAN and map to the appropriate public static IP that you want to use for that VLAN.
To control which VLANs can and cannot talk to each other, you'll do that with security policies. Your three VLANs should be in separate zones, so if you don't want the guest network to communicate with the data or phone networks, you just don't create "allow" policies between those zones. For zones that you do want to communicate with each other, you set security policies to allow the traffic that you want to go between zones. Your security policies also define which traffic is scanned by IDP.
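Putting the four steps of the reply together (destination NAT pools, proxy-ARP, source NAT pools, zone policies with IDP) as one Junos set-format configuration. This is an added example, not configuration posted by either participant. The public addresses 203.0.113.2 through 203.0.113.5 (interface IP plus three mapped IPs), the upstream gateway 203.0.113.1, the internal hosts 192.168.0.10 (mail server) and 10.1.1.10 (PBX), and the IDP policy name `recommended` are all placeholders chosen for illustration; the interfaces and subnets are the ones given in the question. Only POP3 is shown for the port forwards; IMAP and the other shared ports repeat the same two destination NAT rules and two policies with a different application. Lines beginning with `#` are annotations.

```junos
# Untrust interface carries only the SRX's own IP; the three mapped IPs
# are not configured on the interface, they are answered via proxy-ARP.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/29
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# One zone per VLAN so the inter-VLAN rules can be expressed as policies.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone data interfaces ge-0/0/1.0
set security zones security-zone phone interfaces fe-0/0/6.0
set security zones security-zone phone interfaces fe-0/0/7.0
set security zones security-zone guest interfaces fe-0/0/5.0

# Zone address books used by the policies below.
set security zones security-zone data address-book address data-net 192.168.0.0/24
set security zones security-zone data address-book address mail-server 192.168.0.10/32
set security zones security-zone phone address-book address phone-net 10.1.1.0/24
set security zones security-zone phone address-book address pbx 10.1.1.10/32
set security zones security-zone guest address-book address guest-net 192.168.2.0/24

# Proxy-ARP for the three mapped public IPs (the interface IP needs none).
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.3/32 to 203.0.113.5/32

# Source NAT: each VLAN leaves the SRX from its own public IP.
set security nat source pool data-snat address 203.0.113.3/32
set security nat source pool phone-snat address 203.0.113.4/32
set security nat source pool guest-snat address 203.0.113.5/32
set security nat source rule-set data-out from zone data
set security nat source rule-set data-out to zone untrust
set security nat source rule-set data-out rule data-out match source-address 192.168.0.0/24
set security nat source rule-set data-out rule data-out then source-nat pool data-snat
set security nat source rule-set phone-out from zone phone
set security nat source rule-set phone-out to zone untrust
set security nat source rule-set phone-out rule phone-out match source-address 10.1.1.0/24
set security nat source rule-set phone-out rule phone-out then source-nat pool phone-snat
set security nat source rule-set guest-out from zone guest
set security nat source rule-set guest-out to zone untrust
set security nat source rule-set guest-out rule guest-out match source-address 192.168.2.0/24
set security nat source rule-set guest-out rule guest-out then source-nat pool guest-snat

# Destination NAT: the same port (110) forwarded to two different servers,
# disambiguated by which public IP the packet was sent to. A pool without
# a port keeps the original destination port.
set security nat destination pool data-mail address 192.168.0.10/32
set security nat destination pool phone-pbx address 10.1.1.10/32
set security nat destination rule-set inbound from zone untrust
set security nat destination rule-set inbound rule data-pop3 match destination-address 203.0.113.3/32
set security nat destination rule-set inbound rule data-pop3 match destination-port 110
set security nat destination rule-set inbound rule data-pop3 then destination-nat pool data-mail
set security nat destination rule-set inbound rule phone-pop3 match destination-address 203.0.113.4/32
set security nat destination rule-set inbound rule phone-pop3 match destination-port 110
set security nat destination rule-set inbound rule phone-pop3 then destination-nat pool phone-pbx

# Inbound policies match on the post-NAT (internal) destination address and
# hand the permitted flow to IDP. An active IDP policy must exist.
set security idp active-policy recommended
set security policies from-zone untrust to-zone data policy in-mail match source-address any
set security policies from-zone untrust to-zone data policy in-mail match destination-address mail-server
set security policies from-zone untrust to-zone data policy in-mail match application junos-pop3
set security policies from-zone untrust to-zone data policy in-mail then permit application-services idp
set security policies from-zone untrust to-zone phone policy in-pbx match source-address any
set security policies from-zone untrust to-zone phone policy in-pbx match destination-address pbx
set security policies from-zone untrust to-zone phone policy in-pbx match application junos-pop3
set security policies from-zone untrust to-zone phone policy in-pbx then permit application-services idp

# Data and phone may talk to each other in both directions.
set security policies from-zone data to-zone phone policy data-phone match source-address data-net
set security policies from-zone data to-zone phone policy data-phone match destination-address phone-net
set security policies from-zone data to-zone phone policy data-phone match application any
set security policies from-zone data to-zone phone policy data-phone then permit
set security policies from-zone phone to-zone data policy phone-data match source-address phone-net
set security policies from-zone phone to-zone data policy phone-data match destination-address data-net
set security policies from-zone phone to-zone data policy phone-data match application any
set security policies from-zone phone to-zone data policy phone-data then permit

# All three VLANs may reach the internet. Nothing is written from guest to
# data or phone, so the default deny keeps guest isolated.
set security policies from-zone data to-zone untrust policy data-internet match source-address data-net
set security policies from-zone data to-zone untrust policy data-internet match destination-address any
set security policies from-zone data to-zone untrust policy data-internet match application any
set security policies from-zone data to-zone untrust policy data-internet then permit
set security policies from-zone phone to-zone untrust policy phone-internet match source-address phone-net
set security policies from-zone phone to-zone untrust policy phone-internet match destination-address any
set security policies from-zone phone to-zone untrust policy phone-internet match application any
set security policies from-zone phone to-zone untrust policy phone-internet then permit
set security policies from-zone guest to-zone untrust policy guest-internet match source-address guest-net
set security policies from-zone guest to-zone untrust policy guest-internet match destination-address any
set security policies from-zone guest to-zone untrust policy guest-internet match application any
set security policies from-zone guest to-zone untrust policy guest-internet then permit
```

Two points worth checking after committing: `show security nat destination rule all` and `show security flow session destination-port 110` confirm that a connection to 203.0.113.3:110 is translated to 192.168.0.10 while one to 203.0.113.4:110 goes to 10.1.1.10, and `show security policies from-zone guest to-zone data` should return no policies, which is what enforces the guest isolation rather than any explicit deny rule.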