SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Multiple public ip addresses in 1 interface

    Posted 07-04-2013 02:20

    Hi all

     

    I need help to achieve this

     

    I have one line from my ISP where I'm receiving 15 public IP addresses. I want to publish multiple web services on different internal servers with multiple public addresses

    example:

    ext ip 10.10.10.1 NAT to int ip 192.168.1.1 port 80 & 443

    ext ip 10.10.10.2 NAT to int ip 192.168.1.2 port 80 & 443

    How can I achieve that?

     

    Thanks



  • 2.  RE: Multiple public ip addresses in 1 interface

    Posted 07-04-2013 05:19

    Hi Funi,

     

    You'll need Destination NAT - there are some examples here:

     

    http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

     

    You don't actually configure the 15 addresses on the external interface, but instead use proxy-arp so that the interface responds to ARP requests for those IPs, then Dest-NATs them to your internal server.

     



  • 3.  RE: Multiple public ip addresses in 1 interface

    Posted 07-04-2013 06:16

    Hi dfex,

     

    Thanks for your reply but the link doesn't work.

    Do you have any other?

     

    Thanks



  • 4.  RE: Multiple public ip addresses in 1 interface

    Posted 07-04-2013 07:07

    Since you are translating one IP to another (one-to-one), I would use Static NAT.  Destination NAT is great if you are trying to use one public IP to translate to multiple internal servers by destination port or translate an inbound port to another.  But there is always more than one way to do this; whichever works best for your specific scenario.

     

    I attached the PDF that dfex linked to.

     

     



  • 5.  RE: Multiple public ip addresses in 1 interface

    Posted 07-04-2013 07:47

    Funi,

     

    Supposing you have fewer than 15 servers, you can map each public IP address to a separate web server. This is an example configuration for just one server:

     

    set security nat destination pool pool-1 address 192.168.1.1/32
    set security nat destination rule-set rs1 from interface ge-0/0/X.Y
    set security nat destination rule-set rs1 rule r1 match destination-address 10.10.10.1/32
    set security nat destination rule-set rs1 rule r1 match destination-port 80
    set security nat destination rule-set rs1 rule r1 then destination-nat pool pool-1
    set security nat proxy-arp interface ge-0/0/X.Y address 10.10.10.1/32
    

     

    However, if you have a large server farm, then you can do two things

     

    - Do the PAT to meet the requirement

    - increase destination pool from /32 provided your servers (however, it is not workable if servers are hosting different websites)

     

    regards



  • 6.  RE: Multiple public ip addresses in 1 interface

    Posted 07-08-2013 07:23

    Hi all and thanks for replies.

    I tried many configurations but nothing works, maybe I'm forgetting something....

    My config has:

    R0- internal lan

    R1- isp (only 1 ip address)

    R2- isp 2 (14 ip addresses)

    R3 DMZ

    I have everything working, and many published services, but my problem is when I try to publish with ISP 2 and services coming from some IP that is not the principal IP (the one configured on the interface).

    I attached my config (names and real IPs modified). Maybe someone can find the mistake in my config.

     

    Thanks in advance...




  • 7.  RE: Multiple public ip addresses in 1 interface

    Posted 04-09-2014 01:34

    Hi

    Did you have any success with this in the end?

    I'm also trying to NAT a second IP address on RETH0 (untrust) to an internal server over https.

    I imagined this would be quite easy but was wrong.

    Thanks



  • 8.  RE: Multiple public ip addresses in 1 interface

    Posted 04-11-2014 07:45

    If you're bringing in a new IP address you need to ensure the following

     

    1 - Use Proxy-ARP to make the SRX listen for the IP address.

     

    Once you have configured the above you need to move to the attaching / mapping devices.

     

    Two ways of configuring this.

     

    1- If you want a single IP address to use separate external ports and connect to lots of different servers you need to use destination NAT.

     

    2- If you have lots of IPs and want to use a single IP address for each server you want a static map.
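
The one-to-one mapping from the original question done with static NAT plus proxy-ARP, as replies 4 and 8 suggest. This is an added example, not configuration posted by anyone in the thread. The zone names `untrust` and `dmz`, the global address book, and all rule-set, rule, address and policy names are assumptions; `ge-0/0/X.Y` is the same interface placeholder used in reply 5.

```junos
# Static NAT: one public address per internal server (all ports are translated)
set security nat static rule-set rs-static from zone untrust
set security nat static rule-set rs-static rule web1 match destination-address 10.10.10.1/32
set security nat static rule-set rs-static rule web1 then static-nat prefix 192.168.1.1/32
set security nat static rule-set rs-static rule web2 match destination-address 10.10.10.2/32
set security nat static rule-set rs-static rule web2 then static-nat prefix 192.168.1.2/32

# Proxy-ARP: the extra public addresses are not configured on the interface,
# so the SRX has to answer ARP requests for them
set security nat proxy-arp interface ge-0/0/X.Y address 10.10.10.1/32
set security nat proxy-arp interface ge-0/0/X.Y address 10.10.10.2/32

# Address objects for the internal (translated) addresses
set security address-book global address web1 192.168.1.1/32
set security address-book global address web2 192.168.1.2/32

# Security policy: NAT alone passes no traffic. The policy lookup happens after
# the destination is translated, so it matches the internal addresses, and it
# is what limits exposure to ports 80 and 443 only.
set security policies from-zone untrust to-zone dmz policy allow-web match source-address any
set security policies from-zone untrust to-zone dmz policy allow-web match destination-address web1
set security policies from-zone untrust to-zone dmz policy allow-web match destination-address web2
set security policies from-zone untrust to-zone dmz policy allow-web match application junos-http
set security policies from-zone untrust to-zone dmz policy allow-web match application junos-https
set security policies from-zone untrust to-zone dmz policy allow-web then permit
```

Static NAT is bidirectional, so sessions the servers initiate toward the untrust zone are also translated to their public addresses; which of those sessions are allowed is decided by the policy for that direction.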