SRX Services Gateway

NAT VLAN trunk directly to untrust statics?

12-04-2017 09:47 AM

I'm trying to NAT off a VLAN trunk directly to a public static interface on an SRX-345. Is that possible? Do I have to create ge-0/0/0.0 and ge-0/0/0.1 etc. for each subnet or something like that, and can I do that on a trunk interface? Here's a diagram of what I'm trying to do:

vlan_trunk_nat.jpg


Re: NAT VLAN trunk directly to untrust statics?

12-04-2017 06:00 PM

While doing NATting, your private subnets should be reachable to the SRX.

It can be a trunk, or L3 tagging, or via an interface IP. As long as they are reachable, this is achievable.



Re: NAT VLAN trunk directly to untrust statics?

12-05-2017 02:21 PM

Okay, I created a trunk on ge-0/0/1.0 and then created 2 VLANs and added them as members of the trunk interface, but now where do I configure IPs for my VLANs so that VLAN traffic has a gateway like 10.30.1.1/24 that's reachable from the trunk port traffic, since I'm not defining that on a normal inet interface and the trunk port doesn't seem to allow multiple per-VLAN IP addresses?


Interestingly, when I started my VLAN configuration I got this message:

warning: Interfaces are changed from route mode to mix mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!

So wouldn't I need to somehow change ge-0/0/1.0 to be a routed interface, or am I not understanding?


Re: NAT VLAN trunk directly to untrust statics?

12-06-2017 03:05 AM

If you want the IP addresses of these on the SRX, you would change your port from family ethernet-switching to family inet.

Then on each subinterface you can put the default gateway address you want.

 

set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 unit 1 vlan-id 10
set interfaces ge-0/0/0 unit 1 family inet address 10.10.1.1/24
set interfaces ge-0/0/0 unit 2 vlan-id 20
set interfaces ge-0/0/0 unit 2 family inet address 10.20.1.1/24

set interfaces ge-0/0/0 unit 3 vlan-id 30
set interfaces ge-0/0/0 unit 3 family inet address 10.30.1.1/24


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: NAT VLAN trunk directly to untrust statics?

12-06-2017 09:37 AM

Okay, but my ge-0/0/0 is my untrust headed to the public statics, and my ge-0/0/1 is supposed to be the VLAN trunk, so can I somehow add these unit X inet addresses on the trunk port too? I thought the trunk had to be set to ethernet-switching only?


Re: NAT VLAN trunk directly to untrust statics?

12-07-2017 02:33 AM

Just change ge-0/0/0 to whatever interface is facing the switch.

Family ethernet-switching is for when you want the tagged port at layer 2.

The above configuration puts a layer 3 address on the tagged interface port facing the switch.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
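Putting the two answers together, here is an added example of the end-to-end setup the thread is after (my own configuration, not Steve's or Juniper's). It assumes ge-0/0/1 is the tagged port facing the switch, ge-0/0/0 faces the ISP, and the constructed block 203.0.113.0/29 stands in for the real public statics; every trunk-side unit uses family inet, so no ethernet-switching is configured on the box.

```junos
## Added example (not from the thread or Juniper docs). Assumes ge-0/0/1 faces the switch
## as an 802.1Q tagged port, ge-0/0/0 faces the ISP, and the constructed public block
## 203.0.113.0/29 stands in for the real static addresses.

## Tagged, routed subinterfaces: one unit per VLAN, each carrying that VLAN's gateway
set interfaces ge-0/0/1 description "tagged link to switch"
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet address 10.10.1.1/24
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 20 family inet address 10.20.1.1/24
set interfaces ge-0/0/1 unit 30 vlan-id 30
set interfaces ge-0/0/1 unit 30 family inet address 10.30.1.1/24

## Untrust side: interface address plus a static default route toward the ISP
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/29
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Zones: VLAN subinterfaces in trust (ping only); untrust gets no host-inbound services
set security zones security-zone trust interfaces ge-0/0/1.10 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.20 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.30 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0

## Source NAT: map each VLAN to its own public static (constructed addresses)
set security nat source pool vlan10-public address 203.0.113.3/32
set security nat source pool vlan20-public address 203.0.113.4/32
set security nat source pool vlan30-public address 203.0.113.5/32
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule vlan10 match source-address 10.10.1.0/24
set security nat source rule-set trust-to-untrust rule vlan10 then source-nat pool vlan10-public
set security nat source rule-set trust-to-untrust rule vlan20 match source-address 10.20.1.0/24
set security nat source rule-set trust-to-untrust rule vlan20 then source-nat pool vlan20-public
set security nat source rule-set trust-to-untrust rule vlan30 match source-address 10.30.1.0/24
set security nat source rule-set trust-to-untrust rule vlan30 then source-nat pool vlan30-public
## Proxy ARP so the SRX answers on the untrust link for pool addresses that are not its own
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.3/32 to 203.0.113.5/32

## NAT rules do not permit traffic by themselves; an explicit trust-to-untrust policy is
## still required, and nothing is opened from untrust toward the VLANs (implicit deny)
set security policies from-zone trust to-zone untrust policy outbound match source-address any
set security policies from-zone trust to-zone untrust policy outbound match destination-address any
set security policies from-zone trust to-zone untrust policy outbound match application any
set security policies from-zone trust to-zone untrust policy outbound then permit
```

After committing, `show security nat source rule all` and `show security flow session` confirm which pool each VLAN's sessions are translated to.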

Re: NAT VLAN trunk directly to untrust statics?

12-07-2017 10:45 AM

Thanks, I was having a hard time figuring out how L2 and L3 ports worked on this box. That really helps; I will try it.