SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Non consecutive public IP blocks

    Posted 03-03-2014 15:33

    Hello,

     

    Device: SRX240

     

    I ran out of public IPs that were provisioned by my ISP. I have ordered an additional IP block, but the addresses are from a completely different subnet so I cannot simply change the mask on my untrust interface.

     

    My question is, what is the best way to add the new IP block to my Untrust interface?

    Do I need to create a sub interface and configure it with an IP address from the new block?

    Instead of creating a sub interface, can I just add the new block to the proxy-arp list?

    I have had this scenario before with a ScreenOS device (SSG) and was just able to "add" the new block to my existing Untrust interface. Not sure if this is valid for Junos devices.

     

    Thank you in advance.



  • 2.  RE: Non consecutive public IP blocks
    Best Answer

    Posted 03-03-2014 19:26

    We just use proxy-arp and NAT the addresses to where they need to be, no need for another interface or even for the SRX to use any of the IP addresses directly.



  • 3.  RE: Non consecutive public IP blocks

     
    Posted 03-03-2014 20:58

    Dear 

     

    Creating a sub-interface means you need to VLAN-tag each sub-interface (called a unit in Junos language). You can also create a secondary address on the same old interface: just assign an address from the new subnet to your interface, but be aware that if you need to send traffic sourced from the device, it will use the primary address. See below the definition of primary address:

     

    • Whether this address is the primary address—Each interface has a primary local address. If an interface has more than one address, the primary local address is used by default as the source address when you send packets from an interface where the destination provides no information about the subnet (for example, some ping commands). By default, the primary address on an interface is the lowest-numbered non-127 (in other words, non-loopback) preferred address on the interface. To override the default and explicitly configure the preferred address, include the primary statement when configuring the address.

    For proxy-arp, you can use it in the case of using NAT, and only when the NAT pool address(es) is/are part of the upstream interface subnet (the untrust interface in your case). It depends what you want to do with this new subnet: if you want to use it for NAT (source/destination/static), you don't need to configure any address from the new subnet on the interface, just routing will do the job; if you want to assign the public IPs on your machine, in this case you must configure the new address on your firewall.

     

    Regards



  • 4.  RE: Non consecutive public IP blocks

    Posted 03-04-2014 20:12

    It appears I can only mark one entry as a solution, however both Red1 and



  • 5.  RE: Non consecutive public IP blocks

     
    Posted 03-04-2014 21:58

    Hello 

     

    You don't need to configure it in the proxy-arp, as there is no IP configured as part of the new block between your untrust interface and the upstream router; only routing is necessary for your case.

     

    Please read the link below:

     

    http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/configuring-proxy-arp-on-srx-series-services-gateways.html

     

    Regards
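The two approaches discussed in replies 2, 3 and 5 (NAT plus routing with no address from the new block on the interface, versus a secondary address on the untrust unit) side by side, as an added configuration example that is not from the thread or from Juniper documentation. All addressing is constructed for illustration: the original ISP block is assumed to be 192.0.2.0/29 with the SRX at 192.0.2.2 on ge-0/0/0.0, the new block 198.51.100.0/28 is assumed to be routed by the ISP to 192.0.2.2, and 10.0.0.10 is an assumed internal server in zone trust. Interface, zone, pool and rule names are likewise assumptions.

```junos
# Constructed example; interface, zone and rule names and all addresses are assumptions.
#
# --- Option A: NAT plus routing only (reply 2 and reply 5) ---
# The ISP routes 198.51.100.0/28 to our untrust address 192.0.2.2, so packets for
# the new block reach the SRX by routing. No address from the block is configured
# on the interface and no proxy-arp entry is needed for it.

# Static NAT: publish the internal server on an address from the new block.
set security nat static rule-set untrust-in from zone untrust
set security nat static rule-set untrust-in rule web match destination-address 198.51.100.10/32
set security nat static rule-set untrust-in rule web then static-nat prefix 10.0.0.10/32

# Source NAT: outbound traffic from the LAN leaves using addresses from the new block.
set security nat source pool newblock-pool address 198.51.100.11/32 to 198.51.100.14/32
set security nat source rule-set lan-out from zone trust
set security nat source rule-set lan-out to zone untrust
set security nat source rule-set lan-out rule lan-all match source-address 10.0.0.0/24
set security nat source rule-set lan-out rule lan-all then source-nat pool newblock-pool

# Security policy for the published server. Static NAT is applied before policy
# lookup, so the policy matches the internal (post-translation) address.
set security zones security-zone trust address-book address web-server 10.0.0.10/32
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit

# Proxy-ARP is only required for NAT addresses that sit inside the interface's
# own subnet (the original 192.0.2.0/29 here), because the upstream router ARPs
# for those instead of routing to them.
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.3/32 to 192.0.2.6/32

# --- Option B: secondary address on the same unit (reply 3) ---
# Keep the original address primary so device-sourced traffic (pings, syslog,
# IKE) still uses 192.0.2.2; the new address only serves hosts addressed to it.
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/29 primary
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/28

# Checks after commit (operational mode):
#   show route 198.51.100.0/28          - the new block must resolve locally, not via the ISP
#   show security nat static rule all   - static rule hit counters increment on inbound hits
#   show security nat source pool all   - pool addresses and usage
#   show arp                            - no ISP-side ARP entries expected for the routed block
```

Option A keeps the SRX's attack surface unchanged (no new listening address on the untrust unit) and relies on the ISP's route, which is the assumption to confirm with them before committing; Option B is appropriate only when hosts or the firewall itself must own an address from the new block.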