A server with, on the server network card, a public ip x.x.x.107/32 - without using nat.

07-03-2018 04:46 AM

We use SRX320 and have the following interfaces set up.

ge-0/0/0 – ge-0/0/0.0 – public IP x.x.x.106/29

ge-0/0/1 – ge-0/0/1.0 – private IP 192.168.1.0/16

We would like to set up:

A server with, on the server network card, a public IP x.x.x.107/32 - without using NAT.

Should I split up the x.x.x.106/29 into 2 x /30 and set up ethernet switching on another physical port, or is there a smarter way to make it work, without NAT? Don't go around the NAT, I know how it works and I need another solution. Thanks.

Re: A server with, on the server network card, a public ip x.x.x.107/32 - without using nat.

[ Edited ]
07-03-2018 07:06 AM

Assign .106 to an irb interface and plug the server and ISP handoffs into layer 2 ports on the same vlan.
Re: A server with, on the server network card, a public ip x.x.x.107/32 - without using nat.

07-04-2018 03:18 AM

Hi and thank you very much for your reply.

It would work fine for the ISP and server, but I didn't describe my need for NAT for my private LAN at all.

I've been trying to read up on irb because I'm not familiar with this, and found that my private LAN can't be NAT'd and routed through an irb interface to an ethernet-switched layer 2 interface:

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-mixed-mode-understanding.h...

Would VLAN tagging and two logical interfaces be a way to get around this? E.g.:

# ISP uplink
ge-0/0/0          vlan-tagging
ge-0/0/0.0        family inet x.x.x.106/32
ge-0/0/0.89       family ethernet-switching vlan 89 trunk

# Private LAN
ge-0/0/1.0        family inet 192.168.1.0/16
#  ... lots of source and destination NAT rules to ISP uplink

# Server interface
ge-0/0/2          vlan-tagging
ge-0/0/2.89       family ethernet-switching vlan 89

Thank you.

Re: A server with, on the server network card, a public ip x.x.x.107/32 - without using nat.

[ Edited ]
07-04-2018 01:30 PM

Hello,

This is possible to do with FBF, I briefly tested it in my lab with VSRX 15.1X49-D50.

General idea:

1/ configure 1 Virtual Router (called "inside-vr" in this example) and assign there the SRX interface that is connected to Your server (ge-0/0/2.89 in Your case)

2/ assign Your ISP's gateway IP to ge-0/0/2.89

3/ configure a filter like below and assign it as input to ge-0/0/0.89. Don't forget proxy ARP for .107!

set firewall family inet filter f1 term t1 from destination-address x.x.x.107/32
set firewall family inet filter f1 term t1 then count to-svr
set firewall family inet filter f1 term t1 then routing-instance inside-vr
set firewall family inet filter f1 term t2 then accept
set interfaces ge-0/0/0 unit 89 family inet filter input f1
set security nat proxy-arp interface ge-0/0/0.89 address x.x.x.107/32

4/ add a security policy to allow incoming traffic to x.x.x.107

5/ if You would like to allow outgoing traffic from Your server to the internet, then You need to add another filter similar to the above to ge-0/0/2.89 and write yet another security policy.

HTH

Thx

Alex

[Edited] - Forgot to mention proxy ARP, it is added in the code above. Also used correct .107 server address in my code. 

Re: A server with, on the server network card, a public ip x.x.x.107/32 - without using nat.

[ Edited ]
08-13-2018 02:11 AM

Hi, thank you very much for helping me. I've been on vacation and I'm ready to try it out this upcoming weekend. This is new to me and I've got these rules that I will try out to make it work. What do you think? I would be really grateful for your feedback:

_______________________

1/ configure 1 Virtual Router (called "inside-vr" in this example) and assign there the SRX interface that is connected to Your server (ge-0/0/2.89)

[edit routing-instances]
set inside-vr instance-type virtual-router
set inside-vr interface ge-0/0/2.89

[edit]
set security zones security-zone Internet interfaces ge-0/0/2.89


2/ assign Your ISP's gateway IP to ge-0/0/2.89

[edit interfaces]
set ge-0/0/2 vlan-tagging
set ge-0/0/2 unit 89 vlan-id 89
set ge-0/0/2 unit 89 family inet address x.x.x.105/30



3/ Add filter

[edit]
set firewall family inet filter server-in term t1 from destination-address x.x.x.107/32
set firewall family inet filter server-in term t1 then count to-svr
set firewall family inet filter server-in term t1 then routing-instance inside-vr
# t2 assumes a prefix-list named trusted-networks is defined under [edit policy-options]
set firewall family inet filter server-in term t2 from source-prefix-list trusted-networks
set firewall family inet filter server-in term t2 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input server-in
set security nat proxy-arp interface ge-0/0/0.0 address x.x.x.107/32



4/ add a security policy to allow incoming traffic to x.x.x.107/32


add ge-0/0/2.89 to existing policy


5/ if You would like to allow outgoing traffic from Your server to the internet, then You need to add another filter, similar to the one above on ge-0/0/0, to ge-0/0/2.89

set firewall family inet filter server-out term t1 from source-address x.x.x.107/32
set firewall family inet filter server-out term t1 then count from-svr
set firewall family inet filter server-out term t1 then routing-instance inside-vr
# t2 assumes the same prefix-list named trusted-networks
set firewall family inet filter server-out term t2 from source-prefix-list trusted-networks
set firewall family inet filter server-out term t2 then accept
set interfaces ge-0/0/2 unit 89 family inet filter input server-out
set security nat proxy-arp interface ge-0/0/2.89 address x.x.x.107/32


commit confirmed 5

____________________________________

Thank you.
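The following is an added example, not code from the thread or from Juniper. It models the filter-based forwarding (FBF) design Alex describes in steps 1-3 and runs the checks a reviewer would want over the return-path draft in the last post. Everything in it is an assumption for illustration: 203.0.113.104/29 stands in for the thread's x.x.x.104/29 (.105 as the ISP gateway, .106 the SRX, .107 the server), ge-0/0/2.89 carries the gateway address as in step 2, the parser only understands the statement shapes used in the replies (it ignores `source-address` matches), and only connected routes are modelled, so there is no default route.

```python
"""Filter-based forwarding (FBF) model of the design proposed in the thread.

Added example, not code from the thread or from Juniper: parses the kind of
"set" statements the replies use, looks up how a packet would be forwarded and
runs a few consistency checks.  Constructed addresses: 203.0.113.104/29 stands
in for x.x.x.104/29 (.105 ISP gateway, .106 SRX, .107 server).  Only connected
routes are modelled; there is no default route."""
import ipaddress

FBF_LINE = "set interfaces ge-0/0/0 unit 89 family inet filter input f1"

# Alex's steps 1-3 in set syntax; ge-0/0/2.89 carries the ISP gateway address.
CONFIG_LINES = [
    "set interfaces ge-0/0/0 unit 89 family inet address 203.0.113.106/29",
    FBF_LINE,
    "set interfaces ge-0/0/2 unit 89 family inet address 203.0.113.105/29",
    "set routing-instances inside-vr instance-type virtual-router",
    "set routing-instances inside-vr interface ge-0/0/2.89",
    "set firewall family inet filter f1 term t1 from destination-address 203.0.113.107/32",
    "set firewall family inet filter f1 term t1 then count to-svr",
    "set firewall family inet filter f1 term t1 then routing-instance inside-vr",
    "set firewall family inet filter f1 term t2 then accept",
    "set security nat proxy-arp interface ge-0/0/0.89 address 203.0.113.107/32",
]

# Constructed return-path draft modelled on the last post (filter aimed at inside-vr).
DRAFT_LINES = CONFIG_LINES + [
    "set interfaces ge-0/0/2 unit 89 family inet filter input server-out",
    "set firewall family inet filter server-out term t1 from source-address 203.0.113.107/32",
    "set firewall family inet filter server-out term t1 then routing-instance inside-vr",
    "set firewall family inet filter server-out term t2 then accept",
    "set security nat proxy-arp interface ge-0/0/2.89 address 203.0.113.107/32",
]


def parse(lines):
    """Parse the subset of set statements used in the thread into plain dicts."""
    cfg = {"units": {}, "filters": {}, "instances": {"default"}, "proxy_arp": {}}

    def unit(ifl):
        return cfg["units"].setdefault(ifl, {"instance": "default", "address": None, "filter": None})

    for w in (line.split() for line in lines):
        if w[:2] == ["set", "interfaces"]:
            u = unit(f"{w[2]}.{w[4]}")
            if w[5:8] == ["family", "inet", "address"]:
                u["address"] = ipaddress.ip_interface(w[8])
            elif w[5:9] == ["family", "inet", "filter", "input"]:
                u["filter"] = w[9]
        elif w[:2] == ["set", "routing-instances"]:
            cfg["instances"].add(w[2])
            if w[3] == "interface":
                unit(w[4])["instance"] = w[2]
        elif w[:5] == ["set", "firewall", "family", "inet", "filter"]:
            t = cfg["filters"].setdefault(w[5], {}).setdefault(w[7], {"dst": None, "actions": []})
            if w[8:10] == ["from", "destination-address"]:
                t["dst"] = ipaddress.ip_network(w[10])
            elif w[8] == "then":
                t["actions"].append(" ".join(w[9:]))
        elif w[:5] == ["set", "security", "nat", "proxy-arp", "interface"]:
            cfg["proxy_arp"].setdefault(w[5], []).append(ipaddress.ip_network(w[7]))
    return cfg


def forward(cfg, ingress, dst):
    """(instance, egress unit) for a packet to dst arriving on ingress."""
    dst, u = ipaddress.ip_address(dst), cfg["units"][ingress]
    instance = u["instance"]
    if u["filter"] is not None:
        # First matching term decides; a term without a routing-instance action
        # accepts into the unit's own instance; no match is an implicit discard.
        for term in cfg["filters"][u["filter"]].values():
            if term["dst"] is None or dst in term["dst"]:
                ri = [a.split()[1] for a in term["actions"] if a.startswith("routing-instance ")]
                instance = ri[0] if ri else instance
                break
        else:
            return ("discard", None)
    best = None  # longest connected-route match inside the chosen instance
    for name, v in cfg["units"].items():
        if v["instance"] == instance and v["address"] and dst in v["address"].network:
            if best is None or v["address"].network.prefixlen > best[1]:
                best = (name, v["address"].network.prefixlen)
    return (instance, best[0] if best else None)


def lint(cfg):
    """Dangling instance references, diverts into a unit's own instance, and
    proxy ARP for an address whose traffic is then forwarded back out that unit."""
    out = []
    for name, u in cfg["units"].items():
        for tname, term in cfg["filters"].get(u["filter"], {}).items():
            for ri in (a.split()[1] for a in term["actions"] if a.startswith("routing-instance ")):
                if ri not in cfg["instances"]:
                    out.append(f"{u['filter']} {tname}: routing-instance {ri} is not defined")
                elif ri == u["instance"]:
                    out.append(f"{u['filter']} {tname} on {name}: diverts to its own instance {ri}")
    for ifl, nets in cfg["proxy_arp"].items():
        for n in nets:
            if forward(cfg, ifl, str(n.network_address))[1] == ifl:
                out.append(f"proxy-arp {n} on {ifl}: traffic is forwarded back out {ifl}")
    return out
```

`forward(parse(CONFIG_LINES), "ge-0/0/0.89", "203.0.113.107")` returns `('inside-vr', 'ge-0/0/2.89')`: the filter moves the packet into inside-vr, where .107 is directly connected on the server unit. Parsing the same lines without `FBF_LINE` returns `('default', 'ge-0/0/0.89')`, which is the failure the filter exists to prevent: the SRX answers proxy ARP for .107 on the ISP segment and then, in the default instance, sends the packet straight back out the unit it arrived on. `lint(parse(DRAFT_LINES))` reports two things worth a second look before `commit confirmed`: `server-out` diverts ge-0/0/2.89 into the instance it is already in, and proxy ARP for .107 on ge-0/0/2.89 forwards that traffic back out the same unit.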
