SRX

 View Only
last person joined: 19 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

  • 1.  DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-21-2012 13:53

    Ok, now here is my situation. I went from having a /28 network and requested two more pulls from our provider and they set me up with a /30 block and then setup routing to point to two ips on that /30 block for /28 block. The issue is I was using DNAT to a vlan private network (let's say 10.0.0.0/24) and how would I go about getting things back how they were? I've contacted jtac directly and they just went cross eyed when I tried to explain what I wanted to do.

     

    The only thing I can think of doing is changing the 10.0.0.0/24 network into the previously used /28 block. but then I lose all my dnat ACL's which just sucks to be honest. In that case I think I would have to purchase some EX line switches to get any sort of ACL going then. Should I request my provider just move my /28 network over? Is there someway I can use my ips on a redundant interface? Toss some ideas please!


    #srx240clusteringlayer2


  • 2.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-27-2012 19:20

    It took me a minute to understand what exactly you meant.

     

    Your internet connection was using the /28 and it was migrated to a /30 and the /28 is routed to your SRX's IP in the /30. Is this correct? This should not affect your destination NATs, you would not need any proxy-arp configuration for the /28 network any longer, however, but it would not prevent your NAT's from working.

     

    Could you paste a destination NAT rule or Static NAT you have set up and explain why you don't believe it's working?

     

    Thanks

     



  • 3.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-28-2012 06:09

    Yes exactly.

     

    I'm natting that /28 network however into a private IP. I think its rather a lost cause to get it working on the /28 network and I think I am just going to change the private network ips that need to be public as public and redo all my IPsec tunnels so I can route the public network over the tunnel as well as for the few private ips that are left.



  • 4.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-28-2012 07:16

    Well, I'm not sure if this is what you're trying to do but you can set up static one to one NAT's from your public /28 to your private network, or port forward traffic from your public block just as you would have before.

     

    If you are NAT'ing the public IP's and terminating tunnels on the internal private network, this should still work, provided you enabled NAT Traversal on both end points of the tunnel, which you would have needed before.



  • 5.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-28-2012 07:24

    Let me give a little more background maybe it'll make sense then. I originally only had one SRX240 All the servers are connected directly to the switch on vlan1 (lets say 10.0.0.1/24).

     

    The switch died so in that case I RMA'd the old one and brought up another switch and thats where I am now. My network provider has set me up with two /30 networks one of each switch that has the /28 network staticly routed to both client ips on the SRX240s. I have them setup in clustering with the management port setup as the two /30 networks. Now I attempted to setup a redundant interface for the /28 block so I could use that dNAT to server ips on the vlan1 again but as the /28 is a management interface it doesn't allow me to setup a reth interface.

     

    So thats where I am now, I figured my best course of action is to change the servers that have public ips to those ips directly and setup a reth on that network and assign some ports for that new public vlan so everything will instantly failover incase of another failure.



  • 6.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-28-2012 07:42

    Okay,

     

    So you have a /28 public network and you assigned this to the SRX fxp(management) interface? Note the management interface cannot pass data traffic. Did you need the SRX to maintain the same IP you had before for management purposes? Why not use the new /30 IP assigned to your external interface? 

     

    You could set up a loopback interface with a public IP from your old /28 with a /32 mask for external connectivity to the SRX (ssh/https etc), or use this to terminate VPN's on the SRX.

     

    I'm just confused why the old /28 is assigned to any interfaces, it sounds like you want to use it specifically for NAT'ing. The private VLAN can terminate to a default gateway on the SRX and the SRX will map your public /28 to internal servers as your DNAT rules are defined.



  • 7.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-28-2012 07:46

    I am using the new /30 subneted ips for the interface. I didn't know it would work if I assigned the ip to a local interface like that, I'll give that a try. Can a lo interface have redundancy between the two SRXs though? I'll see what I can find thanks...



  • 8.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-31-2012 06:09

    How do I map them exactly when they aren't on any of the interfaces? I already have the NATs I previously defined and they are not working...



  • 9.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-31-2012 06:16

    With a NAT rule, or static

    match destination A.A.A.A/32

    then destination-nat pool etc.

     

    An IP does not need to be configured on your public interface in order for you to use it for DNAT, the public range does need to be routed to your new public IP address by your ISP however, which I suspect is not happening.

     

    You will need traffic routed to your SRX, since you own those IP's.

    You will need a destination NAT/Static to translate the public IP to private.

    You will need a security policy to allow the source (probably "any") to the real post-nat Ip of your server, likely from untrust to trust.



  • 10.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-31-2012 06:21

    ah yes, I think the zones may be screwed up now that you mention it. I'll see what is going on there...

     

    What about a ipsec tunnel? I was using one of the ips from the /28 range, guessing that has to be changed?



  • 11.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-31-2012 06:26

    Was the tunnel terminating on the SRX? Or an internal device? You could configure that IP as a loopback to terminate it on the SRX, as mentioned before. if it's an internal device you would just NAT like normal traffic, but configure the IPSEC tunnel for nat traversal since the SRX is an intermediary nat device.



  • 12.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-31-2012 06:27

    it was on the SRX...



  • 13.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 12-31-2012 08:39

    yup, just use a loopback with a /32 mask and the SRX will respond for the traffic,  you will need to add the loopback to zone untrust, and make sure that either untrust zone or loopback interface allows IKE traffic to it. 



  • 14.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)
    Best Answer

    Posted 12-31-2012 09:06

    not a good idea to put it in the same zone as the external interface?



  • 15.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 01-01-2013 18:15

    I would configure a route based tunnel, put the loopback into a new zone, the only purpose here is to allow host-inbound-traffic protocols ike to allow VPN traffic to this interface.

     

    I would then put the tunnel interface into a new zone called "VPN", the same new zone you put your loopback.

     

    This will give you the most granular control of your policies so you don't have to mix them with trust to untrust rules etc.

     

    When you specify the external interface when configuring the gateway you would reference the loopback interface.



  • 16.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 01-02-2013 08:59
    Perfect thanks ChoWZa have a happy new year!


  • 17.  RE: DNAT on /28 block of ips to vlan network behind two SRX240h (in clustered mode)

    Posted 01-02-2013 19:38

    You too GL 🙂