We are running a clustered Junos SRX550. Our ISP has assigned us two subnets of public IP addresses. Currently the primary subnet is configured and working. This includes static and dynamic NAT. The issue I am running into is trying to get the second subnet to be usable.
Here is some configuration info.
reth0 is our trust zone (10.x.y.z)
reth1 is our DMZ zone
reth2 is our untrust zone (64.x.y.z/28)
The two subnets from our ISP are as follows.
I have attempted to add an IP from the second subnet to the reth2 interface, but this doesn't seem to help. The way I have been testing is by having a computer with a static IP in the trust zone set up to NAT to a 67.x.y.z address. Once I set up the NAT, the computer seems to lose connection to the internet.
Is there an article I could be pointed to that has this?
Am I missing something simple?
Please let me know if there is additional information that is needed.
You need to know how your ISP has their end set up.
I usually ask for the second block to be routed to my external IP, then I can use the second block as needed.
How did your ISP set up their side?
Typically when we add a second subnet to an existing client we simply route this subnet to the first available address on the client's first assigned range. The client can also request that a different address be the route destination.
Generally you can confirm how the second subnet is configured by your ISP by consulting your Service Activation Notice or Service Modification Notice. These are generally sent to the technical contact or the person who placed the order. If you don't have the notice you can open a ticket with the ISP to confirm the configuration.
If it is a routed subnet you will NOT place any address from the range on the interface. You will create NAT rules to use the addresses with a matching security policy that will permit the traffic.
If you are adding a secondary address for the subnet you will also need to configure proxy-arp for addresses outside the interface itself once the NAT and security rules are in place.
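As an added illustration of the routed case just described (constructed here, not configuration from anyone in this thread), a Junos set-style snippet for one trust host. It assumes the second block is 198.51.100.0/29 (a documentation range standing in for the poster's 67.x.y.z block), the host is 10.0.0.10 in zone trust, and reth2.0 is in zone untrust.

```junos
# Constructed example: 198.51.100.0/29 stands in for the routed second block,
# 198.51.100.10 is the public address for one trust host, 10.0.0.10 is that
# host's private address, reth2.0 sits in zone untrust. Substitute the real
# addresses from the Service Activation Notice.

# Name the inside host so the policy can reference it.
set security address-book global address host-a-inside 10.0.0.10/32

# Static NAT is bidirectional: inbound 198.51.100.10 -> 10.0.0.10 and
# outbound 10.0.0.10 -> 198.51.100.10. No address from 198.51.100.0/29 is
# placed on reth2.0 because the ISP routes the whole block to the SRX.
set security nat static rule-set second-block from zone untrust
set security nat static rule-set second-block rule host-a match destination-address 198.51.100.10/32
set security nat static rule-set second-block rule host-a then static-nat prefix 10.0.0.10/32

# Static NAT runs before policy lookup, so the inbound policy matches the
# translated (private) destination, not the public address. Limit the
# application to what the host actually publishes rather than "any".
set security policies from-zone untrust to-zone trust policy in-host-a match source-address any
set security policies from-zone untrust to-zone trust policy in-host-a match destination-address host-a-inside
set security policies from-zone untrust to-zone trust policy in-host-a match application junos-https
set security policies from-zone untrust to-zone trust policy in-host-a then permit

# Only for the other case above (block NOT routed, one of its addresses added
# as a secondary address on reth2.0): the SRX must answer ARP for NAT
# addresses from the block that are not themselves on the interface.
# set security nat proxy-arp interface reth2.0 address 198.51.100.10/32

# Checks after commit: confirm the rule is installed and watch translations.
# show security nat static rule all
# show security flow session source-prefix 10.0.0.10/32
```

A trust-to-untrust policy permitting the host outbound is still required; since the poster's primary subnet already works, the existing one normally covers it.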
Once I got a response from our ISP to find out that they had both subnets on their router, it was just a matter of setting the appropriate NAT and proxy. For some reason, I thought I had done that multiple times. The only thing I can think of is that I mistyped the IP addresses at one point. They are fairly close in their numbering scheme.
Thanks for the help all!
NP, glad you got it working.
I have just been given a second subnet by my ISP. It's a /29. I would like this subnet to be routed. What I would like to do is give the clients one of these IPs for their firewalls. We are using an SRX300. Is this possible, or would I need to use NAT?
You would use one of the addresses in that /29 as the gw for the subnet and configure this on the interface of your SRX that faces your downstream customers.
If you have enough interfaces this could be an irb interface with a physical interface in that vlan assigned to each customer firewall.
Or you put the ip address on a single physical interface and create a vlan on a switch to distribute this to the multiple downstream firewalls.
Each customer is assigned one of the remaining addresses and uses the address you put on the SRX as the gateway or default route.
You will also need to decide how to handle the security policy. You could put the downstream interface into a new zone or keep it in the untrust zone. Whichever way you do this, a policy allowing this new interface to the untrust zone without any NAT configured would be put in place. So that would be new_zone to untrust or untrust to untrust.
Thanks Steve. I understand now.