We have a hosting system with an SRX5800 as a frontend firewall. We have multiple virtual routers in this device and normally we use static SNATs and DNATs.
We give the client a public IP address on which they can reach their servers in the "cloud".
We create a static route for these servers with the next hop being the private address of the destination server in the client's VR, so something like this:
set routing-options static route 22.214.171.124/32 next-hop 172.16.1.2
set routing-options static route 126.96.36.199/32 no-resolve
Then this route is advertised into the Internet VR and that is how the server becomes reachable from the Internet. (Also, fw policies and NAT policies.)
But yesterday another client told us that they didn't want NAT, they want to give the public IP address directly to their server and it should be reachable from the Internet just like the other servers in this VLAN. (there are a few other servers in this VLAN with private addresses.)
Unfortunately, I couldn't figure out how to do this.
I have a test server available so I gave it a public address and then created some test firewall policies. Also I tried to create a static route but without a next hop it didn't show up in the client's routing table nor in the Internet routing table.
So how should I go about it? What should be the next hop? What's the recommended solution for this? Is it even possible?
Thanks in advance.
You won't be able to do this in the same segment you are using for the NAT servers.
In order to use the public addresses directly on the server you will need a public subnet with that subnet's gateway configured on the SRX. You can put this in any zone you want, but likely you would want it to be its own zone to make rule management easier.
No NAT will be needed because the addresses are directly on the SRX, but you can still create and limit traffic via firewall rules.
Thank you, this worked fine!
This solution flew right over my head. 🙂
I've tried the first configuration of Tihi without success. I've tried with the configuration of Spuluka, but still I can access the public IP. I included the next-hop part in the configuration.
Any idea of why I can't reach the destination ?
What are your interface configurations and which subnet is your server located in?
To avoid nat you need your server vlan to be in the same subnet as an SRX interface with that same public range configured. Use this SRX address as the gateway address for the server.
Since the subnets are configured on the SRX there is no next-hop, because there is no static route; they are direct routes on configured interfaces.
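Putting the two answers above into concrete Junos configuration, as an added example that is not from the original thread or from any of the posters: the client VR gets an interface unit that carries the public /29 directly, that unit sits in its own security zone, the resulting direct (interface) route is leaked into the Internet VR with a RIB group instead of the static route the question used, and source NAT is explicitly switched off for the public range so that an existing zone-based source-NAT rule-set does not catch the server's outbound traffic. All names (CLIENT-A, INTERNET, reth1.200, WEB-SERVER, the policy and rule-set names) and the 203.0.113.0/29 documentation range are assumptions; the default route from the client VR into the Internet VR is also assumed, since the thread does not say how the VRs are tied together.

```junos
## Added example, not from the thread. All instance, interface, zone and
## address names are assumptions; 203.0.113.0/29 (RFC 5737 documentation
## range) stands in for the client's real public /29.

## 1. Put the public subnet directly on an SRX interface in the client's VR.
##    The server is configured with 203.0.113.1 as its default gateway.
set interfaces reth1 unit 200 description "CLIENT-A public VLAN"
set interfaces reth1 unit 200 vlan-id 200
set interfaces reth1 unit 200 family inet address 203.0.113.1/29
set routing-instances CLIENT-A instance-type virtual-router
set routing-instances CLIENT-A interface reth1.200
## Return path (assumed): the client VR hands unknown destinations to the Internet VR.
set routing-instances CLIENT-A routing-options static route 0.0.0.0/0 next-table INTERNET.inet.0

## 2. No static route and no next-hop: the /29 is a direct route on reth1.200.
##    Leak the client VR's interface routes into the Internet VR with a RIB group
##    so the public range becomes reachable from the Internet side.
##    The primary table (CLIENT-A.inet.0) must be listed first.
set routing-options rib-groups CLIENT-A-TO-INET import-rib CLIENT-A.inet.0
set routing-options rib-groups CLIENT-A-TO-INET import-rib INTERNET.inet.0
set routing-options rib-groups CLIENT-A-TO-INET import-policy PUBLIC-ONLY
set routing-instances CLIENT-A routing-options interface-routes rib-group inet CLIENT-A-TO-INET
## Only the public /29 may leak; the client's private VLANs stay inside their VR.
set policy-options prefix-list CLIENT-A-PUBLIC 203.0.113.0/29
set policy-options policy-statement PUBLIC-ONLY term public from prefix-list CLIENT-A-PUBLIC
set policy-options policy-statement PUBLIC-ONLY term public then accept
set policy-options policy-statement PUBLIC-ONLY term rest then reject

## 3. Own zone for the public segment, so its rules do not mix with the NAT'd VLAN.
set security zones security-zone CLIENT-A-PUBLIC interfaces reth1.200
set security zones security-zone CLIENT-A-PUBLIC host-inbound-traffic system-services ping
set security zones security-zone CLIENT-A-PUBLIC address-book address WEB-SERVER 203.0.113.2/32

## 4. Firewall policy still limits traffic even though nothing is translated.
set security policies from-zone INTERNET to-zone CLIENT-A-PUBLIC policy inet-to-web match source-address any
set security policies from-zone INTERNET to-zone CLIENT-A-PUBLIC policy inet-to-web match destination-address WEB-SERVER
set security policies from-zone INTERNET to-zone CLIENT-A-PUBLIC policy inet-to-web match application junos-https
set security policies from-zone INTERNET to-zone CLIENT-A-PUBLIC policy inet-to-web then permit
set security policies from-zone INTERNET to-zone CLIENT-A-PUBLIC policy inet-to-web then log session-init
set security policies from-zone INTERNET to-zone CLIENT-A-PUBLIC policy inet-to-web then log session-close
set security policies from-zone CLIENT-A-PUBLIC to-zone INTERNET policy web-out match source-address WEB-SERVER
set security policies from-zone CLIENT-A-PUBLIC to-zone INTERNET policy web-out match destination-address any
set security policies from-zone CLIENT-A-PUBLIC to-zone INTERNET policy web-out match application any
set security policies from-zone CLIENT-A-PUBLIC to-zone INTERNET policy web-out then permit

## 5. Caveat: if a zone-based source-NAT rule-set already translates the client's
##    traffic towards INTERNET, exclude the public range explicitly, otherwise the
##    server's outbound sessions leave with a translated source address.
set security nat source rule-set CLIENT-A-OUT from zone CLIENT-A-PUBLIC
set security nat source rule-set CLIENT-A-OUT to zone INTERNET
set security nat source rule-set CLIENT-A-OUT rule NO-NAT-PUBLIC match source-address 203.0.113.0/29
set security nat source rule-set CLIENT-A-OUT rule NO-NAT-PUBLIC then source-nat off
```

After committing, `show route table INTERNET.inet.0 203.0.113.0/29` should list the /29 as a Direct route via reth1.200, which is the check that the route leak worked; the absence of that entry is the symptom the question describes, a public route that never shows up in the Internet VR because a static route to an address the SRX itself owns has nowhere to point.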
I wanted to establish a kind of NAT so that service can flow from either sides.
Is it by NAT or it's by using the public IP directly from the SRX that it's gonna be possible ?
Most applications can use NAT just fine. You can configure NAT and allow sessions to work either initiated inbound to the server or outbound from the server, or both.
But there are some applications that won't work on NAT traffic. This question was how to configure the SRX to use the public address directly on the server so NAT is not used at all.
Thanks a lot for your reply. Very clear.
I need to do this for an Arena that we look after. If I did have a "Public Zone" with external IPs, am I able to implement a bandwidth limit policer?
Yes, the bandwidth policer can be used in a setup where you have public IPs directly on the devices. There is no difference in that setup.
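To make the last answer concrete, an added example (not from the thread or its posters) of a two-color interface policer attached to the unit that carries the public subnet. The policer name, reth1.200, the 10 Mbit/s figure and the burst size are assumptions; the point is that a directly-addressed public VLAN takes a policer in exactly the same place a NAT'd one would.

```junos
## Added example, not from the thread. Names and figures are assumptions.
## Rate-limit the client's public VLAN to 10 Mbit/s in each direction.
## burst-size-limit is in bytes; 125000 bytes is roughly 100 ms of traffic
## at 10 Mbit/s, a conservative starting point that can be tuned upwards
## if legitimate bursts are being dropped.
set firewall policer CLIENT-A-10M if-exceeding bandwidth-limit 10m
set firewall policer CLIENT-A-10M if-exceeding burst-size-limit 125000
set firewall policer CLIENT-A-10M then discard
## Attach to the public-subnet unit (the same reth1.200 that holds 203.0.113.1/29).
set interfaces reth1 unit 200 family inet policer input CLIENT-A-10M
set interfaces reth1 unit 200 family inet policer output CLIENT-A-10M
```

`show firewall` on the SRX afterwards shows the policer's discard counter, which is the quickest way to confirm it is actually being hit.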