SRX

Expand all | Collapse all

Public IP address for a server behind an SRX5800

Jump to Best Answer
  • 1.  Public IP address for a server behind an SRX5800

    Posted 11-01-2017 11:23

    Hi all!

     

    We have a hosting system with an SRX5800 as a frontend firewall. We have multiple virtual routers in this device and normally we use static SNATs and DNATs. 

    We give the client a public IP address on which they can reach their servers in the "cloud".  

    We create a static route for these server with the next hop being the private address of the destination server in the client's VR, so something like this: 

     

     

    set routing-options static route 99.99.99.99/32 next-hop 172.16.1.2
    set routing-options static route 99.99.99.99/32 no-resolve

    Then this route is advertised into the Internet VR and that is how the server becomes reachable from the Internet. (also, fw policies and NAT polices)

     

    But yesterday another client told us that they didn't want NAT, they want to give the public IP address directly to their server and it should be reachable from the Internet just like the other servers in this VLAN. (there are a few other servers in this VLAN with private addresses.)

     

    Unfortunately, I couldn't figure out how to do this. 

    I have a test server available so I gave it a public address and then created some test firewall policies. Also I tried to create a static route but without a next hop it didn't show up in the client's routing table nor in the Internet routing table. 

     

    So how should I go about it? What should be the next hop? What's the recommended solution for this? Is it even possible? 

     

    Thanks in advance.

     

     


    #srxnonatpublicipaddressservernat


  • 2.  RE: Public IP address for a server behind an SRX5800
    Best Answer

     
    Posted 11-02-2017 02:57

    You won't be able to do this in the same segment you are using for the nat servers.

     

    In order to use the public addresses directly on the server you will need a public subnet with that subnet gateway configured on the SRX.  You can put this in any zone you want but likely it would want to be its own zone to make rule management easier.

     

    No nat will be needed because the addresses are directly on the SRX but you can still create and limit traffic via firewall rules.

     



  • 3.  RE: Public IP address for a server behind an SRX5800

    Posted 11-02-2017 06:22

    Thank you, this worked fine!

    This solution flew right over my head. 🙂



  • 4.  RE: Public IP address for a server behind an SRX5800

    Posted 02-04-2019 03:44

    Hello All,

    I've tried the first confiuration of Tihi without success. I've tried with the configuration of Spuluka, but still I can access the public IP. I included the Next-hop part in the configuration.

    Any idea of why I can't reach the destination ?

     

    Thanks...



  • 5.  RE: Public IP address for a server behind an SRX5800

     
    Posted 02-04-2019 16:38

    What are you interface configurations and which subnet is your server located in?

     

    To avoid nat you need your server vlan to be in the same subnet as an SRX interface with that same public range configured.  Use this SRX address as the gateway address for the server.

     

    Since the subnets are configured on the SRX there is no next-hop because there is no static route they are direct routes on configured interfaces.

     



  • 6.  RE: Public IP address for a server behind an SRX5800

    Posted 07-21-2019 18:19

    Hello,

    I wanted to establish a kind of NAT so that service can flow from either sides.

    Is it by NAT or it's by using the public IP directly from the SRX that it's gonna be possible ?

    Thanks.



  • 7.  RE: Public IP address for a server behind an SRX5800

     
    Posted 07-22-2019 03:11

    Mimsy,

     

    Most applications can use NAT just fine.  You can configuration NAT and allow sessions to work either initiated inbound to the server our outbound from the server or both.

     

    But there are some applications that won't work on NAT traffic.  This question was how to configure the SRX to use the public address directly on the server so NAT is not used at all.

     



  • 8.  RE: Public IP address for a server behind an SRX5800

    Posted 07-24-2019 04:19

    Hello Puluka,

    Thanks a lot for your reply.
    Very clear.

    MSY



  • 9.  RE: Public IP address for a server behind an SRX5800

    Posted 11-20-2019 01:30

    Hi spuluka,

    I need to this for an Arena that we look after. If I did have a "Public Zone" with external IPs, am I able to impliment bandwidth limit policer?

    KR
    Baz



  • 10.  RE: Public IP address for a server behind an SRX5800

     
    Posted 11-20-2019 02:57

    Yes the bandwidth policer can be used in a setup where you have public ips directly on the devices.  There is no difference in that setup.