SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Public IP Definition through private Network

    Posted 07-30-2019 10:19

    Hello All,

    I'd like to know what kind of design is better to set up a service like this Design.

    Server 1, Server 2, Server 3 are behind a router of the customer and I would like them to be reachable from the internet.

    Need a suggestion to either use:

    • Static NAT
    • Public Subnet
    • Or something else...

    Thanks in advance

    MIMSY



  • 2.  RE: Public IP Definition through private Network
    Best Answer

    Posted 07-30-2019 11:22
    Hey Mimsy,

    As per me, the ideal solution is to configure Destination NAT on the SRX.

    You can go for regular Destination NAT with port forwarding, or for Static NAT if you have the traffic to be initiated from the server as well.

    Please refer to the Juniper documentation for Destination NAT - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-destination.html


  • 3.  RE: Public IP Definition through private Network

    Posted 07-30-2019 19:37

    Hello noobmaster,

    First Come, First Served ! You've got the solution accepted, and it's the same as epaniagua who brought a clear one.

    Thanks a lot for the support.

    Regards,

    MIMSY



  • 4.  RE: Public IP Definition through private Network

    Posted 07-30-2019 12:15

    MIMSY,

     

    Buying different public IPs (Public Subnet option) usually has a higher cost than using just one public IP. I would go with 1 public IP and will use Destination NAT to permit external users to reach the internal servers. Now, this option will only work if the communications are always initiated from the external users. External users will be contacting the SRX's public IP address and based on the destination port of the packets they will be redirected to a specific internal server (Port-Forwarding):

     

          https://rtodto.net/port-forwarding-in-srx/

          https://www.fir3net.com/Firewalls/Juniper/juniper-srx-destination-nat-port-forwarding.html 

     

    If having multiple Public addresses is not a problem, then you could use Static NAT. This will create a 1-to-1 mapping between your public addresses and your internal servers. In summary, anytime an external user contacts a specific public address it will be redirected to a specific internal server, no matter the destination port of the packets. Likewise, when an internal server initiates a connection to an external user, the packets from that server will be translated to the public address related to that server:

     

          https://rtodto.net/static-nat-in-srx/

     

    I hope this helps you.
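
The two options discussed above, sketched as Junos `set` commands. This is an added example, not part of the original post or the linked articles; the addresses, interface, zone names and rule names are assumptions chosen for illustration.

```junos
# Assumed values (not from the thread): SRX untrust interface ge-0/0/0.0 holds
# 203.0.113.1/29; servers are 192.168.10.11-13 behind the customer router at
# 10.0.0.2; zones are named untrust and trust.

# The SRX must route the server subnet through the customer router.
set routing-options static route 192.168.10.0/24 next-hop 10.0.0.2

# Address book entries are the private (post-NAT) addresses: policy lookup on
# the SRX happens after destination and static NAT translation.
set security address-book global address SRV1 192.168.10.11/32
set security address-book global address SRV2 192.168.10.12/32
set security address-book global address SRV3 192.168.10.13/32

# --- Option A: one public IP, destination NAT with port forwarding ---
set security nat destination pool SRV1-HTTPS address 192.168.10.11/32 port 443
set security nat destination pool SRV2-HTTPS address 192.168.10.12/32 port 443
set security nat destination rule-set FROM-INTERNET from zone untrust
set security nat destination rule-set FROM-INTERNET rule R-SRV1 match destination-address 203.0.113.1/32
set security nat destination rule-set FROM-INTERNET rule R-SRV1 match destination-port 443
set security nat destination rule-set FROM-INTERNET rule R-SRV1 then destination-nat pool SRV1-HTTPS
set security nat destination rule-set FROM-INTERNET rule R-SRV2 match destination-address 203.0.113.1/32
set security nat destination rule-set FROM-INTERNET rule R-SRV2 match destination-port 8443
set security nat destination rule-set FROM-INTERNET rule R-SRV2 then destination-nat pool SRV2-HTTPS

# --- Option B: dedicated public IP, static NAT (1-to-1, both directions) ---
set security nat static rule-set STATIC-IN from zone untrust
set security nat static rule-set STATIC-IN rule R-SRV3 match destination-address 203.0.113.3/32
set security nat static rule-set STATIC-IN rule R-SRV3 then static-nat prefix 192.168.10.13/32
# 203.0.113.3 is not configured on the interface, so the SRX answers ARP for it.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.3/32

# Static NAT translates every port, so the policy is what limits exposure.
set security policies from-zone untrust to-zone trust policy WEB-IN match source-address any
set security policies from-zone untrust to-zone trust policy WEB-IN match destination-address [ SRV1 SRV2 SRV3 ]
set security policies from-zone untrust to-zone trust policy WEB-IN match application junos-https
set security policies from-zone untrust to-zone trust policy WEB-IN then permit
set security policies from-zone untrust to-zone trust policy WEB-IN then log session-init
```

After commit, `show security nat destination rule all` and `show security nat static rule all` display per-rule translation hit counters, which confirm which rule inbound traffic is matching.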

     

     



  • 5.  RE: Public IP Definition through private Network

    Posted 07-30-2019 19:34

    Hello 



  • 6.  RE: Public IP Definition through private Network

    Posted 07-31-2019 05:56

    Hello



  • 7.  RE: Public IP Definition through private Network

    Posted 08-03-2019 10:12

    Hi Mimsy,

    The router is just going to perform route lookup and I don't think there is any reason to bypass the Router.

    However, it totally depends on your comfort whether to include the router or not. Because keeping a Router in between will include more administrative tasks.



  • 8.  RE: Public IP Definition through private Network

    Posted 08-06-2019 04:09

    Hello noobmaster,

    Thanks a lot for these explanations.

    Really helpful !

    Regards,

    MIMSY