SRX

how to create DMZ network

  • 1.  how to create DMZ network

    Posted 03-12-2021 01:49
    I have 2 networks created in my SRX240 router

    10.1.0.0/16
    172.21.0.0/16

    and the 2 networks can talk to each other on the LAN

    I would like to add a third network that will not be able to access these LAN networks

    10.11.0.0/16

    this will be like a DMZ network. It will ONLY be able to connect to the internet and not be able to reach any of the other LAN networks

    I would like to be able to access the network via VPN of course... all I just want is that the 10.11.0.0/16 DMZ network will not be able to connect to the LAN network. Only internet, that is all.


    Here is what I have; I am looking for some guidance on what config to add to this current setup.


            dhcp {
                pool 10.1.0.0/16 {
                    address-range low 10.1.1.10 high 10.1.255.254;
                    maximum-lease-time 6048000;
                    default-lease-time 6048000;
                    router {
                        10.1.0.1;
                    }
                }
                pool 172.21.0.0/16 {
                    address-range low 172.21.0.1 high 172.21.255.254;
                    router {
                        172.21.0.1;
                    }
                }
            }
    
    ...
    ...
    ...
    
    
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        10.1.0.0/16;
                        172.21.0.0/16;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        vpn-user;
                    }
                }
            }
        }


  • 2.  RE: how to create DMZ network

    Posted 03-15-2021 13:21
    You need to put your DMZ network into its own zone; you will then make a zone policy from that DMZ zone to your "internet" zone.

    Since the default is deny, traffic between zone DMZ and your "internal" zone will not be allowed.
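The zone-based approach described in the reply above, written out as Junos `set` commands. This is an added example, not config from the original thread or from Juniper; the interface and zone names are assumptions: `vlan.11` is a new L3 interface for 10.11.0.0/16, `trust` is the existing zone holding 10.1.0.0/16 and 172.21.0.0/16, `untrust` is the zone holding the internet-facing interface, and `dyn-vpn` is the IPsec VPN already referenced under `dynamic-vpn` in the poster's config. It goes one step beyond the reply by also adding source NAT for the DMZ and the change needed for dynamic-VPN users to reach the new network.

```junos
## Added example (not the poster's or Juniper's config). Assumed names:
##   vlan.11  = new L3 interface for the DMZ 10.11.0.0/16
##   trust    = existing zone for 10.1.0.0/16 and 172.21.0.0/16
##   untrust  = zone containing the internet-facing interface
##   dyn-vpn  = the IPsec VPN already used by dynamic-vpn

## 1. L3 interface and DHCP pool for the DMZ (mirrors the existing pools)
set interfaces vlan unit 11 family inet address 10.11.0.1/16
set system services dhcp pool 10.11.0.0/16 address-range low 10.11.1.10 high 10.11.255.254
set system services dhcp pool 10.11.0.0/16 router 10.11.0.1

## 2. Dedicated zone: inter-zone traffic is dropped unless a policy permits it
set security zones security-zone dmz interfaces vlan.11
set security zones security-zone dmz interfaces vlan.11 host-inbound-traffic system-services dhcp
set security zones security-zone dmz interfaces vlan.11 host-inbound-traffic system-services ping

## 3. Address-book entries used by the policies below
set security address-book global address dmz-net 10.11.0.0/16

## 4. DMZ -> internet is the only permitted direction out of the DMZ
set security policies from-zone dmz to-zone untrust policy dmz-to-internet match source-address dmz-net
set security policies from-zone dmz to-zone untrust policy dmz-to-internet match destination-address any
set security policies from-zone dmz to-zone untrust policy dmz-to-internet match application any
set security policies from-zone dmz to-zone untrust policy dmz-to-internet then permit
set security policies from-zone dmz to-zone untrust policy dmz-to-internet then log session-init

## 5. Explicit deny between DMZ and LAN in both directions. The implicit default
##    deny already blocks this; the explicit policy exists so every hit is logged.
set security policies from-zone dmz to-zone trust policy dmz-to-lan-deny match source-address any
set security policies from-zone dmz to-zone trust policy dmz-to-lan-deny match destination-address any
set security policies from-zone dmz to-zone trust policy dmz-to-lan-deny match application any
set security policies from-zone dmz to-zone trust policy dmz-to-lan-deny then deny
set security policies from-zone dmz to-zone trust policy dmz-to-lan-deny then log session-init
set security policies from-zone trust to-zone dmz policy lan-to-dmz-deny match source-address any
set security policies from-zone trust to-zone dmz policy lan-to-dmz-deny match destination-address any
set security policies from-zone trust to-zone dmz policy lan-to-dmz-deny match application any
set security policies from-zone trust to-zone dmz policy lan-to-dmz-deny then deny
set security policies from-zone trust to-zone dmz policy lan-to-dmz-deny then log session-init

## 6. Source NAT so DMZ hosts reach the internet using the untrust interface address
set security nat source rule-set dmz-to-untrust from zone dmz
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule dmz-snat match source-address 10.11.0.0/16
set security nat source rule-set dmz-to-untrust rule dmz-snat then source-nat interface

## 7. Dynamic-VPN users: add the DMZ to the protected resources and permit
##    tunnel traffic from the zone where the VPN terminates (assumed: untrust)
set security dynamic-vpn clients all remote-protected-resources 10.11.0.0/16
set security policies from-zone untrust to-zone dmz policy vpn-to-dmz match source-address any
set security policies from-zone untrust to-zone dmz policy vpn-to-dmz match destination-address dmz-net
set security policies from-zone untrust to-zone dmz policy vpn-to-dmz match application any
set security policies from-zone untrust to-zone dmz policy vpn-to-dmz then permit tunnel ipsec-vpn dyn-vpn
```

After `commit`, the isolation can be checked from operational mode without generating traffic: `show security match-policies from-zone dmz to-zone trust source-ip 10.11.0.5 destination-ip 10.1.0.5 source-port 1025 destination-port 80 protocol tcp` should report the `dmz-to-lan-deny` policy (or the default deny if step 5 is omitted), while the same query with `to-zone untrust` and an internet destination should report `dmz-to-internet`. Because the SRX evaluates policies per zone pair, no existing trust/untrust policy needs to change; the DMZ only gets the pairs listed here.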