public ip without nat

  • 1.  public ip without nat

    Posted 01-04-2021 09:15

    I have an SRX-320 with 2 x /29.

    The first /29 I use for static/destination NAT, and it's working egress and ingress as desired.

    The second /29 I want to use for public IPs behind the firewall without using NAT. This is working egress, but no traffic is received from the internet. How do I set this up?

    I've tried to set up some static NAT prefixed with the public IP and rules allowing the respective untrust zone to access a trust zone defined by the second public /29 range, but that's not working. Anyone know how to get this traffic flowing?

    Thank you.

  • 2.  RE: public ip without nat

    Posted 01-04-2021 17:55
    The two subnets you get for this purpose should be configured as follows.
    • First /29 for NAT
      • Option 1 - Configured on the untrust public interface
        • Use per the documentation with security and nat policies
        • configure proxy-arp for any address not on the actual interface
      • Option 2 - routed to the public address configured on the untrust interface by the upstream router
        • Use as pool addresses in nat policy and configure matching security policy
        • no proxy-arp is needed
    • Second /29 direct usage
      • Upstream router must route the subnet to the address physically configured on the SRX untrust interface
      • Configure directly on the downstream SRX interface using one as the gateway address for the subnet on the SRX
      • Use the remaining addresses for the desired servers or devices needing a direct public address
      • Configure the untrust to trust security policy on the required ports to allow the connection through the SRX
      • Do NOT configure any NAT policy

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
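    The "Second /29 direct usage" steps above, written out as a Junos configuration. This is an added example, not configuration from the poster or from Juniper; interface names, zone names and the two /29 prefixes are assumed placeholders (198.51.100.0/29 as the provider-facing subnet, 203.0.113.0/29 as the directly used one).

    ```junos
    ## Assumed: ge-0/0/0 faces the upstream router (untrust), ge-0/0/1 faces the servers (trust).
    ## The upstream router must already route 203.0.113.0/29 to 198.51.100.2 (the SRX untrust address).
    set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/29
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

    ## Second /29 lives directly on the downstream interface; .1 is the gateway for the servers,
    ## .2-.6 are assigned to the servers themselves. No proxy-arp is needed with routed delivery.
    set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/29
    set security zones security-zone trust interfaces ge-0/0/1.0

    ## Inbound policy: only the ports the server actually needs (placeholder: one HTTPS server).
    set security address-book global address public-web-srv 203.0.113.2/32
    set security policies from-zone untrust to-zone trust policy inbound-public-web match source-address any
    set security policies from-zone untrust to-zone trust policy inbound-public-web match destination-address public-web-srv
    set security policies from-zone untrust to-zone trust policy inbound-public-web match application junos-https
    set security policies from-zone untrust to-zone trust policy inbound-public-web then permit
    set security policies from-zone untrust to-zone trust policy inbound-public-web then log session-init

    ## Outbound policy for the directly addressed hosts.
    set security address-book global address public-direct-net 203.0.113.0/29
    set security policies from-zone trust to-zone untrust policy outbound-public-direct match source-address public-direct-net
    set security policies from-zone trust to-zone untrust policy outbound-public-direct match destination-address any
    set security policies from-zone trust to-zone untrust policy outbound-public-direct match application any
    set security policies from-zone trust to-zone untrust policy outbound-public-direct then permit

    ## No NAT for this subnet. If an existing trust-to-untrust source NAT rule-set matches "any",
    ## this exempt rule must sit before it in the rule-set so replies return to the real address.
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule no-nat-public-direct match source-address 203.0.113.0/29
    set security nat source rule-set trust-to-untrust rule no-nat-public-direct then source-nat off

    ## Checks after commit:
    ##   show route 203.0.113.2                -> expect a direct route via ge-0/0/1.0
    ##   show security flow session destination-prefix 203.0.113.2
    ##   show security nat source rule all    -> the no-nat rule should show hits for this subnet
    ```

    If inbound still fails after commit, confirm with the upstream provider that 203.0.113.0/29 is routed to the SRX untrust address rather than expected on-link, since that is the one step the SRX cannot fix locally.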

  • 3.  RE: public ip without nat

    Posted 01-04-2021 18:43
    One approach would be to use a dumb switch in front of the SRX and use that as an "internet blob" with all of the addresses available there. Doing this, of course, eliminates any controls that the SRX might provide for any of the other public addresses at your disposal. The idea is that it's no worse than connecting to ANY public address.

    Conversely, if you want to control traffic in and out of one of your public addresses (which, in some sense, seems a contradiction in terms, but so be it), then I wonder if you might not want to consider different firewall rules for each one or for groups of them? Likely not all devices using public addresses would have the same requirements.
    I suppose you might make separate rules on a per-address basis, or you might create separate zones. I don't know which is best.

    I mention these things out of curiosity because I really don't know what common practices might be...

  • 4.  RE: public ip without nat

    Posted 01-19-2021 04:57
    Just wanted to let you know I got it to work with proxy ARP. Thank you.