
public ip without nat

  • 1.  public ip without nat

    Posted 01-04-2021 09:15

    I have an SRX-320 with 2 x /29.

    First /29 I use for static/dest NAT and it's working egress and ingress as desired.

    Second /29 I want to use for public IPs behind the firewall without using NAT. This is working egress but no traffic is received from the internet. How do I set this up?

    I've tried to set up some static NAT prefixed with the public IP and rules allowing this respective untrust zone to access a trust zone defined by the second public /29 range, but that's not working. Anyone know how to get this traffic flowing?

    Thank you.

  • 2.  RE: public ip without nat

    Posted 01-04-2021 11:00
    Are your endpoints in the same subnet as the SRX with the public IP range, and firewall and interface policies allowing inbound traffic? Did you check the flow logs to see if the traffic is hitting the public interface on the firewall? Also check if there is a "No NAT" rule that excludes the endpoint directly on the public IP.


  • 3.  RE: public ip without nat

    Posted 01-04-2021 17:55
    The two subnets you get for this purpose should be configured as follows.
    • First /29 for NAT
      • Option 1 - Configured on the untrust public interface
        • Use per the documentation with security and nat policies
        • configure proxy-arp for any address not on the actual interface
      • Option 2 - routed to the public address configured on the untrust interface by the upstream router
        • Use as pool addresses in nat policy and configure matching security policy
        • no proxy-arp is needed
    • Second /29 direct usage
      • Upstream router must route the subnet to the address physically configured on the SRX untrust interface
      • Configure directly on the downstream SRX interface, using one address as the gateway address for the subnet on the SRX
      • Use the remaining addresses for the desired servers or devices needing a direct public address
      • Configure the untrust-to-trust security policy on the required ports to allow the connection through the SRX
      • Do NOT configure any NAT policy

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
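The "second /29 direct usage" steps above, written out as a Junos set-style configuration, as an added example that is not part of the original thread or of Juniper's documentation. All addresses and names are assumptions: 203.0.113.0/30 is the constructed point-to-point link to the upstream router (upstream 203.0.113.1, SRX untrust 203.0.113.2), 198.51.100.0/29 is the constructed routed public /29 (SRX as gateway .1, server on .2), ge-0/0/0 and ge-0/0/1 are the assumed untrust and trust interfaces, and the policy, address-book and rule names are made up. The example also shows the "No NAT" source rule the second reply mentions, which matters only if the existing outbound source-NAT rule matches all of the trust zone, and ends with the operational checks a practitioner would run when inbound traffic still does not arrive.

```junos
## Untrust link to the upstream router (constructed addresses); the upstream
## router must have a static route for 198.51.100.0/29 via 203.0.113.2.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## The routed /29 lives directly on the trust-side interface; .1 is the
## gateway for the servers, .2-.6 are usable for hosts with real public IPs.
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/29
set security zones security-zone trust interfaces ge-0/0/1.0

## Zone address book for the publicly addressed server (assumed name/IP).
set security zones security-zone trust address-book address web-srv 198.51.100.2/32

## Inbound untrust -> trust policy: only the ports the server needs.
## With no NAT in play, the destination address in the policy is the
## server's real public address, not an interface or pool address.
set security policies from-zone untrust to-zone trust policy inbound-web match source-address any
set security policies from-zone untrust to-zone trust policy inbound-web match destination-address web-srv
set security policies from-zone untrust to-zone trust policy inbound-web match application junos-https
set security policies from-zone untrust to-zone trust policy inbound-web then permit
set security policies from-zone untrust to-zone trust policy inbound-web then log session-init

## "No NAT" exemption: if an existing trust -> untrust source-NAT rule
## covers the whole trust zone, exclude the public /29 with a rule that
## is ordered before it, otherwise return traffic breaks. (rule-set and
## rule names are assumptions; adjust to the existing configuration.)
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule no-nat-public match source-address 198.51.100.0/29
set security nat source rule-set trust-to-untrust rule no-nat-public then source-nat off
insert security nat source rule-set trust-to-untrust rule no-nat-public before rule <existing-interface-nat-rule>

## No static or destination NAT is configured for 198.51.100.0/29.

## Operational checks (run from the SRX CLI, not configuration mode):
##   show route 198.51.100.0/29             - /29 should be "Direct" via ge-0/0/1.0
##   monitor traffic interface ge-0/0/0 no-resolve matching "host 198.51.100.2"
##                                          - confirms the upstream is actually
##                                            routing the /29 to the SRX
##   show security flow session destination-prefix 198.51.100.2
##                                          - session present = policy permitted it
##   show security policies from-zone untrust to-zone trust policy inbound-web detail
##                                          - hit counts / ordering
```

If the route check passes but `monitor traffic` on the untrust interface never shows packets for the /29, the problem is upstream routing rather than anything on the SRX; if packets arrive but no flow session is created, the untrust-to-trust policy or a leftover static/destination NAT entry for that range is the usual cause.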