Hi,
I had the same issues with one of my customers.
If you have a small business firewall (SRX###) and not an SRX####, you can do layer 2 and layer 3:
the SRX behaves like an Ethernet switch with a VLAN interface as the entry point into the firewall.
Thus you can use the same network outside and inside of the firewall.
The only drawback is that the remaining public addresses are layer-2 switched through the firewall WITHOUT any security!
So you define the interface towards the provider as layer 2, and also the interfaces towards the rest of your /29 network,
and then for all layer-3 traffic into and through the firewall you define a VLAN interface with the address(es) that need to be forwarded via the firewall.
ae9 goes to a switch and to the devices using the remaining addresses of our public net.
Here are some code snippets (some curly brackets } are missing!!!!):
interfaces {
    ge-6/0/0 {                        /* ge-6/0/0 goes to the internet */
        unit 0 {
            family ethernet-switching {
                vlan {
                    members PUBLIC;
                }
            }
        }
    }
    ae9 {                             /* ae9 goes to a switch and to the devices using the remaining addresses of our public net */
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members PUBLIC;
                }
            }
        }
    }
    vlan {
        unit 9 {
            family inet {
                address xx.xx.xx.xx/29;   /* main address of the firewall, but also used for destination translation to forward into the DMZ */
            }
        }
    }
}
security {
    nat {
        proxy-arp {
            interface vlan.9 {
                address {
                    xx.xx.xx.xx1/32 to xx.xx.xx.xx2/32;   /* further addresses going through the firewall with dest-NAT */
                }
            }
        }
    }
}
The other possibility is to do a completely transparent layer-2 firewall, which is also possible, and in that case full security is possible. But for your problem the above-stated solution is best.
regards
alexander marhold
INDC
Note: if you have a cluster you also need the SWFAB interfaces enabled.
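A check that follows from the post's warning, added here as an example and not part of the original post or of any Juniper tooling: in this mixed L2/L3 design only the SRX's own vlan.9 address and the proxy-arp ranges are routed and policy-inspected, while every other host in the /29 is bridged between ge-6/0/0 and ae9 with no security policy. The script below partitions a /29 accordingly and also flags the ARP conflict you get if a proxy-arp range overlaps an address that a real host on ae9 is using. All addresses are constructed placeholders from the 203.0.113.0/24 documentation prefix (the post masks the real ones as xx.xx.xx.xx), and the function names are mine.

```python
"""Added example (not from the forum post): classify how each address of a
public /29 crosses an SRX running in mixed layer-2 / layer-3 mode.

Addresses below are constructed placeholders (203.0.113.0/29 is a
documentation prefix), standing in for the masked xx.xx.xx.xx in the post.
"""
import ipaddress


def classify_public_block(prefix, firewall_addr, proxy_arp_ranges):
    """Map every usable host address in `prefix` (as a string) to one of:

      'firewall'    - the vlan.9 address of the SRX itself (routed, inspected)
      'dest-nat'    - inside a proxy-arp 'lo to hi' range: the SRX answers ARP
                      for it and dest-NATs it into the DMZ (routed, inspected)
      'l2-switched' - everything else: bridged between ge-6/0/0 and ae9 in
                      VLAN PUBLIC with no security policy applied
    """
    net = ipaddress.ip_network(prefix, strict=True)
    fw = ipaddress.ip_address(firewall_addr)
    if fw not in net:
        raise ValueError(f"firewall address {fw} is not inside {net}")

    # Expand each proxy-arp range into the explicit set of addresses it covers.
    inspected = set()
    for lo, hi in proxy_arp_ranges:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a > hi_a or lo_a not in net or hi_a not in net:
            raise ValueError(f"proxy-arp range {lo} to {hi} is not within {net}")
        for i in range(int(lo_a), int(hi_a) + 1):
            inspected.add(ipaddress.ip_address(i))

    result = {}
    for host in net.hosts():  # network and broadcast addresses are skipped
        if host == fw:
            result[str(host)] = "firewall"
        elif host in inspected:
            result[str(host)] = "dest-nat"
        else:
            result[str(host)] = "l2-switched"
    return result


def unprotected_addresses(prefix, firewall_addr, proxy_arp_ranges):
    """Addresses that transit the SRX as plain layer-2 frames. These get no
    policy from the SRX, so the hosts behind ae9 that use them need their own
    protection (host firewall or a downstream device)."""
    classes = classify_public_block(prefix, firewall_addr, proxy_arp_ranges)
    return sorted(
        (a for a, kind in classes.items() if kind == "l2-switched"),
        key=lambda a: int(ipaddress.ip_address(a)),
    )


def arp_conflicts(prefix, firewall_addr, proxy_arp_ranges, ae9_hosts):
    """Addresses that a real host on the ae9 side claims to use while the SRX
    also owns them (vlan.9 address or proxy-arp). Both would answer ARP for the
    same IP on the same VLAN, so traffic for that address becomes unreliable;
    an empty list means the split between routed and bridged addresses is clean."""
    classes = classify_public_block(prefix, firewall_addr, proxy_arp_ranges)
    return sorted(
        (h for h in ae9_hosts if classes.get(h, "l2-switched") != "l2-switched"),
        key=lambda a: int(ipaddress.ip_address(a)),
    )


if __name__ == "__main__":
    # Constructed sample matching the post's layout: SRX on .1, two dest-NAT
    # addresses .2 and .3, the remaining hosts bridged to devices on ae9.
    PREFIX, FW = "203.0.113.0/29", "203.0.113.1"
    PROXY_ARP = [("203.0.113.2", "203.0.113.3")]
    for addr, kind in classify_public_block(PREFIX, FW, PROXY_ARP).items():
        print(f"{addr:15} {kind}")
    print("uninspected:", unprotected_addresses(PREFIX, FW, PROXY_ARP))
    print("conflicts:", arp_conflicts(PREFIX, FW, PROXY_ARP, ["203.0.113.3", "203.0.113.5"]))
```

The `l2-switched` list is the set the post's "WITHOUT any security" warning applies to, and `arp_conflicts` is the configuration error to look for whenever the proxy-arp range is widened: a proxy-arp entry for an address that a switch-side host already answers for turns into an ARP conflict rather than a dest-NAT rule.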