I am utilizing an SRX 380. The SRX currently has a /30 IP that is only routable across the Agency WAN. I am being assigned a /24 for backend devices that need access to the internet. The backend IP space is RFC 1918 that gets NAT'd to the /30. There is a BGP peering between the /30 IP and the uplink. What is the best route to allow backend devices to utilize the /24 with the one uplink?
You would assign a VLAN for the internal /24 subnet and then determine if you want to have multiple ports on the SRX assigned to this or just a single port that is connecting to a downstream switch.
With multiple ports these all get assigned to the VLAN and then an irb interface is created as the layer 3 gateway of the subnet.
With a single port you simply configure that port as layer three for the gateway.
Once the layer 3 interface is created it needs to be added to a zone for the security and NAT policy to be created.
With the NAT policy you write a policy from that internal zone to the existing WAN link zone with a source NAT interface policy.
Then a security policy, either allow all or a set of policies to restrict traffic, is created from the internal zone to the WAN interface zone for outbound initiated traffic. The NAT will then apply to any traffic that is permitted by policy.
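The steps above as a Junos set-command example. This is an added illustration, not configuration from the original post or from Juniper; the interface names (ge-0/0/2, ge-0/0/3), the VLAN id 100, the backend subnet 192.168.100.0/24 and the existing WAN zone name `wan` are all assumed placeholders and should be replaced with the real values. The multi-port (VLAN + irb) and single-port variants are both shown; apply only one of them.

```junos
# --- Option A: several SRX ports in one VLAN, irb.100 as the /24 gateway (assumed names) ---
set vlans backend vlan-id 100
set vlans backend l3-interface irb.100
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access vlan members backend
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access vlan members backend
set interfaces irb unit 100 family inet address 192.168.100.1/24
set security zones security-zone backend interfaces irb.100

# --- Option B: a single routed port toward a downstream switch (use instead of Option A) ---
# set interfaces ge-0/0/2 unit 0 family inet address 192.168.100.1/24
# set security zones security-zone backend interfaces ge-0/0/2.0

# Let hosts in the backend zone ping their gateway; nothing else is accepted by the SRX itself
set security zones security-zone backend host-inbound-traffic system-services ping

# Source NAT: translate the RFC 1918 /24 to the address of the egress (/30) interface
# "wan" is assumed to be the zone that already holds the BGP-facing uplink
set security nat source rule-set backend-to-wan from zone backend
set security nat source rule-set backend-to-wan to zone wan
set security nat source rule-set backend-to-wan rule snat-backend match source-address 192.168.100.0/24
set security nat source rule-set backend-to-wan rule snat-backend then source-nat interface

# Security policy for outbound-initiated traffic only (no wan -> backend policy is created,
# so unsolicited inbound traffic is dropped by default). Narrow "application any" to the
# protocols the backend actually needs once they are known.
set security policies from-zone backend to-zone wan policy allow-outbound match source-address any
set security policies from-zone backend to-zone wan policy allow-outbound match destination-address any
set security policies from-zone backend to-zone wan policy allow-outbound match application any
set security policies from-zone backend to-zone wan policy allow-outbound then permit
set security policies from-zone backend to-zone wan policy allow-outbound then log session-close
```

Because the /24 is translated to the /30 interface address, it does not need to be advertised in the existing BGP session; the return traffic arrives at the /30 and the SRX maps it back through its NAT session table. After committing, `show security flow session` and `show security nat source rule all` confirm that backend sessions are being translated and matched.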
This sounds almost like the factory config you get on low end SRXs. It will have a default inside network (something like 192.168.1.0/24) and the config will NAT this /24 to whatever you have on the outside (typically a service provider /31 or /30 network).