Hi all!
We have a hosting system with an SRX5800 as a frontend firewall. We have multiple virtual routers in this device and normally we use static SNATs and DNATs.
We give the client a public IP address on which they can reach their servers in the "cloud".
We create a static route for these servers with the next hop being the private address of the destination server in the client's VR, so something like this:
set routing-options static route 99.99.99.99/32 next-hop 172.16.1.2
set routing-options static route 99.99.99.99/32 no-resolve
Then this route is advertised into the Internet VR and that is how the server becomes reachable from the Internet. (also, fw policies and NAT policies)
But yesterday another client told us that they didn't want NAT, they want to give the public IP address directly to their server and it should be reachable from the Internet just like the other servers in this VLAN. (there are a few other servers in this VLAN with private addresses.)
Unfortunately, I couldn't figure out how to do this.
I have a test server available so I gave it a public address and then created some test firewall policies. Also I tried to create a static route but without a next hop it didn't show up in the client's routing table nor in the Internet routing table.
So how should I go about it? What should be the next hop? What's the recommended solution for this? Is it even possible?
Thanks in advance.