I don't know of documentation for this scenario, but the default configuration for the trust vlan.
You can look at the default configuration at any time by running this in configuration mode. Just be sure not to commit the change and to roll back when done looking.
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
Original Message:
Sent: 03-09-2023 12:13
From: Jerry
Subject: public ip without nat
Thank you for the detailed reply. I see what you're suggesting here. It is a little outside of my experience with the SRX, but I'm sure I can work it out. I found a similar question on Stack Exchange (https://networkengineering.stackexchange.com/questions/20732/srx-routed-subnet-no-nat), and I can see that a solution given there is going down the same path that you're suggesting. Unfortunately, they point to an example on Juniper's site that is now a dead link: http://www.juniper.net/documentation/en_US/junos12.1/topics/example/security-zone-layer2-configuring.html
Are you aware of any other good example pages?
Currently, the ISP has added a static ARP entry at their router to make this work. My workload has grown a lot since this problem came up, and I don't know when I'll get back to this issue, but I wanted to reply so you knew that I read and appreciate your response.
------------------------------
Jerry
Original Message:
Sent: 03-07-2023 20:09
From: spuluka
Subject: public ip without nat
So what is happening is there is no broadcast domain between the interface connected to the public device and the ISP interface because they are in two different layer 3 domains. Based on your description it seems the lack of arp is a problem for the new ISP device that it was able to ignore previously.
To get these into the same broadcast domain you would need to make the following changes.
- Move the ip address on the interface facing the ISP to an irb interface
- Remove the existing interface from the internet zone and add the new irb interface instead
- Place both interfaces into the same vlan
- Change the default route on the device to be to the SRX public ip address and remove the old one to the private address
- Remove the route to the public ip of the device from the SRX
- Security policy check
  - If both the internet and internal device interfaces are assigned to the same zone then no changes are needed
  - If these are different zones they need to change to be both to and from the same internet zone
This process will create a normal broadcast domain so the arp will be forwarded through the SRX to the ISP.
Since the traffic has to go through the SRX between the ISP and the public device on different interfaces security policies will still be enforced. Any devices in the same broadcast domain need to connect to different interfaces on the SRX. If they were connected to the same layer 2 switch the SRX could be cut out of the loop and all traffic allowed between the devices.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
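As an added sketch of the steps above (not configuration from the thread or from Juniper documentation), the Junos stanzas that move the ISP-facing address onto irb.0, put ge-0/0/0 and ge-0/0/6 into one VLAN and swap irb.0 into the internet zone. It assumes ELS-style switching syntax (SRX300/SRX1500 class), the zone name internet, a constructed VLAN name and id, and placeholders for the public address; it does not cover the private gateway the other NAT'd hosts on ge-0/0/6.0 still need, nor whether traffic switched between the two ports is inspected on a given platform, which the thread does not settle.

```junos
interfaces {
    ge-0/0/0 {
        unit 0 {
            /* ISP-facing port: its public address moves off this unit onto irb.0 */
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members public-bridge;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            /* port toward the public-addressed device, now in the same VLAN */
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members public-bridge;
                }
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                /* placeholder: the address formerly on ge-0/0/0.0; the x.x.x.x/32 static route is deleted */
                address <SRX-PUBLIC-IP>/<PREFIX>;
            }
        }
    }
}
vlans {
    public-bridge {
        vlan-id 100;          /* constructed VLAN id */
        l3-interface irb.0;
    }
}
security {
    zones {
        security-zone internet {
            interfaces {
                irb.0;        /* replaces ge-0/0/0.0 in the zone */
            }
        }
    }
}
```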
Original Message:
Sent: 03-03-2023 11:00
From: Jerry
Subject: public ip without nat
I'm sorry if I didn't explain it well. The device is not dual-addressed. It is simply given a public address and I do not do any NAT translation at the SRX. The device is connected to SRX interface ge-0/0/6.0, and this interface is given a private IP address, which is also the default gateway for the device. I have no issues pinging the gateway from the device or sending data from the device out to the internet through the SRX.
The issue is getting data back, and according to the ISP, it's because there is no ARP information for the device's IP address advertised to their router that the SRX is connected to, so the router doesn't know where to send the data. As you said in an earlier post, "If you are using a public address on a device without any NAT you cannot use the same address with proxy arp for NAT on the SRX. This would be an address conflict for that broadcast domain."
So, I need to know how to get the ARP information for the device out to the router, or find some other way of making this work.
Jerry
Original Message:
Sent: 02-28-2023 12:54
From: spuluka
Subject: public ip without nat
I'm not sure I follow the setup here so forgive me if this is not right.
It sounds like you are dual addressing a server with both a public and private ip address but do NOT overlap the two broadcast domains. This would be a non-standard configuration, so I could see why it might stop working after an upgrade.
For the server arp to reach the upstream ISP device both would need to be in an interface configured with the same broadcast domain. If both are connected to different SRX interfaces then policy from untrust to untrust zone (or whatever that external zone name is) could be used to control traffic and nat behavior.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-18-2023 14:51
From: Jerry
Subject: public ip without nat
The ISP is directly connected to ge-0/0/0.0, and the public addressed resource is connected to ge-0/0/6.0 through a couple of network switches. The default gateway for the resource is a private IP address assigned to the ge-0/0/6.0 interface. There are other devices using this interface as their default gateway, too, but they are set up with NAT. The ge-0/0/0.0 interface is assigned a public IP address as the next hop for the ISP router. The resource, the ISP interface, and the ge-0/0/0.0 interface are all in the same subnet.
I use a rule under security -> nat to disable NAT for the resource (x.x.x.x):
rule no-nat-security-rule {
    match {
        source-address x.x.x.x/32;
    }
    then {
        source-nat {
            off;
        }
    }
}
I set a static route to direct the SRX to send traffic to the ge-0/0/6.0 for the resource as well as the default route to the ISP router (x.x.x.y):
routing-options {
    static {
        route 0.0.0.0/0 next-hop x.x.x.y;
        route x.x.x.x/32 next-hop ge-0/0/6.0;
    }
}
Do I need to have a rule to allow the ARP from the resource pass through the SRX to the ISP? I'm not sure if that should just happen, or if I could be unintentionally blocking that with my security policies due to a lack of understanding on my part.
Thanks for continuing to stick with me here!
Original Message:
Sent: 02-18-2023 11:02
From: spuluka
Subject: public ip without nat
Could you confirm how the physical cabling is setup?
It sounds like you have the SRX interface, the public addressed resource interface and the ISP interface in the same broadcast domain.
I assume the resource is using the SRX interface as the default gateway.
So for the SRX to control traffic both the ISP and the resource would need to be physically connected to an SRX interface.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-17-2023 15:50
From: JERRY GIACINTO
Subject: public ip without nat
To expand... I have a device behind the firewall that I need to not apply NAT to. I have had that configured and connectivity established from outside the firewall for a good year and a half. The connectivity stopped working a couple of weeks ago, but I haven't changed any configs on the firewall or the other device. In the end, I talked to my ISP, and they said they don't have an ARP table entry for the device. I am not an expert at the SRX (one man shop), but I did find out a year and a half ago that I could not use proxy arp for NAT for this device, and I figured it was an IP conflict. I reminded myself of that earlier this week when I tried it again. The ISP has currently added a static entry to the ARP table for the MAC of the SRX, but this, of course, is problematic because if I replace the firewall, then I'll have to engage the ISP to change that, and I really shouldn't need to do that.
I don't know what changed on the ISP router that caused the connectivity to go down, and the techs haven't been able to explain it, either. So, the question becomes how do I make sure the ARP information for the internal non-NATed device makes it through to the next hop router that the SRX is connected to on the external interface?
Thank you - Jerry
------------------------------
JERRY GIACINTO
Original Message:
Sent: 02-15-2023 15:20
From: spuluka
Subject: public ip without nat
Could you expand on your exact situation?
If you are using a public address on a device without any NAT you cannot use the same address with proxy arp for NAT on the SRX. This would be an address conflict for that broadcast domain.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-14-2023 17:30
From: JERRY GIACINTO
Subject: public ip without nat
Hi... I know this is two years old, but can you provide what you did, in some detail, to get this working?