SRX


public ip without nat

  • 1.  public ip without nat

    Posted 01-04-2021 09:15
    Hi,

    I have an SRX-320 with 2 x /29.

    The first /29 I use for static/destination NAT, and it's working egress and ingress as desired.

    The second /29 I want to use for public IPs behind the firewall without using NAT. This is working egress, but no traffic is received from the internet. How do I set this up?

    I've tried to set up some static NAT prefixed with the public IP and rules allowing the respective untrust zone to access a trust zone defined by the second public /29 range, but that's not working. Does anyone know how to get this traffic flowing?

    Thank you.


  • 2.  RE: public ip without nat

    Posted 01-04-2021 17:55
    The two subnets you get for this purpose should be configured as follows.
    • First /29 for NAT
      • Option 1 - Configured on the untrust public interface
        • Use per the documentation with security and nat policies
        • configure proxy-arp for any address not on the actual interface
      • Option 2 - routed to the public address configured on the untrust interface by the upstream router
        • Use as pool addresses in nat policy and configure matching security policy
        • no proxy-arp is needed
    • Second /29 direct usage
      • Upstream router must route the subnet to the address physically configured on the SRX untrust interface
      • Configure directly on the downstream srx interface using one as the gateway address for the subnet on the SRX
      • Use the remaining addresses for the desired servers or devices needing a direct public address
      • Configure the untrust to trust security policy on the required ports to allow the connection through the SRX
      • Do NOT configure any NAT policy


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
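    Steve's "second /29 direct usage" steps above, written out as Junos set commands. This is an added illustration, not configuration posted in the thread; it assumes ge-0/0/0 faces the ISP, ge-0/0/6 faces the servers, the documentation prefixes 198.51.100.0/29 (first block, on the untrust interface) and 203.0.113.0/29 (second block, which the ISP must route to 198.51.100.2), and lines beginning with # are explanatory rather than part of the configuration.

```junos
# First /29 lives on the ISP-facing interface; the ISP routes the second /29 to 198.51.100.2
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/29
# Second /29 is configured directly on the inside interface; .1 is the servers' default gateway
set interfaces ge-0/0/6 unit 0 family inet address 203.0.113.1/29
set routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# Put the public servers in their own zone so the usual trust-to-untrust
# source NAT rule-set (source-nat interface) can never match them
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone public interfaces ge-0/0/6.0
set security zones security-zone public host-inbound-traffic system-services ping

# Address book entry for the routed block (assumed name)
set security address-book global address public-servers 203.0.113.0/29

# Inbound: permit only the services the servers actually expose, and log each session
set security policies from-zone untrust to-zone public policy inbound-web match source-address any
set security policies from-zone untrust to-zone public policy inbound-web match destination-address public-servers
set security policies from-zone untrust to-zone public policy inbound-web match application junos-https
set security policies from-zone untrust to-zone public policy inbound-web then permit
set security policies from-zone untrust to-zone public policy inbound-web then log session-init

# Outbound: servers reach the internet with their real addresses; no NAT rule references this zone
set security policies from-zone public to-zone untrust policy outbound match source-address public-servers
set security policies from-zone public to-zone untrust policy outbound match destination-address any
set security policies from-zone public to-zone untrust policy outbound match application any
set security policies from-zone public to-zone untrust policy outbound then permit
```

    Verify with `show route 203.0.113.0/29` and `show security flow session destination-prefix 203.0.113.0/29`. This design depends on the ISP routing the second block to 198.51.100.2; if the ISP instead expects those addresses on-link, that is the proxy-ARP case discussed later in the thread.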



  • 3.  RE: public ip without nat

    Posted 01-04-2021 18:43
    One approach would be to use a dumb switch in front of the SRX and use that as an "internet blob" with all of the addresses available there.  Doing this, of course, eliminates any controls that the SRX might provide for any of the other public addresses at your disposal.  The idea is that it's no worse than connecting to ANY public address.

    Conversely, if you want to control traffic in and out of one of your public addresses (which, in some sense seems a contradiction in terms but so be it), then I wonder if you might not want to consider different firewall rules for each one or for groups of them?   Likely not all devices using public addresses would have the same requirements.
    I suppose you might make separate rules on a per-address basis or you might create separate zones.  I don't know which is best.

    I mention these things out of curiosity because I really don't know what common practices might be....


  • 4.  RE: public ip without nat

    Posted 01-19-2021 04:57
    Just wanted to let you know I got it to work with proxy ARP. Thank you.


  • 5.  RE: public ip without nat

    Posted 02-14-2023 18:08
    Edited by spuluka 02-14-2023 19:38

    Hi... I know this is two years old, but can you provide what you did, in some detail, to get this working?  When I add a proxy ARP entry to my config for the un-NATed address, traffic doesn't pass to my device that is not NATed, despite having a static route in my config to direct that traffic to the correct internal interface.

    Thank you!





  • 6.  RE: public ip without nat

    Posted 02-15-2023 02:56

    Hi,

    1. You need to add all public addresses, both NAT and non-NAT ranges, to proxy ARP for the interface connected to your ISP.
    2. Then make traffic rules to allow the traffic to reach the endpoints from outside the zone.

    //Carsten


  • 7.  RE: public ip without nat

    Posted 02-15-2023 15:21

    Could you expand on your exact situation?

    If you are using a public address on a device without any NAT you cannot use the same address with proxy arp for NAT on the SRX.  This would be an address conflict for that broadcast domain.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 8.  RE: public ip without nat

    Posted 02-17-2023 17:00
    Edited by Jerry 02-21-2023 13:58

    To expand... I have a device behind the firewall that I need to not apply NAT to.  I have had that configured and connectivity established from outside the firewall for a good year and a half.  The connectivity stopped working a couple of weeks ago, but I haven't changed any configs on the firewall or the other device.  In the end, I talked to my ISP, and they said they don't have an ARP table entry for the device.  I am not an expert at the SRX (one-man shop), but I did find out a year and a half ago that I could not use proxy ARP for NAT for this device, and I figured it was an IP conflict.  I reminded myself of that earlier this week when I tried it again.  The ISP has currently added a static entry to the ARP table for the MAC of the SRX, but this, of course, is problematic because if I replace the firewall, then I'll have to engage the ISP to change that, and I really shouldn't need to do that.

    I don't know what changed on the ISP router that caused the connectivity to go down, and the techs haven't been able to explain it, either.  So, the question becomes how do I make sure the ARP information for the internal non-NATed device makes it through to the next hop router that the SRX is connected to on the external interface?

    Thank you - Jerry





  • 9.  RE: public ip without nat

    Posted 02-18-2023 11:03

    Could you confirm how the physical cabling is setup?

    It sounds like you have the SRX interface, the public addressed resource interface and the ISP interface in the same broadcast domain.

    I assume the resource is using the SRX interface as the default gateway.

    So for the SRX to control traffic both the ISP and the resource would need to be physically connected to an SRX interface. 



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 10.  RE: public ip without nat

    Posted 02-18-2023 14:52
    Edited by Jerry 02-19-2023 13:05

    The ISP is directly connected to ge-0/0/0.0, and the public addressed resource is connected to ge-0/0/6.0 through a couple of network switches.  The default gateway for the resource is a private IP address assigned to the ge-0/0/6.0 interface.  There are other devices using this interface as their default gateway, too, but they are set up with NAT.  The ge-0/0/0.0 interface is assigned a public IP address as the next hop for the ISP router.  The resource, the ISP interface, and the ge-0/0/0.0 interface are all in the same subnet.

    I use a rule under security -> nat to disable NAT for the resource (x.x.x.x):

    rule no-nat-security-rule {
        match {
            source-address x.x.x.x/32;
        }
        then {
            source-nat {
                off;
            }
        }
    }

    I set a static route to direct the SRX to send traffic to the ge-0/0/6.0 for the resource as well as the default route to the ISP router (x.x.x.y):

    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.y;
            route x.x.x.x/32 next-hop ge-0/0/6.0;
        }
    }

    Do I need to have a rule to allow the ARP from the resource pass through the SRX to the ISP?  I'm not sure if that should just happen, or if I could be unintentionally blocking that with my security policies due to a lack of understanding on my part.

    Thanks for continuing to stick with me here! 





  • 11.  RE: public ip without nat

    Posted 02-28-2023 12:55

    I'm not sure I follow the setup here so forgive me if this is not right.

    It sounds like you are dual-addressing a server with both a public and a private IP address but do NOT overlap the two broadcast domains.  This would be a non-standard configuration, so I could see why it might stop working after an upgrade.

    For the server arp to reach the upstream ISP device both would need to be in an interface configured with the same broadcast domain.  If both are connected to different SRX interfaces then policy from untrust to untrust zone (or whatever that external zone name is) could be used to control traffic and nat behavior.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 12.  RE: public ip without nat

    Posted 03-03-2023 11:00
    Edited by Jerry 03-03-2023 17:40

    I'm sorry if I didn't explain it well.  The device is not dual-addressed.  It is simply given a public address and I do not do any NAT translation at the SRX.  The device is connected to SRX interface ge-0/0/6.0, and this interface is given a private IP address, which is also the default gateway for the device.  I have no issues pinging the gateway from the device or sending data from the device out to the internet through the SRX.

    The issue is getting data back, and according to the ISP, it's because there is no ARP information for the device's IP address advertised to their router that the SRX is connected to, so the router doesn't know where to send the data.  As you said in an earlier post, "If you are using a public address on a device without any NAT you cannot use the same address with proxy arp for NAT on the SRX.  This would be an address conflict for that broadcast domain."

    So, I need to know how to get the ARP information for the device out to the router, or find some other way of making this work.


    Jerry




  • 13.  RE: public ip without nat

    Posted 03-07-2023 20:09

    So what is happening is there is no broadcast domain between the interface connected to the public device and the ISP interface because they are in two different layer 3 domains.  Based on your description it seems the lack of arp is a problem for the new ISP device that it was able to ignore previously.

    To get these into the same broadcast domain you would need to make the following changes.

    • Move the ip address on the interface facing the ISP to an irb interface
    • Remove the existing interface from the internet zone and add the new irb interface instead
    • Place both interfaces into the same vlan
    • Change the default route on the device to be to the SRX public ip address and remove the old one to the private address
    • Remove the route to the public ip of the device from the SRX
    • Security policy check
      • If both the internet and internal device interfaces are assigned to the same zone then no changes are needed
      • If these are different zones they need to change to be both to and from the same internet zone

    This process will create a normal broadcast domain so the arp will be forwarded through the SRX to the ISP. 

    Since the traffic has to go through the SRX between the ISP and the public device on different interfaces security policies will still be enforced.  Any devices in the same broadcast domain need to connect to different interfaces on the SRX.  If they were connected to the same layer 2 switch the SRX could be cut out of the loop and all traffic allowed between the devices.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 14.  RE: public ip without nat

    Posted 03-09-2023 12:14

    Thank you for the detailed reply.  I see what you're suggesting here.  It is a little outside of my experience with the SRX, but I'm sure I can work it out.  I found a similar question on Stack Exchange (https://networkengineering.stackexchange.com/questions/20732/srx-routed-subnet-no-nat), and I can see that a solution given there is going down the same path that you're suggesting.  Unfortunately, they point to an example on Juniper's site that is now a dead link:  http://www.juniper.net/documentation/en_US/junos12.1/topics/example/security-zone-layer2-configuring.html

    Are you aware of any other good example pages?

    Currently, the ISP has added a static ARP entry at their router to make this work.  My workload has grown a lot since this problem came up, and I don't know when I'll get back to this issue, but I wanted to reply so you knew that I read and appreciate your response.



    ------------------------------
    Jerry
    ------------------------------