Junos OS

  • 1.  One External Physical Port Two IPs

    Posted 03-24-2023 17:03

    I am utilizing a SRX 380. The SRX currently has a /30 IP that is only routable across the Agency WAN. I am being assigned a /24 for backend devices that need access to the internet. The backend IP space is RFC 1918 that gets NAT'd to the /30. There is a BGP peering between the /30 IP and the uplink. What is the best route to allow backend devices to utilize the /24 with the one uplink?



    ------------------------------
    LAVEL BURCH
    ------------------------------


  • 2.  RE: One External Physical Port Two IPs

    Posted 03-25-2023 10:32

    You would assign a VLAN for the internal /24 subnet and then determine if you want to have multiple ports on the SRX assigned to this or just a single port that is connecting to a downstream switch.

    With multiple ports, these all get assigned to the VLAN and then an irb interface is created as the layer 3 gateway of the subnet.

    With a single port, you simply configure that port as layer 3 for the gateway.

    Once the layer 3 interface is created, it needs to be added to a zone for the security and NAT policies to be created.

    With the NAT policy, you write a policy from that internal zone to the existing WAN link zone with a source NAT interface policy.

    Then a security policy, either allow-all or a set of policies to restrict traffic, is created from the internal zone to the WAN interface zone for outbound-initiated traffic. The NAT will then apply to any traffic that is permitted by policy.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
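The steps in the answer above, written out as a Junos set-style configuration. This is an added example, not configuration from the original post or from Steve Puluka; every interface name, VLAN id, zone name and address in it is an assumption (ge-0/0/2 and ge-0/0/3 as backend ports, irb.100 with 10.10.10.1/24 as the gateway, ge-0/0/0.0 as the existing /30 uplink in a zone called wan), since the thread gives none of these values.

```junos
## Assumed values throughout; substitute the real ports, VLAN id and subnet.

## Multi-port option: backend ports in one VLAN, irb.100 as the layer 3 gateway.
set vlans backend vlan-id 100
set vlans backend l3-interface irb.100
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members backend
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members backend
set interfaces irb unit 100 family inet address 10.10.10.1/24

## Single-port alternative: the physical port itself is the layer 3 gateway
## (use this instead of the VLAN/irb lines above, and reference ge-0/0/2.0 in the zone).
## set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24

## Zone for the gateway interface. Only the services the hosts actually need
## are allowed to reach the SRX itself; nothing else is opened inbound.
set security zones security-zone backend interfaces irb.100 host-inbound-traffic system-services ping
set security zones security-zone backend interfaces irb.100 host-inbound-traffic system-services dhcp

## The existing uplink (/30, BGP peering) is assumed to already sit in a zone named wan.
set security zones security-zone wan interfaces ge-0/0/0.0

## Source NAT: backend addresses are translated to the uplink interface address.
set security nat source rule-set backend-to-wan from zone backend
set security nat source rule-set backend-to-wan to zone wan
set security nat source rule-set backend-to-wan rule backend-egress match source-address 10.10.10.0/24
set security nat source rule-set backend-to-wan rule backend-egress then source-nat interface

## Security policy for outbound-initiated traffic. "application any" is the
## allow-all variant; restrict it to the applications the backend really uses.
## No wan-to-backend policy is written, so nothing can be initiated inbound.
set security policies from-zone backend to-zone wan policy backend-out match source-address any
set security policies from-zone backend to-zone wan policy backend-out match destination-address any
set security policies from-zone backend to-zone wan policy backend-out match application any
set security policies from-zone backend to-zone wan policy backend-out then permit
set security policies from-zone backend to-zone wan policy backend-out then log session-close
```

After commit, `show security nat source rule all` confirms the rule is installed and counting translations, and `show security flow session source-prefix 10.10.10.0/24` shows backend sessions with their translated source address on the wan side. The session-close logging on the permit policy is what gives you a per-connection audit record for the backend hosts.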



  • 3.  RE: One External Physical Port Two IPs

    Posted 03-26-2023 17:10

    This sounds almost like the factory config you get on low-end SRXs. It will have a default inside network (something like 192.168.1.0/24) and the config will NAT this /24 to whatever you have on the outside (typically a service provider /31 or /30 network).



    ------------------------------
    Simon Bingham
    ------------------------------