Home / server / Questions / 227425
Accepted
Element
Asked: 2011-01-27 18:29:26 +0800 CST

Assign multiple external ips with Juniper SRX100

  • 772

I have a single Juniper SRX100 setup between several servers and a WAN.

Is it possible to give all the servers external IP addresses and still use the SRX100 as a firewall?

(My ISP has provisioned me additional addresses already, I am just not sure how to configure the switch)

configuration juniper

3 Answers

  1. Best Answer

    I don't agree with the above answer.

    SRX devices like NetScreen devices deal with zones. You're going to need to put one port in the "untrust" zone, and the rest of them in the "trust" zone. The SRX should be set for this out of the box. The port in the untrust zone is likely set for DHCP right now, you'll need to override that and do something like this:

    set interfaces ge-0/0/0 unit 0 description ISP Link
set interfaces ge-0/0/0 unit 0 family inet address 99.10.15.173/29

    Now... for the OTHER IP addresses to be available off that same interface, you need a proxy arp statement under NAT configuration.

    set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.170/32
set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.171/32

    Then, you need static NAT's mapping those IP addresses to internal hosts:

    set security nat static rule-set emailservers from zone untrust
set security nat static rule-set emailservers rule exchange-direct match destination-address 99.10.15.170/32
set security nat static rule-set emailservers rule exchange-direct then static-nat prefix 192.168.1.70/32
set security nat static rule-set emailservers rule proofpoint match destination-address 99.10.15.171/32
set security nat static rule-set emailservers rule proofpoint then static-nat prefix 192.168.1.74/32

    And then, you MUST have a policy that PERMITS said traffic!

    set security policies from-zone untrust to-zone trust policy mailservers match source-address any
set security policies from-zone untrust to-zone trust policy mailservers match destination-address mailservers
set security policies from-zone untrust to-zone trust policy mailservers match application junos-smtp
set security policies from-zone untrust to-zone trust policy mailservers match application junos-https
set security policies from-zone untrust to-zone trust policy mailservers match application junos-http
set security policies from-zone untrust to-zone trust policy mailservers match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imap
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imaps
set security policies from-zone untrust to-zone trust policy mailservers match application junos-pop3
set security policies from-zone untrust to-zone trust policy mailservers then permit

    Some things I left out: setting up address book entries for the zones, and etc... but to sum up:

    1) set external interface 2) set proxy arp 3) set static NATs (or whatever nat you need) 4) configure security policy to permit traffic.

    • 4

  2. Yes it is. Just let the servers be in a dmz, with the gateway address on its interface, and ofc, you must create permitting policies and so on.

    ex. server 1 has ip 1.1.1.2/24 with gateway 1.1.1.1 server 2 has ip 1.1.1.3/24 with gateway 1.1.1.1

    the IP of the SRX interface is 1.1.1.1.

    Good luck.

    • 0

  3. It sounds like you want transparent mode. It's currently supported only on the high-end SRX1400-SRX5800.

    There are rumors that it may be coming soon to the low-end SRX.

    • 0