I have a single Juniper SRX100 setup between several servers and a WAN.

Is it possible to give all the servers external IP addresses and still use the SRX100 as a firewall?

(My ISP has provisioned me additional addresses already, I am just not sure how to configure the switch)

Element
  • I typed in an answer, then realized that the SRX is a JunOS thing, not a ScreenOS one. This is (practically) trivial in ScreenOS -- but that's not relevant here. – David Mackintosh Jan 27 '11 at 03:24

3 Answers

I don't agree with the above answer.

SRX devices, like NetScreen devices, deal with zones. You're going to need to put one port in the "untrust" zone, and the rest of them in the "trust" zone. The SRX should be set for this out of the box. The port in the untrust zone is likely set for DHCP right now; you'll need to override that and do something like this:

set interfaces ge-0/0/0 unit 0 description "ISP Link"
set interfaces ge-0/0/0 unit 0 family inet address 99.10.15.173/29

Now... for the OTHER IP addresses to be available off that same interface, you need a proxy ARP statement under the NAT configuration:

set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.170/32
set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.171/32

Then, you need static NATs mapping those IP addresses to internal hosts:

set security nat static rule-set emailservers from zone untrust
set security nat static rule-set emailservers rule exchange-direct match destination-address 99.10.15.170/32
set security nat static rule-set emailservers rule exchange-direct then static-nat prefix 192.168.1.70/32
set security nat static rule-set emailservers rule proofpoint match destination-address 99.10.15.171/32
set security nat static rule-set emailservers rule proofpoint then static-nat prefix 192.168.1.74/32

And then, you MUST have a policy that PERMITS said traffic!

set security policies from-zone untrust to-zone trust policy mailservers match source-address any
set security policies from-zone untrust to-zone trust policy mailservers match destination-address mailservers
set security policies from-zone untrust to-zone trust policy mailservers match application junos-smtp
set security policies from-zone untrust to-zone trust policy mailservers match application junos-https
set security policies from-zone untrust to-zone trust policy mailservers match application junos-http
set security policies from-zone untrust to-zone trust policy mailservers match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imap
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imaps
set security policies from-zone untrust to-zone trust policy mailservers match application junos-pop3
set security policies from-zone untrust to-zone trust policy mailservers then permit

Some things I left out: setting up address book entries for the zones, and so on. But to sum up:

1) set the external interface
2) set proxy ARP
3) set static NATs (or whatever NAT you need)
4) configure a security policy to permit the traffic

SpacemanSpiff
  • +1 for probably the best workaround to not having transparent mode. The servers will still have private IPs, but they will appear to have separate public IPs to the outside world. – eater Jan 27 '11 at 14:39
  • Hey SpacemanSpiff, thanks for the advice. I tried configuring it following your instructions, but it does not route traffic properly. Could you take a look at my configuration and see if you can spot any problems? It's set up to map 192.168.1.145 & .146 to 10.0.0.2 & .3. Link: http://pastebin.com/N103x6h9 – Element Jan 30 '11 at 19:11
  • Your next hop, 192.168.1.1, is not in a network you are connected to, since you put a /29 mask on the 192.168.1.150 address for eth0/0/0. What is the network mask of the device 192.168.1.1? I would suspect 255.255.255.0, which is equivalent to /24. – SpacemanSpiff Jan 30 '11 at 19:37
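The four-step recipe in the answer above, and the next-hop mistake diagnosed in its comments, can be sanity-checked before committing. This is an added example, not code from the answer or from Juniper: it parses Junos-style "set" lines and flags a static next-hop outside every connected network, proxy-ARP addresses with no matching static NAT rule (and vice versa), and a missing untrust-to-trust permit policy. The sample configuration is constructed to mirror the failing case in the comments; the default-route line is an assumption.

```python
import ipaddress
import re

# Constructed sample in the shape the answer uses. The /29 on the interface
# and the 192.168.1.1 next-hop reproduce the problem from the comments; the
# default route itself is an assumption, not part of the original answer.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.150/29
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.145/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.146/32
set security nat static rule-set srv from zone untrust
set security nat static rule-set srv rule s1 match destination-address 192.168.1.145/32
set security nat static rule-set srv rule s1 then static-nat prefix 10.0.0.2/32
set security policies from-zone untrust to-zone trust policy srv match destination-address any
set security policies from-zone untrust to-zone trust policy srv then permit
"""

def check_config(text):
    """Return a list of findings; an empty list means the recipe is consistent."""
    findings, iface_nets, next_hops = [], [], []
    proxy_arp, nat_targets, permits = set(), set(), 0
    for line in text.strip().splitlines():
        if m := re.match(r"set interfaces \S+ unit \d+ family inet address (\S+)", line):
            iface_nets.append(ipaddress.ip_interface(m.group(1)))
        elif m := re.match(r"set routing-options static route \S+ next-hop (\S+)", line):
            next_hops.append(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"set security nat proxy-arp interface \S+ address (\S+)", line):
            proxy_arp.add(ipaddress.ip_interface(m.group(1)).ip)
        elif m := re.match(r"set security nat static rule-set \S+ rule \S+ match destination-address (\S+)", line):
            nat_targets.add(ipaddress.ip_interface(m.group(1)).ip)
        elif re.match(r"set security policies from-zone untrust to-zone trust .* then permit", line):
            permits += 1
    # Step 1: a static next-hop must lie inside a directly connected network.
    for nh in next_hops:
        if not any(nh in i.network for i in iface_nets):
            findings.append(f"next-hop {nh} is not in any connected network")
    # Steps 2 and 3: every proxy-ARP address needs a static NAT rule, and vice versa.
    for ip in sorted(proxy_arp - nat_targets):
        findings.append(f"proxy-arp {ip} has no static NAT rule")
    for ip in sorted(nat_targets - proxy_arp):
        findings.append(f"static NAT target {ip} is not proxy-arped")
    # Step 4: translated traffic is still dropped without a permit policy.
    if nat_targets and permits == 0:
        findings.append("no untrust-to-trust permit policy")
    return findings
```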
Yes, it is. Just put the servers in a DMZ, with the gateway address on its interface, and of course you must create permitting policies and so on.

e.g. server 1 has IP 1.1.1.2/24 with gateway 1.1.1.1; server 2 has IP 1.1.1.3/24 with gateway 1.1.1.1.

The IP of the SRX interface is 1.1.1.1.

Good luck.

xeet
It sounds like you want transparent mode. It's currently supported only on the high-end SRX1400-SRX5800.

There are rumors that it may be coming soon to the low-end SRX.

eater