[j-nsp] SRX Configuration guidance

Deon Vermeulen Deon.Vermeulen at mtnbusiness.co.na
Mon Apr 12 05:11:11 EDT 2010


Hi,

I am setting up an SRX firewall for the first time and need some advice with a specific configuration solution.

Solution overview:

                         /----> Trusted Interface VLAN X. Customer X Private Network
Untrusted Traffic --->  / ----> Trusted Interface VLAN Y. Customer Y Private Network
                         \----> Trusted Interface VLAN Z. Customer Z Private Network


INTERFACES:
1x Physical Untrusted Interface (No VLANs). Has to stay one Physical Interface.
Multiple Trusted VLAN Interfaces.
VLANs allocated per customer. No traffic to be passed between customers.


NAT:
Do public-to-private NAT from Untrusted to Trusted, i.e. traffic initiated from Untrusted connecting to 196.x.x.1 translating to 192.x.x.1 sitting behind a Trusted interface.

Some translations need to be source NATted.


ROUTING (ISSUE):
Route customer private IPs to customer VLAN Trusted Interface.

ISSUE: Conflicting Private IPs between customers.


To configure the security zones with their respective policies and NAT is not an issue.
The issue is the conflicting customer IPs.


I was thinking of using Virtual Routers for each Trusted Interface, but how do I route traffic from the Physical Untrusted Interface to the relevant Virtual Router without splitting the Untrusted Interface into multiple VLANs?

I am thinking of a feature that Cisco has of doing routing based on the interface, but I am not sure if this can be done on an SRX, i.e. route outside 0.0.0.0 0.0.0.0 196.x.x.x ; route CUST-A 192.168.2.0 255.255.255.0 192.168.0.2 ; route CUST-B 192.168.2.0 255.255.255.0 192.168.1.2

I will really appreciate any guidance or advice with this.

Thank you in advance


