Hi,

I am setting up an SRX firewall for the first time and need some advice with a 
specific configuration solution.

Solution overview:

                        /----> Trusted Interface VLAN X. Customer X Private Network
Untrusted Traffic ---> -----> Trusted Interface VLAN Y. Customer Y Private Network
                        \----> Trusted Interface VLAN Z. Customer Z Private Network


INTERFACES:
1x Physical Untrusted Interface (No VLANs). Has to stay one Physical Interface.
Multiple Trusted VLAN Interfaces.
VLANs allocated per customer. No traffic to be passed between customers.


NAT:
Do public-to-private NAT from Untrusted to Trusted, i.e. traffic initiated from 
Untrusted connecting to 196.x.x.1 translating to 192.x.x.1 sitting behind a 
trusted interface.

Some translations need to be source NATted.


ROUTING (ISSUE):
Route customer private IPs to customer VLAN Trusted Interface.

ISSUE: Conflicting Private IPs between customers.


To configure the security zones with their respective policies and NAT is not 
an issue.
The issue is the conflicting customer IPs.


I was thinking of using Virtual Routers for each Trusted Interface, but how do 
I route traffic from the Physical Untrusted Interface to the relevant Virtual 
Router without splitting the Untrusted Interface into multiple VLANs?

I am thinking of a feature that Cisco has of doing routing based on the 
interface, but not sure if this can be done on an SRX, i.e. route outside 0.0.0.0 
0.0.0.0 196.x.x.x ; route CUST-A 192.168.2.0 255.255.255.0 192.168.0.2 ; route 
CUST-B 192.168.2.0 255.255.255.0 192.168.1.2

I will really appreciate any guidance or advice with this.

Thank you in advance

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

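As an added illustration (not from the original message or any reply on the list), here is the virtual-router-per-customer layout the question describes, in Junos set syntax. It keeps the single untrusted interface in the default instance (inet.0), gives each customer VLAN its own virtual-router so the same private prefix can exist twice, and relies on two knobs the question does not mention: the destination NAT pool's routing-instance option, which selects the table used for the translated address, and a default route in each VR pointing back with next-table inet.0. Interface names, zone names, VLAN IDs and all addresses are assumed placeholders.

```junos
## Added example, not the poster's config. Interfaces, zones and addresses are assumed.
## Untrusted stays one physical, untagged interface in inet.0.
set interfaces ge-0/0/0 unit 0 family inet address 196.0.2.254/24
## One tagged trusted interface with a unit per customer VLAN.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10 family inet address 192.168.2.1/24
set interfaces ge-0/0/1 unit 20 vlan-id 20 family inet address 192.168.2.1/24

## A virtual-router per customer: the overlapping 192.168.2.0/24 lives in separate tables.
set routing-instances CUST-A instance-type virtual-router
set routing-instances CUST-A interface ge-0/0/1.10
set routing-instances CUST-A routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances CUST-B instance-type virtual-router
set routing-instances CUST-B interface ge-0/0/1.20
set routing-instances CUST-B routing-options static route 0.0.0.0/0 next-table inet.0

## One zone per customer; no policy between cust-a and cust-b, so the default deny applies.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone cust-a interfaces ge-0/0/1.10
set security zones security-zone cust-b interfaces ge-0/0/1.20

## Destination NAT from Untrusted. The pool's routing-instance decides which VR the
## route lookup for the translated address is done in, so the same private IP can
## be reached in CUST-A via 196.0.2.1 and in CUST-B via 196.0.2.2.
set security nat destination pool DNAT-A routing-instance CUST-A
set security nat destination pool DNAT-A address 192.168.2.10/32
set security nat destination pool DNAT-B routing-instance CUST-B
set security nat destination pool DNAT-B address 192.168.2.10/32
set security nat destination rule-set FROM-UNTRUST from zone untrust
set security nat destination rule-set FROM-UNTRUST rule TO-A match destination-address 196.0.2.1/32
set security nat destination rule-set FROM-UNTRUST rule TO-A then destination-nat pool DNAT-A
set security nat destination rule-set FROM-UNTRUST rule TO-B match destination-address 196.0.2.2/32
set security nat destination rule-set FROM-UNTRUST rule TO-B then destination-nat pool DNAT-B

## Policy is evaluated on the post-NAT address, so it is written per customer zone.
set security policies from-zone untrust to-zone cust-a policy ALLOW-DNAT-A match source-address any
set security policies from-zone untrust to-zone cust-a policy ALLOW-DNAT-A match destination-address any
set security policies from-zone untrust to-zone cust-a policy ALLOW-DNAT-A match application any
set security policies from-zone untrust to-zone cust-a policy ALLOW-DNAT-A then permit
set security policies from-zone untrust to-zone cust-b policy ALLOW-DNAT-B match source-address any
set security policies from-zone untrust to-zone cust-b policy ALLOW-DNAT-B match destination-address any
set security policies from-zone untrust to-zone cust-b policy ALLOW-DNAT-B match application any
set security policies from-zone untrust to-zone cust-b policy ALLOW-DNAT-B then permit
```

The "application any" and "destination-address any" matches are only there to keep the example short; in production, restrict each policy to the published services and the specific translated hosts.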