|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Mailing List
|
By Joining the mailing list you will be notified of site updates.
|
|
Show Your Support For
This Site By Donating:
|
|
|
|
|
|
|
|
Public IPs and NAT on the same firewall
By Erik Rodriguez
Tags: public IP addresses plus NAT, Juniper NAT firewall setup, Juniper SSG zones, NAT zones on Juniper SSG, slash notation
The following article illustrates how to configure public IP address space plus NAT addresses on the same firewall. This is common in data center networks and other networks that require the use of public IP space with the protection of a firewall.
Introduction
In a previous article, I covered how to configure a firewall with public IP addresses on both the untrust and trust zones. However, sometimes it is desired to use both public IP space and NAT on the same firewall. This is done by using a larger allocation for the untrust or Internet facing interface. Some devices will allow you to add a secondary allocation to the untrust side as well. This setup is the same, only instead of a /30 we will use a /29. We will still need static routes setup but the difference here is that a /29 provides 4 other usable IP addresses that can be used for NAT. See the diagram below:
Show above, a /29 is used on the untrust (Internet facing) side. A /27 is used for the trust side and all IP addresses within the /27 are then routed through a single address from the /29 side. This leaves 4 other IP addresses from the /29 available to NAT other devices from another zone. This practice works well for things like private servers that do not need a public IP address directly. This setup is commonly used for development environments, management devices, or other network equipment such as switches or monitoring systems.
Contact Us
NOTE: this form DOES NOT e-mail this article, it sends feedback to the author.
|
|
|
|
|
|