Screen OS

  • 1.  Can the SSG140 do DMZ and NAT/PAT on the same interface?

    Posted 09-16-2013 17:00

    I have an SSG140 with a pretty basic configuration. I have a public /24 configured as DMZ so that I can have physical and virtual machines assigned directly to public IPs.

    I now need to switch some of the virtual machines to private IPs that are connected through this same interface and share a single public IP. Is that possible?

    The following article seems to cover what I want to do for these virtual machines, but I'm not sure if it's possible to keep the rest of the public IPs as DMZ and just grab one public IP to set up the one (public) to many (private) IP configuration:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11901

    Does my question even make sense? If someone can help me better phrase my question, I'd appreciate that too!

    Thanks!



  • 2.  RE: Can the SSG140 do DMZ and NAT/PAT on the same interface?

    Posted 09-16-2013 21:38

    Hi,

    Welcome to the forum.

    @spockdude wrote:

    I now need to switch some of the virtual machines to private IPs that are connected through this same interface and share a single public IP. Is that possible?

    Do you mean you want to move one public IP from DMZ to Untrust and use it for NAT-ing a private subnet in DMZ? If that is the case, you may run into overlapping subnet issues, as the public subnet is already configured on the DMZ.



  • 3.  RE: Can the SSG140 do DMZ and NAT/PAT on the same interface?

    Posted 09-17-2013 10:27

    Gokul,

    Thank you for your reply. Yes, that is what I'm trying to do.

    So, if I'm understanding you correctly, I must first convert all the public IPs to the Untrust zone. That sounds like a tricky job with more than 200 devices on the DMZ needing to be reconfigured to use private IPs with minimal downtime in a 24/7 production environment. But, I suppose if there's no other way, we may have to consider that.

    OK, so assuming I can figure out how to make this switch, would it then be an issue to have most devices set up with a one-to-one relationship using NAT, while other devices share the same IP on the Untrust zone (I suppose with PAT)?

    Thanks,

    Curtis



  • 4.  RE: Can the SSG140 do DMZ and NAT/PAT on the same interface?
    Best Answer

    Posted 09-17-2013 21:26

    Curtis,

    I think you can play around with NAT configuration to get this working, rather than migrating your entire DMZ subnet.

    You can configure a DIP on the untrust interface with the DMZ IP you have in mind. Select the option 'in same subnet as that of extended IP'.

    set interface ethernet0/1 ip 10.204.8.56/24
    set interface bgroup2 ip 192.168.80.100/24
    set interface ethernet0/1 ext ip 192.168.80.25 255.255.255.0 dip 5 192.168.80.26 192.168.80.26

    Then you can create policies from DMZ to Untrust to NAT the DMZ-private IPs with this DIP.

    If you are looking for incoming traffic as well, then you can go ahead with configuring NAT destination through policies.



  • 5.  RE: Can the SSG140 do DMZ and NAT/PAT on the same interface?

    Posted 09-26-2013 10:26

    Thanks for your help with this. I got outbound traffic working by setting up a DIP on the untrust interface as you recommended.

    Now I'm trying to figure out how to get traffic flowing inbound. I tried to set up an untrust to dmz policy to do destination ip translation, but so far no traffic is flowing. Is there something besides the policy that I need to set up to allow inbound traffic to flow?



  • 6.  RE: Can the SSG140 do DMZ and NAT/PAT on the same interface?

    Posted 09-26-2013 10:37

    Never mind... got it working... I just had to move my policy up above the default untrust to DMZ policy so that it took precedence.

    Thanks again for your help! 🙂
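The configuration Gokul outlines in post 4, with the policy-ordering fix Curtis describes in post 6, pulled together as one added ScreenOS CLI example. This is not part of the original thread and not Juniper's KB text. The zone names, policy IDs, address-book names and the private VM subnet are assumptions chosen for illustration: ethernet0/1 in Untrust with the ISP link 10.204.8.56/24, bgroup2 in DMZ carrying the public /24 192.168.80.0/24 (the addresses from Gokul's snippet), a new private subnet 10.10.10.0/24 added as a secondary IP on that same bgroup2, 192.168.80.26 as the single public IP borrowed for the VMs, and policy id 1 standing in for the pre-existing broad Untrust-to-DMZ permit. Lines starting with "#" are annotations for the reader, not ScreenOS syntax; drop them before pasting.

```screenos
# Interfaces: public /24 stays on the DMZ bridge group; the private VM
# subnet rides the same interface as a secondary IP. (assumed layout)
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 10.204.8.56/24
set interface bgroup2 zone dmz
set interface bgroup2 ip 192.168.80.100/24
set interface bgroup2 ip 10.10.10.1/24 secondary

# Extended IP on the untrust interface in the DMZ public subnet, with a
# one-address DIP pool (id 5) for the borrowed public IP (post 4).
set interface ethernet0/1 ext ip 192.168.80.25 255.255.255.0 dip 5 192.168.80.26 192.168.80.26

# Address-book entries (names assumed).
set address "DMZ" "vm-priv-net" 10.10.10.0 255.255.255.0
set address "DMZ" "vm-web-priv" 10.10.10.20 255.255.255.255
set address "Untrust" "vm-shared-pub" 192.168.80.26 255.255.255.255

# Outbound: private VMs leave via DIP 5, i.e. source PAT to 192.168.80.26.
set policy id 10 from "DMZ" to "Untrust" "vm-priv-net" "Any" "ANY" nat src dip-id 5 permit

# Inbound: HTTP to the shared public IP is destination-NATed to one VM.
set policy id 20 from "Untrust" to "DMZ" "Any" "vm-shared-pub" "HTTP" nat dst ip 10.10.10.20 permit

# Pre-existing broad Untrust-to-DMZ policy (id assumed). Policies are
# matched top-down, first match wins: if this sits above id 20, packets
# for 192.168.80.26 are permitted untranslated and the VM never sees them,
# which is the symptom in post 5.
set policy id 1 from "Untrust" to "DMZ" "Any" "Any" "ANY" permit

# The fix from post 6: put the NAT-dst policy ahead of the broad one.
set policy move 20 before 1

# Verify the resulting order before declaring victory.
get policy from untrust to dmz
```

The same DIP pool can serve any number of private hosts on bgroup2 for outbound traffic, but only one internal host can own a given public port inbound, so each additional inbound service needs its own policy with a distinct destination address or service. Hosts that keep a dedicated public IP one-to-one, as Curtis asks in post 3, simply stay on the public /24 with no NAT policy at all; the DIP and the nat dst policies only touch traffic for the borrowed address.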