Screen OS

  • 1.  Configure secondary block of IPs untrust interface ns5gt

    Posted 06-16-2010 08:49

    My client has DSL from AT&T. It is a residential account. He purchased a block of 5 static IPs with a gateway. I would like to configure this on the untrust port of the ns5gt. The untrust is currently getting a dynamic public IP from the modem, which is in bridge mode. The dynamic IP is not in the same subnet as the new block of static IPs. How can I accomplish this?

    My main problem is where do I set up the gateway for the new block of static IPs so that I can route correctly and use the static IPs for MIPs.



  • 2.  RE: Configure secondary block of IPs untrust interface ns5gt

    Posted 06-16-2010 18:43

    Hi,

     

    I've never tried this with DSL, but you should be able to use a Secondary Interface.  However, Secondary Interfaces aren't supported in the "Untrust" zone so you may need to move the interface to a user defined zone (i.e. Untrust2).  I think you also may be able to create a loopback interface, but you will need a policy from Untrust to Untrust to permit the traffic to the loopback.  MIPs are supported on loopbacks as well.  If nobody else responds, I would recommend reviewing the C&E for your version of ScreenOS and performing some tests.  I hope this puts you on the right track.

     

    -John



  • 3.  RE: Configure secondary block of IPs untrust interface ns5gt
    Best Answer

    Posted 06-17-2010 00:26

    Hi!

     

    You can simply configure these MIPs on the untrust interface. The MIPs can be in a different subnet from an Untrust zone interface IP address. This is a provider task, to configure routing for the additional IPs. They should edit the DSL User profile so that the additional IP pool is routed to the dynamically assigned interface address, as soon as a DSL connection has been established.

    Kind regards,

    Edouard
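
The MIP setup described in the answer above, as an added example that is not part of the original thread. It assumes the ns5gt is in its default trust-untrust port mode; every address is a constructed placeholder, and the lines starting with `#` are annotations, not commands to type.

```screenos
# Constructed values: 203.0.113.8/29 stands in for the purchased static block,
# 192.168.1.10 and 192.168.1.20 for internal servers behind the trust interface.
# One MIP per published host; a 255.255.255.255 netmask maps a single address.
set interface untrust mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vrouter trust-vr
set interface untrust mip 203.0.113.11 host 192.168.1.20 netmask 255.255.255.255 vrouter trust-vr
# A MIP passes no traffic until a policy names it as the destination.
# Permit only the service each host publishes, and log the sessions.
set policy from untrust to trust any mip(203.0.113.10) http permit log
set policy from untrust to trust any mip(203.0.113.11) https permit log
save
```

No gateway from the static block appears in this configuration: as the answer states, the MIP addresses only work once the provider routes the block to the dynamically assigned untrust address.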



  • 4.  RE: Configure secondary block of IPs untrust interface ns5gt

    Posted 06-17-2010 06:55

    I always believed that I would need to configure the gateway provided by the ISP somewhere on the NetScreen in order to make this work. I will try just adding the MIP using an IP from the secondary block and see if that gives me the result I want.

     

    As far as asking the ISP to make sure the IPs are routed to my modem, I am pretty sure they will not help me since this is a residential account and not a business account. So I have my fingers crossed that it works and I don't have to tell the customer to upgrade any further. Thanks guys.