Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 09:35

    I am trying to configure additional vrouters in an SSG140 to isolate network traffic for specific customers.  The default trust-vr is working fine.  I have created a second vrouter named Customer-VR and added an interface for the internal traffic on an isolated VLAN in our switch.  I have added a second interface to the new vrouter as its untrust connection.

     

    The second vrouter's untrust connection, which is assigned to ethernet0/5, is connected to the same ISP as the default vrouter, but it has its own IP block and routing setup.  I have created a policy allowing any outbound traffic from the new internal zone to the new untrust zone.

     

    When configuring the IP address on the new vrouter's untrust interface I get a message from the WebUI about an IP conflict being detected, even though the address spaces are different and have different routes.



  • 2.  RE: Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 09:41

    Can you send the configuration?  It sounds like there are overlapping subnets configured, which by default is not permitted.



  • 3.  RE: Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 09:49

    I have attached a copy of the config.  I replaced the external IP for the default vrouter with 1.1.1.x and the custom vrouter external interface with 2.2.2.x

    Attachment(s): ssg140-cfg.txt (65 KB)


  • 4.  RE: Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 09:57

    Could you provide the exact error message? 



  • 5.  RE: Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 09:59

    I would also recommend removing the "permanent" flag from the routes.



  • 6.  RE: Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 10:04

    should I remove the permanent flag on all entries or just the 0.0.0.0/0 for both vrouters?



  • 7.  RE: Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 10:00

    The error reads "System detect an IP 2.2.2.196 conflict on interface ethernet0/5".

     

    The real issue is that the computers behind this vrouter cannot get out to the internet, and I think it is related to this error being generated.



  • 8.  RE: Configuring SSG-140 for multiple vrouters
    Best Answer

    Posted 09-24-2014 10:05

    That indicates that there is another device that has the same IP address assigned.

     

    As for not being able to get out, it is most likely due to the firewall not NATing the traffic.  NAT automatically happens for trust-to-untrust and DMZ-to-untrust traffic as long as the trust interface is in NAT mode and the untrust interface is in route mode.  However, as you are using custom zones, you have to specify NAT in the policy.  Set policy ID 341 to src NAT using the egress IP.
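    The ScreenOS CLI equivalent of the setup the best answer describes, as an added example that is not the poster's attached config and not part of the original thread. Zone names, ethernet0/4, the 10.20.0.0/24 customer subnet and the upstream gateway 2.2.2.193 are assumptions; the 2.2.2.x block mirrors the sanitised addresses used in the thread, and policy 341 is the ID the answer names. Lines starting with `#` are annotations added here, not ScreenOS syntax.

```text
# 1. Second virtual router, with two custom zones bound to it
#    (interfaces inherit the vrouter from the zone they are placed in)
set vrouter name "Customer-VR"
set zone name "Customer-Trust"
set zone "Customer-Trust" vrouter "Customer-VR"
set zone name "Customer-Untrust"
set zone "Customer-Untrust" vrouter "Customer-VR"

# 2. Interfaces, both in route mode. Interface-based NAT is what makes
#    the default Trust -> Untrust case translate automatically; it does
#    not apply to these custom zones, so the policy has to do it instead.
set interface ethernet0/4 zone "Customer-Trust"
set interface ethernet0/4 ip 10.20.0.1/24
set interface ethernet0/4 route
set interface ethernet0/5 zone "Customer-Untrust"
set interface ethernet0/5 ip 2.2.2.196/29
set interface ethernet0/5 route

# 3. Default route inside the new vrouter (no "permanent" flag, per reply 5)
set vrouter "Customer-VR" route 0.0.0.0/0 interface ethernet0/5 gateway 2.2.2.193

# 4. The outbound policy. "nat src" with no DIP pool translates the
#    source to the egress interface address, 2.2.2.196. Without it the
#    10.20.0.x sources leave untranslated and the ISP cannot route replies.
set policy id 341 from "Customer-Trust" to "Customer-Untrust" "Any" "Any" "ANY" nat src permit log

# 5. Checks after applying: interface zone/mode/IP, the vrouter's routing
#    table, and a live session from a customer host (10.20.0.50 assumed)
#    showing the translated source address.
get interface ethernet0/5
get vrouter "Customer-VR" route
get session src-ip 10.20.0.50
```

    The conflict message is a separate problem from the missing NAT: ScreenOS raises it when another station on the ethernet0/5 segment answers for 2.2.2.196, so the fix there is to find the other device on the ISP side rather than to change the firewall configuration.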



  • 9.  RE: Configuring SSG-140 for multiple vrouters

    Posted 09-24-2014 10:09

    Genius is always so simple.  It was the NATing.  I didn't realize that did not happen automatically in custom VRs.  Thanks for the quick help.