Screen OS

  • 1.  Forward public ip to device directly attached to ssg interface

    Posted 10-13-2016 03:25

    Greetings to all the experts.

    I am self-taught and I am not much of a NetScreen expert.

     

    I have one ISP router (A), one SSG140 and one other provider router (B).

     

    I should assign 1 Public IP to router (B) directly connected to interface X of my SSG.
    Traffic to and from this public IP is going through the provider router (A) connected to interface Y of the SSG.
    These are the steps :
    isp router (A) > interface Y ssg (n public ip) > interface X ssg > router (B one public ip)
    Router B must manage a VPN (for this it must have a public IP): I cannot use the SSG NAT functions.

    The solution proposed by the provider of router B requires the use of a switch in front of the SSG140:
    traffic to the public IP assigned to router B would be managed directly without going through the SSG.
    I do not like this solution and I'd like to handle it with the SSG interfaces, but I have no idea how to do it.


    Sorry for my bad English (I used Google Translate ...)

    thank you



  • 2.  RE: Forward public ip to device directly attached to ssg interface

    Posted 10-13-2016 04:10

    Hi,

     

    I understand that your VPN is terminating on Router B and the other VPN peer is behind ISP router A. Don't you have a route from Router A to the router and the in-between devices for end-to-end communication?

     

    Thanks,

    Vikas



  • 3.  RE: Forward public ip to device directly attached to ssg interface

    Posted 10-13-2016 04:25
    Hi,
     
    No, router A (Cisco 1841) has only one interface.
     
    thank you


  • 4.  RE: Forward public ip to device directly attached to ssg interface

    Posted 10-14-2016 00:09

    Hi,

     

    Can you let us know the topology, including both VPN endpoints and the IP interfaces? You can use any random public IPs instead of your actual public IPs if you don't want to disclose them.

     

    Thanks,

    Vikas




  • 5.  RE: Forward public ip to device directly attached to ssg interface

    Posted 10-14-2016 01:29

    I hope that this scheme is clear

    thanks

    Cattura_1.JPG



  • 6.  RE: Forward public ip to device directly attached to ssg interface

    Posted 10-14-2016 03:16

    Hi

    1: I hope you are not doing any interface-based NATing (DIP, MIP, VIP) on the firewall interface for IP 188.x.x.235.
    2: Your router A would have a route to send packets destined to the IP 188.x.x.235 to the SSG140, right?
    3: Router B is connected to the SSG140, so I am considering they also have IP connectivity.

     

    This should work if you have a proper route on the SSG140 to send 188.x.x.235 traffic to Router B via Eth4. Or is your problem that Eth4 doesn't have a public IP?

     

    Thanks,

    Vikas



  • 7.  RE: Forward public ip to device directly attached to ssg interface
    Best Answer

    Posted 10-14-2016 08:24

    How about moving all config from int1 to bgroup and then adding int1 and int4 to bgroup. Then it's both a switch AND handling it with ssg interfaces.



  • 8.  RE: Forward public ip to device directly attached to ssg interface

    Posted 11-15-2016 23:38

    It is the simplest and best solution!

    thanks

     

    renato



  • 9.  RE: Forward public ip to device directly attached to ssg interface

     
    Posted 10-17-2016 04:27

    Hi,

     

    If you need to have Router-B behind the SSG with a public IP, you will end up using one more public IP, because int-4 needs an IP from the same 188.x.x.x subnet.

     

    The easiest way to get this done would be by configuring a private IP on R-B and mapping it to MIP->188.x.x.235 on int1. If this is an IPSec VPN, please ensure both the VPN endpoint and R-B support NAT-T.

     

    If you do not want NAT, you can follow the suggestion provided by Nikolay.