ScreenOS Firewalls (NOT SRX)
Visitor
IT_Support
Posts: 8
Registered: ‎08-04-2009

How to configure 2 WAN IPs on SSG 140?

Hello,

I got 1 WAN IP + 32 LAN IPs from my ISP.

IPs given by ISP >>

WAN IP > 115.113.153.x/30

LAN IP > 115.113.65.x/27

Unfortunately the LAN IPs are from another subnet and the mask is also /27, not /30.

How can I configure the LAN IP on my SSG so that I can browse the internet on that specific leased line?

Currently I have configured another leased line on the same firewall & everything is working fine.

This link I want to use for some other purpose.

I tried to dig in Routing > Source but I don't think that would help.

Any help?

Regards,

Amey.

Distinguished Expert
spuluka
Posts: 2,625
Registered: ‎03-30-2009

Re: How to configure 2 wan IP's on ssg 140?

In KB11911 there is an outline of options for public IP MIP. There are options you'll need to review and see which best suits your situation.

This scenario is on number 7:

Is the IP address of the firewall's public interface in the same subnet as the Server Public IP address? For example, in Figure 1, Server Public IP (1.1.1.2) belongs to the same network segment as the Untrust IP (1.1.1.1).

No - In ScreenOS 6.0 and below, a MIP (Mapped IP) can be on a different subnet than the interface IP subnet only if the interface is in a zone named 'Untrust'. Therefore, choose one of the following options:

    •    Either create the MIP on an interface in the Untrust zone (i.e. refer to the three resources above)

OR

    •    Instead of using a MIP, use a combination of policy NAT-dst for inbound communication:
            •    KB12631 - ScreenOS Cookbook Recipe 8.6 - Configure Destination NAT
            •    AND policy NAT-src for outbound communication options:
            •    KB11901 - [Outbound direction] How to configure Source Network Address Translation (NAT-src) and source Port Address Translation (PAT)

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Visitor
IT_Support
Posts: 8
Registered: ‎08-04-2009

Re: How to configure 2 wan IP's on ssg 140?

Thanks Steve for the quick reply.

It seems like I can go with "MIP".

In my case I want the full subnet to be able to access the internet.

What I did is fixed a LAN cable to int 0/7 on my SSG.

Made sure the leased line is working fine, as it was working earlier with my other Cisco router.

Assigned WAN IP to eth 0/7 with mask etc.

Now went to MIP.

Mapped private IP with public LAN IP given by ISP.

But when I tried to look up the outgoing IP it showed the public IP of my other link.

I created a bidirectional policy on a temp basis for that host but it didn't work.

Any clue what can be the reason?

I added the host entry in Policy > Policy Elements > Address > "Trust" list.

And yes I made eth 0/7 an untrusted int in the "Interfaces" section, same as I set up for the other lines.

Regards,
Amey.

Contributor
TravisJohnson
Posts: 116
Registered: ‎12-14-2009

Re: How to configure 2 wan IP's on ssg 140?

Hello Amey,

Take a look at PBR (policy-based routing). It allows you to specify certain traffic to take a different route based on host, port, etc.
Trusted Contributor
rfrederick
Posts: 213
Registered: ‎07-14-2008

Re: How to configure 2 wan IP's on ssg 140?

I think that what you are looking for would be to configure the /27 on a loopback interface, and the /30 on the external interface itself. You then configure the external interface to be in a loopback group with the loopback interface that has the IP. That way, you can use those addresses in the /27 for whatever purpose you want. The loopback group can also direct the loopback interface to be down when the external interface is down, so any dynamic routes can be removed from the routing table. There is a config doc available here:

http://kb.juniper.net/kb/documents/public/kbdocs/BK9398/SSG_WAN-LAN_Configuration_v1_0.pdf

Ron

Distinguished Expert
spuluka
Posts: 2,625
Registered: ‎03-30-2009

Re: How to configure 2 wan IP's on ssg 140?

Interesting, a MIP is supposed to be bi-directional but apparently it is only mapping the inbound for you here.

It sounds like you will need to use the alternate method in the tech note above. Part one of that method is mapping the inbound request while the second part is mapping your outbound traffic. Since the inbound request is working with the MIP, perhaps you could just add the second part to the mix to get your outbound working correctly.

-------

KB11901 - [Outbound direction] How to configure Source Network Address Translation (NAT-src) and source Port Address Translation (PAT)

Using Step 10:

Do you need a one-to-one mapping of the internal IP addresses to a public (or external) IP address, i.e. do you want to ensure that an internal client IP address is always translated to the same external IP address?

Yes - The following example can be used to configure your requirement. 'Address Shifting' ensures internal IP addresses are always translated to the same external IP address. ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation
Chapter 2 - Source Network Address Translation
"NAT-Src from a DIP Pool with Address Shifting"
Example: NAT-Src with Address Shifting
Note: PAT will not take place with 'Address Shifting'.

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009

Re: How to configure 2 wan IP's on ssg 140?

Hi,

I would configure a couple of DIP pools, covering the network 115.113.65.x/27, as extended IP space on the WAN interface and use policy-based NAT only (no MIPs, no VIPs). Policy-based NAT is absolutely flexible and understandable. A separate DIP with a single IP should be defined for each system that should always be source-NATted to the same IP. Any IP from any DIP can be used for destination NAT. You can mimic MIPs and VIPs, use two or more public IPs for a single host, use source NAT dependent on the protocol, etc.

Kind regards

Edouard

Visitor
IT_Support
Posts: 8
Registered: ‎08-04-2009

Re: How to configure 2 wan IP's on ssg 140?


echidov wrote:

Hi,

I would configure a couple of DIP pools, covering the network 115.113.65.x/27, as extended IP space on the WAN interface and use policy-based NAT only (no MIPs, no VIPs). Policy-based NAT is absolutely flexible and understandable. A separate DIP with a single IP should be defined for each system that should always be source-NATted to the same IP. Any IP from any DIP can be used for destination NAT. You can mimic MIPs and VIPs, use two or more public IPs for a single host, use source NAT dependent on the protocol, etc.

Kind regards

Edouard


Went through all options. DIP pool seems useful to me.

I can see existing DIPs for the other link [although I don't know why that was done by the Juniper guys when they configured my SSG 140 box last year].

Now I am going to make these changes >>

Add 115.113.65.x/ IP in DIP and select the "incoming NAT" option at the top from the web UI & also Port-Xlate as DIP type.

But how to configure PBR?

This is just going to be the initial phase.

After this I need to do load balancing for a single VPN. I don't know if it's possible in practice.

Possible to integrate 2 leased lines into 1 single VPN tunnel [preshared key based]?

Update: I configured the 115.113.153.x IP on eth 0/7. Now I clicked on DIP and tried to add the 115.113.65.x IP and it showed me the following error > The dynamic IP must be in the same subnet as the interface IP or its secondery IPs.

 

 

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009

Re: How to configure 2 wan IP's on ssg 140?

Hi,

You should add the DIPs using the "In the same subnet as the extended IP" option and configure "Extended IP/Netmask". You can use the network IP 115.113.65.x/27 as the Extended IP. E.g. Extended IP is 115.113.65.0/27, DIP is 115.113.65.1. Do not select "incoming NAT". If eth0/7 is not mapped to the Untrust zone, you cannot use the Extended IP and should configure a secondary IP, provided that you do not have a very old ScreenOS version. Older versions supported, as far as I remember, secondary IPs in the Trust zone only. DIPs can then be configured with the "In the same subnet as the interface IP or its secondary IPs" option.

What is confusing me is "another leased line". You wrote: "Unfortunately the LAN IPs are from another subnet and the mask is also /27, not /30." So I assumed that you have got an ISP connection with one usable address 115.113.153.x/30 and an additional public network 115.113.65.x/27 that is routed on this ISP link. This is a typical configuration. But if you have another link to the same provider and the second network is routed on another link, we have problems different from the difficulties with the NAT.

Please provide me with more details regarding the ISP connection(s).

Kind regards,

Edouard

Visitor
IT_Support
Posts: 8
Registered: ‎08-04-2009

Re: How to configure 2 wan IP's on ssg 140?


>>>> What is confusing me is "another leased line". You wrote: "Unfortunately the LAN IPs are from another subnet and the mask is also /27, not /30." So I assumed that you have got an ISP connection with one usable address 115.113.153.x/30 and an additional public network 115.113.65.x/27 that is routed on this ISP link. <<<<

You are right. I got usable IPs from the same ISP from the 115.113.65.x/27 subnet.

I tried to add the DIP successfully with "incoming NAT". You mean to say I should not select "incoming NAT". [I'll do that]

After adding the DIP what shall I do?

I'll be adding 1 IP from the 115.113.65.x range.

What would be the next steps?

Most probably I'll configure a squid proxy server and will assign an IP, say 192.168.1.5, and this private IP will be NATted to a 115.113.65.x IP.

And yes, eth 0/7 is named/mapped as an untrusted int in my firewall.

Regards,

Amey.
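Pulling the thread's advice together as a ScreenOS CLI configuration: the routed /27 attached as extended IP space on eth0/7, a single-address DIP with fixed ports so the squid proxy at 192.168.1.5 always leaves as one public address (the one-to-one mapping Steve's KB excerpt and Edouard's "one DIP per system" both describe), and policy NAT-dst for inbound instead of "incoming NAT" or a MIP. This is an added example, not from any of the posters or from Juniper; the host octets .2 (WAN), .1 (ISP gateway) and .1 (first /27 address) are constructed stand-ins for the ".x" the thread masks, and the `ext ip <ip> <netmask>` argument order should be confirmed against the box's own `set interface ethernet0/7 ext ?` help before pasting.

```screenos
# Lines starting with "#" are annotations for the reader, not ScreenOS commands.
# Constructed addresses: 115.113.153.2 (WAN /30, ISP side .1) and 115.113.65.1
# (first usable /27 address) replace the ".x" octets given in the thread.

# 1. WAN interface: the /30 on eth0/7, which must sit in the Untrust zone for
#    an extended IP in a different subnet to be accepted (ScreenOS 6.0 and below).
set interface ethernet0/7 zone untrust
set interface ethernet0/7 ip 115.113.153.2/30

# 2. DIP pool 5 carved from the routed /27, bound via "ext ip" rather than the
#    interface subnet (the WebUI option "In the same subnet as the extended IP";
#    this is what clears the "must be in the same subnet as the interface IP" error).
#    Start == end address and fix-port: one internal host maps to one public
#    address with no PAT. Do not tick "incoming NAT"; inbound is done in step 5.
set interface ethernet0/7 ext ip 115.113.65.0 255.255.255.224 dip 5 115.113.65.1 115.113.65.1 fix-port

# 3. Address objects for the proxy, one per zone.
set address trust "squid-proxy" 192.168.1.5/32
set address untrust "squid-proxy-public" 115.113.65.1/32

# 4. Outbound: policy NAT-src from DIP 5, so the proxy is always seen as 115.113.65.1.
#    Restricting the source to the proxy object keeps other Trust hosts on the
#    existing link's NAT.
set policy from trust to untrust "squid-proxy" any any nat src dip-id 5 permit log

# 5. Inbound (only if the proxy must be reachable from outside): connections to
#    115.113.65.1 on TCP/8080 are translated to 192.168.1.5 by policy NAT-dst.
#    Limiting the service to the proxy port avoids exposing the whole host.
set service "squid-8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set policy from untrust to trust any "squid-proxy-public" "squid-8080" nat dst ip 192.168.1.5 permit log

# 6. Routing caveat: NAT only rewrites addresses; the session must also egress
#    eth0/7. With the other leased line already holding the default route, a
#    second 0.0.0.0/0 here would compete with it, which is exactly the PBR
#    question raised in the thread. Shown for a single-link box only.
set route 0.0.0.0/0 interface ethernet0/7 gateway 115.113.153.1

# 7. Checks: DIP 5 bound to eth0/7 and a proxy session translated to 115.113.65.1.
get dip
get session src-ip 192.168.1.5
```

If the ISP routes the /27 towards the /30 peer, return traffic for 115.113.65.1 arrives on eth0/7 and the extended IP answers ARP for it; if `get session` shows the proxy's sessions still leaving via the first link, the routing in step 6 (or PBR) is the missing piece, not the NAT.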

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.