Screen OS

How do I assign two/multiple public IP's to the SSG 140 Firwall (w/ ScreenOS 6.10)?

 

Let's say I have the following useable public IP addresses (I'm just using the 10.x.x.x as an example):

IP's: 10.0.0.170 to 10.0.0.180

Router: 10.0.0.1

 

I've created two zones:

wanuntrust1 -- eth0/0 10.0.0.170/24

wanuntrust2 -- eth0/1 10.0.0.180/24

 

This will fail with the following error:

---

ethernet0/1 ip change pre checking failed.

Interface: Illegal overlapping subnet.

---

 

I understand the subnets are overlapping... but who cares... I should be able to manipulate my zones, routing tables, and policies to fit my needs knowing that there is an overlap.

 

What is the apporpriate way to create two publicly facing IP's that are accessible (ie, respond to pings, and can be used for seperate VPN site to site VPN channels, port forwarding, etc)?

 

Basically... how do I assign to public facing IP addresses to eth0 and eth1?

 

 

128    64    32    16    8    4    2    1
|        |      |      |     |    |    |    |

 

Subnet the network when you are using /24 you are using the whole network instead split the network into two like /29 or /30 and they you should be able to assign the public IP's to the two different interface.  Just curious why are you trying to do it like that?  Perhaps you can use the VIP option....? 

 

10.0.0.170 is publicly listed as www.ourwebsite.com with VIP port forward on 80 and 443 for web traffic and other services as needed.

 

10.0.0.180 will be used for administrative management via site to site VPN... we have intrusion detection systems in front of the firewall that we would like to drop/block/reject *all* traffic that touches this x.x.x.180 IP on any port except for our valid office headquarters.

 

We prefer to have two layers of security in case some one accidentally misconfigures something; in addition, there is no reason anyone should be able to run an ike-scan on our public interface and see that a vpn might be running... therefore we'd like to block it.

 

Finally... when I try to change the netmask to 29, or 30... it appears the eth0 or eth1 interfaces cannot reach the router at 10.0.0.1 to route external traffic. I'm a little confused... on any standard linux box.. I should be able to have eth0 and eth1... they can be on the same network with no problems... and routing can be corrected via iptables. I feel like I'm configuring something wrong on the Juniper SSG-140.

 

Thoughts or suggestions? (thanks in advance!)

 

bump... bump... any ideas from anyone? 

 

 

Is it possible you can draw a diagram of what you are trying to accomplish and also what is the IP scheme that is given to you by your ISP.  You can replace the actual numbers with different IP's but the range is important and the subnet is important.

Sure,

 

Basically...  just try and assign two IP's from the same subnet to the juniper device... (as primary IP's).

Assume we have 10.0.0.xxx   as our useable IP's.  

Router is 10.0.0.1

Netmask 255.255.255.0

 

The goal... Assign the following

10.0.0.170 / 24  as primary ip for eth0 

10.0.0.180 / 24  as primary ip for eth1  

 

 That's basically it... just want to assign two IP's on the same subnet to 2 seperate eth0 ports on the Juniper SSG-140 (v6.1.0)

 

 

Ok, I understand now, you cannot assign 2 different IP's from the same subnet.  You will have to split that network up.  So if you are using a 10.0.0.0/24 network and you want to assign two IP's to your firewall you'll have to split your network as.

 

{FOR YOUR ROUTER} 

10.0.0.0/30

Network: 10.0.0.0

First IP: 10.0.0.1

Last IP: 10.0.0.4

Broadcast: 10.0.0.5

 

{FOR ETH0} 

10.0.0.6/30

Network: 10.0.0.6

First IP: 10.0.0.7

Last IP: 10.0.0.10

Broadcast: 10.0.0.11

 

{FOR ETH1} 

10.0.0.12/30

Network: 10.0.0.12

First IP: 10.0.0.13

Last IP: 10.0.0.16

Broadcast: 10.0.0.17 

 

10.0.0.18/25 (Which will give you like 128 IP's but if you split a network you will lose IP's)  Unless you want a totally different scheme for your internal LAN. 

Sorry here is the correction:

 

{FOR YOUR ROUTER} 

10.0.0.0/30

Network: 10.0.0.0

First IP: 10.0.0.1

Last IP: 10.0.0.2

Broadcast: 10.0.0.3

 

{FOR ETH0} 

10.0.0.4/30

Network: 10.0.0.4

First IP: 10.0.0.5

Last IP: 10.0.0.6

Broadcast: 10.0.0.7

 

{FOR ETH1} 

10.0.0.8/30

Network: 10.0.0.8

First IP: 10.0.0.9

Last IP: 10.0.0.10

Broadcast: 10.0.0.11

 

My tests seem to confirm what you proposed. ... ie... it does not appear possible, but rather, you would have to segment out your network, or use dip, or vip to use another ip in the same subnet block.  thanks for clarifying this and your help!

I was reading some comments at this forum and I saw your question just now !!!

 

My friend, at first, sorry for delay so many months to help you, but let's go ahead.

 

Although I do not thing it is a good idea you do this, you can configure your screenOS to support network overlap.You just need to configure it in the virtual router that you are using to route for these two interfaces.

Probably your virtual router is "trust-vr". Right?

 

So, just execute this command:  "set vrouter trust-vr ignore-subnet-conflict".

 

Regards,

 

Flavio Onofre (from Brazil) 🐵

Hi all, I've the same config request, the different is I'm managed the 2nd IP is binding to sub-int, however, the status of sub-int is "down" from GUI plus the "Admin Status Up" is checked, and seems there is no way to "turn" the sub-int. Also, the sub-int is belongs to the e0/1 of my firwall primary NIC and it's working.

 

pls advise how to "enable" this sub-int newaly added