ScreenOS Firewalls (NOT SRX)
Contributor
clintmiller
Posts: 14
Registered: ‎05-19-2009
Accepted Solution

Interface/router setup for new circuit

I have an SSG 140 ready to serve as the only hardware between my LAN and my ISP's network. It's an Ethernet-based DIA product, so no T1s or other WAN circuits to terminate.

They provided me with 2 IP blocks on the circuit spec sheet:

** WAN **
1.1.1.16/30
ISP side: 1.1.1.17
Customer side: 1.1.1.18

** LAN **
2.2.2.128/28
Customer gateway: 2.2.2.129
Usable range: 2.2.2.130 - 2.2.2.142

I was able to obtain Internet connectivity by assigning the 1.1.1.18 address to my untrust interface in the untrust zone and then setting my default route 0.0.0.0/0 to 1.1.1.17.

My question is, how do I use the LAN (funny name since they are publicly routable) addresses as I need for DMZ or mapped IP for hosts in my trust zone? Oh, and how does the LAN gateway end up being used?

This setup makes much more sense to me when there's been some ISP-owned equipment to terminate a WAN connection. In that instance, I've never had to worry about anything but the "LAN" portion, but now, I need help!

Thanks!
Recognized Expert
traceoptions
Posts: 152
Registered: ‎04-29-2008

Re: Interface/router setup for new circuit

Your WAN interface is the /30. The LAN allocation they gave you can be defined either logically via a loopback, as a physical network on an interface of the SSG, or as a combination of both. Your ISP should be routing that /28 block to your untrust interface.

Their specification of a LAN gateway is just a specification. You can define any address outside of the broadcast or the network address as the gateway in that block. It's just best to pick either the first usable or the last.

Here are 3 different scenarios.

Use of the loopback interface to provide a holding spot for MIPs for access to your trust network.

For MIPs to your trust, assign the LAN block to a loopback interface and create your MIPs from there.

set int loop.1 zone untrust
set int loop.1 ip 2.2.2.129/28

You may want to make the interface pingable during testing to verify routing.

set int loop.1 manage ping
set int loop.1 mip 2.2.2.130 host 10.1.1.1 netmask 255.255.255.255 vr trust-vr

To ping the interface, even though you have allowed it to be manageable via ping, you will still need to create an untrust-to-untrust policy to allow it as well. You can go untrust to untrust any, or you can lock it down to a specific protocol.

Then create the MIP policy and you should have access.

Physical DMZ network, with publicly routed LAN block.

From a DMZ, this is just assigning the LAN allocation to an interface. If your DMZ zone is assigned to a different virtual router from the one your untrust interface is in, you will need a route between the virtual routers.

set int e0/2 zone dmz
set int e0/2 ip 2.2.2.129/28

Then create a policy from untrust to dmz, or vice versa, for access.

A combination of both.

If you want to do a bit of both, you will need to split your allocation.

So break the 2.2.2.128/28 into 2.2.2.128/29 and 2.2.2.136/29. Then use one block for the loopback and the other for the DMZ.

Hope this helps out.

Message Edited by shadow on 05-19-2009 10:42 PM
JNCIE-ENT #424 JNCIP-SEC, JNCI @traceoptions

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
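The three scenarios from the reply above, combined into one ScreenOS configuration as an added example (this is not the reply's own configuration and was not taken from the poster's device). It assumes ethernet0/0 is the untrust interface and ethernet0/2 the DMZ interface, splits the /28 into 2.2.2.128/29 for the loopback and 2.2.2.136/29 for the DMZ as the reply suggests, and uses 10.1.1.1 (a trust host published through a MIP) and 2.2.2.138 (a DMZ web server) as placeholder hosts. Lines beginning with # are annotations for the reader, not ScreenOS commands; strip them before pasting.

```screenos
# WAN: the /30 on the untrust interface, default route to the ISP side
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 1.1.1.18/30
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.17
# Do not offer device management on the Internet-facing interface
unset interface ethernet0/0 manage web
unset interface ethernet0/0 manage telnet
unset interface ethernet0/0 manage ssh

# Scenario 1 (first /29, 2.2.2.128/29): loopback in untrust holds MIPs
# for hosts that stay in the trust zone on private addresses
set interface loopback.1 zone untrust
set interface loopback.1 ip 2.2.2.129/29
set interface loopback.1 mip 2.2.2.130 host 10.1.1.1 netmask 255.255.255.255 vr trust-vr
# MIP policies: permit only the services that host actually publishes,
# never "any"; the MIP is referenced as MIP(address) in the destination field
set policy from untrust to trust any MIP(2.2.2.130) HTTP permit
set policy from untrust to trust any MIP(2.2.2.130) HTTPS permit

# Temporary, to confirm the ISP routes the /28 toward 1.1.1.18: answer ping on
# loopback.1 plus the intra-zone policy the reply mentions. Remove both afterwards.
set interface loopback.1 manage ping
set policy from untrust to untrust any any PING permit

# Scenario 2 (second /29, 2.2.2.136/29): physical DMZ on ethernet0/2,
# route mode so DMZ hosts keep their public addresses
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 2.2.2.137/29
set interface ethernet0/2 route
set address dmz web-dmz 2.2.2.138 255.255.255.255
set policy from untrust to dmz any web-dmz HTTP permit
set policy from untrust to dmz any web-dmz HTTPS permit
# Egress from the DMZ stays explicit as well, rather than "any any any"
set policy from dmz to untrust web-dmz any DNS permit
set policy from dmz to untrust web-dmz any HTTP permit
```

With this layout 2.2.2.129 and 2.2.2.137 are consumed as the gateways of the two /29s, leaving .130 to .134 for MIPs on the loopback and .138 to .142 for DMZ hosts. The predefined untrust, trust and dmz zones all sit in trust-vr by default, so no inter-VR route is needed here; if untrust has been moved into untrust-vr, add the route between virtual routers that the reply describes. Once a ping to 2.2.2.129 from outside answers, unset the ping management flag on loopback.1 and delete the untrust-to-untrust PING policy, since an open intra-zone policy on the Internet-facing zone is not something to leave in production.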
Contributor
clintmiller
Posts: 14
Registered: ‎05-19-2009

Re: Interface/router setup for new circuit

Very helpful. Thanks for explaining all of the different options. I couldn't get out of my mind the idea that this would require 2 routers (or two vrouters), but you helped me understand more of the options.

Thanks

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.