ScreenOS Firewalls (NOT SRX)
Contributor
aweise
Posts: 36
Registered: ‎09-18-2009
Accepted Solution

Loopback group members

We have an ISG 2000 with multiple VPNs. We want to NAT some traffic coming in from one of those VPNs. In the past, I've set up a loopback interface, added MIPs and DIPs to that interface, but had to add the specific tunnel interface supporting that VPN to the loopback interface's group in order to pass and translate the traffic appropriately.

I want to do the same thing, but for a different range of IP addresses.

The original loopback interface (loopback.2) is using an IP address of 10.1.1.129/27 with MIPs in that same subnet. The interface of tunnel.6 is a member of the loopback.2 group.

The new loopback interface (loopback.4) would have an IP address of 10.10.0.254/24 and the MIPs would also be in that subnet. Since the traffic destined for that subnet would also be coming in through tunnel.6, can I make tunnel.6 a member of the loopback.4 group, also?

Thanks!

Contributor
Rontu
Posts: 17
Registered: ‎12-15-2009

Re: Loopback group members

We cannot have one tunnel interface be part of two loopback groups.

Since you have already configured a MIP for the NAT, I see no obstacles to you creating a MIP subnet that's different from the loopback.2 interface subnet; it's supported in Juniper that you can create a DIP or MIP in a different subnet than the parent interface.

Just make sure you are above ScreenOS 6.1.

Cheers,
Rog
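As an added illustration, not configuration taken from this thread or from Juniper, the following shows what the approach in the answer above looks like in ScreenOS CLI form: loopback.2 keeps its own 10.1.1.129/27 address and tunnel.6 stays in its loopback group, and the MIP for the new 10.10.0.0/24 range is defined on loopback.2 itself instead of on a second loopback interface that tunnel.6 could not also join. The zone names, the virtual router `trust-vr`, the MIP address 10.10.0.10 and the internal host 192.168.50.10 are assumed placeholders; lines beginning with `#` are annotations (ScreenOS has no comment syntax), and the exact `mip` and `loopback-group` argument order should be checked against the CLI reference for the release in use.

```text
# Existing loopback interface and its tunnel member (addresses from the thread)
set interface loopback.2 zone untrust
set interface loopback.2 ip 10.1.1.129/27
set interface tunnel.6 loopback-group loopback.2

# MIP in a subnet different from loopback.2's own subnet (the point of the answer).
# 10.10.0.10 (VPN-facing address) and 192.168.50.10 (internal host) are constructed placeholders.
set interface loopback.2 mip 10.10.0.10 host 192.168.50.10 netmask 255.255.255.255 vr trust-vr

# Policy for traffic arriving over the VPN towards the MIP. "log" is what lets the
# translation be confirmed in the policy log, as the original poster did.
set policy from untrust to trust any MIP(10.10.0.10) any permit log

# Verification: confirm the MIP is attached to loopback.2 and the policy is installed
get interface loopback.2
get policy
```

Keeping the MIP on the existing loopback interface avoids the second loopback group entirely, which is the only reason the question arose; the policy log line is the check that the translation actually occurred rather than the packet being dropped or routed untranslated.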
Contributor
aweise
Posts: 36
Registered: ‎09-18-2009

Re: Loopback group members

Thanks, Rontu. We're running 6.1.0r5 on our ISG, so we'll see if we can give that a shot.

Contributor
aweise
Posts: 36
Registered: ‎09-18-2009

Re: Loopback group members

FYI, Rontu, this looks like it worked. I did this with a MIP in the different subnet and the ISG was able to pass the traffic (verified with a policy log) to our internal network.

Thanks again!

Contributor
Rontu
Posts: 17
Registered: ‎12-15-2009

Re: Loopback group members

Happy to help

Cheers,
Rog