ScreenOS Firewalls (NOT SRX)
Trusted Contributor
ac
Posts: 353
Registered: ‎11-01-2007

Multiple Subnets on the Untrust for a 5GT (Most Read threads copied from the old J-Net)

 
jmiller
Posts: 4
Registered on:
May 10, 2006
Multiple Subnets on the Untrust for a 5GT
Posted: May 11, 2006  11:57 AM 262 views  

When our 5GT was originally set up, a /30 was applied to Eth3 (Untrust). We now need additional public IPs, so our ISP provided a second subnet to be applied to our router and in turn to our 5GT. Any help on the steps for adding this second subnet to the 5GT would be appreciated. Thank you.

John

 

aroper
Posts: 133
Registered on:
Apr 23, 2006

RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 11, 2006  1:25 PM 262 views  
In reply to: Multiple Subnets on the Untrust for a 5GT — When our 5GT was originally set up a /30 was applied to Eth3 (Untrust)....
posted by jmiller on May 11, 2006  11:57 AM
You would need to set up the 5GT in Dual-Untrust mode, split the Internet feed coming into the firewall and set up the new subnet on the second Untrust interface.
jmiller
Posts: 4
Registered on:
May 10, 2006

RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 11, 2006  4:32 PM 261 views
In reply to: RE: Multiple Subnets on the Untrust for a 5GT — You would need to set up the 5GT in Dual-Untrust mode, split the...
posted by aroper on May 11, 2006  1:25 PM

I was really hoping to avoid that. If that's the only way, I guess I will remove the /30. Too bad a secondary IP cannot be added to the Untrust interface...

jng
Posts: 29
Registered on:
Apr 17, 2006

RE: RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 12, 2006  6:28 AM 255 views
In reply to: RE: RE: Multiple Subnets on the Untrust for a 5GT — I was really hoping to avoid that. If that's the only way, I guess I...
posted by jmiller on May 11, 2006  4:32 PM
Dear Jmiller,

To answer your question technically: if you need both ISP links to run concurrently, then you need some multihoming device on top of the NS5GT, "some kind of ISP load balancer", in order to load balance both ISP links. Then your NS5GT will still be tied to one interface, "eth3", to go out to the Internet.
If you only need failover between both ISP links, the NS5GT dual untrust mode will be the best choice. The NS5GT will fail over the dual untrust interfaces based on the tracking IP.

Regards,
Janus
jmiller
Posts: 4
Registered on:
May 10, 2006

RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 12, 2006  7:28 AM 265 views
In reply to: RE: RE: RE: Multiple Subnets on the Untrust for... — Dear Jmiller,To answer your question in technically, if you need both...
posted by jng on May 12, 2006  6:28 AM

Thank you for the response.

There is only one Internet connection. Just multiple subnets routed to it. Typically I would add a secondary IP to the router and point to it. This is not a load balancing situation.

In this case we have two routing components. The Cisco and the Netscreen. I can assign the Cisco a secondary IP from the supplemental subnet provided by the ISP. My ultimate objective is to assign a MIP to point from one of the new addresses to a host in the trusted zone. This requires binding the new subnet to the Netscreen's untrusted port in some fashion.

I do not want to use dual untrusted ports when there is really only one bandwidth source. The new subnet is large enough to encompass all of our needs. I was hoping to avoid downtime by adding additional routing rather than replacing the existing routing.

My other option is to make the changes to the Cisco and then place the target for the MIP outside the firewall. This is not desirable, due to the loss of the control offered by the Netscreen...

jkim
Posts: 14
Registered on:
Jan 2, 2006

RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 12, 2006  12:51 PM 257 views
In reply to: RE: Multiple Subnets on the Untrust for a 5GT — Thank you for the response. ...
posted by jmiller on May 12, 2006  7:28 AM

What if you used a sub-interface on the untrust side and put your secondary subnet on it?

Then create a MIP on the sub interface to your private ip on the trust side.

jparapurath
Posts: 42
Registered on:
Mar 29, 2006

RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 12, 2006  12:55 PM 252 views
In reply to: Multiple Subnets on the Untrust for a 5GT — When our 5GT was originally set up a /30 was applied to Eth3 (Untrust)....
posted by jmiller on May 11, 2006  11:57 AM
You can create a loopback interface on the untrust side and assign it an IP address
akelkar
Posts: 18
Registered on:
May 6, 2006

RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 17, 2006  9:54 PM 220 views
In reply to: RE: Multiple Subnets on the Untrust for a 5GT — You can create a loopback interface on the untrust side and assign it an...
posted by jparapurath on May 12, 2006  12:55 PM

Hi,

Having a sub-interface on the untrust interface and then mapping the ISP IP to the host inside sounds like the perfect solution.

 

-AK

jmiller
Posts: 4
Registered on:
May 10, 2006

RE: RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 18, 2006  8:36 AM 218 views
In reply to: RE: RE: Multiple Subnets on the Untrust for a 5GT — Hi, ...
posted by akelkar on May 17, 2006  9:54 PM

I agree. How do you create sub-interfaces on the NS5GT untrust side? ScreenOS is 5.2.

I did not see a command for it in the CLI.

John

 

aroper
Posts: 133
Registered on:
Apr 23, 2006

RE: RE: RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 18, 2006  1:41 PM 213 views
In reply to: RE: RE: RE: Multiple Subnets on the Untrust for... — I agree, how do you create sub-interfaces on the NS5GT untrusted? Screen...
posted by jmiller on May 18, 2006  8:36 AM
I'm not totally up on setting it up via the CLI, but in order to set up the sub-interface on the 5GT via the WebUI you would do the following:

Log into the WebUI
Click on Interfaces
In the drop-down next to "New", select sub-interface, Click "New"
Configure the parameters, be sure to pick the right interface name and zone type
Save and apply
Be sure to have route statements for the new subnet
Define your MIP on the new sub-interface

The following link in the KB discusses this same thing:

http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c19029d1

Regards,
Andrew
cjoyce
Posts: 4
Registered on:
May 22, 2006

RE: RE: RE: RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: May 23, 2006  2:59 PM 203 views
In reply to: RE: RE: RE: RE: Multiple Subnets on the Untrust... — I'm not totally up on setting it up via the CLI, but in order to set-up...
posted by aroper on May 18, 2006  1:41 PM
Why bother defining the subnet on the Untrust interface?

You should assume that the ISP is routing your new network via your end of the /30 that connects your firewall to the ISP.

All you need to do is set up MIPs or DIPs on your firewall for traffic that leaves your site destined for the Internet, and for the traffic which is coming in to VIPs (TCP redirects) use NAT-DST. These MIPs and DIPs are defined on the Untrust interface, and do NOT need to be in the same subnet as the link to the ISP.

Note that you can't do VIPs on an IP subnet other than that configured on the untrust interface. You will need to use NAT-DST to achieve this kind of functionality.

For this, I refer you to the following:
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108031d1d8f0057a6
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108031d1d8f0057d9
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108031d1d8f0057bf

Refer to ScreenOS guides for detailed configuration information and examples on NAT-dst.

Cheers,

Craig Joyce
JNCIS-FWV, JNCIA-IDP, JNCIA-WX, JNCIA-SSL
sbrainerd

Posts: 7
Registered on:
May 17, 2006

Multiple Subnets on the Untrust for a 5GT
Posted: Jun 24, 2006  9:14 AM 159 views
In reply to: RE: RE: RE: RE: RE: Multiple Subnets on the... — Why bother defining the subnet on the Untrust interface? You should...
posted by cjoyce on May 23, 2006  2:59 PM

Now that is what I call a clever solution, using dest-nat with MIP/VIP on the secondary subnet. 

So when you create a dest-nat entry, will the firewall respond appropriately to ARP requests from the Internet-facing router?

I have long been wondering why Juniper never allowed a secondary IP address on the Untrust zone but this seems to be an equally acceptable solution.

One other interesting note is that Juniper routers running JunOS don't have the concept of a secondary IP.  You can have multiple IP addresses assigned to an interface and they are all "equal" in a sense. 

sstar_internet
Posts: 1
Registered on:
Jan 15, 2007

RE: RE: Multiple Subnets on the Untrust for a 5GT
Posted: Jan 16, 2007  8:50 AM 77 views
In reply to: RE: Multiple Subnets on the Untrust for a 5GT — Thank you for the response. ...
posted by jmiller on May 12, 2006  7:28 AM
The best way to do this is to add the secondary IP range into the routing table on the Netscreen.
Place it on the untrust interface with a gateway IP address of 0.0.0.0. This basically tells the Netscreen that it owns this IP range.
You can then use the IPs in MIPs, DIPs and destination NAT as normal.
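The approach cjoyce and sstar_internet describe (keep the /30 on the Untrust interface, treat the new routed subnet as something the firewall owns, and use MIP, NAT-dst and DIP for the actual mappings), written out as ScreenOS CLI. This is an added illustration, not configuration posted in the thread or taken from Juniper's KB; the addresses are constructed documentation ranges, the host names and DIP id are hypothetical, and the exact route and policy syntax should be checked against the CLI reference for the ScreenOS version actually in use (5.2 in this thread) before it is typed into a production box. Lines beginning with "#" are annotations, not CLI input.

```screenos
# Constructed addressing (not from the thread):
#   ISP link /30      : 198.51.100.0/30, firewall side 198.51.100.2, ISP side 198.51.100.1
#   new routed subnet : 203.0.113.0/24, routed by the ISP to 198.51.100.2
#   inside hosts      : 10.1.1.10 (web) and 10.1.1.11 (mail) in the trust zone

# 1. The original /30 stays on ethernet3, with the default route towards the ISP.
set interface ethernet3 zone untrust
set interface ethernet3 ip 198.51.100.2/30
set route 0.0.0.0/0 interface ethernet3 gateway 198.51.100.1

# 2. sstar_internet's tip: a route for the new range pointing at ethernet3 with a
#    null gateway, so the firewall treats the range as its own. Without it, a packet
#    for an address in the range that has no MIP/DIP/NAT-dst entry would match only
#    the default route and be sent back out ethernet3 to the ISP, which routes it
#    back again until the TTL expires.
set route 203.0.113.0/24 interface ethernet3 gateway 0.0.0.0

# 3. Inbound 1:1 mapping: a MIP bound to ethernet3 whose address is not in the
#    interface's own /30 (cjoyce's point that MIPs need not share that subnet).
set interface ethernet3 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(203.0.113.10) HTTP permit

# 4. Inbound service-level redirect with NAT-dst, which replaces VIP because VIPs
#    can only use addresses from the subnet configured on the untrust interface.
set address untrust "pub-mail" 203.0.113.11 255.255.255.255
set policy from untrust to trust any "pub-mail" SMTP nat dst ip 10.1.1.11 permit

# 5. Outbound source NAT from the new range using a DIP pool on ethernet3.
set interface ethernet3 dip 5 203.0.113.20 203.0.113.20
set policy from trust to untrust any any any nat src dip-id 5 permit

save
```

After applying this, the question sbrainerd raises (whether the firewall answers ARP for the mapped addresses) can be checked directly: compare the upstream router's ARP table for 203.0.113.10, 203.0.113.11 and 203.0.113.20 with the firewall's own `get arp` and `get mip` output, and confirm that the Cisco forwards the whole /24 to 198.51.100.2 rather than trying to ARP for it on a secondary address of its own. Keep the MIP, NAT-dst and DIP addresses disjoint from each other so a given public address has exactly one owner in the configuration.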

