Screen OS

Hi

Currently, I'm using my home NS5-GT (OS 5.4.0) Extended in a dual DMZ setup, with 1 public IP, assigned by my ISP.

This is rather limited, since the single Untrust allows me to use only one VIP or MIP for HTTPS server on port 443.

Fortunately, my ISP is willing to provide me some extra IP addresses. It will probably be a continuous range of IP's.

It is, however, a bit unclear to me how to configure my Netscreen for the use of multiple IP's on my 1 physical untrust interface.

I've read at the forum, that using multiple VIP's might not work with multipe public IP's in this ScreenOS version (see forum thread here), so I guess I have to use MIP's.

It is the configuration of the Untrust interface that puzzles me:

In another thread, it is stated that MIP's can be used for IP's that are not assigned to the physical interface. That suprises me, since it is unclear to me how traffic is routed to my firewall in thise case. Can someone confirm this will work?

It all seemed pretty straightforward after reading the disscussion here : a range of IP addresses can be assigned by using a subnet, such as using xxx.xxx.xxx.71/30 for the range 71 through 74 in the xxx.xxx.xxx.0 subnet.

However, my current public IP comes with a /24 subnet (?)

That leaves me with two questions:

• Is it possible to get multiple IP addresses assigned to a single physical Untrust interface, by a DHCP server?
• If so, how about the subnet mask, compared to my current situation?
• Is it correct that I can use multiple MIP's with a range of public IP's on my Untrust interface?

Thank you very much for you help!

If your current provider adds IP-addresses its most likely they will be routed to your current IP. In that case you don't need to configure the new range on your interface, you just use the addresses from this range in MIP and VIP definitions. MIP: NATing works both ways (in- and outbound I.G bidirectional, other vendors call it static NAT) VIP: like portfowarding on ADSL routers.'

Just define the MIP and VIP on untrust interface and use tehse as destination in policies. 

Hi Screenie

Thank you for your reply.

I've been discussing this with my ISP, but since it is a non-business line, they won't offer me a routed subnet.

It seems though I'm stuck with IP-addresses assigned to MAC addresses.

I'm thinking of a solution by using the DHCP relay and have the public IP's assigned directly to (virtual) machines in the DMZ.

That leaves me, however, with two questions:

1. Will it imply any limitations to the firewall functions?
2. Is there an alternative solution? For example using VLAN's?  
   I have a 5GT Extended that can handle 8 zones and 10 VLAN's and I would prefer to avoid assigning public IP's to virtual machines, for obvious reasons.

Thank you very much for your help.