ScreenOS Firewalls (NOT SRX)
New User
Drizzt
Posts: 3
Registered: ‎09-11-2008

NS-204 Trust Network Change

What are the implications of changing the IP address on the Trust interface to a new network? I am implementing a new Network Access Control device which will require changing the network address on the trust interface.

 

Anybody had any experience with this before? Any information would be very helpful.

 

Thanks,

Dave 

Trusted Expert
WL
Posts: 789
Registered: ‎07-26-2008

Re: NS-204 Trust Network Change

Hi there

 

I guess changing the IP address is easy; the following will change the interface IP via the cmd line.

 

set int <interface> ip <X.X.X.X/X>

 

But things that are going to be affected by it are the users and routing in the network. The users will need to be configured with the correct gateway IP address and if you have multiple subnets, routing has to be configured to correctly point to the new gateway IP addresses.

It will also depend on other stuff you have going on in the trust zone of the network, e.g. if you have VPNs, etc. Essentially it depends on the complexity of your network in the trust zone.

 

 

New User
Drizzt
Posts: 3
Registered: ‎09-11-2008

Re: NS-204 Trust Network Change

WL, Thanks for the reply. I've got multiple policies on the trust side to NAT to my public IP addresses based on a private range. I use a separate public for each of my schools. I've only got one default route, and knew I was going to have to change that. I'll be going from a 50.0.0.0 private address to a 10.10.2.0 private on the trust interface.

 

I just wanted to be sure the policies I have won't disappear when I change the IP address. I've backed up the configuration, and saved it to my PC, so if it doesn't work, I can always get back to where I am now.

 

Thanks again,

 

Dave 

New User
Drizzt
Posts: 3
Registered: ‎09-11-2008

Re: NS-204 Trust Network Change

WL,

 

Didn't complete my last response. We don't have any VPN connections on the firewall. I've also got an SA4000 we use for SSL/VPN connections to our network.

 

My default route (0.0.0.0) points to the untrust interface, and I have a single 50.0.0.0 route that points to my inside router. This is the route I need to be sure I change to reflect the new inside router interface.

 

Thanks,

Dave 
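
Added example (not part of the thread and not Juniper code): a pre-change audit that reads a saved ScreenOS configuration backup and lists every line tied to the old trust network, including policies that reference address-book entries inside it. The sample configuration is constructed, the /8 mask on 50.0.0.0 is an assumption, and the names audit and in_network are hypothetical.

```python
import ipaddress
import re

# Constructed sample of a saved ScreenOS config (not taken from the thread).
SAMPLE_CONFIG = '''\
set interface ethernet1 zone "Trust"
set interface ethernet1 ip 50.0.0.1/8
set interface ethernet3 ip 203.0.113.2/28
set interface ethernet3 dip 4 203.0.113.5 203.0.113.5
set address "Trust" "School-A" 50.1.0.0 255.255.0.0
set address "Trust" "NAC-Mgmt" 10.10.2.10 255.255.255.255
set route 0.0.0.0/0 interface ethernet3 gateway 203.0.113.1
set route 50.0.0.0/8 interface ethernet1 gateway 50.0.0.2
set policy id 1 from "Trust" to "Untrust" "School-A" "Any" "ANY" nat src dip-id 4 permit
set policy id 2 from "Trust" to "Untrust" "NAC-Mgmt" "Any" "ANY" permit
'''

IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
ADDR = re.compile(r'set address "[^"]+" "([^"]+)" ')

def in_network(line, net):
    """True if any dotted-quad token on the line falls inside net."""
    for tok in IPV4.findall(line):
        try:
            if ipaddress.ip_address(tok) in net:
                return True
        except ValueError:  # token such as 999.1.1.1 is not an address
            pass
    return False

def audit(config_text, old_network):
    """Return {kind: [lines]} for config lines tied to old_network."""
    old = ipaddress.ip_network(old_network)
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    # Address-book names that resolve into the old network.
    stale = set()
    for l in lines:
        m = ADDR.match(l)
        if m and in_network(l, old):
            stale.add(m.group(1))
    report = {}
    for l in lines:
        words = l.split()
        kind = words[1] if len(words) > 1 and words[0] == "set" else "other"
        # Policies carry names, not IPs, so match them through the address book.
        by_name = kind == "policy" and any(f'"{n}"' in l for n in stale)
        if in_network(l, old) or by_name:
            report.setdefault(kind, []).append(l)
    return report
```

Running audit() over the backup before and after the change gives a checklist of interface, route, address and policy lines to review against the new 10.10.2.0 addressing.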

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.