ScreenOS Firewalls (NOT SRX)
JamesBellaart

New Public IP ranges

Hi,

Currently my Juniper SSG520 is configured with a /27 on its untrust interface.

We are moving into a new datacenter where we have been given a /30 and then a new /27 as well for our MIPs/VIPs.

How do I configure my untrust interface to support these 2 subnets?

The /30 will have the next hop out of the network.

Cheers,

James

JamesBellaart

Re: New Public IP ranges

After a bit of searching (thanks search feature) it looks like the answer is to add a Loopback in the Untrust zone with the 2nd IP range and turn off intra-zone blocking.

Is that all I need to do? And am I able to use an IP from the pool on the loopback (/27) as my egress IP?

WL

Re: New Public IP ranges

Yes, it should work fine as long as you have the ISP routing the traffic to your end.

Take a look at the C&E guide as well; it's for VPN but can be used for cleartext as well:

http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v8.pdf

Page 78 Chapter 4 for MIPs and VIPs.

JamesBellaart

Re: New Public IP ranges

I've found another article suggesting you can simply add a route to the new network on the interface in the untrust zone with a gateway of 0.0.0.0. I have tried this and it allows me to add a MIP using IPs from the new range.
WL

Re: New Public IP ranges

Hmm, you don't really need that if you are using ScreenOS 6.1. It allows you to configure the MIP without the route.