05-19-2009 02:58 PM
Using an SSG-520M, OS 6.1.0r5.0.
I will soon be moving the firewall to a co-loc. The provider there has given me two IP ranges, a /29 with 3 addresses for me to use, and a /28 with 14 addresses. These two ranges are NOT contiguous. Per their documentation, "Additional networks (i.e. my 2nd range) will be routed to the first customer usable IP address."
The first usable address is the IP of the untrusted interface on the firewall. I've set up MIPs on this interface for the remaining 2 addresses in the 1st range, and for most of the addresses in the 2nd range. I went to set up a VIP for an address in the second range, but receive the error "The Virtual IP must be in the same subnet as the interface IP."
Question #1 - Any way around this?
Question #2 - Will the MIPs from the 2nd range I've set up on the interface work?
05-19-2009 08:50 PM
Here is a suggestion.
You could look at using a loopback interface to house the MIPs for the 2nd allocation. Just assign the loopback interface to the untrust zone.
set int loop.1 zone untrust
set int loop.1 ip x.x.x.x/28
set int loop.1 mip x.x.x.y host 10.1.1.1 netmask 255.255.255.255 vr trust-vr
Hope this helps.
05-20-2009 08:18 AM