ScreenOS Firewalls (NOT SRX)
Contributor
JimPhelps

Non-contiguous MIPs & VIPs?

Using an SSG-520M, OS 6.1.0r5.0.

I will soon be moving the firewall to a co-loc.  The provider there has given me two IP ranges, a /29 with 3 addresses for me to use, and a /28 with 14 addresses.  These two ranges are NOT contiguous.  Per their documentation, "Additional networks (i.e. my 2nd range) will be routed to the first customer usable IP address."
The first usable address is the IP of the untrusted interface on the firewall.  I've set up MIPs on this interface for the remaining 2 addresses in the 1st range, and for most of the addresses in the 2nd range.  I went to set up a VIP for an address in the second range, but receive the error "The Virtual IP must be in the same subnet as the interface IP."

Question #1 - Any way around this?
Question #2 - Will the MIPs from the 2nd range I've set up on the interface work?

Recognized Expert
traceoptions

Re: Non-contiguous MIPs & VIPs?

Here is a suggestion.
You could look at using a loopback interface to house the MIPs for the 2nd allocation.  Just assign the loopback interface to the untrust zone.

set int loop.1 zone untrust
set int loop.1 ip x.x.x.x/28
set int loop.1 mip x.x.x.y host 10.1.1.1 netmask 255.255.255.255 vr trust-vr

Hope this helps.
JNCIE-ENT #424 JNCIP-SEC, JNCI @traceoptions

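As an added illustration of the loopback approach in the reply above (this is not from the original post or from Juniper documentation), here is what the complete untrust-side configuration looks like end to end, including the loopback-group binding that ties the physical untrust interface to loopback.1 and policies that reference the translated addresses. Everything concrete is assumed: the addresses are RFC 5737 documentation placeholders (203.0.113.8/29 for the first allocation, 198.51.100.16/28 for the routed second one), the untrust interface is called ethernet0/0, and the trust hosts are 10.1.1.x. The VIP lines assume the platform accepts a VIP on a loopback interface, which the thread does not confirm. Lines beginning with "#" are annotations for the reader, not ScreenOS syntax; strip them before pasting.

```screenos
# Added example, not from the original thread. Assumed placeholder addressing:
#   provider /29: 203.0.113.8/29, gateway 203.0.113.9, firewall untrust IP 203.0.113.10
#   provider /28: 198.51.100.16/28, routed by the provider to 203.0.113.10
#   untrust interface ethernet0/0 and trust hosts 10.1.1.x are also assumed.

# Physical untrust interface carries the /29 and the default route.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.10/29
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.9

# Loopback interface in the untrust zone holds the routed /28 (first usable address).
set interface loopback.1 zone untrust
set interface loopback.1 ip 198.51.100.17/28

# Bind the physical interface to the loopback group so packets arriving on
# ethernet0/0 for 198.51.100.16/28 are matched against the MIPs/VIPs on loopback.1.
set interface ethernet0/0 loopback-group loopback.1

# MIP in the second range (one-to-one to a trust host), with a policy scoped
# to a single service rather than "any".
set interface loopback.1 mip 198.51.100.18 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(198.51.100.18) http permit

# VIP in the second range (port-level to a trust host). Assumes a VIP is
# accepted on a loopback interface; the thread does not confirm this.
set interface loopback.1 vip 198.51.100.19 80 http 10.1.1.20
set policy from untrust to trust any vip(198.51.100.19) http permit
```

After committing, `get interface loopback.1` and `get mip` show whether the loopback and its MIPs were accepted. Two points worth keeping in mind: without the loopback-group binding, traffic for the /28 lands on ethernet0/0 and never reaches the translation entries on loopback.1; and the first usable /29 address is consumed by the untrust interface itself, so only the remaining addresses in that block are available for MIPs.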
Contributor
JimPhelps

Re: Non-contiguous MIPs & VIPs?

Thanks - this happens on Friday, so I'll update after then.  Anyone else have alternate suggestions?  I want to make sure I'm armed with possibilities when this happens, to avoid falling back.  Thanks!
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.