ScreenOS Firewalls (NOT SRX)
Contributor
adambg
Posts: 12
Registered: ‎12-17-2009
0

PC with public IP behind SSG-140 without NAT

How do I configure a PC behind the SSG 140 with a public IP provided by my ISP?

 

My ISP is providing me with public internet IPs 1.1.1.0/27. The gateway for my subnet is 1.1.1.1 (provided by my ISP on my own subnet).

The Untrust interface eth0/2 is configured with IP 1.1.1.2/32.

 

MIP from Untrust eth0/2 to Trust eth0/3 works (public IP to private IP).

 

How to configure a PC with a public IP _without_ NAT? So when I access http://cmyip.com I get the PC IP and not the SSG IP?

Trusted Expert
SSHSSH
Posts: 601
Registered: ‎11-21-2009
0

Re: PC with public IP behind SSG-140 without NAT

You can use bgroups.

 

Create a bgroup interface.

Give it an IP from 1.1.1.x.

Assign 2 physical interfaces to that bgroup interface (one of them is connected to your server & is connected to your ISP).

 

Contributor
NET-WORKS
Posts: 73
Registered: ‎02-17-2009
0

Re: PC with public IP behind SSG-140 without NAT

What I am able to understand is that:

 

ISP CPE (1.1.1.1)------------------SSG----------------------PC(1.1.1.5)

 

If you want to directly assign a public IP address to the PC & servers, you can try configuring the SSG in transparent mode.

In routed mode, if you configure MIP, you will still be able to access the PC (which is on a private IP) like http://cmyip.com. Just that particular IP which is mapped to the domain name should be used for MIP.

HTH

Contributor
adambg
Posts: 12
Registered: ‎12-17-2009
0

Re: PC with public IP behind SSG-140 without NAT

Your diagram is correct, but some PCs should still have private IP addresses.

 

Is it possible to have the SSG transparent on some interfaces and routed on others?

Or is this done using bgroups?

Contributor
NET-WORKS
Posts: 73
Registered: ‎02-17-2009
0

Re: PC with public IP behind SSG-140 without NAT

No, transparent and routed mode would not work in parallel.

Is there a special requirement that NAT is not done? The case you mention, i.e. to enable HTTP access (or whatever), will still work with MIP translation.

Anyways, bgroup also seems good to go.

 
