Screen OS

  • 1.  SSG140 - How to set up multiple WAN IP blocks on 1 interface?

    Posted 08-15-2013 10:59

    I currently have a /28 from an ISP, and an interface bound to the first IP in that block.  I use MIPs and VIPs to handle traffic for the other IPs in the /28 (mapped to hosts on a separate internal-only network).  Everything works fine.

     

    I'm switching ISPs and they have given me a /30 interconnect block, and a /28 IP block.  The interface on the Juniper needs to be assigned an IP from the /30 block, but I need to have MIPs/VIPs for hosts in the /28 block.  Can anyone point me in the right direction on how I configure the interface properly?

     

    I did a little testing and it looks like I can assign MIPs from the /28 subnet to an interface bound to a /30.  At least I didn't get errors when I tried it.  Trying to add a VIP gives me an error saying the IPs are in a different subnet.

     

    What's the best way to set this up? 



  • 2.  RE: SSG140 - How to set up multiple WAN IP blocks on 1 interface?

    Posted 08-15-2013 14:10

    I contacted support and chatted with a tech about this.  He said if I set the interface address to the /30 subnet, I will still be able to use MIPs to the /28 subnet on that interface.  Apparently you can set MIPs to any subnet, on any interface.

     

    However, I will NOT be able to use VIP mappings to the /28 subnet.  I can use VIP mappings to the interface IP itself, though.

     

    So it sounds to me like I need to change my setup and only use MIPs. I don't have many VIPs, so I do have enough address space to replace them with MIPs.

     

    Does this sound right to other people?  Has anyone else done anything similar?

     



  • 3.  RE: SSG140 - How to set up multiple WAN IP blocks on 1 interface?
    Best Answer

    Posted 08-16-2013 02:55

    The MIP is used when you need a one-to-one NAT between a single internal address and a single external address for ALL ports and in BOTH inbound and outbound directions.  Other systems refer to this as static NAT.

     

    The VIP you are using now is able to isolate ports from a single external address inbound and forward them to different internal IP addresses.

     

    The other way to accomplish this port forwarding in ScreenOS is to use policy-based destination NAT. This is what I think you would use in your case.  Here you create a policy to permit the traffic with the correct ports selected.  Then in the advanced tab you will need to add the destination NAT address.

     

    For the policy to work you may also need to add proxy ARP to your carrier-facing interface for the public IP address.

     

    And you will need to create a static route for that address into the interface where you want the destination zone of the connection to exist.  Otherwise the route lookup fails.  If the public address is used both internal and external then both devices need a policy.

     

    I have a sample configuration for this posted in the Configuration Library forum which also has documentation references.

     

    http://forums.juniper.net/t5/Configuration-Library/Server-published-to-Public-IP-for-both-Trust-amp-Untrust/m-p/98018/highlight/true#M254
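
The setup post 2 describes (interface on the /30, MIPs to the /28, VIP only on the interface IP) alongside the policy-based destination NAT that post 3 recommends, as an added ScreenOS CLI example. It is not the poster's configuration and not the one in the linked Configuration Library thread; the interface names (ethernet0/0 untrust, ethernet0/1 trust), policy IDs, internal host addresses and the RFC 5737 documentation prefixes standing in for the /30 (203.0.113.0/30) and the /28 (198.51.100.0/28) are all assumed. Lines beginning with `##` are annotations, not ScreenOS commands, and must be stripped before pasting.

```screenos
## Carrier-facing interface takes an address from the /30 interconnect only.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/30
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 10.1.1.1/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

## 1. MIP: one-to-one static NAT, all ports, both directions.
##    198.51.100.5 is from the /28, not the interface's /30; ScreenOS accepts
##    that, and the mip() address in the policy opens the inbound half.
set interface ethernet0/0 mip 198.51.100.5 host 10.1.1.5 netmask 255.255.255.255 vr trust-vr
set policy id 10 from untrust to trust any mip(198.51.100.5) any permit log

## 2. VIP: once the interface sits on the /30, a VIP can only use the
##    interface IP (203.0.113.2), so per-port forwarding by VIP is limited to it.
set interface ethernet0/0 vip interface-ip 443 HTTPS 10.1.1.6
set policy id 11 from untrust to trust any vip(ethernet0/0) HTTPS permit log

## 3. Policy-based destination NAT does the VIP's job for a /28 address:
##    198.51.100.7 TCP/80 -> 10.1.1.7 and 198.51.100.7 TCP/25 -> 10.1.1.8.
##    The public address is an address-book entry in the DESTINATION zone.
set address trust pub-7 198.51.100.7/32
set policy id 20 from untrust to trust any pub-7 HTTP nat dst ip 10.1.1.7 permit log
set policy id 21 from untrust to trust any pub-7 SMTP nat dst ip 10.1.1.8 permit log

## 4. The route lookup runs before policy and NAT. Without this route a packet
##    for 198.51.100.7 follows the default route back out untrust and never
##    reaches the untrust-to-trust policy.
set route 198.51.100.7/32 interface ethernet0/1
```

The example assumes the carrier delivers the /28 as a routed block, i.e. its router forwards 198.51.100.0/28 to 203.0.113.2 rather than ARPing for each address on the interconnect; under that assumption no proxy ARP entry is required on ethernet0/0 and the static route in step 4 is what makes the lookup succeed. If the carrier instead expects the firewall to answer ARP for /28 addresses on the link, the proxy ARP that post 3 mentions becomes necessary. Policies 20 and 21 together replace one VIP: the same public address fans out to two internal hosts by service, and anything not matched (say TCP/22 to 198.51.100.7) is dropped by the implicit deny rather than forwarded, which is the exposure check worth confirming after the cut-over with `get policy` and a scan from outside.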