Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Using a firewall and Cisco Policy Based Routing

    Posted 09-23-2008 14:03

    Ok, here's our scenario:

    1 Juniper SSG-5

    1 Cisco 3840

    2 Internet connections from two separate providers

    1 Class C Public IP range

    1 Class C Private IP range

    All available ports on Juniper in use (1 available for project)

     

    Our internet connections run into the Cisco, which is attached to one of the ports on the Juniper (eth0).  Our private subnet runs into the Juniper (eth5).  By default, all internet traffic passes into eth5 and out eth0, which gets nat'd using provider 1's public IP address.  A policy based route is in effect on the Cisco which will pass certain public IPs to provider 2.  What I'd like to be able to do is get the private subnet to run over provider 2's internet connection.  How to do it, I haven't been able to figure out, since I only have 1 available eth port on the Juniper to do this project with.


    What I've thought of so far:

    1) Set up the eth port with a private IP, then somehow get it to NAT using the IP(s) from Provider 2 instead of the IPs from Provider 1; that way it'll get routed through the proper connection

     

    2) Set up the eth port with primary/secondary IPs and then connect it to a switch with VLANs, but that would mean the SSG would have to forward traffic out the interface it came in on, and I don't think that'll work

     

    Anyone have an idea or approach I could look at for making this happen?  Ideally I'd just use two interfaces, but I don't have any left, so it requires a little more creative thinking than I'm capable of.



  • 2.  RE: Using a firewall and Cisco Policy Based Routing

    Posted 09-23-2008 19:28

    Hi,

     

    Can you post a diagram of what you are trying to achieve, as I think it will make it a little clearer.

     

    Regards

     

    Andy



  • 3.  RE: Using a firewall and Cisco Policy Based Routing

    Posted 09-24-2008 08:03

    Ok, I think this diagram sums up what I'm trying to do.  The challenge here is that I can't use any additional ports on the SSG, I only have one that can be reconfigured.  So I can set that up however I need to, but I can't take the easy route and have my private subnet on one and then use another with the IP range from ISP 2.  Currently, all private subnetted traffic will get nat'd using the public IP of the interface connecting the Juniper to the Cisco.  I need to use the IP(s) of the public block that I got for use on ISP 2's network.  My guess is I need to do something with subinterfaces and vlans on the HP, but I couldn't really figure out how to get that to work.

     

     -Nathan

     

     

    Attachment: Visio-Juniper Setup.pdf (159 KB)


  • 4.  RE: Using a firewall and Cisco Policy Based Routing
    Best Answer

    Posted 10-02-2008 17:47

    I think that this is a simple solution.  Since your default route on the firewall is to the router, and you have two public subnets, then all you have to do is set up some DIPs on eth0 for the second subnet.  Your DIP can be a single address or a pool (my example is a two IP pool).  If you use a DIP pool, make sure to use the command "set dip sticky".  The "4" in the example is the first available number for the DIP ID.

     

    set int e0 ext ip 1.1.1.0 255.255.255.0 dip 4 1.1.1.1 1.1.1.2 

     

    Note: You have to use the "ext ip 1.1.1.0 255.255.255.0" portion of the DIP command because the DIP range may be outside the subnet on the e0 interface.

     

     

    Then setup an outbound policy that matches your internal hosts to your destination and then NAT using this DIP. 



  • 5.  RE: Using a firewall and Cisco Policy Based Routing

    Posted 10-03-2008 09:49

    This almost works.  I set it up as explained, however traffic doesn't seem to get back to the source.  If I check the policy that sets the NAT through DIP I see the translation occurring properly, but no traffic comes back and each log entry reads Close - Age Out.  I tried playing around with the routing to see if that might help, but to no avail.

     

    I think the problem might be that Eth0 is in the Untrust VR so I can't assign a secondary IP, which I'm assuming is the ext ip part of the command?  When I tried to use the CLI the command structure you gave me didn't work; it said "unknown keyword ext".  I did do it through the webui successfully though...to the part where outgoing xslates fine, but no traffic comes back.  I think we're on the right track, but some of the little details are creating a problem (or two).

     

     -Nathan



  • 6.  RE: Using a firewall and Cisco Policy Based Routing

    Posted 10-03-2008 10:22

    No, you can't assign a secondary IP to the egress/untrust interface (regardless of VRs).  If you are expecting traffic from multiple subnets on the 'untrust' interface of the firewall, that's done with MIPs.  If you are NATing outbound traffic, then DIPs are used.

     

    Definitely sounds like you need a route back in from the untrust-vr to the trust-vr in some fashion.  If I can come up with some time, I'll play with that.  Otherwise, hack around with that and see what happens.



  • 7.  RE: Using a firewall and Cisco Policy Based Routing

    Posted 10-03-2008 12:52
    Actually this did the trick; what I needed to do was configure a static route on the Cisco so that traffic would come back to the Juniper and not someplace else.
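Putting posts 4 and 7 together, here is the full configuration pair as an added example (not from any poster): the ScreenOS DIP and policy on the SSG, and the Cisco static route that sends return traffic for ISP 2's block back to the firewall. Assumed values: ethernet0/0 is the poster's "eth0", 10.0.0.2/30 is a constructed address for it, 192.168.1.0/24 is a placeholder for the private subnet, and 1.1.1.0/24 stands for ISP 2's public block as in post 4; the `#` and `!` lines are annotations, not CLI input.

```text
# --- ScreenOS (SSG-5): NAT the private subnet to ISP 2's block on the interface facing the Cisco
set interface ethernet0/0 ip 10.0.0.2/30
# extended IP + DIP pool outside ethernet0/0's own subnet (the "ext ip" form from post 4)
set interface ethernet0/0 ext ip 1.1.1.0 255.255.255.0 dip 4 1.1.1.1 1.1.1.2
# keep each internal host on one pool address across sessions
set dip sticky
# only the private subnet uses DIP 4; everything else keeps the default NAT on eth0's own address
set policy from trust to untrust 192.168.1.0/24 any any nat src dip-id 4 permit
# if eth0 sits in untrust-vr (post 5), untrust-vr needs a way back to the private subnet in trust-vr
set vrouter untrust-vr route 192.168.1.0/24 vrouter trust-vr

! --- Cisco IOS: the fix from post 7. Replies to 1.1.1.1/1.1.1.2 arrive from ISP 2 and must be handed
! to the SSG's interface address, not forwarded elsewhere; PBR already steers 1.1.1.x sources to ISP 2.
ip route 1.1.1.0 255.255.255.0 10.0.0.2
```

On the SSG, `get session src-ip 192.168.1.x` should then show sessions translated to 1.1.1.1 or 1.1.1.2 that close normally instead of ageing out.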