10-18-2010 11:31 PM - edited 10-18-2010 11:36 PM
I'm new here. Glad to have found this forum.
Actually, I need some help configuring my Juniper SSG-550M.
This is my situation:
My SSG-550M has 2 active interfaces:
- ethernet0/0, untrust zone, has a private IP from the ISP (172.16.30.2/30)
- ethernet0/1, trust zone, has a public IP from the ISP (203.x.x.33/28).
The default gateway to the outside (Internet) is 172.16.30.1 (on the ISP side).
My problem is, I can't make outgoing actions such as traceroute, AV update, NTP sync, or DNS requests from my BOX (router SSG 550M) since they use the private IP gateway.
My question: how do I make it work? I am wondering about using my public IP address that is assigned to the trust interface (ethernet0/1).
Any advice will be great.
10-19-2010 01:00 AM
You can do this! Use ping/trace with the keyword "from": ping xxx.xxx.xxx.xxx from eth0/1. The syntax for telnet is slightly different: telnet xxx.xxx.xxx.xxx port-number src-interface eth0/1.
While configuring NTP, DNS, or SNMP you can always select eth0/1 as the source interface.
You cannot configure a source interface for the AV updates, but you can try to install an internal proxy for downloading the AV patterns indirectly: SSG --> Proxy --> Juniper AV server.
10-19-2010 07:29 AM
You can retrieve it from the Juniper Licensing Site (using a Web browser) and install it on the SSG using the command
exec license-key key_str. Your device should be registered with Juniper for this.
10-20-2010 02:35 AM - edited 10-20-2010 02:36 AM
Thank you for the solutions, greatly appreciated.
By the way, could NAT be applied in a situation like this?
10-20-2010 04:52 AM
You are welcome!
Sorry, I did not understand your question. If you send a packet from the trust interface to the Internet, it has already got a public IP as its source IP. If you send a packet from the untrust interface to the Internet, its src IP is a private one and the packet is away! It will be sent but never responded to.
10-20-2010 08:57 PM - edited 10-20-2010 09:07 PM
Since I don't have any internal proxy in my local network, it made me search for solutions to update the AV.
I think when the packet goes out from the untrust interface, the packet will be sent but never responded to, so I have to NAT it using a public IP. The question is: is it possible? (in this case)
10-21-2010 01:33 AM
Hmm... This is not a trivial problem and a solution might be very, very tricky. The SSG would not NAT packets generated by itself. This can only be done on the ISP router, perhaps with one of your public IPs.
I would recommend installing a simple proxy. There are free proxy applications on the Internet.
10-21-2010 03:23 AM
Ic ic ic.
"The SSG would not NAT packets generated by itself." <--- this is what I wanted to know, actually.
Thank you very much Edouard.
10-25-2010 03:56 AM
SSHSSH knows a trick that might solve your problem:
"....create a MIP on the untrust interface like the below:
Host address: interface IP
Mapped address: a public IP
This will translate the packets sent from the firewall itself..."
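The source-interface settings from the 01:00 AM reply and the MIP trick quoted above, written out as ScreenOS CLI, as an added example that is not configuration posted by anyone in this thread. The addresses 203.x.x.34 (mapped public IP) and 203.x.x.40 (DNS/NTP/SNMP server) are placeholders, lines beginning with # are annotations rather than commands, and the command syntax is taken from the ScreenOS CLI reference, not from this thread.

```screenos
# Topology from the thread: ethernet0/0 = untrust, 172.16.30.2/30, default
# gateway 172.16.30.1; ethernet0/1 = trust, 203.x.x.33/28 (public).
# Placeholders: 203.x.x.34 = mapped public IP, 203.x.x.40 = DNS/NTP/SNMP server.

# 1. Self-generated services that have a source-interface option: pin them to
#    the interface holding the public IP so the reply has a routable destination.
set dns host dns1 203.x.x.40 src-interface ethernet0/1
set ntp server 203.x.x.40
set ntp server src-interface ethernet0/1
set snmp host public 203.x.x.40 src-interface ethernet0/1

# 2. Ad-hoc checks from the CLI, using the "from" keyword.
ping 203.x.x.40 from ethernet0/1
trace-route 203.x.x.40 from ethernet0/1

# 3. Services with no source-interface option (the AV pattern download):
#    a MIP on the untrust interface whose host address is that interface's own
#    IP, so traffic the box sources from 172.16.30.2 leaves as 203.x.x.34.
#    The ISP must route 203.x.x.34 toward 172.16.30.2 or replies never return.
#    The MIP also makes 203.x.x.34 an inbound path to the box; this snippet
#    creates no untrust-to-box policy, so nothing is permitted in by default.
set interface ethernet0/0 mip 203.x.x.34 host 172.16.30.2 netmask 255.255.255.255 vr trust-vr

# Verification: confirm the MIP and the source interfaces took effect.
get interface ethernet0/0 mip
get ntp
get dns host
```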
11-08-2010 11:12 PM - edited 11-08-2010 11:44 PM
Wow, thanks for your advice.
I've successfully retrieved the license key from the box.
Ping / traceroute to the outside (without using the "from source" keyword in the CLI) is also working well.