ScreenOS Firewalls (NOT SRX)

Loopback group members

05-05-2010 08:22 AM

We have an ISG 2000 with multiple VPNs. We want to NAT some traffic coming in from one of those VPNs. In the past, I've set up a loopback interface, added MIPs and DIPs to that interface, but had to add the specific tunnel interface supporting that VPN to the loopback interface's group in order to pass and translate the traffic appropriately.


I want to do the same thing, but for a different range of IP addresses.


The original loopback interface (loopback.2) is using an IP address of 10.1.1.129/27 with MIPs in that same subnet. The interface of tunnel.6 is a member of the loopback.2 group.


The new loopback interface (loopback.4) would have an IP address of 10.10.0.254/24 and the MIPs would also be in that subnet. Since the traffic destined for that subnet would also be coming in through tunnel.6, can I make tunnel.6 a member of the loopback.4 group, also?


Thanks!

4 REPLIES

Re: Loopback group members

05-05-2010 09:03 AM

We cannot have one tunnel interface part of two loopback groups.


Since you have already configured a MIP for the NAT, I see no obstacles in you creating a MIP subnet that's different from the loopback.2 interface subnet; it's supported in Juniper that you can create a DIP or MIP in a different subnet than the parent interface.


Just make sure you are above ScreenOS 6.1.

Cheers,
Rog
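As an added illustration of Rog's suggestion (not configuration from the thread or from Juniper), the ScreenOS CLI below keeps a single loopback.2 with tunnel.6 in its loopback group and adds a MIP in 10.10.0.0/24 alongside the existing 10.1.1.128/27 MIPs; the zone name "vpn", the internal hosts 192.168.50.10/11 and the policy id are assumed placeholders. Lines beginning with # are annotations for the reader, not ScreenOS input.

```screenos
# Zone and interfaces: tunnel.6 joins the loopback group of loopback.2 only once
# (a tunnel interface cannot belong to two loopback groups)
set zone name vpn
set interface loopback.2 zone vpn
set interface loopback.2 ip 10.1.1.129/27
set interface tunnel.6 zone vpn
set interface tunnel.6 loopback-group loopback.2
# Existing MIP inside the loopback interface's own subnet
set interface loopback.2 mip 10.1.1.130 host 192.168.50.10 netmask 255.255.255.255 vr trust-vr
# New MIP in 10.10.0.0/24, a different subnet from loopback.2 (ScreenOS 6.1 or later)
set interface loopback.2 mip 10.10.0.10 host 192.168.50.11 netmask 255.255.255.255 vr trust-vr
# Policy from the VPN zone to trust matched on the MIP; "log" produces the policy-log
# entries used later in the thread to confirm the translated traffic was passed
set policy id 50 from vpn to trust any mip(10.10.0.10) any permit log
# Verification
get interface loopback.2
get mip
```

The policy should name the MIP address rather than the internal host, and the second MIP must not overlap an address actually routed behind tunnel.6.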

Re: Loopback group members

05-05-2010 11:22 AM

Thanks, Rontu. We're running 6.1.0r5 on our ISG, so we'll see if we can give that a shot.


Re: Loopback group members

05-07-2010 10:11 AM

FYI, Rontu, this looks like it worked. I did this with a MIP in the different subnet and the ISG was able to pass the traffic (verified with a policy log) to our internal network.


Thanks again!


Re: Loopback group members

05-07-2010 10:13 AM

Happy to help

Cheers,
Rog