ScreenOS Firewalls (NOT SRX)

New Public IP ranges

02-24-2009 01:44 PM

Hi,

Currently my Juniper SSG520 is configured with a /27 on its untrust interface.

We are moving into a new datacenter where we have been given a /30 and then a new /27 as well for our MIPs/VIPs.

How do I configure my untrust interface to support these 2 subnets?

The /30 will have the next hop out of the network.

Cheers,

James

4 REPLIES

Re: New Public IP ranges

02-24-2009 02:34 PM

After a bit of searching (thanks, search feature) it looks like the answer is to add a loopback in the Untrust zone with the 2nd IP range and turn off intra-zone blocking.

Is that all I need to do? And am I able to use an IP from the pool on the loopback (/27) as my egress IP?

Re: New Public IP ranges

02-24-2009 03:07 PM

Yes, it should work fine as long as you have the ISP routing the traffic to your end.

Take a look at the C&E guide as well; it's for VPN but can be used for cleartext as well:

http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v8.pdf

Page 78 Chapter 4 for MIPs and VIPs.


Re: New Public IP ranges

02-24-2009 03:11 PM

I've found another article suggesting you can simply add a route to the new network on the interface in the untrust zone with a gateway of 0.0.0.0. I have tried this and it allows me to add a MIP using IPs from the new range.

Re: New Public IP ranges

02-24-2009 05:09 PM

Hmm, you don't really need that if you are using ScreenOS 6.1. It allows you to configure the MIP without the route.