ScreenOS Firewalls (NOT SRX)

Non-contiguous MIPs & VIPs?

05-19-2009 02:58 PM

Using an SSG-520M, OS 6.1.0r5.0.


I will soon be moving the firewall to a co-loc.  The provider there has given me two IP ranges, a /29 with 3 addresses for me to use, and a /28 with 14 addresses.  These two ranges are NOT contiguous.  Per their documentation, "Additional networks (i.e. my 2nd range) will be routed to the first customer usable IP address."


The first usable address is the IP of the untrusted interface on the firewall.  I've set up MIPs on this interface for the remaining 2 addresses in the 1st range, and for most of the addresses in the 2nd range.  I went to set up a VIP for an address in the second range, but received the error "The Virtual IP must be in the same subnet as the interface IP."


Question #1 - Any way around this?


Question #2 - Will the MIPs from the 2nd range I've set up on the interface work?


Re: Non-contiguous MIPs & VIPs?

05-19-2009 08:50 PM

Here is a suggestion.


You could look at using a loopback interface to house the MIPs for the 2nd allocation.  Just assign the loopback interface to the untrust zone.


set interface loopback.1 zone untrust
set interface loopback.1 ip x.x.x.x/28
set interface loopback.1 mip x.x.x.y host <internal-host-ip> netmask <mask> vr trust-vr


Hope this helps.


Juniper Ambassador

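A fuller version of the loopback approach, added here as an illustration and not taken from the thread: the 203.0.113.16/28 block, the 10.1.1.x internal hosts and the ethernet0/2 untrust interface name are constructed placeholders, and the loopback-group binding of the physical interface is taken from the ScreenOS CLI reference rather than from this post. Lines starting with # are annotations, not CLI input.

```text
# The provider routes the second block to the untrust interface IP, so the
# firewall must own that block locally: house it on a loopback in the untrust zone.
set interface loopback.1 zone untrust
set interface loopback.1 ip 203.0.113.16/28

# The physical untrust interface (ethernet0/2 assumed) joins the loopback group
# so packets for the /28 that arrive on it are matched against loopback.1.
set interface ethernet0/2 loopback-group loopback.1

# One 1:1 MIP per public address (network and broadcast addresses are skipped).
set interface loopback.1 mip 203.0.113.17 host 10.1.1.17 netmask 255.255.255.255 vr trust-vr
set interface loopback.1 mip 203.0.113.18 host 10.1.1.18 netmask 255.255.255.255 vr trust-vr

# Policies reference the MIP object; permit only the service each host needs and log it.
set policy from untrust to trust any mip(203.0.113.17) http permit log
set policy from untrust to trust any mip(203.0.113.18) smtp permit log
```

Once applied, `get interface loopback.1` and `get mip` show the zone binding and the address mappings.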

Re: Non-contiguous MIPs & VIPs?

05-20-2009 08:18 AM

Thanks - this happens on Friday, so I'll update after then.  Anyone else have alternate suggestions?  I want to make sure I'm armed with possibilities when this happens, to avoid falling back.  Thanks!