ScreenOS Firewalls (NOT SRX)

Port forwarding on Juniper SSG 20

08-06-2009 01:33 AM


I'm new to these boards so please be gentle. In fact I'm fairly new to Juniper products altogether. I love their stuff though so I'm embracing it a lot lately. Pretty soon I'm scoping to get initial certification in JNCIA so I can get familiar with the equipment - but for now I'm in the deep end as I need to set up some Juniper gear - and having some teething issues basically due to the poor knowledge of the product - so need some help from those in the know!



I've searched here and other sites - and found semi relevant info - however I think my situation may be a little unique.

I'm configuring 2* SSG 20s for a 2 site VPN setup - and I'm in the process of configuring the port forwards so that each site can RDP each other etc. etc. Simple enough.

The SSGs have been fitted with an adsl2/2+ A PIM each to accommodate the links at each site - here's where I *think* I may be having an issue.

Being a fair beginner to Juniper products - I'll try to explain my problem as best as I can.

I'm familiar with the VIP method - however I'm unable to see the VIP option on my adsl1 untrust interface - I do however see it on the bgroup0 trust interface - however I'm thinking this is the incorrect interface to configure VIPs for my requirements.

Reason I'm confused is that I use a 5GT at home - and I have configured VIPs quite easily on the untrust interface with no hassles, I created my custom service, set up my policy, chose the VIP as destination - off it went without a hitch.

The SSG20s are being configured offsite ready for deployment tomorrow - adsl interface is as yet not initialized - could this be why the VIP option is missing?

I'm thinking it has something to do with the PIM/dsl untrust interface configuration - although I accept I could be way off. I followed the manual and there's nothing really specific about the PIM install/config.


Any help or a point in the right direction would be handy. I'm waiting for my 1 day turnaround to activate Juniper support for these new SSGs hence I've posted for help here.

Look forward to some assistance.




Re: Port forwarding on Juniper SSG 20

08-06-2009 10:33 AM

I think you are pointing out your own issue indeed. You should configure the VIP on the adsl interface indeed, but for what I can recall an IP address is required on the interface before you can set VIP/MIPs.


I suppose you could do it with a temp dummy address and change it back to DHCP when deploying it.





Re: Port forwarding on Juniper SSG 20

08-09-2009 03:44 AM

The issue was indeed caused by the dsl interface not being initialized and having an IP at the time I configured the units.

Soon as I arrived onsite - connected the units and the interface established a connection with an IP address - the VIP option became available. The rest was reasonably easy to complete and the VPN is now simmering away nicely.


Thanks for your help.