Screen OS

  • 1.  SSG 320 Design Question

    Posted 03-21-2011 20:01

    Hi Guys,

    I have an SSG320 design question, and need your assistance.

    We want to deploy a firewall for remote VPN client connections, and connect the external public interface to the Juniper SSG 320 Firewall.

    Using a single public IP range, 93.192.26.176/28, is it possible to address both external interfaces (SSG 320 Ethernet 0/0, and Ethernet 0/3 connected to the remote VPN client Firewall), or do we need to subnet?

    Can you please advise on a possible solution.

    Thanks in advance,



  • 2.  RE: SSG 320 Design Question

    Posted 03-22-2011 09:47

    I'm a little unclear on what you're looking to accomplish, could you elaborate a bit?  Perhaps a diagram?



  • 3.  RE: SSG 320 Design Question

    Posted 03-22-2011 15:51

    Sorry for the confusion.

    The Juniper SSG 320 will have two external interfaces.

    External interface ethernet0/0 will connect directly to the Internet border router, and external interface ethernet0/3 will connect to the ASA Firewall outside interface.

    SSG 320 ethernet0/0 will be used in creating the site-to-site VPN tunnels, while the ASA is used primarily for remote home VPN users.

    My objective is to address each external interface (SSG 320 E0/0, and ASA E0/0) with a unique public IP address from a single public IP range, or can you advise on a better solution? Thanks.

    ASA E0/0 ---------- E0/3 (SSG 320 Firewall) E0/0 --------- Internet Border Router


  • 4.  RE: SSG 320 Design Question

    Posted 03-22-2011 16:25

    I'm still not positive I follow you.

    I assume that all the internet traffic will come in on the border router.  The VPN will terminate at eth0/0 and the client ASA traffic needs to reach the ASA external interface.

    If this is correct, then what you need is to use only two public IP addresses, one for the SSG and one for the ASA.  The ASA will still have a default route to your border router.  There is no need to route the ASA traffic through another address on your SSG, just publish it directly to the border router.  In fact, running through the SSG will likely create issues with policies and the connections.

    For these types of setups I would usually create a three-port VLAN on the local switch:

    port 1 border router
    port 2 SSG eth0/0
    port 3 ASA eth0/0

    If you want to use SSG interfaces instead then you can use the bgroup function to create a two-port switch.

    Create bgroup1 with eth0/0 and eth0/3 as members.
    Put your public address for the SSG on this bgroup1 interface and assign it to the untrust zone.

    Connect the border router to eth0/0 and the ASA to eth0/3 and they will both see the inbound traffic.
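The bgroup layout described in the reply above, written out as ScreenOS CLI. This is an added example, not configuration posted by anyone in the thread; it assumes ethernet0/0 and ethernet0/3 can be bgroup members on this platform (as the reply states), and the addresses 93.192.26.177 (SSG) and 93.192.26.178 (border router gateway) are assumed sample values inside the poster's 93.192.26.176/28 range.

```screenos
# Added example (not from the thread): ScreenOS CLI for the two-port switch
# that the reply describes. Addresses are assumed samples in 93.192.26.176/28.

# Ports to be bridged must first be unbound from any zone (and IP) they hold.
unset interface ethernet0/0 ip
set interface ethernet0/0 zone null
set interface ethernet0/3 zone null

# Create the bridge group: eth0/0 faces the border router, eth0/3 faces the ASA.
set interface bgroup1 port ethernet0/0
set interface bgroup1 port ethernet0/3

# The SSG's own public address lives on the bgroup, in the untrust zone,
# in route mode (no interface NAT toward the router).
set interface bgroup1 zone untrust
set interface bgroup1 ip 93.192.26.177/28
set interface bgroup1 route

# Default route via the border router (assumed gateway address).
set route 0.0.0.0/0 interface bgroup1 gateway 93.192.26.178

# The ASA outside interface gets its own address in the same /28 and its own
# default route to 93.192.26.178. Note the trade-off the reply implies: the SSG
# only switches frames between eth0/0 and eth0/3, so traffic to the ASA never
# passes an SSG policy. The ASA must be hardened as an Internet-facing device.
```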



  • 5.  RE: SSG 320 Design Question

    Posted 03-31-2011 06:24

    Hi Spuluka,

    Thanks a lot for the input below. This was very helpful!

    I'm just curious, do you know if we can utilize the MIPs in this case as well, by assigning a private IP to the outside of the ASA firewall and forwarding traffic to it via the MIP on the Juniper SSG 320?



  • 6.  RE: SSG 320 Design Question
    Best Answer

    Posted 03-31-2011 15:32

    Technically you can try using MIP to place the ASA behind the SSG.  But in my experience most VPN connections have issues with reaching and negotiating connections in these scenarios.  They can see the ultimate private address in the process and try to send communications to it directly, which then fail because they are not reachable that way.

    You might be able to get them to work but it will take some careful configuration testing and good control over both endpoints and the software.

    A VPN endpoint doing IPSEC really wants to have a public IP gateway address as the termination point.



  • 7.  RE: SSG 320 Design Question

    Posted 03-22-2011 14:59

    I am also not sure what you want to do.  I think you are asking if you can configure two public interfaces in the same subnet 93.192.176/28 and then connect half of your remote site VPN tunnels to one and the other half to the other.  I'm guessing this is for load balancing.

    If that is the case then you can do this, but you will need to turn off the subnet conflict detection.

    Network -- Routing -- Virtual Routers

    Edit the trust-vr

    check the box -- Ignore Subnet Conflict for Interfaces in This VRouter