Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  SSG140 both NAT and transparent

    Posted 08-05-2011 06:56

    Please advise;

    On the premises we have one ISP that gives us a small subnet (/28). So we have a net address (.0), a router from the ISP within the subnet (.1), and a broadcast (.7). All the other IPs can be used for our own servers and/or routers.

     

    At this moment, we have a switch behind this router of the ISP, and two routers attached. Both routers provide the internet services for two different networks.

     

    For one of those networks we would like to keep everything as simple as possible in the transfer. So preferably we would keep them on the switch, but to make things somewhat more secure for that network as well, we think transparent mode on an SSG140 would be better.

     

    The other network should be NAT if possible, since we want to eliminate the router in that network. Is this possible? Should I connect the SSG140 to the switch with two network interfaces and make one transparent and one NAT? Or would it also be possible to do it with one connection to the ISP's router?



  • 2.  RE: SSG140 both NAT and transparent
    Best Answer

    Posted 08-13-2011 00:18

    Yes, you can do that, i.e.

     

    internet-1  --------- (eth0/0) |          | (eth0/2) ------------ network-1 (simple)
                                   |  ISG140  |
    internet-2  --------- (eth0/1) |          | (eth0/3) ------------ network-2 (secure)

     

     

    Now you will keep eth0/0 and 0/2 in a single VLAN group interface to make it transparent,

     

    and eth0/1 and eth0/3 in separate L3 security zones, and enable NAT on the policies.

     

    regards



  • 3.  RE: SSG140 both NAT and transparent

    Posted 08-15-2011 04:14

    Thank you very much. This might be of great help when I get that far. This looks like what I want.



  • 4.  RE: SSG140 both NAT and transparent

    Posted 08-04-2012 14:08

    I realize this is a very old post.

     

    My comment is really for my own configuration.

     

    You stated that he can use the same /28 network on 2 interfaces of the SSG140, I believe, in your reply.

     

    If that is not accurate then the rest of my post is pointless.  

     

    Assuming that it is accurate and you were stating that both interfaces can be on the same subnet, my question to you is: what is the easiest way for servers in 0/2 (network-1 (simple)) to communicate with servers in 0/3 (network-2 (secure))?

     

    Original Diagram

    >>Appreciate any comments on this.

     

    internet-1  --------- (eth0/0) |          | (eth0/2) ------------ network-1 (simple)
                                   |  ISG140  |
    internet-2  --------- (eth0/1) |          | (eth0/3) ------------ network-2 (secure)