Solved

How do we use multiple ISP IP addresses with only one port on the incoming device?

Posted on 2008-10-08
13
3,089 Views
Last Modified: 2013-11-16
We have been getting along fine by using the first IP address in the ISP-provided block with NAT and port forwarding.  Now, we are about to add a conferencing application and we'd like to use one of the other IPs provided by the ISP.

We are using a Juniper Netscreen SSG140 as the firewall, which has multiple interfaces.  There is only, however, one interface on the device from which the Internet connection originates (Cisco IAD).

What is the best way to go about using one of the other IP addresses?  If another routing technique is recommended using the primary IP, I am fine with that.  Our goal is to have external customers connect to conference.ourdomain.com.  I am not sure if that will reside on port 80, which is why I wanted to try to separate it from the primary IP address which already utilizes that port.

IP address block
x.x.x.249
x.x.x.250
x.x.x.251
x.x.x.252
x.x.x.253
x.x.x.254

Netmask:  255.255.255.248
First IP is Gateway, x.x.x.250 currently in use.

Thanks in advance!
0
Comment
Question by:wega1985
13 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 22671477
The easiest way is to just put a basic switch in between the ISP and the Netscreen.
That way you can use multiple ports on the Netscreen for WAN interfaces.
0
 

Author Comment

by:wega1985
ID: 22671523
Like a 5 port Linksys switch?  Does this adversely affect anything?  Is this a standard practice?
0
 
LVL 4

Expert Comment

by:icanhelp
ID: 22671730
I need to know why all IPs are necessary... better yet, what you want to do with all 5 available remaining IPs.  However, here's a stab at it without having much information (from a Cisco router's config):

Router(config)#  interface FA0/0
Router(config-if)#  ip address x.x.x.x <subnet_mask>
Router(config-if)#  ip address x.x.x.x <subnet_mask> secondary

...
the "secondary" keyword allows you to bind more than 1 ip address onto a single interface.

If this doesn't help, please provide a description of your exact challenge and I'll try to answer for you.

cheers,

rc
0
 

Author Comment

by:wega1985
ID: 22671839
Don't need all five, was just considering using another one.  Using a Juniper Netscreen SSG140 as the firewall.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 22672770
icanhelp-
The Juniper Netscreen SSG140 doesn't allow multiple secondary IP addresses on 'untrusted' interfaces.

wega1985-
Yes, that will work.
But, depending on how critical the link is, you may want to use something more reliable.
At the very least, use one of the Linksys 'business-class' switches such as the SRW-208:
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1153780852984&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=5298495123B19
0
 
LVL 4

Expert Comment

by:icanhelp
ID: 22675621
You could get a multi-vlan enabled switch such as a Cisco Catalyst 3550 and connect your Juniper interfaces on the switch.  You would then be able to configure your Juniper (outside) interfaces with multiple ip addresses and configure 1 (or more) "inside" interfaces to correspond to your internal (LAN) VLAN or DMZ VLAN....etc.

The nice thing about this approach is that you're keeping all your existing configurations and simply adding 1 new piece of hardware.  The really nice thing about Catalyst 3550s is that it's a layer 3 switch or routable switch and capable of creating virtual LANs, thus splitting traffic between what's meant for the DMZ and what's meant for local area traffic.  Lastly, these layer 3 switches are capable of setting up Access Control Lists and Quality of Service reservations....

rc
0

 

Author Comment

by:wega1985
ID: 22677796
We already have 4 3560s for the clients / phones.  Are you saying this new 3550 would be "before" the juniper, between the ISP and the firewall?  If this is the recommendation, which we cannot afford right now, I may try to find another way to simply use the one WAN IP that we're currently using.
0
 
LVL 4

Expert Comment

by:icanhelp
ID: 22677868
That is not what I'm suggesting at all.  Let me ask another question:  How many possible outside interface cards do you have (or can have) on your Juniper firewall?  If more than 1, great!  Half the work is done; all you'd do is use one of your existing 3550 switches, create a new VLAN and plug an inside interface from your JUNIPER wall into it.  Also move the switchport associated with this public/private NAT translation into this new VLAN and set up route statements to make the correct call to your Local Area VLAN.

If you specify exactly what (application or whatever) you're trying to map and let us know how many interfaces (both inside and out) on your Juniper wall, then we can provide a specific solution.
0
 

Author Comment

by:wega1985
ID: 22677938
Yes, the SSG140 definitely has multiple interfaces.  I am planning ahead for the installation of an Inter-Tel conferencing software package.  As stated in the initial question, we will have outside users/customers navigate to conference.ourdomain.com.  I'm not sure exactly the requirements of the software, as we haven't received it yet from the phone vendor.  Again, if using a second IP isn't the best approach, that is fine.  I don't know if the port can be adjusted in the software.
0
 
LVL 2

Expert Comment

by:iw0k
ID: 22688378
Well, it's a pretty basic feature of ScreenOS...
Let's just make things sure in order to be efficient:
   - Your ISP is providing you one internet connection with a router, and you're having a block of IPs as described on the same subnet.
   - You currently configured your WAN interface on your SSG140 using the x.x.x.250 IP address and x.x.x.249 as a gateway for that interface (which routes 0.0.0.0 towards it).
You just need to use another "WAN" IP address in order to use a new application which is supposed to use a port already used on the x.x.x.250.

Well, you just need to use a MIP / VIP address on your WAN interface... you actually don't need to unplug anything. The difference between MIP and VIP: MIP is mapping all the traffic towards one destination, whereas VIP maps one port to one destination. You can add multiple destinations depending on port for VIP, whereas you're stuck with only one destination with MIP.

To do that, simply log in to your Netscreen WebUI, go to the interface used by the WAN, go to Edit, on the top menu go to MIP / VIP and click on New.
Enter your mapped IP (x.x.x.251 for example), Host IP (LAN IP of your server), the netmask (255.255.255.255 since only one IP) and the Host Virtual Router if you have split your router domain.
After that, you need to go to your policy, from untrust to trust (depends which zone you're using...), select the source IP (MIP: x.x.x.251) and destination, the protocol... and that's it.

Now those things can also rely on some other parameters, such as your virtual routers... your zones... etc...
If you want further information, please paste the content of your vrouters table, the information about your interfaces, and the ipconfig information about your "conference" server and the zone where it's allocated.
0
 

Author Comment

by:wega1985
ID: 22688752
iw0k:
What you have described is my exact situation and goal.   We already have several VIPs defined for our email, RDP, etc. on our primary IP, 250.
Since I will probably want to only forward one or a couple ports to the conference server, it appears that another VIP would be the best option.
How do I add the new IP (251) to the interface so that it is an option in the VIP Virtual IP drop-down?  All that is appearing is the 250 IP.
0
 
LVL 2

Accepted Solution

by:
iw0k earned 500 total points
ID: 22690306
Well, to use VIP on an untrust interface, you need the untrust interface to have a subnet with the other available IPs.
I'm gonna give you an example.
Your eth3 interface needs to be 192.168.10.250 with a gateway of 192.168.10.249 while allowing the usage of further IPs up to 192.168.10.254.
You would need to set up your eth3 interface to IP Address: 192.168.10.250, Subnet: 255.255.255.248 (/29) and add the gateway of 192.168.10.249 to it.
Once it's done: Network > Interfaces > Edit (for ethernet3) > VIP: 192.168.10.251, then click Add.
Then (Network > Interfaces > Edit (for ethernet3)) VIP > New VIP Service: Enter
the following, then click OK:
Virtual IP: 192.168.10.251
Virtual Port: 80
Map to Service: HTTP (80)
Map to IP: 10.10.20.10 (IP of server)

After that you just need to add the policy:
From untrust to trust; source address: any; destination address: VIP(192.168.10.251); service HTTP; permit
0
 

Author Closing Comment

by:wega1985
ID: 31513633
Perfect!  I just had to update my ScreenOS and the option for the additional VIP appeared.  Thanks!
0
