How do we use multiple ISP IP addresses with only one port on the incoming device?

Posted on 2008-10-08
Medium Priority
Last Modified: 2013-11-16
We have been getting along fine by using the first IP address in the ISP-provided block with NAT and port forwarding.  Now, we are about to add a conferencing application and we'd like to use one of the other IPs provided by the ISP.

We are using a Juniper Netscreen SSG140 as the firewall, which has multiple interfaces.  There is only, however, one interface on the device from which the Internet connection originates (Cisco IAD).

What is the best way to go about using one of the other IP addresses?  If another routing technique is recommended using the primary IP, I am fine with that.  Our goal is to have external customers connect to conference.ourdomain.com.  I am not sure if that will reside on port 80, which is why I wanted to try to separate it from the primary IP address which already utilizes that port.

IP address block

First IP is Gateway, x.x.x.250 currently in use.

Thanks in advance!
Question by:wega1985

Expert Comment

ID: 22671477
The easiest way is to just put a basic switch in between the ISP and the Netscreen.
That way you can use multiple ports on the Netscreen for WAN interfaces.

Author Comment

ID: 22671523
Like a 5 port Linksys switch?  Does this adversely affect anything?  Is this a standard practice?

Expert Comment

ID: 22671730
I need to know why all IPs are necessary... better yet, what you want to do with all 5 available remaining IPs. However, here's a stab at it without having much information (from a Cisco router's config):

Router(config)# interface FastEthernet0/0
Router(config-if)# ip address x.x.x.x <subnet_mask>
Router(config-if)# ip address x.x.x.x <subnet_mask> secondary

The "secondary" keyword allows you to bind more than 1 IP address onto a single interface.

If this doesn't help, please provide a description of your exact challenge and I'll try to answer for you.


Author Comment

ID: 22671839
Don't need all five, was just considering using another one.  Using a Juniper Netscreen SSG140 as the firewall.

Expert Comment

ID: 22672770
The Juniper Netscreen SSG140 doesn't allow multiple secondary IP addresses on 'untrusted' interfaces.

Yes, that will work.
But, depending on how critical the link is, you may want to use something more reliable.
At the very least, use one of the Linksys 'business-class' switches such as the SRW-208:

Expert Comment

ID: 22675621
You could get a multi-VLAN enabled switch such as a Cisco Catalyst 3550 and connect your Juniper interfaces to the switch. You would then be able to configure your Juniper (outside) interfaces with multiple IP addresses and configure 1 (or more) "inside" interfaces to correspond to your internal (LAN) VLAN or DMZ VLAN... etc.

The nice thing about this approach is that you're keeping all your existing configurations and simply adding 1 new piece of hardware. The really nice thing about Catalyst 3550s is that it's a layer 3 switch or routable switch and capable of creating virtual LANs, thus splitting traffic between what's meant for the DMZ and what's meant for local area traffic. Lastly, these layer 3 switches are capable of setting up Access Control Lists and Quality of Service reservations....


Author Comment

ID: 22677796
We already have 4 3560s for the clients / phones.  Are you saying this new 3550 would be "before" the juniper, between the ISP and the firewall?  If this is the recommendation, which we cannot afford right now, I may try to find another way to simply use the one WAN IP that we're currently using.

Expert Comment

ID: 22677868
That is not what I'm suggesting at all. Let me ask another question: how many possible outside interface cards do you have (or can have) on your Juniper firewall? If more than 1, great! Half the work is done; all you'd do is use one of your existing 3550 switches and create a new VLAN and plug an inside interface from your JUNIPER wall into it. Also move the switchport associated with this public/private NAT translation into this new VLAN and set up route statements to make the correct call to your Local Area VLAN.

If you specify exactly what (application or whatever) you're trying to map and let us know how many interfaces (both inside and out) on your Juniper wall, then we can provide a specific solution.

Author Comment

ID: 22677938
Yes, the SSG140 definitely has multiple interfaces.  I am planning ahead for the installation of an Inter-Tel conferencing software package.  As stated in the initial question, we will have outside users/customers navigate to conference.ourdomain.com.  I'm not sure exactly the requirements of the software, as we haven't received it yet from the phone vendor.  Again, if using a second IP isn't the best approach, that is fine.  I don't know if the port can be adjusted in the software.

Expert Comment

ID: 22688378
Well, it's a pretty basic feature of ScreenOS...
Let's just make sure of things in order to be efficient:
   - Your ISP is providing you one internet connection with a router, and you're having a block of IPs as described on the same subnet.
   - You currently configured your WAN interface on your SSG140 using the x.x.x.250 IP address and x.x.x.249 as a gateway for that interface (which routes towards it).
You just need to use another "WAN" IP address in order to use a new application which is supposed to use a port already used on the x.x.x.250.

Well, you just need to use a MIP / VIP address on your WAN interface... you actually don't need to unplug anything. The difference between MIP and VIP: MIP maps all the traffic towards one destination, whereas VIP maps one port to one destination. You can add multiple destinations depending on port for VIP, where you're stuck with only one destination with MIP.

To do that, simply log in to your Netscreen WebUI, go to the interface used by the WAN, go to edit, on the top menu go to MIP / VIP and click on new.
Enter your mapped IP (x.x.x.251 for example), Host IP (LAN IP of your server), the netmask (since only one IP) and the Host Virtual Router if you have split your router domain.
After that, you need to go to your policy, from untrust to trust (depends which zone you're using...), select the source IP (MIP: x.x.x.251) and destination, the protocol... and that's it.

Now those things can also rely on some other parameters, such as your virtual routers... your zones... etc...
If you want further information, please paste the content of your vrouters table, the information about your interfaces, and the ipconfig information about your "conference" server and the zone where it's allocated.

Author Comment

ID: 22688752
What you have described is my exact situation and goal.   We already have several VIPs defined for our email, RDP, etc. on our primary IP, 250.
Since I will probably want to only forward one or a couple ports to the conference server, it appears that another VIP would be the best option.
How do I add the new IP (251) to the interface so that it is an option in the VIP Virtual IP drop-down?  All that is appearing is the 250 IP.

Accepted Solution

iw0k earned 2000 total points
ID: 22690306
Well, to use VIP on an untrust interface, you need the untrust interface to have a subnet with the other available IP.
I'm gonna give you an example.
Your eth3 interface needs to be with a gateway of while allowing the usage of further IPs until
It would need you to set up your eth3 interface to IP Address : Subnet : (/29) and add the gateway of to it.
Once it's done : Network > Interfaces > Edit (for ethernet3) > VIP:, then click Add.
Then (Network > Interfaces > Edit (for ethernet3) ) VIP > New VIP Service: Enter
the following, then click OK:
Virtual IP:
Virtual Port: 80
Map to Service: HTTP (80)
Map to IP: (ip server)

After that you just need to add the policy:
From untrust to trust ; source address : any ; destination address : VIP(; service http ; permit
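As an added example (not from this thread), a small Python planner for the WebUI steps above and for the MIP/VIP distinction from the earlier comment: it checks that the extra public address actually fits the untrust interface's subnet (the reason the VIP drop-down only showed .250), rejects a duplicated public port on one VIP, and emits the equivalent ScreenOS CLI lines. The 203.0.113.0/29 block, the interface name ethernet3 and the LAN hosts are constructed stand-ins for the x.x.x.x values in the thread; the CLI forms are from memory of ScreenOS and should be checked against your release's CLI reference.

```python
"""Plan VIP / MIP mappings for a ScreenOS untrust interface and emit CLI lines.
Checks what the thread tripped over: the extra public IP must lie inside the WAN
interface's subnet and be neither the interface address, the ISP gateway nor the
network/broadcast address; one VIP cannot map the same public port twice."""
import ipaddress

# Constructed sample values standing in for the x.x.x.0/29 block in the question.
WAN_IF = "ethernet3"
WAN_IP = "203.0.113.250"       # the ".250" already in use
WAN_PREFIX = 29                # /29: .249-.254 usable
WAN_GATEWAY = "203.0.113.249"  # ISP router

def check_public_ip(public_ip):
    """Problems with using public_ip as a VIP/MIP on WAN_IF; empty list means usable."""
    net = ipaddress.ip_interface(f"{WAN_IP}/{WAN_PREFIX}").network
    ip = ipaddress.ip_address(public_ip)
    problems = []
    if ip not in net:
        problems.append(f"{ip} is outside {net}; only interface-subnet addresses can be VIPs")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if ip == ipaddress.ip_address(WAN_IP):
        problems.append(f"{ip} is already the {WAN_IF} interface address")
    if ip == ipaddress.ip_address(WAN_GATEWAY):
        problems.append(f"{ip} is the ISP gateway")
    return problems

def vip_config(public_ip, services, zone_from="untrust", zone_to="trust"):
    """services: [(public_port, service_name, lan_host), ...] -> ScreenOS CLI lines.
    A VIP maps one public port to one host, so a port may appear only once."""
    problems = check_public_ip(public_ip)
    if problems:
        raise ValueError("; ".join(problems))
    lines, seen = [], set()
    for port, svc, host in services:
        if port in seen:
            raise ValueError(f"port {port} is already mapped on VIP {public_ip}")
        seen.add(port)
        plus = "+ " if lines else ""  # '+' adds a further service to an existing VIP
        lines.append(f"set interface {WAN_IF} vip {public_ip} {plus}{port} {svc} {host}")
        lines.append(f"set policy from {zone_from} to {zone_to} any vip({public_ip}) {svc} permit")
    return lines

def mip_config(public_ip, lan_host, vrouter="trust-vr"):
    """MIP: the whole public address, every port, to one LAN host."""
    problems = check_public_ip(public_ip)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"set interface {WAN_IF} mip {public_ip} host {lan_host} netmask 255.255.255.255 vr {vrouter}",
            f"set policy from untrust to trust any mip({public_ip}) any permit"]
```

Run `vip_config("203.0.113.251", [(80, "HTTP", "192.168.10.20")])` to get the two lines for the conference server; a VIP on .250 or .249 raises a ValueError naming the conflict instead.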

Author Closing Comment

ID: 31513633
Perfect!  I just had to update my ScreenOS and the option for the additional VIP appeared.  Thanks!
