How do we use multiple ISP IP addresses with only one port on the incoming device?

We have been getting along fine by using the first IP address in the ISP-provided block with NAT and port forwarding.  Now, we are about to add a conferencing application and we'd like to use one of the other IPs provided by the ISP.

We are using a Juniper Netscreen SSG140 as the firewall, which has multiple interfaces.  There is only, however, one interface on the device from which the Internet connection originates (Cisco IAD).

What is the best way to go about using one of the other IP addresses?  If another routing technique is recommended using the primary IP, I am fine with that.  Our goal is to have external customers connect to  I am not sure if that will reside on port 80, which is why I wanted to try to separate it from the primary IP address which already utilizes that port.

IP address block

First IP is Gateway, x.x.x.250 currently in use.

Thanks in advance!
Who is Participating?
iw0kConnect With a Mentor Commented:
Well to use VIP on an untrust interface, you need the untrust interface to have a subnet with the other available IP.
I'm gonna give you an example.
Your eth3 interface needs to be with a gateway of while allowing the usage of further ip until
It would need you to setup your eth3 interface to IP Address : Subnet : (/29) and adding the gateway of to it.
Once it's done : Network > Interfaces > Edit (for ethernet3) > VIP:, then click Add.
Then (Network > Interfaces > Edit (for ethernet3) ) VIP > New VIP Service: Enter
the following, then click OK:
Virtual IP:
Virtual Port: 80
Map to Service: HTTP (80)
Map to IP: (ip server)

After that you just need to add the policy :
From untrust to trust ; source adress : any ; destination address : VIP(; service http ; permit
the easiest way is to just put a basic switch in between the ISP and the Netscreen.
That way you can use multiple ports on the Netscreen for WAn interfaces.
wega1985Author Commented:
Like a 5 port Linksys switch?  Does this adversely affect anything?  Is this a standard practice?
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

I need to know why all IP's are necessary...better yet, what you want to do with all 5 available remaining IPs.  However, here' s a stab at it without having much information (from a cisco router's config)

Router(config)#  interface FA0/0
Router(config-interface)#  ip address x.x.x.x <subnet_mask>
Router(config-interface)#  ip address x.x.x.x <subnet_mask> secondary

the "secondary" keyword allows you to bind more than 1 ip address onto a single interface.

if this doesn't help, please provide a description of your exact challenge and I'll try to answer for u.


wega1985Author Commented:
Don't need all five, was just considering using another one.  Using a Juniper Netscreen SSG140 as the firewall.
The Juniper Netwcreen SSG140 doesn't allow multiple secondary IP addresses on 'untrusted' interfaces.

Yes, that will work.
But, depending on how critical the link is, you may want to use something more reliable.
At the very least, use one of the Linksys 'business-class' switches such as the SRW-208:
You could get a multi-vlan enabled switch such as a Cisco Catalyst 3550 and connect your Juniper interfaces on the switch.  You would then be able to configure your Juniper (outside) interfaces with multiple ip addresses and configure 1 (or more) "inside" interfaces to correspond to your internal (LAN) VLAN or DMZ VLAN....etc.

The nice thing about this approach is that you're keeping all your existing configurations and simply adding 1 new piece of hardware.  The really nice thing about Catalyst 3550's is that it's a layer 3 switch or routable switch and capable of creating virtual lans thus splitting traffic between what's meant for the DMZ and what's meant for local area traffic.  Lastly, these layer 3 switches are capable of setting up Access Control Lists and Quality of Service reservations....

wega1985Author Commented:
We already have 4 3560s for the clients / phones.  Are you saying this new 3550 would be "before" the juniper, between the ISP and the firewall?  If this is the recommendation, which we cannot afford right now, I may try to find another way to simply use the one WAN IP that we're currently using.
that is not what I'm suggesting at all.  Let me ask another question:  How many possible outside interface cards do you have (or can have) on your Juniper firewall?  If more than 1, great!  Half the work is done, all you'd do is use one of your existing 3550 switches and create a new VLAN and plug an inside interface from your JUNIPER wall into it.  Also move the switchport associated with this public/private nat translation into this new VLAN and setup route statements to make correct call to your Local Area VLAN.

If you specify exactly what (application or whatever) you're trying to map and let us know how many interfaces (both inside and out) on your Juniper wall, then we can provide a specific solution.
wega1985Author Commented:
Yes, the SSG140 definitely has multiple interfaces.  I am planning ahead for the installation of an Inter-Tel conferencing software package.  As stated in the initial question, we will have outside users/customers navigate to  I'm not sure exactly the requirements of the software, as we haven't received it yet from the phone vendor.  Again, if using a second IP isn't the best approach, that is fine.  I don't know if the port can be adjusted in the software.
Well, it's pretty basic feature from the screenos...
Let's just make things sure in order to be efficient :
   - Your ISP is providing you one internet connection with a router, and your having a block of ip as described on the same subnet.
   - You currently configured your WAN interface on your SSG140 using the x.x.x.250 ip address and x.x.x.249 as a gateway for that interface (which route towards it).
You just need to use another "WAN" ip address in order to use a new application which is supposed to use a port already used on the x.x.x.250.

Well, you just need to use MIP / VIP address on your WAN interface... you actually don't need to plug out anything. The difference between MIP and VIP, MIP is mapping all the traffic towards one destination where VIP mapping one port to one destination. You can add multiple destination dependings on port for VIP where you're stuck with only one destination with MIP.

To do that, simply log in to your netscreen webui, go to your interface used by the wan, go to edit, on the top menu go to MIP / VIP and click on new.
Enter your mapped ip : (x.x.x.251 for example) Host IP (lan ip of your server) the netmask ( since only one ip) and the Host Virtual Router if you have splitted your router domain.
After that, you need to go to your policy, from untrust to trust (depends which zone you're using...) select the source ip (MIP: x.x.x.251) and destination, the protocol... and that's it.

Now those things can rely also on some other parameters, such as your virtual routers... your zones... etc...
If you want further information, please paste the content of your vrouters table, the information with your interfaces, and the ipconfig information about your "conference" server and the zone where it's alocated.
wega1985Author Commented:
What you have described is my exact situation and goal.   We already have several VIPs defined for our email, RDP, etc. on our primary IP, 250.
Since I will probably want to only forward one or a couple ports to the conference server, it appears that another VIP would be the best option.
How do I add the new IP (251) to the interface so that it is an option in the VIP Virtual IP drop-down?  All that is appearing is the 250 IP.
wega1985Author Commented:
Perfect!  I just had to update my ScreenOS and the option for the additional VIP appeared.  Thanks!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.