

How do we use multiple ISP IP addresses with only one port on the incoming device?

Posted on 2008-10-08
Medium Priority
Last Modified: 2013-11-16
We have been getting along fine by using the first IP address in the ISP-provided block with NAT and port forwarding.  Now, we are about to add a conferencing application and we'd like to use one of the other IPs provided by the ISP.

We are using a Juniper Netscreen SSG140 as the firewall, which has multiple interfaces.  There is only, however, one interface on the device from which the Internet connection originates (Cisco IAD).

What is the best way to go about using one of the other IP addresses?  If another routing technique is recommended using the primary IP, I am fine with that.  Our goal is to have external customers connect to  I am not sure if that will reside on port 80, which is why I wanted to try to separate it from the primary IP address which already utilizes that port.

IP address block

First IP is Gateway, x.x.x.250 currently in use.

Thanks in advance!
Question by:wega1985

Expert Comment

ID: 22671477
The easiest way is to just put a basic switch in between the ISP and the Netscreen.
That way you can use multiple ports on the Netscreen for WAN interfaces.

Author Comment

ID: 22671523
Like a 5 port Linksys switch?  Does this adversely affect anything?  Is this a standard practice?

Expert Comment

ID: 22671730
I need to know why all IPs are necessary... better yet, what you want to do with all 5 available remaining IPs.  However, here's a stab at it without having much information (from a Cisco router's config):

Router(config)#  interface FA0/0
Router(config-if)#  ip address x.x.x.x <subnet_mask>
Router(config-if)#  ip address x.x.x.x <subnet_mask> secondary

The "secondary" keyword allows you to bind more than 1 IP address onto a single interface.

If this doesn't help, please provide a description of your exact challenge and I'll try to answer for you.




Author Comment

ID: 22671839
Don't need all five, was just considering using another one.  Using a Juniper Netscreen SSG140 as the firewall.

Expert Comment

ID: 22672770
The Juniper Netscreen SSG140 doesn't allow multiple secondary IP addresses on 'untrusted' interfaces.

Yes, that will work.
But, depending on how critical the link is, you may want to use something more reliable.
At the very least, use one of the Linksys 'business-class' switches such as the SRW-208:

Expert Comment

ID: 22675621
You could get a multi-vlan enabled switch such as a Cisco Catalyst 3550 and connect your Juniper interfaces on the switch.  You would then be able to configure your Juniper (outside) interfaces with multiple ip addresses and configure 1 (or more) "inside" interfaces to correspond to your internal (LAN) VLAN or DMZ VLAN....etc.

The nice thing about this approach is that you're keeping all your existing configurations and simply adding 1 new piece of hardware.  The really nice thing about Catalyst 3550's is that it's a layer 3 switch or routable switch and capable of creating virtual lans thus splitting traffic between what's meant for the DMZ and what's meant for local area traffic.  Lastly, these layer 3 switches are capable of setting up Access Control Lists and Quality of Service reservations....


Author Comment

ID: 22677796
We already have 4 3560s for the clients / phones.  Are you saying this new 3550 would be "before" the juniper, between the ISP and the firewall?  If this is the recommendation, which we cannot afford right now, I may try to find another way to simply use the one WAN IP that we're currently using.

Expert Comment

ID: 22677868
That is not what I'm suggesting at all.  Let me ask another question:  How many possible outside interface cards do you have (or can have) on your Juniper firewall?  If more than 1, great!  Half the work is done; all you'd do is use one of your existing 3550 switches, create a new VLAN and plug an inside interface from your JUNIPER wall into it.  Also move the switchport associated with this public/private NAT translation into this new VLAN and set up route statements to make the correct call to your Local Area VLAN.

If you specify exactly what (application or whatever) you're trying to map and let us know how many interfaces (both inside and out) on your Juniper wall, then we can provide a specific solution.

Author Comment

ID: 22677938
Yes, the SSG140 definitely has multiple interfaces.  I am planning ahead for the installation of an Inter-Tel conferencing software package.  As stated in the initial question, we will have outside users/customers navigate to  I'm not sure exactly the requirements of the software, as we haven't received it yet from the phone vendor.  Again, if using a second IP isn't the best approach, that is fine.  I don't know if the port can be adjusted in the software.

Expert Comment

ID: 22688378
Well, it's a pretty basic feature of ScreenOS...
Let's just make sure of things in order to be efficient:
   - Your ISP is providing you one internet connection with a router, and you have a block of IPs as described on the same subnet.
   - You currently have the WAN interface on your SSG140 configured using the x.x.x.250 IP address and x.x.x.249 as the gateway for that interface (which routes towards it).
You just need to use another "WAN" IP address in order to use a new application which is supposed to use a port already used on x.x.x.250.

Well, you just need to use a MIP / VIP address on your WAN interface... you actually don't need to unplug anything. The difference between MIP and VIP: a MIP maps all the traffic towards one destination, whereas a VIP maps one port to one destination. You can add multiple destinations depending on the port with a VIP, whereas you're stuck with only one destination with a MIP.

To do that, simply log in to your Netscreen WebUI, go to the interface used by the WAN, go to Edit, then on the top menu go to MIP / VIP and click on New.
Enter your mapped IP (x.x.x.251 for example), the Host IP (LAN IP of your server), the netmask ( since only one IP) and the Host Virtual Router if you have split your router domain.
After that, you need to go to your policy, from untrust to trust (depends which zone you're using...), select the source IP, the destination (MIP: x.x.x.251), the protocol... and that's it.

Now those things can also rely on some other parameters, such as your virtual routers... your zones... etc...
If you want further information, please paste the content of your vrouters table, the information about your interfaces, and the ipconfig information about your "conference" server and the zone where it's allocated.

Author Comment

ID: 22688752
What you have described is my exact situation and goal.   We already have several VIPs defined for our email, RDP, etc. on our primary IP, 250.
Since I will probably want to only forward one or a couple ports to the conference server, it appears that another VIP would be the best option.
How do I add the new IP (251) to the interface so that it is an option in the VIP Virtual IP drop-down?  All that is appearing is the 250 IP.

Accepted Solution

iw0k earned 2000 total points
ID: 22690306
Well, to use a VIP on an untrust interface, you need the untrust interface to have a subnet with the other available IPs.
I'm gonna give you an example.
Your eth3 interface needs to be with a gateway of while allowing the usage of further IPs until
It would need you to set up your eth3 interface to IP Address : Subnet : (/29) and adding the gateway of to it.
Once it's done : Network > Interfaces > Edit (for ethernet3) > VIP:, then click Add.
Then (Network > Interfaces > Edit (for ethernet3) ) VIP > New VIP Service: Enter
the following, then click OK:
Virtual IP:
Virtual Port: 80
Map to Service: HTTP (80)
Map to IP: (ip server)

After that you just need to add the policy :
From untrust to trust ; source address : any ; destination address : VIP(; service http ; permit
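
The MIP/VIP mappings and the untrust-to-trust policy described in the answers above together decide which internal hosts become reachable from the Internet. The following added example (not code from the thread or from Juniper) parses a constructed ScreenOS-style configuration and lists what each permit policy exposes; the addresses, interface name, service names, the `inbound_exposure` helper and the treatment of service ANY are assumptions.

```python
import re
import shlex

# Constructed sample in ScreenOS saved-config style; addresses are documentation ranges.
SAMPLE_CONFIG = """
set interface "ethernet0/2" ip 203.0.113.250/29
set interface "ethernet0/2" vip 203.0.113.251 80 "HTTP" 10.0.0.20
set interface "ethernet0/2" vip 203.0.113.251 3389 "RDP" 10.0.0.21
set interface "ethernet0/2" mip 203.0.113.252 host 10.0.0.30 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "VIP(203.0.113.251)" "HTTP" permit
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(203.0.113.252)" "ANY" permit
"""

def inbound_exposure(config):
    """Hypothetical audit helper. Returns (reachable, unreferenced):
    reachable    -- (public_ip, port_or_service, internal_host) allowed by a permit policy
    unreferenced -- (public_ip, port) VIP entries that no permit policy covers"""
    vips, mips, policies, reachable = [], {}, [], []
    for line in config.splitlines():
        t = shlex.split(line)  # strips the quotes ScreenOS puts around names
        if t[:2] == ["set", "interface"] and len(t) >= 8 and t[3] == "vip":
            vips.append({"ip": t[4], "port": int(t[5]), "svc": t[6].upper(), "host": t[7]})
        elif t[:2] == ["set", "interface"] and len(t) >= 7 and t[3] == "mip":
            mips[t[4]] = t[6]  # public IP -> internal host, one-to-one
        elif t[:2] == ["set", "policy"] and "from" in t and t[-1] == "permit":
            i = t.index("from")  # from <zone> to <zone> <src> <dst> <service> permit
            if len(t) >= i + 8:
                policies.append((t[i + 5], t[i + 6].upper()))
    for dst, svc in policies:
        m = re.fullmatch(r"(VIP|MIP)\((.+)\)", dst, re.I)
        if not m:
            continue
        kind, ip = m.group(1).upper(), m.group(2)
        if kind == "VIP":
            # Assumption: the policy service names the VIP's mapped service, or is ANY.
            for v in vips:
                if v["ip"] == ip and svc in (v["svc"], "ANY"):
                    reachable.append((ip, v["port"], v["host"]))
                    v["covered"] = True
        elif ip in mips:
            # A MIP forwards every port the policy's service allows to the one host.
            reachable.append((ip, svc, mips[ip]))
    unreferenced = [(v["ip"], v["port"]) for v in vips if not v.get("covered")]
    return reachable, unreferenced

if __name__ == "__main__":
    print(inbound_exposure(SAMPLE_CONFIG))
```

A MIP entry reported with service ANY means every port on that internal host is exposed, which is the case where a per-port VIP or a narrower policy service is the tighter choice.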

Author Closing Comment

ID: 31513633
Perfect!  I just had to update my ScreenOS and the option for the additional VIP appeared.  Thanks!
