Multiple Internet Gateways Interfaces Routing+VPN on Juniper SSG5

Posted on 2009-05-17
Last Modified: 2012-05-07
Hello !

I have been having a real hard time trying to setup a Juniper SSG5 Firewall device. I need to set it up for the company I work - a multimedia agency.
I need to say I am new to Juniper routers - and routing in general, so maybe the terminology I will use won't be very accurate.

Well, I`ve had setup already an SSG5 some time ago to use two (dynamic ip) cable internet connections [[ethernet0/0 & ethernet0/6]] on a fail-safe basis to route to our main network - [[bgroup0 = ethernet0/2]]

We have recently acquired a Mac Pro with Os X Leopard Server [[]] to run some services such as Open(Active) Directory, DNS, File Versioning server and it works very well on our internal network.
- Our first requirement is to open up VPN access so that we can securely access our file sharing services outside our network.

Secondly, aside from the two cable internet connections we already have, we have signed up for two more - so that we can securely publish live footage to the internet in real time. One of them is a fiber optic link (1Mbps U/D) [[ethernet 0/5]], and the other one a radio link (512 Kbps U/D) [[ethernet 0/4]]. Both of them have static IPs.

- We want to make another fail-safe configuration for a second network [[ethernet0/3]] that will be connected only to our studio equipment, that will publish directly the content to the internet.

- And lastly (finally!), We want to take advantage of the static ip of our fiber optic link (we actually have 4 static ip addresses by this link) to make it our VPN address, and maybe use it as the address of our server, to use it as a mail server as well. The first thing that comes into my mind is DMZ, but I don't even know how a DMZ setup really is[[ethernet0/1]].

I am sending our current config. As you can see the bgroup has the ethernet0/3 also, as I haven't been able to correctly setup the ethernet0/3 yet.
current config:

set clock timezone 0

set vrouter trust-vr sharable

set vrouter "untrust-vr"


set vrouter "trust-vr"

unset auto-route-export


set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "aragorn"

set admin password "xxx"

set admin auth timeout 10

set admin auth server "Local"

set admin privilege read-write

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "trust-vr"

set zone "DMZ" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst 

set zone "Untrust" block 

unset zone "Untrust" tcp-rst 

set zone "DMZ" tcp-rst 

set zone "VLAN" block 

unset zone "VLAN" tcp-rst 

set zone "Untrust" screen tear-drop

set zone "Untrust" screen syn-flood

set zone "Untrust" screen ping-death

set zone "Untrust" screen ip-filter-src

set zone "Untrust" screen land

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set interface "ethernet0/0" zone "Untrust"

set interface "ethernet0/1" zone "DMZ"

set interface "ethernet0/5" zone "Untrust"

set interface "ethernet0/6" zone "Untrust"

set interface "wireless0/0" zone "Trust"

set interface "bgroup0" zone "Trust"

set interface bgroup0 port ethernet0/2

set interface bgroup0 port ethernet0/3

set interface bgroup0 port wireless0/1

unset interface vlan1 ip

set interface ethernet0/0 ip 201.e0.e0.181/22

set interface ethernet0/0 route

set interface ethernet0/1 ip

set interface ethernet0/1 nat

set interface ethernet0/4 ip 201.e4.e4.10/29

set interface ethernet0/4 route

set interface ethernet0/5 ip 201.e5.e5.66/29

set interface ethernet0/5 route

set interface ethernet0/6 ip 201.e6.e6.88/20

set interface ethernet0/6 route

set interface bgroup0 ip

set interface bgroup0 nat

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface ethernet0/5 manage-ip 201.e5.e5.67

set interface ethernet0/4 manage-ip 201.e4.e4.11

set interface ethernet0/0 ip manageable

set interface ethernet0/1 ip manageable

set interface ethernet0/5 ip manageable

set interface ethernet0/6 ip manageable

set interface bgroup0 ip manageable

set interface ethernet0/0 backup interface ethernet0/6 type tunnel-if

set interface ethernet0/0 dhcp client enable

set interface ethernet0/6 dhcp client enable

unset interface ethernet0/6 dhcp client settings update-dhcpserver

set interface bgroup0 dhcp server service

set interface bgroup0 dhcp server auto

set interface bgroup0 dhcp server option gateway 

set interface bgroup0 dhcp server option netmask 

set interface bgroup0 dhcp server option domainname 

set interface bgroup0 dhcp server option dns1 

set interface bgroup0 dhcp server option dns2 

set interface bgroup0 dhcp server option wins1 

set interface bgroup0 dhcp server ip to 

unset interface bgroup0 dhcp server config next-server-ip

set interface "serial0/0" modem settings "USR" init "AT&F"

set interface "serial0/0" modem settings "USR" active

set interface "serial0/0" modem speed 115200

set interface "serial0/0" modem retry 3

set interface "serial0/0" modem interval 10

set interface "serial0/0" modem idle-time 10

set flow tcp-mss

unset flow no-tcp-seq-check

set flow tcp-syn-check

set domain gondor.c***

set hostname ssg5

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set dns host dns1 src-interface bgroup0

set dns host dns2

set dns host dns3

set ike respond-bad-spi 1

unset ike ikeid-enumeration

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set url protocol websense


set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 

set policy id 1


set monitor cpu 100

set global-pro policy-manager primary outgoing-interface ethernet0/0

set global-pro policy-manager secondary outgoing-interface ethernet0/0

set nsmgmt bulkcli reboot-timeout 60

set ssh version v2

set ssh enable

set config lock timeout 5

set wlan 0 channel auto

set wlan 1 channel auto

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"


set vrouter "trust-vr"

set source-routing enable

unset add-default-route

set route source interface ethernet0/1 gateway 

227.66 preference 20


set vrouter "untrust-vr"


set vrouter "trust-vr"


Open in new window

Question by:waneck
  • 2
LVL 68

Expert Comment

ID: 24410838
Phoooh, that's a lot of stuff. Let's consider one ofter another.

Your options are many. It depends on the remote side - mobile clients, corporate clients, Windows or Mac. If the Juniper should serve as VPN gateway (recommended!), you will either need a (IPSec) VPN client to be installed on each computer which should have access, or use a VPN router and site-2-site tunneling. With Mac, the client options are rare.
We need more info here.

Failsave configuation with eth0/3
I do not know what you mean exactly. Do you want to hardwire eth0/3 with eth0/4 & eth0/5 in failsave configuration, i.e. if eth0/5 is not available, use eth0/4, but only for the studio equipment?

Static IPs/Public Services
I would recommend to put public services into DMZ zone. That requires that the corresponding server is in an own network segment isolated from all other traffic, and plugged into a separate eth of SSG. You will have to define policies from Untrust to DMZ, DMZ to Trust, and Trust do DMZ according to your used services to have traffic flowing.

Why DMZ? Software flaws can be used to obtain access to the network for malicious code. If DMZ can't access important services on Trust, the harm is strongly restricted. Without DMZ, it could be more critical, e.g. infecting other PCs via network shares.

You should use one IP for mail and other public available services (or even another one for the latter).

VPN should have it's own IP - that way, you can easy drill-down what service is used. And it's less likely hacking attempts are applied. Not of high importance, IPSec on SSG is secure.


Author Comment

ID: 24415541
I kindly thank you for your comment! It has helped me structure the problem in a better way!

Falsave configuration on eth0/3:
Yes!! You understood it correctly! My main doubt is in regard to how can I configure this setup on the SSG5? I know how to make eth0/3 act as another DHCP server, give it another subnet address, define eth0/5 as a backup interface of eth0/4 but I can't seem to figure out how to configure where will they route to. By default, they seem to route to bgroup0. Should I define another vrouter for them? I have tried, but wasn't successful at all. (Many solutions come to my mind. Is it by source routing? Hasn't worked either. But still, I might not have been able to correctly configure this)

This problem extends to the static services, because it still is a source routing/vrouter/whatever configuration, and what really changes is that I don't know how to have multiple IPs (eg. 201.e5.e5.66 for the studio, 201.e5.e5.67 for VPN AND 201.e5.e5.68 for the mail server) coming out from a single ethernet interface. Is that possible on ScreenOS ?

I'm sorry to have written so many questions in only one. It's my first Experts Exchange question. I guess we could leave the VPN & DMZ-specific questions for another question, then! : )

Thank you very much!
LVL 68

Accepted Solution

Qlemo earned 500 total points
ID: 24416947
Agreed to VPN part, we can consider that later in another question.

Let's have a look on routing. I do not know how the SSG5 is structured internally with that bgroup0 thing, but I know about interface based routing.
In WebUI, Routing, choose Source Interface Routing,
choose eth0/3,
create a new default route ( for eth0/3 using interface eth0/5 as gateway,
and again with eth0/4 and lower preference or higher metric, whatever you like best.

Of course you need to setup IP adresses for all interfaces, and assign them to Trust (eth0/3) respective Untrust (eth0/4, eth0/5).

You could use own zones (if you are able to add two with SSG5), but then you have to create policies for them. If you want to secure it with own policies, this is one track to follow (another one are normal Trust-Untrust policies based on the IP addresses).

As you have asked for it: vrouters are needed to separate routing domains, which is useful if you have dynamic routing protocols like OSPF or RIP (aaaarggh), and want to separate the routes gotten for one interface from those from others.

Next point, multipe static IPs. Yes, it's possible and called MIP. You define them on the interface, and create a 1:1 mapping to an internal address. You will need to create a policy Untrust to Trust, with MIP as source address and the internal network as destination, and service restrictions as you like.


Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
jump server vs push server 6 154
VPN doubts 4 59
L2TP/IPSec VPN Passthrough Cisco ASA 5505 8.2(5) to Server 2008 R2 4 53
Botnet detection help me please 21 86
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now