Multiple Internet Gateways Interfaces Routing+VPN on Juniper SSG5

Hello!

I have been having a really hard time trying to set up a Juniper SSG5 firewall device. I need to set it up for the company I work for - a multimedia agency.
I have to say I am new to Juniper routers - and to routing in general, so maybe the terminology I use won't be very accurate.

Well, I had already set up an SSG5 some time ago to use two (dynamic IP) cable internet connections [[ethernet0/0 & ethernet0/6]] on a fail-safe basis to route to our main network [[bgroup0 = ethernet0/2]].

We have recently acquired a Mac Pro with OS X Leopard Server [[]] to run some services such as Open (Active) Directory, DNS and a file versioning server, and it works very well on our internal network.
- Our first requirement is to open up VPN access so that we can securely access our file sharing services from outside our network.

Secondly, aside from the two cable internet connections we already have, we have signed up for two more, so that we can securely publish live footage to the internet in real time. One of them is a fiber optic link (1 Mbps U/D) [[ethernet0/5]], and the other one a radio link (512 Kbps U/D) [[ethernet0/4]]. Both of them have static IPs.

- We want to make another fail-safe configuration for a second network [[ethernet0/3]] that will be connected only to our studio equipment, which will publish the content directly to the internet.

- And lastly (finally!), we want to take advantage of the static IP of our fiber optic link (we actually have 4 static IP addresses on this link) to make it our VPN address, and maybe use it as the address of our server, so we can use it as a mail server as well. The first thing that comes to my mind is a DMZ, but I don't even know how a DMZ setup really works [[ethernet0/1]].

I am sending our current config. As you can see, the bgroup has ethernet0/3 too, as I haven't been able to correctly set up ethernet0/3 yet.
Current config:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "aragorn"
set admin password "xxx"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/5" zone "Untrust"
set interface "ethernet0/6" zone "Untrust"
set interface "wireless0/0" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port wireless0/1
unset interface vlan1 ip
set interface ethernet0/0 ip 201.e0.e0.181/22
set interface ethernet0/0 route
set interface ethernet0/1 ip
set interface ethernet0/1 nat
set interface ethernet0/4 ip 201.e4.e4.10/29
set interface ethernet0/4 route
set interface ethernet0/5 ip 201.e5.e5.66/29
set interface ethernet0/5 route
set interface ethernet0/6 ip 201.e6.e6.88/20
set interface ethernet0/6 route
set interface bgroup0 ip
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/5 manage-ip 201.e5.e5.67
set interface ethernet0/4 manage-ip 201.e4.e4.11
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/5 ip manageable
set interface ethernet0/6 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 backup interface ethernet0/6 type tunnel-if
set interface ethernet0/0 dhcp client enable
set interface ethernet0/6 dhcp client enable
unset interface ethernet0/6 dhcp client settings update-dhcpserver
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway 
set interface bgroup0 dhcp server option netmask 
set interface bgroup0 dhcp server option domainname 
set interface bgroup0 dhcp server option dns1 
set interface bgroup0 dhcp server option dns2 
set interface bgroup0 dhcp server option wins1 
set interface bgroup0 dhcp server ip to 
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain gondor.c***
set hostname ssg5
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 src-interface bgroup0
set dns host dns2
set dns host dns3
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 1
set monitor cpu 100
set global-pro policy-manager primary outgoing-interface ethernet0/0
set global-pro policy-manager secondary outgoing-interface ethernet0/0
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set wlan 0 channel auto
set wlan 1 channel auto
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set vrouter "trust-vr"
set source-routing enable
unset add-default-route
set route source interface ethernet0/1 gateway 227.66 preference 20
set vrouter "untrust-vr"
set vrouter "trust-vr"

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Agreed on the VPN part; we can consider that later in another question.

Let's have a look at routing. I do not know how the SSG5 is structured internally with that bgroup0 thing, but I know about interface-based routing.
In the WebUI, under Routing, choose Source Interface Routing,
choose eth0/3,
create a new default route ( for eth0/3 using interface eth0/5 as gateway,
and again with eth0/4 and a lower preference or higher metric, whatever you like best.

Of course you need to set up IP addresses for all interfaces, and assign them to Trust (eth0/3) and Untrust (eth0/4, eth0/5) respectively.

You could use your own zones (if you are able to add two on the SSG5), but then you have to create policies for them. If you want to secure it with your own policies, this is one track to follow (another one is normal Trust-Untrust policies based on the IP addresses).

As you have asked for it: vrouters are needed to separate routing domains, which is useful if you have dynamic routing protocols like OSPF or RIP (aaaarggh), and want to separate the routes learned on one interface from those from others.

Next point, multiple static IPs. Yes, it's possible and called MIP. You define them on the interface, and create a 1:1 mapping to an internal address. You will need to create a policy from Untrust to Trust, with the MIP as source address and the internal network as destination, and service restrictions as you like.
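
The source-interface routing and MIP steps described in this answer, written out as ScreenOS CLI in an added illustration that is not part of Qlemo's reply or of the poster's config. The studio subnet (192.168.30.0/24), the DMZ mail host (172.16.1.25), the fibre and radio next hops (203.0.113.65, 198.51.100.9) and the spare fibre address (203.0.113.68) are assumed placeholders, since the thread's real addresses are redacted; eth0/4 and eth0/5 are assumed to already sit in Untrust with their IPs, as in the posted config. The `#` lines are explanatory and not ScreenOS syntax.

```screenos
# 1. Take ethernet0/3 out of bgroup0 and give the studio LAN its own Trust subnet
#    (placeholder 192.168.30.0/24) so its traffic can be routed separately.
unset interface bgroup0 port ethernet0/3
set interface ethernet0/3 zone "Trust"
set interface ethernet0/3 ip 192.168.30.1/24
set interface ethernet0/3 nat

# 2. Source-interface-based routing (SIBR): packets that enter on ethernet0/3 get
#    their own default routes. In ScreenOS the higher preference wins, so the
#    fibre link (eth0/5) is preferred and the radio link (eth0/4) is the fallback.
set vrouter "trust-vr" sibr-routing enable
set vrouter "trust-vr" route source in-interface ethernet0/3 0.0.0.0/0 interface ethernet0/5 gateway 203.0.113.65 preference 20
set vrouter "trust-vr" route source in-interface ethernet0/3 0.0.0.0/0 interface ethernet0/4 gateway 198.51.100.9 preference 10

# 3. Track the fibre next hop (assumed address); if it stops answering, ethernet0/5
#    is marked down, its routes become inactive and the studio falls through to
#    the radio route above.
set interface ethernet0/5 monitor track-ip ip
set interface ethernet0/5 monitor track-ip ip 203.0.113.65
set interface ethernet0/5 monitor track-ip threshold 1

# 4. Map one of the spare static fibre addresses 1:1 (MIP) to the mail server in
#    the DMZ, and admit only SMTP from the internet to that mapped host.
set interface ethernet0/5 mip 203.0.113.68 host 172.16.1.25 netmask 255.255.255.255 vr "trust-vr"
set policy from "Untrust" to "DMZ" "Any" "MIP(203.0.113.68)" "SMTP" permit
```

Apply the routes and the track-ip with `get route` / `get interface ethernet0/5 monitor` to confirm which default route is active for the studio interface before moving production traffic onto it.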

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Phoooh, that's a lot of stuff. Let's consider one after another.

Your options are many. It depends on the remote side - mobile clients, corporate clients, Windows or Mac. If the Juniper should serve as VPN gateway (recommended!), you will either need an (IPSec) VPN client installed on each computer which should have access, or use a VPN router and site-2-site tunneling. With Mac, the client options are rare.
We need more info here.

Failsafe configuration with eth0/3
I do not know what you mean exactly. Do you want to hardwire eth0/3 with eth0/4 & eth0/5 in a failsafe configuration, i.e. if eth0/5 is not available, use eth0/4, but only for the studio equipment?

Static IPs/Public Services
I would recommend putting public services into the DMZ zone. That requires that the corresponding server is in its own network segment isolated from all other traffic, and plugged into a separate eth port of the SSG. You will have to define policies from Untrust to DMZ, DMZ to Trust, and Trust to DMZ according to the services you use to have traffic flowing.

Why DMZ? Software flaws can be used to obtain access to the network for malicious code. If the DMZ can't access important services on Trust, the harm is strongly restricted. Without a DMZ, it could be more critical, e.g. infecting other PCs via network shares.

You should use one IP for mail and other publicly available services (or even another one for the latter).

VPN should have its own IP - that way, you can easily drill down into what service is used. And it's less likely that hacking attempts are applied. Not of high importance, IPSec on SSG is secure.

waneck (Author) commented:
I kindly thank you for your comment! It has helped me structure the problem in a better way!

Failsafe configuration on eth0/3:
Yes!! You understood it correctly! My main doubt is in regard to how I can configure this setup on the SSG5. I know how to make eth0/3 act as another DHCP server, give it another subnet address, and define eth0/5 as a backup interface of eth0/4, but I can't seem to figure out how to configure where they will route to. By default, they seem to route to bgroup0. Should I define another vrouter for them? I have tried, but wasn't successful at all. (Many solutions come to my mind. Is it by source routing? That hasn't worked either. But still, I might not have been able to configure this correctly.)

This problem extends to the static services, because it is still a source routing/vrouter/whatever configuration, and what really changes is that I don't know how to have multiple IPs (e.g. 201.e5.e5.66 for the studio, 201.e5.e5.67 for the VPN AND 201.e5.e5.68 for the mail server) coming out from a single ethernet interface. Is that possible on ScreenOS?

I'm sorry to have written so many questions in only one. It's my first Experts Exchange question. I guess we could leave the VPN & DMZ-specific questions for another question, then! : )

Thank you very much!