Solved

Juniper ssg140 using 2 untrust interfaces for different networks

Posted on 2009-07-01
6
1,580 Views
Last Modified: 2012-05-07
i have 2 juniper ssg140's in a failover cluster config. 1 untrust interface, several VIPs and MIPs configured. 2 trust interfaces but both route through same untrust. Here's a sample layout:
Untrust Intreface 12.12.12.12
Trust1 interface 192.168.1.x
Trust2 interface 192.168.100.x
Remote offices have site to site route based vpn to main office. Remote office nets are 192.168.2.x, .3.x, .4.x, .5.x, etc.
We now have a client that unfortuantely has the same net as one of our remote offices, like 192.168.4.x. We have to create a site-site vpn with this client. My idea is to use a second Untrust interface at 12.12.12.13 with lan behind it of 172.16.100.x for example. The client will only need access to 3 or 4 services on 1 server which we can place in the 172.x.x.x lan.
any ideas if this will even work or if the ssg140 supports this config?
thx

0
Comment
Question by:dguillen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 24761089
Did you think to add an alias 172.x.x.x to the server or move it from your LAN completely?

Are your remote offices (especially the conflicting one) accessing this server? If yes then adding a 172.x.x.x alias won't solve your problems. The server will want to send a packet to the IP 192.168.4.5 and it won't know whether to your client or remote office.

I believe you could leave everything as it is and just add NAT to the client's VPN (maybe also to the conflicting office VPN) - change their addresses to 192.168.199.x (a non conflicting network).
0
 
LVL 1

Author Comment

by:dguillen
ID: 24763623
the server at 172.x.x.x will only need to be accessed by the new clients and by a server at 192.168.1.x (local trust int). The existing remote conflicting office will not need to access this server. I wanted to avoid changing my existing remote office lan's ip.
0
 
LVL 16

Accepted Solution

by:
Blaz earned 400 total points
ID: 24770463
> I wanted to avoid changing my existing remote office lan's ip.

I suggested that you NAT your new client - you don't have to change their LAN IPs, just NAT their connection. You can leave the existing remote office intact.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
ID: 24776487
I agree, best is to just NAT the client's IP addresses in the VPN policy. For restricting of traffic in policies you will need to apply to the NATted addresses, of course.
0
 
LVL 1

Author Comment

by:dguillen
ID: 24787425
i did end up using NAT using the juniper overlapping subnet instructions.
thanks
0
 
LVL 1

Author Comment

by:dguillen
ID: 24787432
i'll award qlemo some points as well for stating the policy info, i overlooked it at first
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question