dguillen
asked on
Juniper ssg140 using 2 untrust interfaces for different networks
i have 2 juniper ssg140's in a failover cluster config. 1 untrust interface, several VIPs and MIPs configured. 2 trust interfaces but both route through same untrust. Here's a sample layout:
Untrust Intreface 12.12.12.12
Trust1 interface 192.168.1.x
Trust2 interface 192.168.100.x
Remote offices have site to site route based vpn to main office. Remote office nets are 192.168.2.x, .3.x, .4.x, .5.x, etc.
We now have a client that unfortuantely has the same net as one of our remote offices, like 192.168.4.x. We have to create a site-site vpn with this client. My idea is to use a second Untrust interface at 12.12.12.13 with lan behind it of 172.16.100.x for example. The client will only need access to 3 or 4 services on 1 server which we can place in the 172.x.x.x lan.
any ideas if this will even work or if the ssg140 supports this config?
thx
Untrust Intreface 12.12.12.12
Trust1 interface 192.168.1.x
Trust2 interface 192.168.100.x
Remote offices have site to site route based vpn to main office. Remote office nets are 192.168.2.x, .3.x, .4.x, .5.x, etc.
We now have a client that unfortuantely has the same net as one of our remote offices, like 192.168.4.x. We have to create a site-site vpn with this client. My idea is to use a second Untrust interface at 12.12.12.13 with lan behind it of 172.16.100.x for example. The client will only need access to 3 or 4 services on 1 server which we can place in the 172.x.x.x lan.
any ideas if this will even work or if the ssg140 supports this config?
thx
ASKER
the server at 172.x.x.x will only need to be accessed by the new clients and by a server at 192.168.1.x (local trust int). The existing remote conflicting office will not need to access this server. I wanted to avoid changing my existing remote office lan's ip.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i did end up using NAT using the juniper overlapping subnet instructions.
thanks
thanks
ASKER
i'll award qlemo some points as well for stating the policy info, i overlooked it at first
Are your remote offices (especially the conflicting one) accessing this server? If yes then adding a 172.x.x.x alias won't solve your problems. The server will want to send a packet to the IP 192.168.4.5 and it won't know whether to your client or remote office.
I believe you could leave everything as it is and just add NAT to the client's VPN (maybe also to the conflicting office VPN) - change their addresses to 192.168.199.x (a non conflicting network).