Solved

Multiple devices with a public IP address on a Juniper SSG-140 firewall

Posted on 2011-03-22
1,490 Views
Last Modified: 2012-05-11
I have a network which is designed for Video Conferencing. At this moment I have a Cisco VCS Expressway, a Cisco VCS Control, a Codian MCU and a Tandberg Management Suite running outside my firewall, connected to a Cisco Catalyst 2950 switch.

Everyone from the outside should be able to connect to these devices using at least SIP and H.323 and these devices need to be able to connect to the Internet.

Now we want to secure this, by putting all these devices behind our Juniper SSG-140 in a DMZ. Each of these devices has a public IP address, which should not change because then we have to update hundreds of video devices, which is not an option.

Our public IP addresses range from x.y.z.97 - x.y.z.125. Our ISP gateway is x.y.z.126 and the Primary DNS Server is x.y.z.70 (different Host ID than the other addresses).

I'm personally not really experienced with Juniper products, could someone guide me with this?
Question by:RHochstenbach
4 Comments

Accepted Solution

by:
deimark earned 350 total points
ID: 35188999
Have a look at using MIPs here (mapped IPs)

This is the ScreenOS implementation of static NAT.

Details can be found here
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11911

The basics are we define a MIP on the external interface and map this to an internal host.

We can then create policies where the destination is the MIP address and then allow in any services we need.

Hope this helps.
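What the accepted answer describes, written out as a ScreenOS CLI sketch. This is an added example, not part of the original thread or of deimark's answer. The interface names (ethernet0/0 for Untrust, ethernet0/2 for the DMZ), the private DMZ subnet 192.168.10.0/24, the firewall's own address x.y.z.98 and the two host-to-MIP pairs are assumptions made for illustration; only the x.y.z.97-125 range, the x.y.z.126 gateway and the SIP/H.323 requirement come from the question.

```text
## Added example (assumed interface names, DMZ subnet and MIP pairs), not the thread's own config.

## Untrust side: the SSG takes one public address from the range.
## .97-.125 usable with .126 as gateway fits a /27 (x.y.z.96/27).
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip x.y.z.98/27
set route 0.0.0.0/0 interface ethernet0/0 gateway x.y.z.126

## DMZ side: the video devices move to private addresses on their own subnet.
set interface ethernet0/2 zone DMZ
set interface ethernet0/2 ip 192.168.10.1/24

## MIPs: one public address statically mapped to one DMZ host. A MIP is
## bidirectional, so the device also sources its outbound traffic from its
## old public address, which is what keeps the remote video endpoints working.
set interface ethernet0/0 mip x.y.z.100 host 192.168.10.100 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip x.y.z.101 host 192.168.10.101 netmask 255.255.255.255 vr trust-vr

## Open only the signalling services the devices need, not "Any".
set group service "VC-Signalling" add "SIP"
set group service "VC-Signalling" add "H.323"

## Inbound: the policy destination is the MIP object, never the private host.
set policy from Untrust to DMZ Any "MIP(x.y.z.100)" "VC-Signalling" permit log
set policy from Untrust to DMZ Any "MIP(x.y.z.101)" "VC-Signalling" permit log

## Outbound: the devices need Internet access; the MIP rewrites the source
## back to x.y.z.100/.101 on the way out.
set policy from DMZ to Untrust Any Any Any permit log

## Verify the mappings and the ALG state before cutting over.
get mip
get alg
```

Two things to check before the cutover. First, the policies above only admit the signalling ports; the RTP media ports are opened dynamically by the SIP and H.323 ALGs, so if the ALGs misbehave (the problem described later in this thread) calls will set up but carry no audio or video. Second, because a MIP consumes a public address per mapped host, count the devices against the 29 usable addresses in x.y.z.97-125 minus the one the firewall itself needs.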

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
ID: 35189244
Using MIPs (which is what I recommend, too) requires that your DMZ servers change their IP, most likely to private IPs. Those IPs should be (a) private (b) using a different subnet than your LAN.

Assisted Solution

by:Sanga Collins
Sanga Collins earned 50 total points
ID: 35189716
Juniper MIP and SIP/VoIP do not work very well together. We've tried this in our network several times over the last few years. We've done everything from enabling source-based NAT to disabling/re-enabling the SIP ALGs, and always ended up putting the VoIP equipment directly on the Internet.

Someone may have a way to make this work; this is just my experience with this type of setup.

Author Comment

by:RHochstenbach
ID: 35189850
Thanks for your help guys, you are really life savers! :)

I'll speak to my team, and then we'll try to implement this (it's a 24/7 company, so that takes planning).