Solved

Multiple devices with a public IP address on a Juniper SSG-140 firewall

Posted on 2011-03-22
4
1,470 Views
Last Modified: 2012-05-11
I have a network which is designed for Video Conferencing. At this moment I have a Cisco VCS Expressway, a Cisco VCS Control, a Codian MCU and a Tandberg Management Suite running outside my firewall, connected to a Cisco Catalyst 2950 switch.

Everyone from the outside should be able to connect to these devices using at least SIP and H.323 and these devices need to be able to connect to the Internet.

Now we want to secure this, by putting all these devices behind our Juniper SSG-140 in a DMZ. Each of these devices has a public IP address, which should not change because then we have to update hundreds of video devices, which is not an option.

Our public IP addresses range from x.y.z.97 - x.y.z.125. Our ISP gateway is x.y.z.126 and the Primary DNS Server is x.y.z.70 (different Host ID than the other addresses).

I'm personally not really experienced with Juniper products, could someone guide me with this?
0
Comment
Question by:RHochstenbach
4 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 350 total points
Comment Utility
Have a look at using MIPs here (mapped IPs)

This is the screenos implementation of static nat

Details can be found here
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11911

The basics are we define a MIP on the external interface and map this to an internal host.

We can then create policies where the destination is the MIP address and then allow in any services we need.

Hope this helps.
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
Comment Utility
Using MIPs (which is what I recommend, too) requires that your DMZ servers change their IP, most likely to private IPs. Those IPs should be (a) private (b) using a different subnet than your LAN.
0
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 50 total points
Comment Utility
Juniper MIP and SIP/VOIP do not work very well. We've tried this in our network several times over the last few years. Done everything from enabling source based NAT to disabling/re-enabling SIP ALGs. always ended up putting voip equipment directly on the internet.

someone may have a way to make this work, this is just my experience with theis type of setup
0
 
LVL 1

Author Comment

by:RHochstenbach
Comment Utility
Thanks for your help guys, you are really life savers! :)

I'll speak to my team, and then we'll try to implement this (it's a 24/7 company, so that takes planning).
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now