[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1500
  • Last Modified:

Multiple devices with a public IP address on a Juniper SSG-140 firewall

I have a network which is designed for Video Conferencing. At this moment I have a Cisco VCS Expressway, a Cisco VCS Control, a Codian MCU and a Tandberg Management Suite running outside my firewall, connected to a Cisco Catalyst 2950 switch.

Everyone from the outside should be able to connect to these devices using at least SIP and H.323 and these devices need to be able to connect to the Internet.

Now we want to secure this, by putting all these devices behind our Juniper SSG-140 in a DMZ. Each of these devices has a public IP address, which should not change because then we have to update hundreds of video devices, which is not an option.

Our public IP addresses range from x.y.z.97 - x.y.z.125. Our ISP gateway is x.y.z.126 and the Primary DNS Server is x.y.z.70 (different Host ID than the other addresses).

I'm personally not really experienced with Juniper products, could someone guide me with this?
0
RHochstenbach
Asked:
RHochstenbach
3 Solutions
 
deimarkCommented:
Have a look at using MIPs here (mapped IPs)

This is the screenos implementation of static nat

Details can be found here
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11911

The basics are we define a MIP on the external interface and map this to an internal host.

We can then create policies where the destination is the MIP address and then allow in any services we need.

Hope this helps.
0
 
QlemoDeveloperCommented:
Using MIPs (which is what I recommend, too) requires that your DMZ servers change their IP, most likely to private IPs. Those IPs should be (a) private (b) using a different subnet than your LAN.
0
 
Sanga CollinsSystems AdminCommented:
Juniper MIP and SIP/VOIP do not work very well. We've tried this in our network several times over the last few years. Done everything from enabling source based NAT to disabling/re-enabling SIP ALGs. always ended up putting voip equipment directly on the internet.

someone may have a way to make this work, this is just my experience with theis type of setup
0
 
RHochstenbachAuthor Commented:
Thanks for your help guys, you are really life savers! :)

I'll speak to my team, and then we'll try to implement this (it's a 24/7 company, so that takes planning).
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now