Solved

Multiple devices with a public IP address on a Juniper SSG-140 firewall

Posted on 2011-03-22
1,492 Views
Last Modified: 2012-05-11
I have a network which is designed for Video Conferencing. At this moment I have a Cisco VCS Expressway, a Cisco VCS Control, a Codian MCU and a Tandberg Management Suite running outside my firewall, connected to a Cisco Catalyst 2950 switch.

Everyone from the outside should be able to connect to these devices using at least SIP and H.323 and these devices need to be able to connect to the Internet.

Now we want to secure this, by putting all these devices behind our Juniper SSG-140 in a DMZ. Each of these devices has a public IP address, which should not change because then we have to update hundreds of video devices, which is not an option.

Our public IP addresses range from x.y.z.97 - x.y.z.125. Our ISP gateway is x.y.z.126 and the Primary DNS Server is x.y.z.70 (different Host ID than the other addresses).

I'm personally not really experienced with Juniper products, could someone guide me with this?
Question by:RHochstenbach
4 Comments
Accepted Solution

by: deimark (earned 1400 total points)
ID: 35188999
Have a look at using MIPs here (mapped IPs).

This is the ScreenOS implementation of static NAT.

Details can be found here:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11911

The basics are: we define a MIP on the external interface and map it to an internal host.

We can then create policies where the destination is the MIP address and allow in any services we need.

Hope this helps.
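The MIP setup described in the accepted answer, written out as ScreenOS CLI as it would be typed on the SSG-140. This is an added example, not configuration from the original thread or from Juniper's KB article. It assumes ethernet0/0 is the Untrust interface holding x.y.z.97/27 (the .97-.125 range with .126 as gateway is a /27), ethernet0/1 is the DMZ interface on a private 10.10.10.0/24 that the LAN does not use, and two of the existing public addresses (x.y.z.100 for the VCS Expressway, x.y.z.101 for the MCU) are kept as MIPs so the hundreds of remote endpoints need no change. The 10.10.10.x host addresses, the policy IDs and the object names are invented for illustration. Lines beginning with `#` are annotations for the reader; ScreenOS does not accept comments, so do not paste them.

```text
# --- interfaces and default route (assumed interface names) ---
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip x.y.z.97/27
set interface ethernet0/1 zone DMZ
set interface ethernet0/1 ip 10.10.10.1/24
set route 0.0.0.0/0 interface ethernet0/0 gateway x.y.z.126

# --- MIPs: one public address per DMZ host, defined on the Untrust interface ---
# A MIP is bidirectional 1:1 NAT: inbound traffic to x.y.z.100 is forwarded to
# 10.10.10.10, and traffic the host originates leaves with source x.y.z.100.
# The firewall answers ARP for the MIP addresses, so they may sit in the
# same /27 as the interface address.
set interface ethernet0/0 mip x.y.z.100 host 10.10.10.10 netmask 255.255.255.255 vrouter trust-vr
set interface ethernet0/0 mip x.y.z.101 host 10.10.10.11 netmask 255.255.255.255 vrouter trust-vr

# --- address objects for the DMZ hosts (names are assumptions) ---
set address DMZ vcs-expressway 10.10.10.10 255.255.255.255
set address DMZ codian-mcu 10.10.10.11 255.255.255.255

# --- service group for the signalling the endpoints need (SIP and H.323 are
# predefined ScreenOS services) ---
set group service VC-Services
set group service VC-Services add SIP
set group service VC-Services add H.323

# --- inbound: destination is the MIP object, not the private address ---
set policy id 10 name VC-in-expressway from Untrust to DMZ Any "MIP(x.y.z.100)" VC-Services permit log
set policy id 11 name VC-in-mcu from Untrust to DMZ Any "MIP(x.y.z.101)" VC-Services permit log

# --- outbound: the DMZ hosts must reach the Internet (and the ISP DNS at
# x.y.z.70); source NAT to the MIP happens automatically ---
set policy id 20 name VC-out from DMZ to Untrust vcs-expressway Any ANY permit log
set policy id 21 name VC-out-mcu from DMZ to Untrust codian-mcu Any ANY permit log
save

# --- checks after cutover ---
get mip
get policy id 10
get session dst-ip 10.10.10.10
get alg
```

Two practitioner notes. First, the DMZ hosts' own default gateway becomes 10.10.10.1, and any device that still points at x.y.z.126 will not get out. Second, SIP and H.323 carry addresses inside the signalling, so the firewall's ALGs rewrite them; if calls set up but media fails, the ALG state is the first thing to look at (`get alg` shows what is enabled, and `set alg sip enable` / `unset alg sip enable` toggles it), which is the class of problem Sanga Collins reports below. Media ports are negotiated dynamically, so VC-Services above covers signalling only and relies on the ALG to open the RTP pinholes; if the ALG is disabled, a wider UDP range has to be allowed explicitly to the MIPs.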
Assisted Solution

by: Qlemo (earned 400 total points)
ID: 35189244
Using MIPs (which is what I recommend, too) requires that your DMZ servers change their IP, most likely to private IPs. Those IPs should be (a) private and (b) on a different subnet than your LAN.
Assisted Solution

by: Sanga Collins (earned 200 total points)
ID: 35189716
Juniper MIP and SIP/VoIP do not work very well. We've tried this in our network several times over the last few years. Done everything from enabling source-based NAT to disabling/re-enabling SIP ALGs. Always ended up putting VoIP equipment directly on the Internet.

Someone may have a way to make this work; this is just my experience with this type of setup.
Author Comment

by: RHochstenbach
ID: 35189850
Thanks for your help guys, you are really life savers! :)

I'll speak to my team, and then we'll try to implement this (it's a 24/7 company, so that takes planning).