Solved

Multiple devices with a public IP address on a Juniper SSG-140 firewall

Posted on 2011-03-22
Last Modified: 2012-05-11
I have a network which is designed for Video Conferencing. At this moment I have a Cisco VCS Expressway, a Cisco VCS Control, a Codian MCU and a Tandberg Management Suite running outside my firewall, connected to a Cisco Catalyst 2950 switch.

Everyone from the outside should be able to connect to these devices using at least SIP and H.323 and these devices need to be able to connect to the Internet.

Now we want to secure this, by putting all these devices behind our Juniper SSG-140 in a DMZ. Each of these devices has a public IP address, which should not change because then we have to update hundreds of video devices, which is not an option.

Our public IP addresses range from x.y.z.97 - x.y.z.125. Our ISP gateway is x.y.z.126 and the Primary DNS Server is x.y.z.70 (different Host ID than the other addresses).

I'm personally not really experienced with Juniper products; could someone guide me with this?
Question by:RHochstenbach
4 Comments
 
LVL 18

Accepted Solution

by: deimark (earned 350 total points)
ID: 35188999
Have a look at using MIPs here (Mapped IPs).

This is the ScreenOS implementation of static NAT.

Details can be found here:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11911

The basics are: we define a MIP on the external interface and map this to an internal host.

We can then create policies where the destination is the MIP address, and then allow in any services we need.

Hope this helps.
 
LVL 69

Assisted Solution

by: Qlemo (earned 100 total points)
ID: 35189244
Using MIPs (which is what I recommend, too) requires that your DMZ servers change their IP, most likely to private IPs. Those IPs should be (a) private and (b) on a different subnet from your LAN.
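The MIP approach from deimark's answer, combined with Qlemo's point about renumbering the DMZ hosts, written out as ScreenOS CLI commands for one of the devices. This is an added example, not configuration from any poster or from Juniper; it assumes ethernet0/0 is the Untrust interface and ethernet0/2 the DMZ interface of the SSG-140, that 203.0.113.0/27 stands in for the x.y.z.97-125 block (with .126 as the ISP gateway, as in the question), and that 10.10.10.0/24 is the new private DMZ subnet, separate from the LAN.

```screenos
# Added example (not from the thread): one DMZ host (the VCS Expressway, say) behind the SSG-140.
# Assumed names: ethernet0/0 = Untrust, ethernet0/2 = DMZ, 203.0.113.0/27 stands in for x.y.z.97-125,
# 10.10.10.0/24 = private DMZ subnet. Lines starting with '#' are notes for the reader, not CLI input.

# Firewall interfaces: the SSG itself takes one public address, the DMZ gets private space
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.125/27
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 10.10.10.1/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.126

# MIP: the public address the remote video endpoints already dial is mapped 1:1 to the
# host's new private address, so nothing has to change on the hundreds of remote devices
set interface ethernet0/0 mip 203.0.113.98 host 10.10.10.98 netmask 255.255.255.255 vr trust-vr

# Address object for the host, used as the source of its outbound policy
set address dmz "vcs-expressway" 10.10.10.98 255.255.255.255

# Inbound: only the signalling the outside needs, addressed to the MIP, and logged
set policy from untrust to dmz any MIP(203.0.113.98) SIP permit log
set policy from untrust to dmz any MIP(203.0.113.98) H.323 permit log

# Outbound: the host may reach the Internet; the MIP translates its source back to .98
set policy from dmz to untrust "vcs-expressway" any any permit log

# Inspect the MIP table and the ALG state (the SIP/H.323 ALGs open the negotiated media ports)
get mip
get alg
save
```

Repeat the MIP, address object and policies for each of the other devices (VCS Control, MCU, TMS) with its own public address from the block.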
 
LVL 18

Assisted Solution

by: Sanga Collins (earned 50 total points)
ID: 35189716
Juniper MIPs and SIP/VoIP do not work very well. We've tried this in our network several times over the last few years. We did everything from enabling source-based NAT to disabling/re-enabling the SIP ALGs, and always ended up putting the VoIP equipment directly on the Internet.

Someone may have a way to make this work; this is just my experience with this type of setup.
 
LVL 1

Author Comment

by:RHochstenbach
ID: 35189850
Thanks for your help guys, you are really life savers! :)

I'll speak to my team, and then we'll try to implement this (it's a 24/7 company, so that takes planning).
