
ssg5 router: need to route 3 IPs through to 3 private IPs

Posted on 2011-09-21
Last Modified: 2013-11-16
I am not very good at this, so I don't know if the problem is the IPs that I got from my ISP. They didn't give me my own subnet; I am on a class-C subnet with 3 IPs: 215, 216, 218.
I think that I should be using the sub-interface (SUB-if), since I only have one interface to the router, which I set up with a mask of /32 since anything else would trigger a subnet error.

thanks!!
Rob

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "realvnc" protocol tcp src-port 5901-5901 dst-port 5901-5901
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646

set admin port 8000
set admin mail alert

set admin mail traffic-log
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "WIRELESS"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
unset zone "WIRELESS" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/0.1" zone "Untrust"
set interface "ethernet0/0.2" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "WIRELESS"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup1 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 255.70.162.215/32
set interface ethernet0/0 route
set interface ethernet0/0.1 ip 255.70.162.216/32
set interface ethernet0/0.1 route
set interface bgroup0 ip 10.20.0.1/24
set interface bgroup0 nat
set interface bgroup1 ip 192.168.1.1/24
set interface bgroup1 route
set interface ethernet0/0.1 mtu 1492
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/0.1 ip manageable
set interface bgroup0 ip manageable
set interface bgroup1 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface ethernet0/0.1 manage ping
set interface ethernet0/0.1 manage web
set interface ethernet0/0.1 monitor track-ip ip
unset interface ethernet0/0.1 monitor track-ip dynamic
set interface ethernet0/0 vip interface-ip 80 "HTTP" 10.20.0.20
set interface ethernet0/0.1 vip interface-ip 80 "HTTP" 10.20.0.35
set interface bgroup1 dhcp server service
set interface bgroup1 dhcp server enable
set interface bgroup1 dhcp server option lease 1440000
set interface bgroup1 dhcp server option gateway 192.168.1.1
set interface bgroup1 dhcp server option netmask 255.255.255.0
set interface bgroup1 dhcp server option dns1 10.2.0.36
set interface bgroup1 dhcp server option dns2 10.2.0.26
set interface bgroup1 dhcp server option dns3 255.70.128.241
set interface bgroup1 dhcp server ip 192.168.1.100 to 192.168.1.150
unset interface bgroup1 dhcp server config next-server-ip
set interface "ethernet0/0.1" mip 255.70.162.216 host 10.20.0.35 netmask 255.255.255.255 vr "untrust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 0.0.0.0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set dns host schedule 06:28 interval 4
set address "Trust" "10.20.0.10/24" 10.20.0.10 255.255.255.0
set address "Trust" "10.20.0.20/255.255.255.0" 10.20.0.20 255.255.255.0
set address "Trust" "10.20.0.35/24" 10.20.0.35 255.255.255.0
set address "Trust" "10.20.0.5/255.255.255.0" 10.20.0.5 255.255.255.0
set address "Trust" "RobNet" 10.20.0.0 255.255.255.0
set address "Untrust" "255.70.162.216/24" 255.70.162.216 255.255.255.0
set address "Untrust" "DrSite" 10.100.0.0 255.255.255.0
set address "Untrust" "Houston private" 10.50.0.0 255.255.0.0
set address "Untrust" "HoustonDMZ" 10.12.0.0 255.255.255.0
set address "Untrust" "HoustonNet" 10.2.0.0 255.255.0.0
set crypto-policy
exit
set ike gateway "DrVPN" address 209.247.110.2 Main outgoing-interface "ethernet0/0" preshare "Smpu9vcnNx9leksQoOCibDrgHhnCb4BWacDdoK5PMyECP4M7PC2RNsA=" proposal "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike gateway "HoustonVZN" address 63.97.65.194 Main outgoing-interface "ethernet0/0" preshare "/5fIJfhVNjQkIZsCWxCXMcIMOandkUH1ZrD0ni1Q2MS1G869X2H8yrU=" proposal "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "DRVPN" gateway "DrVPN" no-replay tunnel idletime 0 proposal "g2-esp-aes128-md5"  "g2-esp-aes128-sha"
set vpn "HoustonVZN" gateway "HoustonVZN" no-replay tunnel idletime 0 proposal "g2-esp-aes128-md5"  "g2-esp-aes128-sha"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set vpn "DRVPN" proxy-id local-ip 10.20.0.0/24 remote-ip 10.100.0.0/24 "ANY"
set policy id 15 name "webserver" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0.1)" "ANY" permit log
set policy id 15
set log session-init
exit
set policy id 14 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "ANY" permit log
set policy id 14
set log session-init
exit
set policy id 10 from "Trust" to "WIRELESS"  "Any" "Any" "ANY" permit log
set policy id 10
exit
set policy id 9 from "Untrust" to "Trust"  "DrSite" "Any" "ANY" tunnel vpn "DRVPN" id 0x4 pair-policy 8 log
set policy id 9
exit
set policy id 8 from "Trust" to "Untrust"  "Any" "DrSite" "ANY" tunnel vpn "DRVPN" id 0x4 pair-policy 9 log
set policy id 8
exit
set policy id 7 from "Untrust" to "Trust"  "HoustonNet" "RobNet" "ANY" tunnel vpn "HoustonVZN" id 0x8 pair-policy 6 log
set policy id 7
exit
set policy id 6 from "Trust" to "Untrust"  "RobNet" "HoustonNet" "ANY" tunnel vpn "HoustonVZN" id 0x8 pair-policy 7 log
set policy id 6
exit
set policy id 5 from "Untrust" to "Trust"  "HoustonDMZ" "RobNet" "ANY" tunnel vpn "HoustonVZN" id 0x9 pair-policy 4 log
set policy id 5
exit
set policy id 4 from "Trust" to "Untrust"  "RobNet" "HoustonDMZ" "ANY" tunnel vpn "HoustonVZN" id 0x9 pair-policy 5 log
set policy id 4
exit
set policy id 3 from "Untrust" to "Trust"  "Houston private" "RobNet" "ANY" tunnel vpn "HoustonVZN" id 0xa pair-policy 2 log
set policy id 3
exit
set policy id 2 from "Trust" to "Untrust"  "RobNet" "Houston private" "ANY" tunnel vpn "HoustonVZN" id 0xa pair-policy 3 log
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 13 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 13
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 255.70.162.254
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Question by:robinkaty

Accepted Solution

by:
dpk_wal earned 168 total points
No, you should not use /32; you should use the subnet mask as allocated to you by your ISP. The smallest you can use is /30, where one IP is the subnet (network) address, one is the interface IP, another is the gateway or ISP router, and the fourth is the broadcast address.
Since you have 3 IPs in all, I think you would use /29, but again it depends on your ISP.
For using the other IPs you can use DIP or MIP [if you want to host a server and wish people from outside to reach the server on an IP other than the external IP of your firewall].

Please implement and update if you need further help.

Thank you.

Expert Comment

by:Sanga Collins
What was the subnet mask given to you by your ISP? This info will determine what you are able to do with the IP addresses you have.
 

Author Comment

by:robinkaty
The netmask that they gave me was /24, but if I use a /24 then I cannot configure a sub-interface (SUB-IF), because it says that I cannot have multiple IPs on the interface... something about failing the pre-check.
Error:
ethernet0/0.1 ip change pre-checking failed
Interface: illegal overlapping subnet.

The primary interface is ethernet0/0 207.70.162.215/24,
so I am at a loss as to how to forward 3 IPs that are on the same subnet.

Thanks

Assisted Solution

by:Sanga Collins
Sanga Collins earned 166 total points
It is very strange for them to give you a /24 and only 3 static IPs. What is the gateway you are supposed to use? In an ideal situation with a block of, let's say, 8 IPs, you would configure your WAN interface IP and then use MIP (mapped IPs) to point any of the other 7 to internal web servers or email etc. A sub-interface is not necessary unless you are trying to use two separate subnets on one LAN port. For a WAN port, a loopback interface allows you to configure 2 separate subnets on a single port.
 

Author Comment

by:robinkaty
Thanks Sangamc,

 SIP: 207.70.162.216        
 SIP: 207.70.162.218        
 GATEWAY: 207.70.162.254    
 SUBNET MASK: 255.255.255.0
Plus I had an existing static IP of 207.70.162.215
I am just assuming that because this is a rural area and they didn't want to block it out, I was sort of surprised at that too!
So, would I have the primary 207.70.162.215 on ethernet0/0 and then specify the other IP addresses in the MIPs or VIPs? I was worried that if I did that, ethernet0/0 would only capture 215 and not the others.
Thanks, you make a lot of sense and explained it so that I can almost understand :)
Rob

Assisted Solution

by:Qlemo
Qlemo earned 166 total points
If you use the /24 netmask, MIPs will do. If the SSG sees one of the MIP addresses coming in, it will process it as a MIP and not just route it.

Expert Comment

by:Qlemo
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.