Solved

SSG20 Juniper firewall

Posted on 2012-03-19
Last Modified: 2012-03-22
Hi,
I have a firewall attached and working however I reached the amount of IP addresses that can address it from the internet interface and have been allocated a second set of IP's from my supplier.
How can I make these available in the Juniper?
Under Networking, Routing I have added the IPs and set up new rules to allow through ping as a trial but nothing comes through.  The original set work fine.

Let's say my IP's are
1st bank of external IP's **.**.1.242 to 254
Router IP: **.**.1.241

2nd bank of external IP's **.**.63.226 to 238
Router IP: **.**.63.225

As said I have added Routing destinations for these in my table, and started adding the policy but it still doesn't appear to be enough to allow ping through.  Any help would be greatly appreciated.

Regards,
Question by:Emanuel
 
LVL 25

Expert Comment

by:Fred Marshall
I wonder if you might explain why you'd want multiple public IPs on a single device?  That could help.  Something like using it as a "multi-channel" device with different LANs behind each, or .... ?  It's not clear to me why having multiple public addresses to the *same* device would make sense unless you are setting up a publicly-addressed DMZ with multiple devices there.
Knowing might help suggest setup approaches.

Expert Comment

by:Sanga Collins
I'm guessing your ISP gave you two different blocks of IP addresses (eg 10.10.10.x/28 and 11.11.11.x/28).

What you want to do is create a new interface as a loopback interface in the same zone as the interface with your first block of IPs.
Take the first IP on the new block and make that the IP of the loopback.
Create a policy from untrust-untrust / any / any / allow / logging=on. This will then permit the traffic to and from your new block of IPs.

This is the general approach to solving this. If you have specific questions or get stuck, feel free to post and we can get into more details or specifics. :)

Author Comment

by:Emanuel
Sangamc,
You are quite correct, it was my ISP that issued a second bank of IP's when I reached the limit of the current /28 range.
If you could offer more detailed instructions that would be brilliant.  My experience is not based around firewalls, so all the help possible would be very well received.

Thank you.

Expert Comment

by:Sanga Collins
The best place for HowTos for Juniper products is their Knowledge Base. I have been using it for years and it's free! :) Some of the documents were written for older versions of the OS, but still apply to current versions since most of the steps and concepts are exactly the same.

How to configure loopback interface
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4167&cat=PRODUCT&actp=LIST

How to manage loopback interface
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4168

Remember, once you configure the loopback interface, you will need to add a policy allowing traffic from untrust to untrust so that the new public IPs are routable.

Author Comment

by:Emanuel
Thanks.  I shall take a look now.

Author Comment

by:Emanuel
OK, thank you for the two information pages.  They made it straightforward enough.  I have set the IP as suggested.  My supplier has said that the router IP is *.*.63.225, while the first IP of the range is *.*.63.224; can I take it I just point the new rules to start from *.*.63.226 and point to where I need them, be that DMZ or trust?
You mentioned something about creating a rule from untrust to untrust any any.  What is that element for?

My original IP's are
1st bank of external IP's **.**.1.242 to 254
Router IP: **.**.1.241

New 2nd bank of external IP's **.**.63.226 to 238
Router IP: **.**.63.225

Regards,

Author Comment

by:Emanuel
Having re-read your post I think I have done it.

Untrust Intra-Zone policy, Source ANY, Destination ANY, Service ANY, Action TICK, Logging, enabled.

Expert Comment

by:Sanga Collins
Good to hear! Is everything working OK? Once the new block is in place you can start using the additional IPs just like before in MIPs. You can point them to DMZ, Trust or even other custom zones if you have created any.

Author Comment

by:Emanuel
Do I need any routing to be set?

Author Comment

by:Emanuel
Actually I have just logged in again to that routing page and it shows the loop using the /28 so I guess that means I don't.

Thanks

Author Comment

by:Emanuel
In the logging I can see five attempts for traffic but nothing from the IP I am sending from?

Expert Comment

by:Sanga Collins
You won't need routing if the ISP routes the second block of IPs through the first (standard practice in this situation). If for some strange reason they cannot route the second block through the first, then the best way to get around this is to use the untrust-vr to configure the new block of IPs with its corresponding gateway.

Author Comment

by:Emanuel
Could it be you are available via email?
My email: kerj at qav-ltd.com

Regards,

Author Comment

by:Emanuel
Hi,
Could you explain how I could do that, is that within Routing?
I could try that before I call them to check configuration.

Expert Comment

by:Sanga Collins
To accomplish this by routing, I think the best way would be to do the following.

Create a new zone and make sure it is in the untrust-vr. Give it a name like IP2 or ISP2.
Edit the loopback interface and change its zone to IP2.
Go to the routing table (Network > Routing > Destination); you will need to create a couple of new routes.

untrust-vr
i) 0.0.0.0/0 -> **.**.63.225, interface = loopback
ii) LANIP -> trust-vr

Now, instead of the untrust intrazone policy, that will be replaced by one policy from untrust-ip2 and another from ip2 to untrust.

I hope this makes sense.

Author Comment

by:Emanuel
Many thanks for your assistance, it transpires that we weren't sending the IP through the original bank but the very kind man on the support desk is in the process of changing our configuration to do just that.

OK they have finished and now I get a response back from the Firewall stating that TTL expired in transit but it is from the Firewall's exposed IP address.

Your help has been brilliant.

Author Comment

by:Emanuel
Really sorry for keeping hassling you on this.  You have been so helpful and it feels really close to the end now.  
The logging is now showing my other IP and it is showing that I am sending to the IP where I have a server able to respond.  The downside is that the Firewall responds with Reply from <external firewall ip>: TTL expired in transit.
Could you suggest how I could fix this?

Expert Comment

by:Sanga Collins
Ya, not a problem.

Tell me how you are set up right now. You are either missing a policy or a route.

Is there a policy from trust to the ip2 zone?

If there is, can you ping the new IP that is configured on the loopback? Or traceroute to it from a workstation?

What are the routes in the untrust-vr?

Author Comment

by:Emanuel
If you could let me have an email address I will email them over.  I just don't want to publish our live IP's in the forum if possible?

Our provider made the second range of IP go to the 1st range.  So I have stayed with the initial settings you described.

In Network.Routing.Destination, I have
*.*.63.224/28 as a loopback.1

In Policy.Policies, I have
Untrust Intra-zone, ANY,ANY,ANY

Finally I have created
In Policy, Policies
Untrust (*.*.63.226) to DMZ(*.*.1.10), Allowing PING service
My device is sat on *.*.1.10 and is able to ping respond locally.

Many thanks again...

Which is a loopback.1 bringing back all traffic on the /28

I have a route set which is identical to the loopback.1

Expert Comment

by:Sanga Collins
I think it's against EE policy to post email addresses, but that's OK. I won't need the actual IP address information to get you through the setup.

I think the problem might be the route you set which is identical to loopback.1 in the route table. What is the route you set?

Below is an example of my route table using the loopback.

eth2 is my LAN, eth4 is my WAN

   IP/Netmask        Gateway        Interface   Protocol  Preference  Metric  Vsys  Configure
*  10.160.100.0/24                  ethernet2   C                             Root  -
*  10.160.100.1/32                  ethernet2   H                             Root  -
*  x.x.x.52/30                      ethernet4   C                             Root  -
*  x.x.x.54/32                      ethernet4   H                             Root  -
*  64.140.103.8/29                  loopback.1  C                             Root  -
*  0.0.0.0/0         209.42.58.53   ethernet4   S         20          1       Root


Author Comment

by:Emanuel
Hi,

OK, here is a list from my route table:
   IP/Netmask       Gateway      Interface     Protocol  Pref  Metric  Vsys
*  *.*.1.240/28                  ethernet0/0   C                       Root
*  *.*.16.0/24                   bgroup0       C                       Root
*  *.*.16.1/32                   bgroup0       H                       Root
*  *.*.10.0/24                   ethernet0/1   C                       Root
*  *.*.10.0/32                   ethernet0/1   H                       Root
*  0.0.0.0/0        *.*.1.241    ethernet0/0   C               1       Root
*  *.*.63.224/28                 loopback.1    C                       Root

Looking at my table against yours, it doesn't look too dissimilar.
But what now appears to me is that I haven't told the router where to send the loopback.1 to.

Network interface list:
Ethernet0/0  is *.*.1.254/28 - Untrust
Ethernet0/1  is *.*.10.1/24 - DMZ
Ethernet0/2  is bgroup0 *.*.16.1/24 - Trust
Ethernet0/3  is bgroup0
Ethernet0/4  is 0.0.0.0/0 - Untrust
loopback.1    is *.*.63.225/28 - Untrust

Really hoping you can help me complete the configuration.

Thank you again.

Les.

Author Comment

by:Emanuel
Thank you for all your help.  I have it working and can see the error of my ways from the last post.

The loopback.1 in the network interface needed a minor adjustment: I had it at *.*.63.225/28 and it should have been 63.224/28.

Then I didn't have any routes in the root table to take the traffic from the untrust side to the DMZ or trust depending on service.  I have now added my first set and all appears to be working now.

Thank you for your time yesterday, you have been a real help.
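The setup the thread converges on (a loopback interface in the Untrust zone carrying the second /28, the untrust intra-zone policy, then MIPs on that loopback pointing at a DMZ host), written out as an added example in ScreenOS CLI form; this is not configuration posted by either participant. It assumes ScreenOS 6.x command syntax as documented for SSG devices (the loopback-group and MIP command forms are taken from Juniper's KB articles linked above, not from this thread), uses A.B as a placeholder for the octets the author masked as *.*, and takes ethernet0/0 as the Untrust interface and A.B.1.10 as the DMZ host from the author's own posts; the # lines are annotations for the reader, not CLI input.

```screenos
# Added example (not from the thread): ScreenOS 6.x CLI for the working setup.
# A.B stands for the masked octets the author hid as *.*; interface and zone
# names follow the author's interface list above.

# 1. Loopback interface in the same zone as the existing WAN interface,
#    addressed with the second /28. The author's final working value was
#    A.B.63.224/28, not the ISP router address A.B.63.225.
set interface loopback.1 zone untrust
set interface loopback.1 ip A.B.63.224/28

# 2. Make the physical Untrust interface answer for the loopback's block
#    (loopback-group membership; syntax assumed per Juniper KB4167).
set interface ethernet0/0 loopback-group loopback.1

# 3. Intra-zone policy so traffic arriving for the new block can pass
#    between the WAN interface and the loopback: the "untrust to untrust
#    any/any/any" policy recommended in the thread, with logging on.
set policy from untrust to untrust any any any permit log

# 4. One MIP per public address in the new block, defined on the loopback,
#    mapping A.B.63.226 to the DMZ host A.B.1.10 (MIP syntax assumed per KB).
set interface loopback.1 mip A.B.63.226 host A.B.1.10 netmask 255.255.255.255 vr trust-vr

# 5. Inbound policy: only the service the host should expose. The thread
#    tests with ping first; add further services one at a time, each logged.
set policy from untrust to dmz any mip(A.B.63.226) ping permit log

# Verification, the CLI equivalents of the screens the author checked:
get interface loopback.1     # zone, IP/mask and loopback-group members
get route                    # expect A.B.63.224/28 as a C route on loopback.1
get mip                      # lists the MIP and its host mapping
get policy                   # confirm the untrust->untrust and untrust->dmz rules
save
```

A `get log traffic` after a test ping shows whether the packet hit the intra-zone policy, the MIP policy, or neither, which separates a missing route from a missing policy as the expert's diagnostic question above asks.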
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
That's good to hear. It is usually the smallest of details that trip me up too when configuring Juniper devices. I am sure now that you have seen it working, it makes more sense. Let me know if you have additional questions.

Author Closing Comment

by:Emanuel
You are a complete life saver thank you very much for all your extended effort.