SSG20 Juniper firewall

I have a firewall attached and working; however, I have reached the number of IP addresses that can address it from the internet interface and have been allocated a second set of IPs from my supplier.
How can I make these available in the Juniper?
Under Networking, Routing I have added the IPs and set up new rules to allow ping through as a trial, but nothing comes through. The original set works fine.

Let's say my IPs are:
1st bank of external IPs: **.**.1.242 to 254
Router IP: **.**.1.241

2nd bank of external IPs: **.**.63.226 to 238
Router IP: **.**.63.225

As said, I have added routing destinations for these in my table and started adding the policy, but it still doesn't appear to be enough to allow ping through. Any help would be greatly appreciated.

Fred MarshallPrincipalCommented:
I wonder if you might explain why you'd want multiple public IPs on a single device?  That could help.  Something like using it as a "multi-channel" device with different LANs behind each, or .... ?  It's not clear to me why having multiple public addresses to the *same* device would make sense unless you are setting up a publicly-addressed DMZ with multiple devices there.
Knowing might help suggest setup approaches.
Sanga CollinsSystems AdminCommented:
I'm guessing your ISP gave you two different blocks of IP addresses (e.g. 10.10.10.x/28 and 11.11.11.x/28).

What you want to do is create a new interface as a loopback interface in the same zone as the interface with your first block of IPs.
Take the first IP of the new block and make that the IP of the loopback.
Create a policy from untrust to untrust / any / any / allow / logging=on. This will then permit the traffic to and from your new block of IPs.

This is the general approach to solving this. If you have specific questions or get stuck, feel free to post and we can get into more details or specifics. :)
EmanuelAuthor Commented:
You are quite correct, it was my ISP that issued a second bank of IPs when I reached the limit of the current /28 range.
If you could offer more detailed instructions that would be brilliant. My experience is not based around firewalls, so all the help possible would be very well received.

Thank you.
Sanga CollinsSystems AdminCommented:
The best place for HowTos for Juniper products is their Knowledge Base. I have been using it for years and it's free! :) Some of the documents were written for older versions of the OS, but they still apply to current versions since most of the steps and concepts are exactly the same.

How to configure loopback interface

How to manage loopback interface

Remember, once you configure the loopback interface you will need to add a policy allowing traffic from untrust to untrust so that the new public IPs are routable.
EmanuelAuthor Commented:
Thanks.  I shall take a look now.
EmanuelAuthor Commented:
OK, thank you for the two information pages. They made it straightforward enough. I have set the IP as suggested. My supplier has said that the router IP is *.*.63.225, while the first IP of the range is *.*.63.224. Can I take it I just point the new rules to start from *.*.63.226 and point to where I need them, be that DMZ or trust?
You mentioned something about creating a rule from untrust to untrust any any.  What is that element for?

My original IPs are:
1st bank of external IPs: **.**.1.242 to 254
Router IP: **.**.1.241

New 2nd bank of external IPs: **.**.63.226 to 238
Router IP: **.**.63.225

EmanuelAuthor Commented:
Having re-read your post I think I have done it.

Untrust Intra-Zone policy, Source ANY, Destination ANY, Service ANY, Action TICK, Logging, enabled.
Sanga CollinsSystems AdminCommented:
Good to hear! Is everything working OK? Once the new block is in place you can start using the additional IPs just like before, in MIPs. You can point them to DMZ, Trust or even other custom zones if you have created any.
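The same loopback, intrazone policy and MIP setup, written out as ScreenOS CLI rather than WebUI steps. This is an added example for readers of the thread, not configuration posted by either participant. The addresses are documentation ranges standing in for the masked ones above (first block 203.0.113.240/28 with ethernet0/0 at .254 and the ISP gateway at .241; second block 198.51.100.224/28, routed by the ISP via the first block; a DMZ host at 10.10.10.10 behind ethernet0/1 10.10.10.1/24), and the interface names and zones follow the ones the asker lists later in the thread.

```text
## Added example: ScreenOS CLI for a second public /28 on an SSG20.
## All addresses are assumed placeholders; substitute your own.

# 1. Loopback interface in the Untrust zone, holding the new block.
#    The thread's resolution used the first address of the /28 (.224),
#    not the ISP's gateway address (.225), so that is what is set here.
set interface loopback.1 zone untrust
set interface loopback.1 ip 198.51.100.224/28

# 2. Put the physical Untrust interface in the loopback group, so packets
#    arriving on ethernet0/0 for the new block are owned by loopback.1.
set interface ethernet0/0 loopback-group loopback.1

# 3. Intrazone Untrust -> Untrust policy: lets traffic move between
#    ethernet0/0 and loopback.1. On its own this exposes nothing, because
#    nothing is reachable until a MIP and a cross-zone policy exist.
set policy from untrust to untrust any any any permit log

# 4. MIP on the loopback: one public address of the new block -> DMZ host.
set interface loopback.1 mip 198.51.100.226 host 10.10.10.10 netmask 255.255.255.255 vr trust-vr

# 5. Cross-zone policy for the ping test. Keep it narrow (specific MIP,
#    specific service, logging on); widen per service rather than "any".
set policy from untrust to dmz any MIP(198.51.100.226) ping permit log

save

## Checks, in order, if the ping still fails:
get interface loopback.1        # zone Untrust, IP 198.51.100.224/28, MIP present
get route                       # 198.51.100.224/28 connected via loopback.1
get policy                      # untrust->untrust and untrust->dmz both present and enabled
set ffilter src-ip 192.0.2.10 dst-ip 198.51.100.226   # 192.0.2.10 = assumed test source
clear dbuf
debug flow basic
## ... send the ping from 192.0.2.10, then:
get dbuf stream                 # shows which policy or route the packet hit, or why it was dropped
undebug all
unset ffilter
```

Nothing in the first block needs a static route: the /28 on loopback.1 appears as a connected route in trust-vr, which is why the asker later sees it in Network > Routing > Destination without adding one. The `debug flow basic` trace is the quickest way to tell a missing route ("no route") from a missing or wrong policy ("denied by policy") without posting live addresses anywhere.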
EmanuelAuthor Commented:
Do I need any routing to be set?
EmanuelAuthor Commented:
Actually I have just logged in again to that routing page and it shows the loop using the /28 so I guess that means I don't.

EmanuelAuthor Commented:
In the logging I can see five attempts for traffic but nothing from the IP I am sending from?
Sanga CollinsSystems AdminCommented:
You won't need routing if the ISP routes the second block of IPs through the first (standard practice in this situation). If for some strange reason they cannot route the second block through the first, then the best way to get around this is to use the untrust-vr to configure the new block of IPs with its corresponding gateway.
EmanuelAuthor Commented:
Could it be you are available via email?
my email kerj at

EmanuelAuthor Commented:
Could you explain how I could do that, is that within Routing?
I could try that before I call them to check configuration.
Sanga CollinsSystems AdminCommented:
To accomplish this by routing, I think the best way would be to do the following.

Create a new zone and make sure it is in the untrust-vr. Give it a name like IP2 or ISP2.
Edit the loopback interface and change its zone to IP2.
Go to the routing table (Network > Routing > Destination); you will need to create a couple of new routes:

i) -> **.**.63.225, interface = loopback
ii) LAN IP -> trust-vr

Now, instead of the untrust intrazone policy, that will be replaced by one policy from untrust to IP2 and another from IP2 to untrust.

I hope this make sense.
EmanuelAuthor Commented:
Many thanks for your assistance, it transpires that we weren't sending the IP through the original bank but the very kind man on the support desk is in the process of changing our configuration to do just that.

OK they have finished and now I get a response back from the Firewall stating that TTL expired in transit but it is from the Firewall's exposed IP address.

Your help has been brilliant.
EmanuelAuthor Commented:
Really sorry for keeping hassling you on this.  You have been so helpful and it feels really close to the end now.  
The logging is now showing my other IP and it is showing that I am sending to the IP where I have a server able to respond.  The downside is that the Firewall responds with Reply from <external firewall ip>: TTL expired in transit.
Could you suggest how I could fix this?
Sanga CollinsSystems AdminCommented:
Yeah, not a problem.

Tell me how you are setup right now. You are either missing a policy or a route.

is there a policy from trust to ip2 zone?

if there is, can you ping the new ip that is configured on the loopback? or trace route to it from a workstation?

What are the routes in the untrust-vr?
EmanuelAuthor Commented:
If you could let me have an email address I will email them over. I just don't want to publish our live IPs in the forum if possible.

Our provider made the second range of IP go to the 1st range.  So I have stayed with the initial settings you described.

In Network.Routing.Destination, I have
*.*.63.224/28 as a loopback.1

In Policy.Policies, I have
Untrust Intra-zone, ANY,ANY,ANY

Finally I have created
In Policy, Policies
Untrust (*.*.63.226) to DMZ(*.*.1.10), Allowing PING service
My device is sat on *.*.1.10 and is able to ping respond locally.

Many thanks again...

Which is a loopback.1 bringing back all traffic on the /28

I have a route set which is identical to the loopback.1
Sanga CollinsSystems AdminCommented:
I think it's against EE policy to post email addresses, but that's OK. I won't need the actual IP address information to get you through the setup.

I think the problem might be the route you set which is identical to loopback.1 in the route table. What is the route you set?

below is an example of my route table using the loopback

eth2 is my LAN, eth4 is my WAN

      IP/Netmask     Gateway   Interface    Protocol   Preference   Metric   Vsys
*                              ethernet2    C                                Root
*                              ethernet2    H                                Root
*     x.x.x.52/30              ethernet4    C                                Root
*     x.x.x.54/32              ethernet4    H                                Root
*                              loopback.1   C                                Root
*                              ethernet4    S          20           1        Root


EmanuelAuthor Commented:

OK here is a list from my route table;
      IP/Netmask       Gateway      Interface     Protocol   Pref   Metric   Vsys
*     *.*.1.240/28                  ethernet0/0   C                          Root
*     *.*.16.0/24                   bgroup0       C                          Root
*     *.*.16.1/32                   bgroup0       H                          Root
*     *.*.10.0/24                   ethernet0/1   C                          Root
*     *.*.10.0/32                   ethernet0/1   H                          Root
*                      *.*.1.241    ethernet0/0   C                 1        Root
*     *.*.63.224/28                 loopback.1    C                          Root

Comparing my table to yours, it doesn't look too dissimilar.
But what now appears to me is that I haven't told the router where to send the loopback.1 traffic to.

Network Interface list;
Ethernet0/0  is *.*.1.254/28 - Untrust
Ethernet0/1  is *.*.10.1/24 - DMZ
Ethernet0/2  is bgroup0 *.*.16.1/24 - Trust
Ethernet0/3  is bgroup0
Ethernet0/4  is - Untrust
loopback.1    is *.*.63.225/28 - Untrust

Really hoping you can help me complete the configuration.

Thank you again.

EmanuelAuthor Commented:
Thank you for all your help.  I have it working and can see the error of my ways from the last post.

The loopback.1 in the network interface needed a minor adjustment: I had it at *.*.63.225/28 and it should have been *.*.63.224/28.

Then, I didn't have any routes in the root table to take the traffic from the untrust side to the DMZ or trust, depending on service. I have now added my first set and all appears to be working now.

Thank you for your time yesterday, you have been a real help.
Sanga CollinsSystems AdminCommented:
That's good to hear. It is usually the smallest of details that trip me up too when configuring Juniper devices. I am sure that now you have seen it working, it makes more sense. Let me know if you have additional questions.

EmanuelAuthor Commented:
You are a complete life saver thank you very much for all your extended effort.