Emanuel asked:

SSG20 Juniper firewall

Hi,
I have a firewall attached and working; however, I have reached the number of IP addresses that can address it from the internet interface and have been allocated a second set of IPs from my supplier.
How can I make these available in the Juniper?
Under Networking, Routing I have added the IPs and set up new rules to allow ping through as a trial, but nothing comes through. The original set works fine.

Let's say my IPs are
1st bank of external IPs: **.**.1.242 to 254
Router IP: **.**.1.241

2nd bank of external IPs: **.**.63.226 to 238
Router IP: **.**.63.225

As said, I have added routing destinations for these in my table and started adding the policy, but it still doesn't appear to be enough to allow ping through. Any help would be greatly appreciated.

Regards,
Tags: Hardware Firewalls, Routers

Last comment: Emanuel, 8/22/2022 (Mon)
hypercube

I wonder if you might explain why you'd want multiple public IPs on a single device? That could help. Something like using it as a "multi-channel" device with different LANs behind each, or ...? It's not clear to me why having multiple public addresses to the *same* device would make sense unless you are setting up a publicly-addressed DMZ with multiple devices there.
Knowing might help suggest setup approaches.
Sanga Collins

I'm guessing your ISP gave you two different blocks of IP addresses (e.g. 10.10.10.x/28 and 11.11.11.x/28).

What you want to do is create a new interface as a loopback interface in the same zone as the interface with your first block of IPs.
Take the first IP on the new block and make that the IP of the loopback.
Create a policy from untrust to untrust / any / any / allow / logging=on. This will then permit the traffic to and from your new block of IPs.

This is the general approach to solving this. If you have specific questions or get stuck, feel free to post and we can get into more details or specifics. :)
Emanuel

ASKER
Sangamc,
You are quite correct, it was my ISP that issued a second bank of IPs when I reached the limit of the current /28 range.
If you could offer more detailed instructions, that would be brilliant. My experience is not based around firewalls, so all the help possible would be very well received.

Thank you.
Sanga Collins

The best place for how-tos for Juniper products is their Knowledge Base. I have been using it for years and it's free! :) Some of the documents were written for older versions of the OS, but still apply to current versions since most of the steps and concepts are exactly the same.

How to configure loopback interface
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4167&cat=PRODUCT&actp=LIST

How to manage loopback interface
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4168

Remember, once you configure the loopback interface, you will need to add a policy allowing traffic from untrust to untrust so that the new public IPs are routable.
Emanuel

ASKER
Thanks. I shall take a look now.
Emanuel

ASKER
OK, thank you for the two information pages. They made it straightforward enough. I have set the IP as suggested. My supplier has said that the router IP is *.*.63.225, while the first IP of the range is *.*.63.224. Can I take it I just point the new rules to start from *.*.63.226 and point to where I need them, be that DMZ or trust?
You mentioned something about creating a rule from untrust to untrust any any. What is that element for?

My original IPs are
1st bank of external IPs: **.**.1.242 to 254
Router IP: **.**.1.241

New 2nd bank of external IPs: **.**.63.226 to 238
Router IP: **.**.63.225

Regards,
Emanuel

ASKER
Having re-read your post I think I have done it.

Untrust Intra-Zone policy, Source ANY, Destination ANY, Service ANY, Action TICK, Logging, enabled.
Sanga Collins

Good to hear! Is everything working OK? Once the new block is in place you can start using the additional IPs just like before in MIPs. You can point them to DMZ, Trust or even other custom zones if you have created any.
Emanuel

ASKER
Do I need any routing to be set?
Emanuel

ASKER
Actually, I have just logged in again to that routing page and it shows the loopback using the /28, so I guess that means I don't.

Thanks
Emanuel

ASKER
In the logging I can see five attempts for traffic, but nothing from the IP I am sending from?
Sanga Collins

You won't need routing if the ISP routes the second block of IPs through the first (standard practice in this situation). If for some strange reason they cannot route the second block through the first, then the best way to get around this is to use the untrust-vr to configure the new block of IPs with its corresponding gateway.
Emanuel

ASKER
Could it be you are available via email?
My email: kerj at qav-ltd.com

Regards,
Emanuel

ASKER
Hi,
Could you explain how I could do that? Is that within Routing?
I could try that before I call them to check the configuration.
Sanga Collins

To accomplish this by routing, I think the best way would be to do the following.

Create a new zone and make sure it is in the untrust-vr. Give it a name like IP2 or ISP2.
Edit the loopback interface and change its zone to IP2.
Go to the routing table (Network > Routing > Destination); you will need to create a couple of new routes.

untrust-vr
i) 0.0.0.0/0 -> **.**.63.225, interface = loopback
ii) LANIP -> trust-vr

Now, instead of the untrust intrazone policy, that will be replaced by one policy from untrust to ip2 and another from ip2 to untrust.

I hope this makes sense.
Emanuel

ASKER
Many thanks for your assistance. It transpires that we weren't sending the IP through the original bank, but the very kind man on the support desk is in the process of changing our configuration to do just that.

OK, they have finished and now I get a response back from the firewall stating that TTL expired in transit, but it is from the firewall's exposed IP address.

Your help has been brilliant.
Emanuel

ASKER
Really sorry to keep hassling you on this. You have been so helpful and it feels really close to the end now.
The logging is now showing my other IP and it is showing that I am sending to the IP where I have a server able to respond. The downside is that the firewall responds with "Reply from <external firewall ip>: TTL expired in transit."
Could you suggest how I could fix this?
Sanga Collins

Ya not a problem.

Tell me how you are setup right now. You are either missing a policy or a route.

Is there a policy from trust to the ip2 zone?

If there is, can you ping the new IP that is configured on the loopback, or traceroute to it from a workstation?

What are the routes in the untrust-vr?
Emanuel

ASKER
If you could let me have an email address I will email them over. I just don't want to publish our live IPs in the forum if possible?

Our provider made the second range of IPs go to the 1st range. So I have stayed with the initial settings you described.

In Network > Routing > Destination, I have
*.*.63.224/28 as a loopback.1
which is a loopback.1 bringing back all traffic on the /28.

I have a route set which is identical to the loopback.1.

In Policy > Policies, I have
Untrust Intra-zone, ANY, ANY, ANY

Finally I have created, in Policy > Policies,
Untrust (*.*.63.226) to DMZ (*.*.1.10), allowing PING service.
My device is sat on *.*.1.10 and is able to respond to ping locally.

Many thanks again...
Sanga Collins

I think it's against EE policy to post email addresses, but that's OK. I won't need the actual IP address information to get you through the setup.

I think the problem might be the route you set which is identical to loopback.1 in the route table. What is the route you set?

Below is an example of my route table using the loopback.

eth2 is my LAN, eth4 is my WAN.

  IP/Netmask         Gateway        Interface   Protocol  Preference  Metric  Vsys
* 10.160.100.0/24                   ethernet2   C                             Root
* 10.160.100.1/32                   ethernet2   H                             Root
* x.x.x.52/30                       ethernet4   C                             Root
* x.x.x.54/32                       ethernet4   H                             Root
* 64.140.103.8/29                   loopback.1  C                             Root
* 0.0.0.0/0          209.42.58.53   ethernet4   S         20          1       Root


Emanuel

ASKER
Hi,

OK, here is a list from my route table:

  IP/Netmask       Gateway      Interface     Protocol  Pref  Metric  Vsys
* *.*.1.240/28                  ethernet0/0   C                       Root
* *.*.16.0/24                   bgroup0       C                       Root
* *.*.16.1/32                   bgroup0       H                       Root
* *.*.10.0/24                   ethernet0/1   C                       Root
* *.*.10.0/32                   ethernet0/1   H                       Root
* 0.0.0.0/0        *.*.1.241    ethernet0/0   C               1       Root
* *.*.63.224/28                 loopback.1    C                       Root

Looking at my table against yours, it doesn't look too dissimilar.
But what now appears to me is that I haven't told the router where to send the loopback.1 to.

Network interface list:
Ethernet0/0   is *.*.1.254/28 - Untrust
Ethernet0/1   is *.*.10.1/24 - DMZ
Ethernet0/2   is bgroup0 *.*.16.1/24 - Trust
Ethernet0/3   is bgroup0
Ethernet0/4   is 0.0.0.0/0 - Untrust
loopback.1    is *.*.63.225/28 - Untrust

Really hoping you can help me complete the configuration.

Thank you again.

Les.
Emanuel

ASKER
Thank you for all your help. I have it working and can see the error of my ways from the last post.

The loopback.1 in the network interface needed a minor adjustment: I had it at *.*.63.225/28 and it should have been 63.224/28.

Then I didn't have any routes in the root table to take the traffic from the untrust side to the DMZ or trust depending on service. I have now added my first set and all appears to be working now.

Thank you for your time yesterday, you have been a real help.
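Pulling the pieces from this thread together, here is the equivalent ScreenOS CLI configuration. This is an added example, not Sanga's own configuration or text from the Juniper KB articles linked above; it uses RFC 5737 documentation addresses in place of the masked ones, and the loopback-group binding and the MIP on the loopback are assumptions drawn from general ScreenOS usage rather than steps the thread itself spells out.

```screenos
# Added example (constructed). Assumes: ethernet0/0 is the Untrust interface
# carrying the first block, the DMZ zone holds the server at 10.0.10.10 (placeholder),
# and the ISP routes the second block 198.51.100.224/28 via the first-block address.

# 1. Loopback interface in the Untrust zone, configured with the new /28 as the
#    thread ended up with (not the ISP gateway address .225).
set interface loopback.1 zone untrust
set interface loopback.1 ip 198.51.100.224/28

# 2. Bind the physical Untrust interface to the loopback so it answers ARP for
#    the new block (assumed from general ScreenOS usage).
set interface ethernet0/0 loopback-group loopback.1

# 3. Mapped IP on the loopback: public .226 -> DMZ server 10.0.10.10.
set interface loopback.1 mip 198.51.100.226 host 10.0.10.10 netmask 255.255.255.255 vr trust-vr

# 4. Intra-zone Untrust policy, as in the thread, so traffic arriving on
#    ethernet0/0 may be forwarded to the loopback's addresses.
set policy from untrust to untrust any any any permit log

# 5. Only the service actually needed, from Untrust to the MIP in the DMZ.
set policy from untrust to dmz any "MIP(198.51.100.226)" ping permit log

# Checks: the loopback address/mask, the connected route for the /28, and the policies.
get interface loopback.1
get route
get policy
```

The intra-zone permit is written as any/any/any to match the thread; limiting its destination to the new /28 address range gives the same result with less exposure, and the log flag on both policies is what lets you see the forwarded traffic in the event log as Emanuel did.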
ASKER CERTIFIED SOLUTION
Sanga Collins

Emanuel

ASKER
You are a complete life saver. Thank you very much for all your extended effort.