Solved

Juniper SSG5 multiple public static IP Addresses

Posted on 2012-03-21
Last Modified: 2012-03-31
I have two sets of IP addresses assigned by my ISP.  For the sake of this question, let's say that they are as follows:

x.x.210.84/30
x.x.41.128/29

I currently have my Juniper SSG5 assigned a static IP address of x.x.210.86/32.

From what I understand, I should have full use of these static IP addresses, if I can figure out how to program the SSG5 to use them:

x.x.210.85
x.x.210.86
x.x.41.129
x.x.41.130
x.x.41.131
x.x.41.132
x.x.41.133
x.x.41.134
x.x.41.135

When I change my SSG5 to an address of x.x.210.84/30 or x.x.210.85/32, I lose my outbound connection.

I've found some off-hand references to using MIP or DIP.  I am using VIP on the one x.x.210.86 address; do I use this, also, once MIP and/or DIP are configured?

Thank you.
0
Question by:Lee Tumbleson
7 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 37749992
You will need to create a loopback interface for the new block of IP addresses. Configure the first IP in the new block as the loopback IP, and create an untrust-to-untrust intra-zone policy to permit traffic. You can then use your additional IPs as normal.
0
 

Author Comment

by:Lee Tumbleson
ID: 37750105
Thanks for the response.  But, I'm afraid that I need a little more 'hand holding'.

I created the loopback with x.x.41.128/29.  I put this in the same untrust zone that ethernet0/0 is on, which has the x.x.210.86 address.

Now what?  Do I define something in the MIP? DIP? I tried to add x.x.41.129 to the VIP on x.x.210.86, but it generated an error stating that the IP must be in the same subnet as the interface IP.

I'm ultimately trying to direct the IP addresses directly to internal IP addresses.
0
 

Author Comment

by:Lee Tumbleson
ID: 37750120
I see that the loopback also has MIP, DIP and VIP settings.  I tried to redirect port 80, for x.x.41.129 directly to an internal server, but it isn't connecting.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 37750252
After creating the loopback, did you also create a new policy from untrust to untrust with action = permit?

This will allow traffic to reach the loopback interface and vice versa.
Once that is configured, you should be able to create a MIP to an internal IP. I usually set up my MIP to allow all traffic just for testing, and once I know it's working I lock it down to the specific traffic I need.
0
 

Accepted Solution

by:
Lee Tumbleson earned 0 total points
ID: 37754853
I already had an untrust to untrust policy to allow ANY source, ANY destination, ANY service.

"create a MIP to an internal IP"  Is this on the x.x.210.86 (ethernet0/0) or on the loopback?

I set up x.x.41.130 to forward to 192.168.1.4, which has IIS.  I can explore this page, internally at http://192.168.1.4.  I can't get to it at http://x.x.41.130.

What do I select for the 'Host Virtual Router Name' in the MIP?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 37755273
The host virtual router is the VR that contains your internal IPs. In this case it would be the trust virtual router.
0
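The steps discussed in the comments above, written out as a ScreenOS CLI sketch. This is an added example, not a configuration posted by either participant. The interface name `loopback.1`, the zone names `Untrust`/`Trust` and the final Untrust-to-Trust policy are assumptions (the thread does not spell out that policy; it is how a ScreenOS policy references a MIP as its destination). The `x.x.` octets are the thread's own masking and must be replaced with the real addresses; lines starting with `#` are annotations, not commands.

```screenos
# 1. Loopback interface in the Untrust zone, carrying the first usable
#    address of the second block (x.x.41.128/29 -> x.x.41.129).
set interface loopback.1 zone Untrust
set interface loopback.1 ip x.x.41.129/29

# 2. Intra-zone policy described in the thread (Untrust to Untrust, permit).
set policy from Untrust to Untrust Any Any ANY permit

# 3. MIP defined on the loopback, not on ethernet0/0: public x.x.41.130
#    maps one-to-one to the internal IIS host. The host virtual router is
#    the one holding the internal addresses (trust-vr).
set interface loopback.1 mip x.x.41.130 host 192.168.1.4 netmask 255.255.255.255 vr trust-vr

# 4. Policy that admits traffic to the MIP (assumption: internal host sits
#    in the Trust zone).
#    Testing form, all services open to the server:
#      set policy from Untrust to Trust Any MIP(x.x.41.130) ANY permit
#    Locked-down form, only the service actually published, with logging:
set policy from Untrust to Trust Any MIP(x.x.41.130) HTTP permit log

save
```

If the testing form was entered first, remove it once the locked-down policy is in place, since policies are evaluated top-down and the broader rule would match first.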
 

Author Closing Comment

by:Lee Tumbleson
ID: 37790417
Evidently I asked this in the wrong forum.  I'll try going directly to Juniper.
0

Question has a verified solution.