Juniper SSG5 multiple public static IP Addresses

I have two sets of IP addresses assigned by my ISP.  For the sake of this question, let's say that they are as follows:

x.x.210.84/30
x.x.41.128/29

I currently have my Juniper SSG5 assigned a static IP address of x.x.210.86/32.

From what I understand, I should have full use of these static IP addresses, if I can figure out how to program the SSG5 to use them:

x.x.210.85
x.x.210.86
x.x.41.129
x.x.41.130
x.x.41.131
x.x.41.132
x.x.41.133
x.x.41.134
x.x.41.135

When I change my SSG5 to an address of x.x.210.84/30 or x.x.210.85/32, I lose my outbound connection.

I've found some off-hand references to using MIP or DIP.  I am using VIP on the one x.x.210.86 address; do I use this, also, once MIP and/or DIP are configured?

Thank you.
Lee Tumbleson Asked:

Sanga Collins (Systems Admin) Commented:
You will need to create a loopback interface for the new block of IP addresses. Configure the first IP in the new block as the loopback IP, and create an untrust-to-untrust intra-zone policy to permit traffic. You can then use your additional IPs as normal.
Lee Tumbleson (Author) Commented:
Thanks for the response.  But, I'm afraid that I need a little more 'hand holding'.

I created the loopback with x.x.41.128/29.  I put this in the same untrust zone that ethernet0/0 is on, which has the x.x.210.86 address.

Now what?  Do I define something in the MIP? DIP? I tried to add x.x.41.129 to the VIP on x.x.210.86, but it generated an error stating that the IP must be in the same subnet as the interface IP.

I'm ultimately trying to direct the IP addresses directly to internal IP addresses.
Lee Tumbleson (Author) Commented:
I see that the loopback also has MIP, DIP and VIP settings.  I tried to redirect port 80, for x.x.41.129 directly to an internal server, but it isn't connecting.
Sanga Collins (Systems Admin) Commented:
After creating the loopback, did you also create a new policy from untrust to untrust with action = permit?

This will allow traffic to reach the loopback interface and vice-versa.
Once that is configured, you should be able to create a MIP to an internal IP. I usually set up my MIP to allow all traffic just for testing, and once I know it's working I lock it down to the specific traffic I need.
Lee Tumbleson (Author) Commented:
I already had an untrust to untrust policy to allow ANY source, ANY destination, ANY service.

"create a MIP to an internal IP"  Is this on the x.x.210.86 (ethernet0/0) or on the loopback?

I set up x.x.41.130 to forward to 192.168.1.4, which has IIS.  I can explore this page, internally at http://192.168.1.4.  I can't get to it at http://x.x.41.130.

What do I select for the 'Host Virtual Router Name' in the MIP?

Sanga Collins (Systems Admin) Commented:
The host virtual router is the VR that contains your internal IPs. In this case it would be the trust virtual router.
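
The steps discussed in the answers above, collected as ScreenOS CLI with the test-phase "allow all" policy already narrowed to HTTP. This is an added example, not configuration posted by either participant. It assumes the internal server sits in the Trust zone, that .129 is used as the loopback IP, and that the loopback is named loopback.1; the loopback-group line is also an assumption that the thread does not mention.

```screenos
# Annotation lines start with "#" and are not ScreenOS commands.
# The x.x.* addresses are the masked values from the question.

# 1. Loopback in the same zone as ethernet0/0, holding the first IP of the /29.
set interface loopback.1 zone Untrust
set interface loopback.1 ip x.x.41.129/29
set interface loopback.1 route

# 2. Assumption, not mentioned in the thread: make ethernet0/0 a member of the
#    loopback group so traffic arriving on it can use the loopback's MIPs.
set interface ethernet0/0 loopback-group loopback.1

# 3. MIP defined on the loopback, not on ethernet0/0 (whose subnet is the /30).
#    The host virtual router is the one holding the internal network: trust-vr.
set interface loopback.1 mip x.x.41.130 host 192.168.1.4 netmask 255.255.255.255 vr trust-vr

# 4. Locked-down policy: only HTTP to the MIP, with logging enabled.
set policy from Untrust to Trust Any "MIP(x.x.41.130)" HTTP permit log

# 5. Review the result and persist it.
get interface loopback.1
get policy
save
```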
Lee Tumbleson (Author) Commented:
Evidently I asked this in the wrong forum.  I'll try going directly to Juniper.