Juniper SSG5 ScreenOS - two ISPs

m1979
I am a Cisco guy but need to set up a Juniper firewall. What I had to do: there are two Internet connections going to this firewall and I had to change the backup line to something else. So all I did:
- I changed the IP address under the interface (e0/5)
- I changed the default route under routing for this v-router
I HAVE NOT CHANGED ANYTHING ELSE.

It is similar to the diagram that I attached.

I ssh-ed to the firewall and tried the following:
- ping 2.2.2.1 using the source interface e0/5 - does not work
- ping 2.2.2.1 using the source LAN interface - it works

And of course I cannot ping the Internet using this 2.2.2.2 interface.

Can you advise what else to check? I have never worked with Juniper before so please tell me step by step what to check and change...
it DID work before I made all these changes... but all I did... I changed the IP address and the default route

Commented:
Can you post the results of the following commands (sanitized)?

Get int
Get route

Author

Commented:
Name           IP Address                        Zone        MAC            VLAN State VSD
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -
eth0/0         1.1.1.18/29                  MAIN LINE    -   U   -
eth0/1         0.0.0.0/0                         DMZ         0    -   D   -
eth0/2         0.0.0.0/0                         Null        6    -   D   -
eth0/3         0.0.0.0/0                         Null        07    -   D   -
eth0/4         0.0.0.0/0                         Null            -   D   -
eth0/5         2.2.2/29                 bkp     -   U   -
bgroup0        192.168.100.254/24                  Trust           -   U   -
  eth0/6       N/A                               N/A         N/A               -   U   -
bgroup1        0.0.0.0/0                         Null            -   D   -
bgroup2        0.0.0.0/0                         Null           -   D   -
bgroup3        0.0.0.0/0                         Null        e    -   D   -
tun.1          unnumbered                        xxxxx _~ ethernet0/0       -   R   -
vlan1          0.0.0.0/0                         VLAN            1   D   -
null           0.0.0.0/0                         Null        N/A               -   U   0




IPv4 Dest-Routes for <untrust-vr> (4 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         4          0.0.0.0/0         eth0/0   1.1.1.17   S   20      1     Root
*         3       x.x.0.0/16          tun.1         0.0.0.0   S   20      1     Root
*         2   1.1.1.18/32         eth0/0         0.0.0.0   H    0      0     Root
*         1   1.1.1.16/29         eth0/0         0.0.0.0   C    0      0     Root



IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         4          0.0.0.0/0            n/a      untrust-vr   S   20      1     Root
*         5          0.0.0.0/0            n/a         bkp-vr   S   20      1     Root
*         1     192.168.100.0/24        bgroup0         0.0.0.0   C    0      0     Root
*         2   192.168.100.254/32        bgroup0         0.0.0.0   H    0      0     Root
*         3     192.168.100.0/24        bgroup0     192.168.100.1   S   20      1     Root



IPv4 Dest-Routes for <bkp-vr> (3 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr
--------------------------------------------------------------------------------------
*         9          0.0.0.0/0         eth0/5  2.2.2.1   S   20      5
*         4  2.2.2.144/29         eth0/5         0.0.0.0   C    0      0
*         5  2.2.2/32         eth0/5         0.0.0.0   H    0      0

Commented:
Sorry for the late reply, work emergency had my back against the wall for a while.

Looking at the route table for bkp-vr I am a bit confused by the values you have. Even though it is sanitized, is there maybe a typo with route ID 4?

If the gateway is 2.2.2.1 and the subnet mask is 29 bits, route ID 4 should be 2.2.2.0/29 and route ID 5 would be 2.2.2.2/32.

Author

Commented:
Sangamc, thanks for your reply. I think it is ok. We got a pool of IP addresses and the network address is x.x.x.144/29, the DG is .145 and the firewall was assigned with .146.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Check the management IP address for eth0/5 (though we should see it in the interface list if set).
If you say you cannot ping 2.2.2.2 from eth0/5, did you just try to do a tracert/traceroute from LAN when doing so? It might work from LAN, and even using the correct default gateway. As I read your config, the untrust-vr DG will win when coming from trust-vr, and that is why it works, but I want to be sure about that.
And test by adding a specific route to trust-vr for bkp.

BTW, having different VRs doesn't make much sense in this environment, unless you have routing protocols like OSPF active. It overcomplicates the setup.
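An added example, not the thread's own configuration: the ScreenOS commands I would use to confirm Qlemo's hypothesis (LAN-sourced pings to the backup gateway being resolved through untrust-vr because trust-vr carries two equal-preference default routes) and to add the specific route he suggests. The thread's sanitized addresses are inconsistent, so this assumes the author's clarification (network .144/29, gateway .145) under the 2.2.2 placeholder prefix, and ScreenOS 6.x syntax as I recall it; the # lines are reader notes, not CLI input.

```text
# 1. Which route does trust-vr actually use for the backup gateway?
#    Before the fix, expect the 0.0.0.0/0 -> untrust-vr entry to win,
#    i.e. the packet leaves eth0/0 toward 1.1.1.17, not eth0/5.
set vrouter "trust-vr"
get route ip 2.2.2.145
exit

# 2. Confirm eth0/5 carries no stray management IP and sits in the bkp zone / bkp-vr.
get interface ethernet0/5

# 3. Specific route so trust-vr hands traffic for the backup subnet to bkp-vr
#    (longest prefix match beats the two competing default routes).
set vrouter "trust-vr"
set route 2.2.2.144/29 vrouter "bkp-vr"
exit

# 4. Re-check the lookup, then ping the gateway from both sources.
set vrouter "trust-vr"
get route ip 2.2.2.145
exit
ping 2.2.2.145 from ethernet0/5
ping 2.2.2.145 from bgroup0
```

If the ping from ethernet0/5 still fails while the lookup in bkp-vr shows the connected 2.2.2.144/29 route, the problem is on the link or provider side rather than in inter-VR routing, which is worth knowing before escalating.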
Commented:
Escalated to Juniper to fix it for us.

Author

Commented:
...
