Juniper SSG5 ScreenOS - two ISPs

m1979 asked:
I am a Cisco guy but need to set up a Juniper firewall. What I had to do: there are two Internet connections going to this firewall and I had to change the backup line to something else. So all I did:
- I changed the IP address under the interface (e0/5)
- I changed the default route under routing for this v-router

It is similar to the diagram that I attached.

I ssh-ed to the firewall and tried the following:
- ping using the source interface e0/5 - does not work
- ping using the source LAN interface - it works

And of course I cannot ping the Internet using this interface.

Can you advise what else to check? I have never worked with Juniper before so please tell me step by step what to check and change...
it DID work before I made all these changes... but all I did... I changed the IP address and the default route


Can you post the results of the following commands (sanitized)?

get int
get route


Name           IP Address                        Zone        MAC            VLAN State VSD
serial0/0                         Null        N/A               -   D   -
eth0/0                  MAIN LINE    -   U   -
eth0/1                         DMZ         0    -   D   -
eth0/2                         Null        6    -   D   -
eth0/3                         Null        07    -   D   -
eth0/4                         Null            -   D   -
eth0/5         2.2.2/29                 bkp     -   U   -
bgroup0                  Trust           -   U   -
  eth0/6       N/A                               N/A         N/A               -   U   -
bgroup1                         Null            -   D   -
bgroup2                         Null           -   D   -
bgroup3                         Null        e    -   D   -
tun.1          unnumbered                        xxxxx _~ ethernet0/0       -   R   -
vlan1                         VLAN            1   D   -
null                          Null        N/A               -   U   0

IPv4 Dest-Routes for <untrust-vr> (4 entries)
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
*         4         eth0/0   S   20      1     Root
*         3       x.x.0.0/16          tun.1   S   20      1     Root
*         2         eth0/0   H    0      0     Root
*         1         eth0/0   C    0      0     Root

IPv4 Dest-Routes for <trust-vr> (5 entries)
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
*         4            n/a      untrust-vr   S   20      1     Root
*         5            n/a         bkp-vr   S   20      1     Root
*         1        bgroup0   C    0      0     Root
*         2        bgroup0   H    0      0     Root
*         3        bgroup0   S   20      1     Root

IPv4 Dest-Routes for <bkp-vr> (3 entries)
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr
*         9         eth0/5   S   20      5
*         4         eth0/5   C    0      0
*         5  2.2.2/32         eth0/5   H    0      0

Sorry for the late reply, a work emergency had my back against the wall for a while.

Looking at the route table for bkp-vr I am a bit confused by what values you have. Even though it is sanitized, is there maybe a typo with route ID 4?

If the gateway is and the subnet mask is 29 bits, route ID 4 should be and route ID 5 would be

Sangamc, thanks for your reply. I think it is OK. We got a pool of IP addresses and the network address is x.x.x.144/29, the DG is .145 and the firewall was assigned .146.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Check the management IP address for eth0/5 (though we should see it in the interface list if set).
If you say you cannot ping from eth0/5, did you just try to do a tracert/traceroute from LAN when doing so? It might work from LAN, and even using the correct default gateway. As I read your config, the untrust-vr DG will win when coming from trust-vr, and that is why it works, but I want to be sure about that.
And test by adding a specific route to trust-vr for bkp.

BTW, having different VRs doesn't make much sense in this environment, unless you have routing protocols like OSPF active. It overcomplicates the setup.
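Two checks come up in the replies above: Sangamc's point that the connected (C) and host (H) entries in bkp-vr must agree with the .144/29 network, .145 gateway and .146 firewall address, and Qlemo's point that trust-vr holds two default routes of equal preference and metric, so the untrust-vr one wins regardless of which line you meant to use. The script below is an added example, not from the thread or from Juniper, that parses `get route` output and runs both checks. The sample tables are constructed: 203.0.113 (a documentation range) stands in for the sanitized x.x.x, the column order follows the output posted above, and showing 0.0.0.0 in the Gateway column for C, H and inter-VR routes is an assumption about the print format.

```python
import ipaddress

# Constructed sample output (not from the thread): the backup VR table with the
# values the asker gave (.144/29 network, .145 gateway, .146 firewall),
# using 203.0.113 (a documentation range) in place of the sanitized x.x.x.
BKP_VR_OK = """\
IPv4 Dest-Routes for <bkp-vr> (3 entries)
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr
*         9          0.0.0.0/0         eth0/5   203.0.113.145   S   20      5
*         4  203.0.113.144/29         eth0/5         0.0.0.0   C    0      0
*         5  203.0.113.146/32         eth0/5         0.0.0.0   H    0      0
"""

# Same table with a mistyped gateway that falls outside the /29 (constructed).
BKP_VR_TYPO = BKP_VR_OK.replace("203.0.113.145", "203.0.113.153")

# Constructed trust-vr table with two equal-cost default routes, one per VR,
# mirroring route IDs 4 and 5 in the asker's output.
TRUST_VR = """\
IPv4 Dest-Routes for <trust-vr> (4 entries)
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
*         4          0.0.0.0/0     untrust-vr         0.0.0.0   S   20      1     Root
*         5          0.0.0.0/0         bkp-vr         0.0.0.0   S   20      1     Root
*         1    192.168.1.0/24        bgroup0         0.0.0.0   C    0      0     Root
*         2    192.168.1.1/32        bgroup0         0.0.0.0   H    0      0     Root
"""

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def parse_routes(table_text):
    """Turn the '*'-marked rows of a 'get route' table into dicts.

    Column order assumed: marker, ID, prefix, interface, gateway, protocol
    (C/H/S as printed by ScreenOS), preference, metric, optional Vsys.
    """
    routes = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] != "*":
            continue
        routes.append({
            "id": int(fields[1]),
            "prefix": ipaddress.ip_network(fields[2], strict=False),
            "interface": fields[3],
            "gateway": ipaddress.ip_address(fields[4]),
            "proto": fields[5],
            "pref": int(fields[6]),
            "metric": int(fields[7]),
        })
    return routes


def audit_interface_vr(table_text, interface_cidr, ifname):
    """Check a VR's table against the interface it should be derived from.

    Returns a list of findings; an empty list means the connected (C) route,
    the host (H) route and the default route all agree with the interface.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    routes = parse_routes(table_text)
    host = ipaddress.ip_network(f"{iface.ip}/32")
    findings = []
    if not any(r["proto"] == "C" and r["prefix"] == iface.network for r in routes):
        findings.append(f"no connected route for {iface.network}: check the mask on {ifname}")
    if not any(r["proto"] == "H" and r["prefix"] == host for r in routes):
        findings.append(f"no host route for {host}: the interface address is not {iface.ip}")
    defaults = [r for r in routes if r["prefix"] == DEFAULT]
    if not defaults:
        findings.append("no default route in this VR")
    for r in defaults:
        if r["interface"] != ifname:
            findings.append(f"default route {r['id']} leaves via {r['interface']}, not {ifname}")
        elif r["gateway"] not in iface.network:
            findings.append(f"default gateway {r['gateway']} is not on-link for {iface.network}")
    return findings


def competing_defaults(table_text):
    """Return (id, next hop) for every default route tied at the best pref/metric.

    More than one entry means the box chooses between them by something other
    than cost, which is the trust-vr situation Qlemo describes.
    """
    defaults = [r for r in parse_routes(table_text) if r["prefix"] == DEFAULT]
    if not defaults:
        return []
    best = min((r["pref"], r["metric"]) for r in defaults)
    return [(r["id"], r["interface"]) for r in defaults if (r["pref"], r["metric"]) == best]


if __name__ == "__main__":
    print(audit_interface_vr(BKP_VR_OK, "203.0.113.146/29", "eth0/5"))    # []
    print(audit_interface_vr(BKP_VR_TYPO, "203.0.113.146/29", "eth0/5"))  # one finding
    print(competing_defaults(TRUST_VR))                                    # two tied defaults
```

Paste your own sanitized `get route` output in place of the sample strings and the interface address from `get interface eth0/5`; an empty finding list for bkp-vr plus a single tied default in trust-vr is the state in which a source-interface ping from eth0/5 has a route to leave on.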
Escalated to Juniper to fix it for us.
