Solved

Can a Juniper Netscreen NS25 have more than one ISP connection?

Posted on 2012-08-20
1,527 Views
Last Modified: 2012-12-12
We have a Juniper Netscreen NS25 that is providing services to a few different offices and several outside people that connect in via Citrix. We are getting a new internet pipe with a different ISP. Is the NS25 capable of setting up a separate internet pipe into it and moving those people through it into the LAN for services so that I don't have any downtime? I want to be able to slowly migrate them all if I can.
Question by:aando
15 Comments
 
LVL 18

Assisted Solution

by:deimark
deimark earned 75 total points
ID: 38312703
Yup, we can do this bud.

We can set up 2 WAN connections and 2 default routes and "prefer" the default route over the existing WAN connection.

We can then slowly start to migrate users across onto the new connection by adding static routes to the destinations to use the new WAN connection.

Once all across, delete the default route to the old WAN and then only use the new WAN.

HTH
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 1425 total points
ID: 38312714
Yes it can, and it does so quite nicely :)

Here are the basic steps.

Create your new LAN and WAN in the untrust-vr. This way you can have both your new gateway to the ISP and the old gateway active at the same time.

For the trust VR, enable monitoring on the WAN port and configure a new default route with metric 10 that points to the untrust-vr. Basically what this does is: if ISP1 goes down, the monitoring feature on the port will detect it and mark the interface as 'logically down'. The default route will become inactive and the backup route to untrust-vr will take over.

In the untrust-vr make sure you have a route statement referencing the original LAN. Basically <lan-ip> --> trust-vr. This will ensure that the return traffic for the backup circuit gets to your computers.

These are the fundamentals of dual WAN connectivity. Of course, if you need details on any specific steps, don't hesitate to post. I just didn't want to write a whole chapter's worth of information on the message thread.
 

Author Comment

by:aando
ID: 38312832
Out of the four ports I have on the NS25, I have 1 open. Do I just use it for the connection to the New ISP?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 38312898
Yes, you will need to use the additional port for ISP2. For the LAN it's not so bad since you can create sub-interfaces with VLAN tagging. But for WAN I recommend 1 port per carrier.
 

Author Comment

by:aando
ID: 38326738
You said on here, "create your new LAN and WAN in the untrust-vr. This way you can have both your new gateway to the ISP and the old gateway active at the same time." I don't want to create a new LAN. I want to only add a new WAN. Can I use both WANs over the same LAN? I want to do as the first poster said. I want to set up the second WAN and then start moving all the traffic to the second WAN and off the first WAN.
 

Author Comment

by:aando
ID: 38326814
When I try to make this a V1-untrust it doesn't allow me to assign the IP addresses to it.
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 1425 total points
ID: 38327495
You do not have to create a new LAN to have the 2nd WAN usable by your existing network.

The best way to do this is:

- create a new zone, e.g. ISP2, and make sure the zone is in the untrust-vr
- Edit the interface you want to use for the secondary internet. For example eth0/3. Configure it with the zone ISP2 and the first usable IP from the secondary internet.
- In the routing table, create a new route in the untrust-vr as follows: 0.0.0.0/0 -> eth0/3 <gateway IP from ISP>

Now you have the 2nd internet connected. The next step is making it available to use. First thing I do is:

- create a route in untrust-vr with the IP and subnet of your lan and the target = trust-vr.
- create a route in trust-vr as follows 0.0.0.0/0 -> untrust-vr with metric=10. This will allow you to have 2 default routes, but the one with the higher metric only becomes active if the primary route is not available.

Since you are trying to migrate to a NEW ISP, you can use source-based routing to send traffic out of the 2nd internet. Assuming your server is 192.168.1.10, you can create a source-based route that states all traffic from 192.168.1.10 -> untrust-vr. This will send all traffic out of the secondary ISP.

Lastly you just need a policy to allow the traffic. trust -> ISP2 source=any, dest=any, action=permit.

Once you are satisfied that ISP2 is good enough for your needs, you can delete the ISP1 default route and change the ISP2 default route metric from 10 to 0.

I hope this fills in the blanks for you. As usual, post if you get stuck. No question is too small :)
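The steps in the answer above, written out as ScreenOS CLI. This is an added example, not commands posted in the thread; the interface names (ethernet3 for the existing ISP1 WAN, ethernet4 for ISP2), the ISP1 gateway 203.0.113.1, the ISP2 gateway 212.23.123.49 and the LAN 192.168.1.0/24 with server 192.168.1.10 are assumptions borrowed from the examples in this thread, and lines starting with # are annotations, not CLI input.

```text
# Added example (not from the thread). Assumed: ethernet3 = ISP1 WAN, ethernet4 = ISP2 WAN
# (212.23.123.50/28, gateway 212.23.123.49), ISP1 gateway 203.0.113.1, LAN 192.168.1.0/24.

# 1. New Layer-3 zone for the second carrier, bound to untrust-vr
set zone name ISP2
set zone ISP2 vrouter untrust-vr

# 2. Put the spare port in that zone with the first usable address from ISP2
set interface ethernet4 zone ISP2
set interface ethernet4 ip 212.23.123.50/28

# 3. In untrust-vr: default route via ISP2 and the return route for the LAN
set vrouter untrust-vr
set route 0.0.0.0/0 interface ethernet4 gateway 212.23.123.49
set route 192.168.1.0/24 vrouter trust-vr
exit

# 4. Monitor the ISP1 interface so its default route goes inactive when the carrier fails
set interface ethernet3 monitor track-ip ip 203.0.113.1
set interface ethernet3 monitor track-ip

# 5. In trust-vr: backup default route (metric 10) and a source-based route
#    that moves only the server 192.168.1.10 onto ISP2 while everything else stays on ISP1
set vrouter trust-vr
set route 0.0.0.0/0 vrouter untrust-vr metric 10
set source-routing enable
set source-route 192.168.1.10/32 vrouter untrust-vr
exit

# 6. Policy so traffic may leave through the new zone
set policy from trust to ISP2 any any any permit

# Check the result: both default routes should appear, the metric-10 one inactive
get route
get interface ethernet3
```

The final cutover in the thread (delete ISP1's default route, then set the untrust-vr default route back to metric 0) is the same `unset route` / `set route` pair in trust-vr once the last host has been moved.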
 

Author Comment

by:aando
ID: 38327619
I am assuming when I create the New Zone with untrust-vr I keep the default Zone Type Layer 3 and change the drop down to Untrust instead of the default Trust?
 

Author Comment

by:aando
ID: 38327655
When I go into the "Routing Entries" it already has under "untrust-vr" a route that has the external IP's main gateway, which I don't understand. So, for example, the ISP2 that I just created has 212.23.123.50/28 as the first usable. But when I go into the Routing it has listed under the "untrust-vr" IP/Subnet as 212.23.123.48/28. Then under Gateway it says 0.0.0.0, and interface is ethernet4 where I put the other, protocol "c", metric 0, vsys = Root and Configure has -.
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 38327658
For the new zone: Yes, you keep the default L3 and change the drop-down to untrust-vr instead of trust-vr.
 

Author Comment

by:aando
ID: 38327676
Another question about this...if we have a Citrix Access Gateway in a DMZ that has a different subnet as well, will I still be able to access it and access the LAN from this?
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 1425 total points
ID: 38327678
Is ISP2 giving you an IP via DHCP, or did you configure the first usable manually when editing the interface? The default route is only populated automatically when getting an IP via DHCP.

When you manually configure a static IP, other entries are put into the table to reference the subnet ID and the interface IP. So in one of my devices I have the following:

eth4 / ISP2 / ip= 209.42.42.54/30

route table: untrust-vr

*      209.42.58.52/30             ethernet4      C                    Root       -
*      209.42.58.54/32             ethernet4      H                    Root       -
*      0.0.0.0/0      209.42.58.53      ethernet4      S      20      1      Root       Remove
*      192.168.100.0/24      trust-vr      -      S      20             Root       Remove
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 1425 total points
ID: 38327683
For the Citrix Access Gateway, you will be able to use the new internet connection. You just need to make sure in untrust-vr there is a route statement referencing that LAN. So for example in mine

*      192.168.100.0/24      trust-vr      -      S      20             Root       Remove
*      172.100.100.0/24      trust-vr      -      S      20             Root       Remove

that references 2 different LANs I have in the trust-vr.

I know at first it appears mind-boggling, but once you see it in action it will be like a light bulb lit up!
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 1425 total points
ID: 38327689
Typo in my post:

eth4 / ISP2 / ip= 209.42.42.54/30

should be

eth4 / ISP2 / ip= 209.42.58.54/30
 

Author Closing Comment

by:aando
ID: 38384882
It was difficult, hard to follow. I feel this way because my box had so many fields and routes not explained and I was getting pretty confused on it.