Solved

Does Juniper support an IP pool like a Cisco router?

Posted on 2013-01-23
Last Modified: 2016-01-15
Hello Experts,
I have a Juniper NS25 firewall. The untrust interface is connected to the ISP via 1.1.1.0/30, and the ISP assigned 2.2.2.0/24 to me. My question is how I can configure the Juniper firewall so that internal users go to the internet via the 2.2.2.x IP range.
Cisco routers support this with ip nat pool; it looks like Juniper doesn't support this.

Thank you
Question by:beardog1113

Expert Comment

by:DarinTCH
ID: 38812927
Juniper does support address pools.
NAT has changed significantly in SRX;
it is ... troublesome in the older NetScreen.

Are you just setting up a static NAT pool?

Author Comment

by:beardog1113
ID: 38812940
Hello,
My question is not about static NAT. In this scenario, if I am using a Cisco router:
ip nat pool IP_Pool 2.2.2.1 2.2.2.2 netmask 255.255.255.0
ip nat inside source list 10 pool IP_Pool overload

With these commands NAT is configured, and users going to the internet use a 2.2.2.x public IP.

If I am using the Juniper firewall, it goes to the internet via the interface IP. How can I configure it to go to the internet via 2.2.2.x?

Thanks

Accepted Solution

by:DarinTCH (earned 250 total points)
ID: 38812951
That's very close to NAT in SRX,

but not in NetScreen.
So you're referring to a DIP if you're discussing the pool,
and it can be assigned to any interface you choose,
either the 1.1.1.1
or
2.2.2.2.

A Dynamic IP (DIP) pool is a range of IP addresses that the NetScreen device can use when performing network address translation (NAT). There are three kinds of interfaces that you can link Dynamic IP (DIP) pools to: physical interfaces and subinterfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.
DIP pools can be used in the following applications:

Many-to-many address translations. This can be used in VPN networks where connected sites have overlapping IP subnets. To allow them to be connected without IP address conflicts, IP addresses need to be translated either before the traffic is sent into the VPN tunnel or after it is decrypted at the other gateway. DIPs are used in either case to translate one subnet to another to allow overlapping networks to communicate.

One-to-many address translations. This is often used when policy-based NAT is utilized. Policy-based NAT only translates traffic that meets the policy, allowing other traffic to be routed through the firewall. This allows for mixed networks of public and private IP addresses. This DIP application is very similar to NAT, except that it is done on a policy basis instead of by interface.

Good article:
http://www.juniper.net/techpubs/software/screenos/screenos5.1.0/CE_v7.pdf

Author Comment

by:beardog1113
ID: 38812966
Hello,
When I try to define the DIP range, it says the DIP range must be in the same subnet as the interface IP address or its secondary IP address, but there is no option to configure a secondary IP unless I configure the interface into the Trust zone, not Untrust.

Any ideas?

Thanks

Assisted Solution

by:Sanga Collins (earned 250 total points)
ID: 38814574
If the interface is in the untrust zone and you have a separate block of IPs from your service provider, what you actually want to do is configure a 'Loopback interface'. You can assign one of your 2.2.2.2 IPs to it. After it is configured, you need a policy from untrust to untrust allowing all, so that the loopback and the untrust interface can communicate with each other.

Once this is set up, the loopback acts just like the untrust interface, meaning you can make MIP, VIP, DIP, etc. on it.

Hope this helps

Author Comment

by:beardog1113
ID: 38816874
Hi Sangamc,
Then in this case, as you mentioned:
outside interface: 1.1.1.2/30
loopback interface: 2.2.2.1/24
For internal users to access the internet, I need to create a policy from trust to untrust. Then how does the Juniper identify which interface to go to the internet on? Or should I configure the outside interface into another zone?

Thanks

Expert Comment

by:Sanga Collins
ID: 38818857
The default route will determine which gateway and therefore which IP will show as source IP when the local users are going to the internet.

I would like to know: are you specifically trying to give local users different IPs from the pool 2.2.2.1/24 when they go to the internet, or do you just want them to use 2.2.2.1 as their gateway?

Author Comment

by:beardog1113
ID: 38825250
Hello Sangamc,
I want to define a pool within 2.2.2.2/24, and have local users use this pool to access the internet.

Thanks
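Putting the accepted and assisted answers together, the configuration below is an added ScreenOS CLI example for a NetScreen, not something posted in this thread or taken from Juniper's documentation. It assumes ethernet3 is the untrust interface (1.1.1.2/30, ISP next hop 1.1.1.1), the LAN sits behind the trust zone, DIP id 5 is an arbitrary free pool id, and the pool range 2.2.2.10-2.2.2.20 is a constructed choice within the ISP-assigned block. The loopback carries the 2.2.2.x address so the DIP range satisfies the same-subnet rule the asker ran into, while the default route still leaves via the physical interface.

```screenos
# Added example, not from the thread. Assumptions: ethernet3 = untrust
# (1.1.1.2/30, gateway 1.1.1.1), LAN in the trust zone, DIP id 5 is free.
# Lines starting with # are annotations; the ScreenOS CLI does not accept
# comment lines, so strip them before pasting.

# 1. Loopback in the untrust zone, addressed from the ISP-assigned block.
#    A DIP range must share a subnet with the interface it is bound to.
set interface loopback.1 zone untrust
set interface loopback.1 ip 2.2.2.1/24

# 2. Bind the physical untrust interface to the loopback group so packets
#    for 2.2.2.0/24 arriving on ethernet3 are handled by loopback.1.
set interface ethernet3 loopback-group loopback.1

# 3. Source-NAT pool (the counterpart of Cisco's "ip nat pool ... overload"):
#    constructed range 2.2.2.10-2.2.2.20, many-to-few with port translation.
set interface loopback.1 dip 5 2.2.2.10 2.2.2.20

# 4. Default route via the physical interface; the route picks the next hop,
#    the DIP in the policy picks the source address.
set route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.1

# 5. Outbound policy that rewrites the source to an address from pool 5.
set policy from trust to untrust any any any nat src dip-id 5 permit

# 6. Intrazone policy so loopback.1 and ethernet3 can pass traffic to each other.
set policy from untrust to untrust any any any permit
```

Two checks before calling it done: `get session` from an internal host browsing out should show translated source addresses from 2.2.2.10-2.2.2.20 rather than 1.1.1.2, and the ISP must actually route 2.2.2.0/24 toward 1.1.1.2 or return traffic never arrives. The untrust-to-untrust policy in step 6 is the broad "allow all" the answer describes; if the platform lets you, narrow its destination to the loopback subnet so it only serves the loopback-group exchange and does not become a general intrazone permit.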