Does Juniper support IP pool like Cisco router

hello Experts
I have a Juniper NS25 firewall. The untrust interface is connected to the ISP via 1.1.1.0/30, and the ISP has assigned 2.2.2.0/24 to me. My question is how I can configure the Juniper firewall so that internal users go to the internet via the 2.2.2.x IP range.
Cisco routers support this with ip nat pool, but it looks like Juniper doesn't support this.

thank you
beardog1113Asked:
DarinTCHSenior CyberSecurity EngineerCommented:
Juniper does support address pools.
NAT has changed significantly in SRX.
It is ....troublesome in the older NetScreen.

Are you just setting up a static NAT pool?
0
beardog1113Author Commented:
hello
My question is not about static NAT. In this scenario, if I am using a Cisco router:
! access-list 10 matches the inside hosts to be translated (assumed example range)
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat pool IP_Pool 2.2.2.1 2.2.2.2 netmask 255.255.255.0
ip nat inside source list 10 pool IP_Pool overload

With these commands configuring NAT, users going to the internet use a 2.2.2.x public IP.

If I am using the Juniper firewall, it goes to the internet via the interface IP. How can I configure it to go to the internet via 2.2.2.x?

thanks
0
DarinTCHSenior CyberSecurity EngineerCommented:
That's very close to NAT in SRX,

but not in NetScreen.
So you're referring to a DIP if you're discussing the pool,
and it can be assigned to any interface you choose,
either the 1.1.1.1
or
2.2.2.2

A Dynamic IP (DIP) pool is a range of IP addresses that the NetScreen device can use when performing network address translation (NAT). There are three kinds of interfaces that you can link Dynamic IP (DIP) pools to: physical interfaces, subinterfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.
DIP pools can be used in the following applications:

Many-to-many address translations. This can be used in VPN networks where connected sites have overlapping IP subnets. To allow them to be connected without IP address conflicts, IP addresses need to be translated either before the traffic is sent into the VPN tunnel or after it is decrypted at the other gateway. DIPs are used in either case to translate one subnet to another to allow overlapping networks to communicate.

One-to-many address translations. This is often used when policy-based NAT is utilized. Policy-based NAT only translates traffic that meets the policy, allowing other traffic to be routed through the firewall. This allows for mixed networks of public and private IP addresses. This DIP application is very similar to NAT, except that it is done on a policy basis instead of by interface.

good article
http://www.juniper.net/techpubs/software/screenos/screenos5.1.0/CE_v7.pdf
0


beardog1113Author Commented:
hello
While I try to define the DIP range, it says the DIP range must be in the same subnet as the interface IP address or its secondary IP address, but there is no option to configure a secondary IP unless I configure the interface into the Trust zone, not Untrust.

any ideas?

thanks
0
Sanga CollinsSystems AdminCommented:
If the interface is in the untrust zone and you have a separate block of IPs from your service provider, what you actually want to do is configure a 'Loopback interface'. You can assign one of your 2.2.2.x IPs to it. After it is configured, you need a policy from untrust to untrust allowing all, so that the loopback and the untrust interface can communicate with each other.


Once this is set up, the loopback acts just like the untrust interface, meaning you can make MIP, VIP, DIP, etc. on it.

Hope this helps
0
beardog1113Author Commented:
hi Sangamc
Then, in the case you mentioned:
outside interface: 1.1.1.2/30
loopback interface: 2.2.2.1/24
For internal users to access the internet, I need to create a policy from trust to untrust. Then how does Juniper identify which interface to go to the internet on? Or should I configure the outside interface into another zone?

thanks
0
Sanga CollinsSystems AdminCommented:
The default route will determine which gateway and therefore which IP will show as source IP when the local users are going to the internet.

I would like to know. Are you specifically trying to give local users different IPs from the pool 2.2.2.1/24 when they go to the internet, or do you just want them to use 2.2.2.1 as their gateway?
0
beardog1113Author Commented:
hello Sangamc
I want to define a pool in 2.2.2.2/24, and local users use this pool to access the internet.

thanks
0
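Pulling the thread's pieces together (DIP pool, loopback interface in the untrust zone, untrust-to-untrust policy, default route deciding the egress interface), here is an added example of the ScreenOS configuration this describes. It is not from any poster or from Juniper's documentation. The interface names ethernet1/ethernet3, the ISP gateway 1.1.1.1, the inside LAN 192.168.1.0/24, the DIP id 4 and the pool range 2.2.2.2-2.2.2.10 are assumptions; the addresses 1.1.1.2/30 and 2.2.2.1/24 come from the thread.

```text
# Added example (not from the thread): ScreenOS source NAT from a DIP pool
# carved out of the routed block 2.2.2.0/24, using the loopback approach.
# Assumed values: ethernet1 = trust, ethernet3 = untrust, ISP gateway 1.1.1.1,
# inside LAN 192.168.1.0/24, DIP id 4, pool 2.2.2.2-2.2.2.10.

# Physical untrust interface carries the /30 link to the ISP
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.2/30

# Trust side in route mode, so only policy-based NAT (below) translates traffic
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 route

# Loopback interface in the untrust zone holds an address from the routed block,
# which satisfies the "DIP range must be in the interface's subnet" check
set interface loopback.1 zone untrust
set interface loopback.1 ip 2.2.2.1/24

# DIP pool 4: translated source addresses for outbound sessions
set interface loopback.1 dip 4 2.2.2.2 2.2.2.10

# Tie the physical egress interface to the loopback so sessions using the
# loopback's DIP pool can leave through ethernet3
set interface ethernet3 loopback-group loopback.1

# Default route toward the ISP; this is what selects the egress interface
set route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.1

# Intra-zone untrust policy so the loopback and ethernet3 can exchange traffic
set policy from untrust to untrust any any any permit

# Outbound policy: source NAT to the DIP pool instead of the egress interface IP.
# Only traffic matching this policy is translated (policy-based NAT); anything
# not matched by a nat src policy keeps its original source address.
set policy from trust to untrust any any any nat src dip-id 4 permit

# Verification: the pool should be listed, and an outbound session's translated
# source address should fall inside 2.2.2.2-2.2.2.10
get interface loopback.1
get dip
get session
```

Two things to check after applying this: the ISP must actually route 2.2.2.0/24 toward 1.1.1.2, otherwise return traffic never arrives, and `get session` should show outbound sessions with a translated source in the pool range; if it still shows 1.1.1.2, the trust-to-untrust policy with `nat src dip-id 4` is not the one being matched.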