Does Juniper support IP pool like Cisco router

Posted on 2013-01-23
Last Modified: 2016-01-15
hello Experts
I have a Juniper NS25 firewall; the untrust interface is connected to the ISP via 1.1.1.0/30, and the ISP assigned 2.2.2.0/24 to me. My question is how I can configure the Juniper firewall so that internal users go to the internet via the 2.2.2.x IP range.
Cisco routers support ip nat pool for this, for example; it looks like Juniper doesn't support this.

thank you
Question by:beardog1113
LVL 12

Expert Comment

by:DarinTCH
ID: 38812927
Juniper does support address pools.
NAT has changed significantly in SRX;
it is ... troublesome in the older Netscreen.

Are you just setting up a static NAT pool?

Author Comment

by:beardog1113
ID: 38812940
hello
My question is not about static NAT. In this scenario, if I am using a Cisco router:
ip nat pool IP_Pool 2.2.2.1 2.2.2.2 netmask 255.255.255.0
ip nat inside source list 10 pool IP_Pool overload

With these commands configuring NAT, users going to the internet use a 2.2.2.x public IP.

If I am using the Juniper firewall, it goes to the internet via the interface IP; how can I configure it to go to the internet via 2.2.2.x?

thanks
LVL 12

Accepted Solution

by:
DarinTCH earned 250 total points
ID: 38812951
That's very close to NAT in SRX,

but not in Netscreen.
So you're referring to a DIP if you're discussing the pool,
and it can be assigned to any interface you choose,
either the 1.1.1.1
or
2.2.2.2

A Dynamic IP (DIP) pool is a range of IP addresses that the NetScreen device can use when performing network address translation (NAT). There are three kinds of interfaces that you can link Dynamic IP (DIP) pools to: physical interfaces, subinterfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.
DIP pools can be used in the following applications:

Many-to-many address translations. This can be used in VPN networks where connected sites have overlapping IP subnets. To allow them to be connected without IP address conflicts, IP addresses need to be translated either before the traffic is sent into the VPN tunnel or after it is decrypted at the other gateway. DIPs are used in either case to translate one subnet to another to allow overlapping networks to communicate.

One-to-many address translations. This is often used when policy-based NAT is utilized. Policy-based NAT only translates traffic that meets the policy, allowing other traffic to be routed through the firewall. This allows for mixed networks of public and private IP addresses. This DIP application is very similar to NAT, except that it is done on a policy basis instead of by interface.

good article
http://www.juniper.net/techpubs/software/screenos/screenos5.1.0/CE_v7.pdf

Author Comment

by:beardog1113
ID: 38812966
hello
While I try to define the DIP range, it says the DIP range must be in the same subnet as the interface IP address or its secondary IP address, but there is no option to configure a secondary IP unless I configure the interface in the Trust zone, not Untrust.

any ideas?

thanks

LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 250 total points
ID: 38814574
If the interface is in the untrust zone and you have a separate block of IPs from your service provider, what you actually want to do is configure a 'loopback interface'. You can assign one of your 2.2.2.2 IPs to it. After it is configured, you need a policy from untrust to untrust allowing all so that the loopback and the untrust interface can communicate with each other.

Once this is set up, the loopback acts just like the untrust interface, meaning you can make MIP, VIP, DIP, etc. ...

Hope this helps
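The loopback-interface approach described in this answer, written out as ScreenOS CLI. This is an added example, not the expert's or the asker's configuration; the untrust interface name ethernet3, the loopback name loopback.1, DIP id 5, the pool range 2.2.2.10-2.2.2.20, the ISP gateway 1.1.1.1 and the any/any policy scope are assumptions, and lines beginning with # are annotations rather than ScreenOS commands.

```screenos
# Physical untrust interface on the /30 link to the ISP (assumed: ethernet3)
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.2/30
# Default route out of the physical interface (assumed ISP gateway 1.1.1.1)
set route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.1

# Loopback interface in the same zone, holding an address from the
# ISP-assigned 2.2.2.0/24 block, as the answer describes
set interface loopback.1 zone untrust
set interface loopback.1 ip 2.2.2.1/24
# Put ethernet3 in the loopback group so traffic sourced from
# loopback.1 addresses leaves through the physical interface
set interface ethernet3 loopback-group loopback.1

# DIP pool carved from the assigned block (assumed id 5, range .10-.20);
# port translation is on by default, so many internal hosts share the pool
set interface loopback.1 dip 5 2.2.2.10 2.2.2.20

# Trust-to-untrust policy that translates the source address to the pool
# (assumed any/any/any scope; restrict source, destination and service
# to what the internal users actually need)
set policy from trust to untrust any any any nat src dip-id 5 permit
# Untrust-to-untrust policy so the loopback and the physical interface
# can communicate, as the answer states
set policy from untrust to untrust any any any permit

# Verify the pool and interface after saving
save
get interface loopback.1
get dip
```

Sanga Collins's later reply applies here: the default route via ethernet3 decides the egress interface, while the DIP on loopback.1 decides the translated source address.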

Author Comment

by:beardog1113
ID: 38816874
hi Sangamc
Then in this case, as you mentioned:
outside interface: 1.1.1.2/30
loopback interface: 2.2.2.1/24
For internal users to access the internet, I need to create a policy which is trust to untrust; then how does Juniper identify which interface to go to the internet on? Or should I configure the outside interface in another zone?

thanks
LVL 18

Expert Comment

by:Sanga Collins
ID: 38818857
The default route will determine which gateway, and therefore which IP, will show as the source IP when the local users are going to the internet.

I would like to know: are you specifically trying to give local users different IPs from the pool 2.2.2.1/24 when they go to the internet, or do you just want them to use 2.2.2.1 as their gateway?

Author Comment

by:beardog1113
ID: 38825250
hello Sangamc
I want to define a pool in 2.2.2.2/24, with local users using this pool to access the internet.

thanks