Solved

Does Juniper support IP pool like Cisco router

Posted on 2013-01-23
41 Views
Last Modified: 2016-01-15
hello Experts
I have a Juniper NS25 firewall. The untrust interface is connected to the ISP via 1.1.1.0/30, and the ISP assigned 2.2.2.0/24 to me. My question is how I can configure the Juniper firewall so that internal users go to the internet via the 2.2.2.x IP range,
such as a Cisco router does with "ip nat pool"; it looks like Juniper doesn't support this.

thank you
Question by:beardog1113
10 Comments
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38812927
Juniper does support address pools.
NAT has changed significantly in SRX;
it is ... troublesome in the older NetScreen.

Are you just setting up a static NAT pool?
0
 

Author Comment

by:beardog1113
ID: 38812940
hello
My question is not about static NAT. In this scenario, if I am using a Cisco router:
! access-list 10 must match the internal subnet (constructed example: 192.168.1.0/24)
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat pool IP_Pool 2.2.2.1 2.2.2.2 netmask 255.255.255.0
ip nat inside source list 10 pool IP_Pool overload

With these commands configuring NAT, users going to the internet use a 2.2.2.x public IP.

If I am using the Juniper firewall, it goes to the internet via the interface IP. How can I configure it to go to the internet via 2.2.2.x?

thanks
0
 
LVL 12

Accepted Solution

by:
DarinTCH earned 250 total points
ID: 38812951
That's very close to NAT in SRX,

but not in NetScreen.
So you're referring to a DIP if you're discussing the pool,
and it can be assigned to any interface you choose,
either the 1.1.1.1
or
2.2.2.2

A Dynamic IP (DIP) pool is a range of IP addresses that the NetScreen device can use when performing network address translation (NAT). There are three kinds of interfaces that you can link to Dynamic IP (DIP) pools: physical interfaces, sub-interfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.
DIP pools can be used in the following applications:

Many-to-many address translations. This can be used in VPN networks where connected sites have overlapping IP subnets. To allow them to be connected without IP address conflicts, IP addresses need to be translated either before the traffic is sent into the VPN tunnel or after it is decrypted at the other gateway. DIPs are used in either case to translate one subnet to another to allow overlapping networks to communicate.

One-to-many address translations. This is often used when policy-based NAT is utilized. Policy-based NAT only translates traffic that meets the policy, allowing other traffic to be routed through the firewall. This allows for mixed networks of public and private IP addresses. This DIP application is very similar to NAT, except that it is done on a policy basis instead of by interface.

good article
http://www.juniper.net/techpubs/software/screenos/screenos5.1.0/CE_v7.pdf
0
 

Author Comment

by:beardog1113
ID: 38812966
hello
While I try to define the DIP range, it says the DIP range must be in the same subnet as the interface IP address or its secondary IP address, but there is no option to configure a secondary IP unless I configure the interface in the Trust zone, not Untrust.

Any ideas?

thanks
0
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 250 total points
ID: 38814574
If the interface is in the untrust zone and you have a separate block of IPs from your service provider, what you actually want to do is configure a 'Loopback interface'. You can assign one of your 2.2.2.x IPs to it. After it is configured, you need a policy from untrust to untrust allowing all, so that the loopback and the untrust interface can communicate with each other.


Once this is set up, the loopback acts just like the untrust interface, meaning you can make MIP, VIP, DIP, etc. ...

Hope this helps
0
 

Author Comment

by:beardog1113
ID: 38816874
hi Sangamc
Then in this case, as you mentioned:
outside interface: 1.1.1.2/30
loopback interface: 2.2.2.1/24
For internal users to access the internet, I need to create a policy from trust to untrust. Then how does Juniper identify on which interface to go to the internet? Or should I configure the outside interface in another zone?

thanks
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 38818857
The default route will determine which gateway and therefore which IP will show as source IP when the local users are going to the internet.

I would like to know. Are you specifically trying to give local users different IPs from the pool 2.2.2.1/24 when they go to the internet, or do you just want them to use 2.2.2.1 as their gateway?
0
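Putting the two answers above together (loopback in the untrust zone carrying the DIP pool, an untrust-to-untrust policy, and the default route deciding the egress interface), here is a ScreenOS configuration as an added example; it is not from the thread or from Juniper documentation. Assumed names and values: ethernet3 is the NS25 untrust interface with 1.1.1.2/30 and ISP gateway 1.1.1.1, loopback.1 carries 2.2.2.1/24, DIP pool id 4 covers the constructed range 2.2.2.10 to 2.2.2.20, and the trust zone and its interface already exist.

```screenos
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.2/30
set interface loopback.1 zone untrust
set interface loopback.1 ip 2.2.2.1/24
set interface loopback.1 dip 4 2.2.2.10 2.2.2.20
set interface ethernet3 loopback-group loopback.1
set route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.1
set policy from untrust to untrust any any any permit
set policy from trust to untrust any any any nat src dip-id 4 permit
```

Why each line is there: the DIP pool is defined on loopback.1 rather than ethernet3, so the "DIP range must be in the same subnet as the interface IP" check passes because both the loopback address and the pool sit in 2.2.2.0/24. The loopback-group binding lets packets sourced from the loopback's addresses leave through ethernet3, and the default route is what picks ethernet3 and the gateway 1.1.1.1, which answers the "how does Juniper identify which interface" question. The untrust-to-untrust policy is the one the assisted solution calls for. The trust-to-untrust policy with nat src dip-id 4 is policy-based source NAT: sessions matching it leave with a 2.2.2.x source address, while traffic not matched by it is routed unchanged. Two practical checks: the ISP must route 2.2.2.0/24 toward 1.1.1.2, otherwise return traffic for the pool never reaches the firewall, and once a client browses out, "get session" should show the translated 2.2.2.x source. Tighten the any/any sources in both policies to the real internal subnets before putting this into production.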
 

Author Comment

by:beardog1113
ID: 38825250
hello Sangamc
I want to define a pool in 2.2.2.0/24, with local users using this pool to access the internet.

thanks
0
