• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1029
  • Last Modified:

How can a physical interface host multiple IP addresses on an SSG 5 Juniper firewall?

I'm trying to setup a lab environment for a Pluralsight video course that I'm trying to follow along with.  I've already sent them this data, but have yet to hear back from them more than 1 week later :(  Anyway, here's why I think I need to do, but really this is sort of a somewhat educated guess.  Any and all assistance is greatly appreciated:

I believe I will need to create 3 separate bridge group interfaces (called "bgroup"s in Juniper terminology), one for each Ethernet port (ethernet0/2, ethernet0/3, and ethernet0/4), because each of these groups constitutes its own broadcast domain.  Each newly created bgroup needs to then be assigned a static IP address/subnet mask to define its broadcast domain/lan segment (in this case, they will be: 172.16.5.254/24; 172.16.6.254/24 & 172.16.7.254/24), and all will be assigned to the Trust zone. I then need to enable DHCP for each bgroup (i.e., per interface) and make sure the scopes match the aforementioned segments with DHCP exclusions for the static IP addresses to be used by the servers in each segment.

I believe this shows me how to do that:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4243

Finally, I believe I need to setup a mapped IP (MIP) for each bgroup interface in order to connect the external firewall port IP address of 192.168.10.5, etc., to the respective internal IP address for each interface (172.16.5.254, etc.).  I think this is the process here:

http://www.howtonetworking.com/Routers/juniper1.htm

I'm assuming the host virtual router name to be selected should be trust-vr.

I am attaching the relevant network diagrams for confirmation of this analysis.
Lab-Setup---Windows-7-Administration---G
Lab-Setup---Windows-7-Administration---P
0
vpassenheim
Asked:
vpassenheim
  • 3
  • 2
1 Solution
 
RafaelCommented:
You would have to create sub interfaces off a regular interfaces.Once done you can add the IP's as needed. Don't forget to update your routes and policy rules.

HTH
-Rafael
0
 
Sanga CollinsSystems AdminCommented:
You also do not need bridge groups for each interface. bgroups are used to assign multiple interfaces to a single subnet. for example:

bgroup1  ip = 192.168.1.1/24
assign eth0/1 0/2 and 0/3 to it so that they are all part of the 192.168.1.1/24 subnet (behaves like a switch)

Other than that you have the right plan
0
 
vpassenheimAuthor Commented:
Rafael,

Thanks for your quick response! I just want to clarify, when I create the subinterfaces (http://kb.juniper.net/InfoCenter/index?page=content&id=KB4480), will I be essentially creating 3 VLANs with a single IP address comprising the VLAN ( a /32 'network' designation).  So I will be using the 192.168.10.5; 192.168.10.6; & 192.168.10.7 in the VLANs and then make route entries for 1 to 1 mappings from 172.16.5.254/192.168.10.5, etc...?  The part that confuses me from the diagram is firewall section (I'm highlighting it on the diagram).  Am I completely off?  Once again, newbie here, so please bear with me.  I REALLY appreciate anything you have to say.

Thanks,
Victor
Lab-Setup---Windows-7-Administration---P
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
vpassenheimAuthor Commented:
Sanga,

I'm doing it that way because I require 3 subnets:  172.16.5.x, 172.16.6.x, 172.16.7.x.  Each subnet will be connecting via the corresponding gateway (.254 address) on the "internal" side of the firewall and going out on the "external" side of the firewall via the 192.168.10.5 ; 192.168.10.6; 192.168.10.7 corresponding addresses.  I'm just trying to interpret the diagrams - am I understanding this wrong?

Thanks,
Victor
0
 
Sanga CollinsSystems AdminCommented:
Looking at the diagrams on my pc instead of phone, I think I see an easier way that does not require subinterfaces. Since this is a lab exercise Lets assumes the public IP address is a 24 bit subnet. To configure as shown in the diagram you can do the following

WAN
eth0/0 = 192.168.10.1/24 zone untrust

LAN
eth0/2 = 172.16.5.254/24 zone trust
eth0/3 = 172.16.6.254/24 zone trust
eth0/4 = 172.16.7.254/24 zone trust

Mapped IP
edit the interface eth0/0 and choose MIP. You can then configure the 3 mapped IPs as described in the lab. Finally you need to create 3 Policies to allow the traffic to the mapped IPs.

Here is an example of a policy. It is cookie cutter for the rest

Source = Any
Destination = MIP
Service = Any ( this can be restricted to http, ping, smtp etc)
action = allow
logging = on

Hope this helps :)
0
 
vpassenheimAuthor Commented:
Oh Sanga, you're a lifesaver!

I'm going to try it, but I'm sure it will work!

Thanks,

Victor
0

Featured Post

The eGuide to Automating Firewall Change Control

Today‚Äôs IT environment is constantly changing, which affects security policies and firewall rules. Discover tips to help you embrace this change through process improvement & identify areas where automation & actionable intelligence can enhance both security and business agility.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now