Solved

How can a physical interface host multiple IP addresses on an SSG 5 Juniper firewall?

Posted on 2014-12-21
6
811 Views
Last Modified: 2014-12-21
I'm trying to setup a lab environment for a Pluralsight video course that I'm trying to follow along with.  I've already sent them this data, but have yet to hear back from them more than 1 week later :(  Anyway, here's why I think I need to do, but really this is sort of a somewhat educated guess.  Any and all assistance is greatly appreciated:

I believe I will need to create 3 separate bridge group interfaces (called "bgroup"s in Juniper terminology), one for each Ethernet port (ethernet0/2, ethernet0/3, and ethernet0/4), because each of these groups constitutes its own broadcast domain.  Each newly created bgroup needs to then be assigned a static IP address/subnet mask to define its broadcast domain/lan segment (in this case, they will be: 172.16.5.254/24; 172.16.6.254/24 & 172.16.7.254/24), and all will be assigned to the Trust zone. I then need to enable DHCP for each bgroup (i.e., per interface) and make sure the scopes match the aforementioned segments with DHCP exclusions for the static IP addresses to be used by the servers in each segment.

I believe this shows me how to do that:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4243

Finally, I believe I need to setup a mapped IP (MIP) for each bgroup interface in order to connect the external firewall port IP address of 192.168.10.5, etc., to the respective internal IP address for each interface (172.16.5.254, etc.).  I think this is the process here:

http://www.howtonetworking.com/Routers/juniper1.htm

I'm assuming the host virtual router name to be selected should be trust-vr.

I am attaching the relevant network diagrams for confirmation of this analysis.
Lab-Setup---Windows-7-Administration---G
Lab-Setup---Windows-7-Administration---P
0
Comment
Question by:vpassenheim
  • 3
  • 2
6 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40512186
You would have to create sub interfaces off a regular interfaces.Once done you can add the IP's as needed. Don't forget to update your routes and policy rules.

HTH
-Rafael
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40512290
You also do not need bridge groups for each interface. bgroups are used to assign multiple interfaces to a single subnet. for example:

bgroup1  ip = 192.168.1.1/24
assign eth0/1 0/2 and 0/3 to it so that they are all part of the 192.168.1.1/24 subnet (behaves like a switch)

Other than that you have the right plan
0
 

Author Comment

by:vpassenheim
ID: 40512301
Rafael,

Thanks for your quick response! I just want to clarify, when I create the subinterfaces (http://kb.juniper.net/InfoCenter/index?page=content&id=KB4480), will I be essentially creating 3 VLANs with a single IP address comprising the VLAN ( a /32 'network' designation).  So I will be using the 192.168.10.5; 192.168.10.6; & 192.168.10.7 in the VLANs and then make route entries for 1 to 1 mappings from 172.16.5.254/192.168.10.5, etc...?  The part that confuses me from the diagram is firewall section (I'm highlighting it on the diagram).  Am I completely off?  Once again, newbie here, so please bear with me.  I REALLY appreciate anything you have to say.

Thanks,
Victor
Lab-Setup---Windows-7-Administration---P
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:vpassenheim
ID: 40512305
Sanga,

I'm doing it that way because I require 3 subnets:  172.16.5.x, 172.16.6.x, 172.16.7.x.  Each subnet will be connecting via the corresponding gateway (.254 address) on the "internal" side of the firewall and going out on the "external" side of the firewall via the 192.168.10.5 ; 192.168.10.6; 192.168.10.7 corresponding addresses.  I'm just trying to interpret the diagrams - am I understanding this wrong?

Thanks,
Victor
0
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 40512310
Looking at the diagrams on my pc instead of phone, I think I see an easier way that does not require subinterfaces. Since this is a lab exercise Lets assumes the public IP address is a 24 bit subnet. To configure as shown in the diagram you can do the following

WAN
eth0/0 = 192.168.10.1/24 zone untrust

LAN
eth0/2 = 172.16.5.254/24 zone trust
eth0/3 = 172.16.6.254/24 zone trust
eth0/4 = 172.16.7.254/24 zone trust

Mapped IP
edit the interface eth0/0 and choose MIP. You can then configure the 3 mapped IPs as described in the lab. Finally you need to create 3 Policies to allow the traffic to the mapped IPs.

Here is an example of a policy. It is cookie cutter for the rest

Source = Any
Destination = MIP
Service = Any ( this can be restricted to http, ping, smtp etc)
action = allow
logging = on

Hope this helps :)
0
 

Author Comment

by:vpassenheim
ID: 40512333
Oh Sanga, you're a lifesaver!

I'm going to try it, but I'm sure it will work!

Thanks,

Victor
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
fabric 1 32
Dell PowerConnect 6248 switch - set to unmanaged mode? 5 121
How to export list of ssl vpn users in a dell sonicwall 4 103
Cisco Edge Routers for BGP 6 52
We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
There are times where you would like to have access to information that is only available from a different network. This network could be down the hall, or across country. If each of the network sites have access to the internet, you can create a ne…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question