Solved

How can a physical interface host multiple IP addresses on an SSG 5 Juniper firewall?

Posted on 2014-12-21
Last Modified: 2014-12-21
I'm trying to set up a lab environment for a Pluralsight video course that I'm trying to follow along with.  I've already sent them this data, but have yet to hear back from them more than 1 week later :(  Anyway, here's what I think I need to do, but really this is somewhat of an educated guess.  Any and all assistance is greatly appreciated:

I believe I will need to create 3 separate bridge group interfaces (called "bgroups" in Juniper terminology), one for each Ethernet port (ethernet0/2, ethernet0/3 and ethernet0/4), because each of these groups constitutes its own broadcast domain.  Each newly created bgroup then needs to be assigned a static IP address/subnet mask to define its broadcast domain/LAN segment (in this case: 172.16.5.254/24, 172.16.6.254/24 and 172.16.7.254/24), and all will be assigned to the Trust zone. I then need to enable DHCP for each bgroup (i.e., per interface) and make sure the scopes match the aforementioned segments, with DHCP exclusions for the static IP addresses to be used by the servers in each segment.

I believe this shows me how to do that:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4243

Finally, I believe I need to set up a mapped IP (MIP) for each bgroup interface in order to connect the external firewall port IP address (192.168.10.5, etc.) to the respective internal IP address for each interface (172.16.5.254, etc.).  I think this is the process here:

http://www.howtonetworking.com/Routers/juniper1.htm

I'm assuming the host virtual router name to be selected should be trust-vr.

I am attaching the relevant network diagrams for confirmation of this analysis.
(Attachments: Lab-Setup---Windows-7-Administration---G, Lab-Setup---Windows-7-Administration---P)
Question by:vpassenheim
6 Comments
 
LVL 10

Expert Comment

by:Rafael
ID: 40512186
You would have to create sub-interfaces off a regular interface. Once done, you can add the IPs as needed. Don't forget to update your routes and policy rules.

HTH
-Rafael
LVL 18

Expert Comment

by:Sanga Collins
ID: 40512290
You also do not need bridge groups for each interface. bgroups are used to assign multiple interfaces to a single subnet. For example:

bgroup1  ip = 192.168.1.1/24
Assign eth0/1, 0/2 and 0/3 to it so that they are all part of the 192.168.1.1/24 subnet (it behaves like a switch).

Other than that, you have the right plan.

Author Comment

by:vpassenheim
ID: 40512301
Rafael,

Thanks for your quick response! I just want to clarify: when I create the subinterfaces (http://kb.juniper.net/InfoCenter/index?page=content&id=KB4480), will I essentially be creating 3 VLANs with a single IP address comprising each VLAN (a /32 'network' designation)?  So I will be using 192.168.10.5, 192.168.10.6 and 192.168.10.7 in the VLANs and then make route entries for 1-to-1 mappings from 172.16.5.254 to 192.168.10.5, etc.?  The part that confuses me in the diagram is the firewall section (I'm highlighting it on the diagram).  Am I completely off?  Once again, newbie here, so please bear with me.  I REALLY appreciate anything you have to say.

Thanks,
Victor
(Attachment: Lab-Setup---Windows-7-Administration---P)

Author Comment

by:vpassenheim
ID: 40512305
Sanga,

I'm doing it that way because I require 3 subnets:  172.16.5.x, 172.16.6.x and 172.16.7.x.  Each subnet will connect via the corresponding gateway (.254 address) on the "internal" side of the firewall and go out on the "external" side of the firewall via the corresponding 192.168.10.5, 192.168.10.6 and 192.168.10.7 addresses.  I'm just trying to interpret the diagrams; am I understanding this wrong?

Thanks,
Victor
LVL 18

Accepted Solution

by: Sanga Collins (earned 500 total points)
ID: 40512310
Looking at the diagrams on my PC instead of my phone, I think I see an easier way that does not require subinterfaces. Since this is a lab exercise, let's assume the public IP address is on a 24-bit subnet. To configure as shown in the diagram you can do the following:

WAN
eth0/0 = 192.168.10.1/24 zone untrust

LAN
eth0/2 = 172.16.5.254/24 zone trust
eth0/3 = 172.16.6.254/24 zone trust
eth0/4 = 172.16.7.254/24 zone trust

Mapped IP
Edit the interface eth0/0 and choose MIP. You can then configure the 3 mapped IPs as described in the lab. Finally, you need to create 3 policies to allow the traffic to the mapped IPs.

Here is an example of a policy. It is cookie-cutter for the rest:

Source = Any
Destination = MIP
Service = Any (this can be restricted to HTTP, ping, SMTP etc.)
Action = Allow
Logging = On

Hope this helps :)
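The accepted solution above, written out as ScreenOS CLI commands that can be pasted into an SSG 5 console. This is an added example, not part of Sanga's post or the course material. Interfaces, zones, the 172.16.5/6/7.0 segments, the 192.168.10.x mapped addresses and the trust-vr virtual router are the values the thread uses; the upstream gateway 192.168.10.254, the DHCP pool ranges and the server addresses 172.16.x.10 are assumptions for illustration. One deliberate difference from the question: a ScreenOS MIP translates a destination address to a host behind the interface, so the example points each MIP at a server in its segment rather than at the firewall's own .254 gateway address. Lines starting with # are commentary, not commands.

```screenos
# --- WAN side: eth0/0 in the Untrust zone (addresses from the thread) ---
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 192.168.10.1/24
# Default route toward the "public" segment. The next hop is an ASSUMED value.
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.10.254

# --- LAN side: one physical port per segment, all in the Trust zone ---
# No bgroup is needed when each port is its own subnet.
set interface ethernet0/2 zone trust
set interface ethernet0/2 ip 172.16.5.254/24
set interface ethernet0/3 zone trust
set interface ethernet0/3 ip 172.16.6.254/24
set interface ethernet0/4 zone trust
set interface ethernet0/4 ip 172.16.7.254/24

# --- DHCP per LAN interface (the KB4243 procedure) ---
# Pool ranges are ASSUMED. Keeping the pool at .100-.200 leaves the
# statically addressed servers (.10, below) outside the scope, which is
# the "DHCP exclusion" the question asks for.
set interface ethernet0/2 dhcp server service
set interface ethernet0/2 dhcp server option gateway 172.16.5.254
set interface ethernet0/2 dhcp server option netmask 255.255.255.0
set interface ethernet0/2 dhcp server ip 172.16.5.100 to 172.16.5.200
set interface ethernet0/2 dhcp server enable
set interface ethernet0/3 dhcp server service
set interface ethernet0/3 dhcp server option gateway 172.16.6.254
set interface ethernet0/3 dhcp server option netmask 255.255.255.0
set interface ethernet0/3 dhcp server ip 172.16.6.100 to 172.16.6.200
set interface ethernet0/3 dhcp server enable
set interface ethernet0/4 dhcp server service
set interface ethernet0/4 dhcp server option gateway 172.16.7.254
set interface ethernet0/4 dhcp server option netmask 255.255.255.0
set interface ethernet0/4 dhcp server ip 172.16.7.100 to 172.16.7.200
set interface ethernet0/4 dhcp server enable

# --- Mapped IPs on the Untrust interface ---
# Each MIP is a 1:1, bidirectional translation between an address on the
# 192.168.10.0/24 side and one host on the inside. The host addresses
# 172.16.x.10 are ASSUMED lab servers; the virtual router is trust-vr,
# as the question guessed.
set interface ethernet0/0 mip 192.168.10.5 host 172.16.5.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 192.168.10.6 host 172.16.6.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 192.168.10.7 host 172.16.7.10 netmask 255.255.255.255 vr trust-vr

# --- Inbound policies: the "cookie-cutter" rule from the answer, once per MIP ---
# "ANY" as the service mirrors the answer. Narrow it (for example to "HTTP"
# or "PING") as soon as the lab's required services are known; an
# any/any permit into Trust with logging is acceptable in an isolated lab
# but nowhere else.
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(192.168.10.5)" "ANY" permit log
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(192.168.10.6)" "ANY" permit log
set policy id 3 from "Untrust" to "Trust" "Any" "MIP(192.168.10.7)" "ANY" permit log

save
```

Two things to check after pasting: `get interface` should list eth0/2-0/4 in the Trust zone with the .254 addresses, and `get mip` should show the three mappings bound to ethernet0/0 in trust-vr. Note that Trust-zone interfaces on an SSG default to NAT mode, so inside hosts that have no MIP leave with their source translated to the eth0/0 address (192.168.10.1), while a host that has a MIP is seen outside as its mapped address in both directions; if the course expects untranslated 172.16.x.x sources on the outside, put the Trust interfaces in route mode (`set interface ethernet0/2 route`, etc.) and add routes on the upstream side.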

Author Comment

by:vpassenheim
ID: 40512333
Oh Sanga, you're a lifesaver!

I'm going to try it, but I'm sure it will work!

Thanks,

Victor
