How to use 2nd range of Public IP on Juniper Firewall?

This is on a Juniper SSG 140 firewall. As for the interfaces, only two are in use: one for WAN (untrust) and the other for LAN (trust). We subscribe to an Internet line with 32 public IPs, x.y.z.160/27. The ISP told us to use x.y.z.161 on the untrust interface and x.y.z.162 as the default gateway. We have almost used up the remaining public IPs as MIPs (port-forwarding), and all are working fine. For example, we configured x.y.z.165 to map to the 192.168.1.80 web server, and web browsing from the Internet works fine.

Now the ISP has given us one additional segment of 8 public IPs, x.a.b.88/29. How can we make use of these IPs for port-forwarding? When we try to configure a MIP, for example mapping x.a.b.92 to the web server 192.168.1.80, browsing from the Internet doesn't work.

Thanks in advance.
MichaelBalack (Author) asked:

Sanga Collins (Systems Admin) commented:
The first usable IP in the new block should be configured as a loopback in the untrust zone. You then need a policy from untrust to untrust with source = any, dest = any and service = any. You can then use the subsequent IPs for MIPs.
MichaelBalack (Author) commented:
Hi Sanga,

Can you show this step by step?
Sanga Collins (Systems Admin) commented:
From the web interface go to:

Network > Interfaces > New Loopback interface
- The zone should be the same zone as your current WAN
- IP address / netmask should be the first usable IP in the new block
click ok to save.

Policies > Policy
- Configure a new untrust to untrust policy allowing all traffic from any source to x.y.z.160/27 (the original block of public IPs)

Finally, you can now create a MIP by going to the edit menu of your new loopback interface and creating a MIP just as you have before. The policy for the MIP will be untrust to trust, and you should be able to select the NEW IP from the MIP drop-down list.
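The same procedure expressed as ScreenOS CLI commands, as an added example that is not part of Sanga's answer or the original thread. It assumes the WAN port is ethernet0/0, the loopback is loopback.1, the trust side uses the default trust-vr virtual router, and only HTTP is forwarded; the addresses are the placeholders used in the question (x.a.b.89 as the firewall's own address in the new block, x.a.b.92 mapped to 192.168.1.80). The `loopback-group` binding and the address-book name are assumptions from ScreenOS documentation, not from this thread, and the intrazone policy is narrowed to the new /29 rather than the any/any form in the first reply.

```screenos
## Added example, not from the thread. Assumes WAN port = ethernet0/0,
## new block = x.a.b.88/29, firewall address in it = x.a.b.89,
## x.a.b.92 -> internal web server 192.168.1.80 (placeholders from the question).

## 1. Loopback interface in the same zone as the WAN port, first usable IP of the new block
set interface loopback.1 zone untrust
set interface loopback.1 ip x.a.b.89/29

## 2. Bind the physical WAN port to the loopback so packets arriving on ethernet0/0
##    for x.a.b.88/29 are handled by loopback.1 (assumption: ScreenOS "loopback-group"
##    binding; confirm on the box with "get interface loopback.1")
set interface ethernet0/0 loopback-group loopback.1

## 3. Intrazone policy: traffic enters on ethernet0/0 and is destined for loopback.1,
##    both in the untrust zone. Destination is limited to the new /29 here instead
##    of any/any. "new-public-block" is an assumed address-book name.
set address untrust "new-public-block" x.a.b.88 255.255.255.248
set policy from untrust to untrust any "new-public-block" any permit

## 4. MIP on the loopback: one-to-one static NAT, like the existing MIPs on the WAN port
set interface loopback.1 mip x.a.b.92 host 192.168.1.80 netmask 255.255.255.255 vr trust-vr

## 5. The MIP policy is untrust -> trust, referencing the MIP object, HTTP only
set policy from untrust to trust any "MIP(x.a.b.92)" http permit

## Verify on the box
get interface loopback.1
get mip
get policy from untrust to untrust
get policy from untrust to trust
## Then from a host on the Internet: curl -sI http://x.a.b.92/
## (expect the internal web server's response headers)
```

Two checks before blaming the firewall: the ISP must route the whole x.a.b.88/29 toward the existing WAN address x.y.z.161 (a traceroute to x.a.b.92 from outside should end at the ISP gateway x.y.z.162 and then the firewall), and the intrazone policy in step 3 should stay as narrow as the setup allows, since an any/any/any untrust-to-untrust permit is broader than the MIPs need.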


MichaelBalack (Author) commented:
Hi Sanga,

Thanks for showing the steps in detail.

I know this may be a stupid question. Does this mean that I now have the original untrust interface for x.y.z.160/27, and the newly created loopback interface for x.a.b.88/29?
Sanga Collins (Systems Admin) commented:
Yes, that is correct. Both IP blocks are now available to use. Please note that the IP address assigned to the original untrust interface and the IP assigned to the loopback cannot be used for MIPs, only VIPs.

Let me know if you have additional questions?
MichaelBalack (Author) commented:
Hi Sanga,

Got it, and thanks for your thorough explanation. I will suggest it to my boss. Please wait for my updates.
MichaelBalack (Author) commented:
I have proposed the stated suggestions to my boss and am now waiting for his approval. I very much appreciate Sanga's help in pointing out that a new loopback interface can be set up for the new and any subsequent additional subnets. Before this, I didn't even think it was possible.