Link to home
Avatar of Dougj182
Dougj182Flag for Canada

asked on

Juniper SSG5 dual external IP Addresses forwarding the same port to different internal servers.

Hi Experts!

I currently have a Juniper SSG5 with FW 6.3. I have a working setup for external access for mail, HTTP/S, RDP etc through a single external untrust IP. I need to add a new internal server for HTTP/S access. My ISP has assigned us two static IPs. We currently only use one. Can I use the SSG5 for our 2nd IP (maybe ethernet0/1) and assign it the second static external IP and forward HTTP/S (80/443) through to the existing trust zone interface (same internal network) and onto the new server? If so, how?
Avatar of Sanga Collins
Sanga Collins
Flag of United States of America image

you can use the 2nd IP as part of a MIP (mapped IP address)

This will allow you to point it to an internal IP address and using a policy specify what kind of traffic you want to allow to reach your server.

The outbound traffic from the server will show as the 2nd static IP which is very good for email servers or other services where the source IP is important.

Here is the KB article with step by step for configuring a MIP:
The difficulty is understanding how the ISP delivered you a second IP.
The same rule you have for the existing can be used to create the second with a new external IP that you will too need to add as an object to the untrust side, then you will add the internal system as an object and then create the paths.
Avatar of Dougj182


Thanks for your replies. This project is a couple of weeks away so I'll get back to you.
@ Arnold: The ISP delivers the IPs as such...

Single IP: Modem > Router/firewall - Static IP is bound the the MAC address of the device via DHCP.

Dual IP: Modem > Switch > 2 x router/firewall - Each MAC address receives a static bound IP via DHCP.

Do you have a guide that I can follow to setup the SSG5? The install is this weekend. has different examples on their site's knowledge base.

Not sure presumably dual means, second and 2x means second port on the ssg5.

You would place the two interfaces for the wan into the untrust zone where you will add all tge public ips you are getting as untrusted  object
The remaining interfaces depending on your need will gave at least one in the trust zone (LAN) connection

Then you create the policy
Any source any port to Public ip1  port => internal ip object port
Any source any port to public ip2 port => internal ip object port

It's a Y. Two in on WAN one feed to LAN
Yes, this is exactly what I'm attempting to do. I'll have a browse through the juniper KB articles.
Do you use the CLI or the web interface? Which junos/screenos do you have 9.x?
Hi, I have run into an issue with this. here is the network layout.

                                       / Juniper SSG5 ethernet0/0 (Untrust)
ISP > Modem > Switch
                                       \ Juniper SSG5 ethernet0/1 (untrust)

The issue I'm having is that E0/1 will not receive it's static IP address from the ISP, only a much different temporary address. If I attempt to set it as a static IP I get the error  "ethernet0/1 ip change pre-checking failed. Interface: Illegal overlapping subnet"

I'm assuming that e0/1 is not using it's allocated static IP due to this error message.

Any advice?
You have to look at the setup:
How does your ISP allocate IPs did you get a WAN IP and a LAN segment.

The modem, what mode it is in, it might not be in routed mode but rather in bridged mode
Plugging a switch behind a device does not necessarily make two devices behind it functional.

Does the LAN side of the modem (not counted to the ISP) have an IP address? Can you access the modem config?
Avatar of Sanga Collins
Sanga Collins
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial