Asked by Dougj182

Juniper SSG5 dual external IP Addresses forwarding the same port to different internal servers.

Hi Experts!

I currently have a Juniper SSG5 with FW 6.3. I have a working setup for external access for mail, HTTP/S, RDP etc through a single external untrust IP. I need to add a new internal server for HTTP/S access. My ISP has assigned us two static IPs. We currently only use one. Can I use the SSG5 for our 2nd IP (maybe ethernet0/1) and assign it the second static external IP and forward HTTP/S (80/443) through to the existing trust zone interface (same internal network) and onto the new server? If so, how?
Tags: Hardware Firewalls, Routers, Networking Protocols


8/22/2022 - Mon
Sanga Collins

You can use the 2nd IP as part of a MIP (mapped IP address).

This will allow you to point it to an internal IP address and, using a policy, specify what kind of traffic you want to allow to reach your server.

The outbound traffic from the server will show as the 2nd static IP, which is very good for email servers or other services where the source IP is important.

Here is the KB article with step by step for configuring a MIP: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10923

The difficulty is understanding how the ISP delivered you a second IP.
The same rule you have for the existing one can be used to create the second, with a new external IP that you will also need to add as an object to the untrust side; then you will add the internal system as an object and then create the paths.

Thanks for your replies. This project is a couple of weeks away so I'll get back to you.

@ Arnold: The ISP delivers the IPs as such...

Single IP: Modem > Router/firewall - Static IP is bound to the MAC address of the device via DHCP.

Dual IP: Modem > Switch > 2 x router/firewall - Each MAC address receives a static bound IP via DHCP.

Do you have a guide that I can follow to set up the SSG5? The install is this weekend.

Juniper.net has different examples on their site's knowledge base.

Not sure; presumably dual means second, and 2x means second port on the SSG5.

You would place the two interfaces for the WAN into the untrust zone, where you will add all the public IPs you are getting as untrusted objects.
The remaining interfaces, depending on your need, will have at least one in the trust zone (LAN) connection.

Then you create the policy
Any source any port to Public ip1  port => internal ip object port
Any source any port to public ip2 port => internal ip object port

It's a Y. Two in on WAN one feed to LAN

Yes, this is exactly what I'm attempting to do. I'll have a browse through the juniper KB articles.

Do you use the CLI or the web interface? Which Junos/ScreenOS do you have, 9.x?

Hi, I have run into an issue with this. Here is the network layout.

                                       / Juniper SSG5 ethernet0/0 (Untrust) xxx.xxx.210.172/24
ISP > Modem > Switch
                                       \ Juniper SSG5 ethernet0/1 (untrust) xxx.xxx.210.137/24

The issue I'm having is that E0/1 will not receive its static IP address from the ISP, only a much different temporary address. If I attempt to set it as a static IP I get the error "ethernet0/1 ip change pre-checking failed. Interface: Illegal overlapping subnet"

I'm assuming that e0/1 is not using its allocated static IP due to this error message.

Any advice?

You have to look at the setup:
How does your ISP allocate IPs? Did you get a WAN IP and a LAN segment?

The modem, what mode it is in: it might not be in routed mode but rather in bridged mode.
Plugging a switch behind a device does not necessarily make two devices behind it functional.

Does the LAN side of the modem (not connected to the ISP) have an IP address? Can you access the modem config?
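
Added example, not part of any post in this thread: a Python pre-check for the interface plan discussed above. It flags the two untrust addresses as sharing one /24 (the condition behind the "Illegal overlapping subnet" error quoted earlier) and reports which existing interface could carry the second public IP as a MIP instead. The 203.0.113.x addresses are constructed stand-ins for the masked xxx.xxx.210.x addresses, the function names are hypothetical, and it assumes both interfaces sit in the same virtual router.

```python
import ipaddress
from itertools import combinations

# Constructed addresses: the thread masks the first octets (xxx.xxx.210.x),
# so the documentation range 203.0.113.0/24 stands in for the ISP subnet.
PROPOSED = {
    "ethernet0/0": "203.0.113.172/24",   # existing untrust interface
    "ethernet0/1": "203.0.113.137/24",   # second static IP on its own port
}

def overlapping_pairs(interfaces):
    """Return (ifA, ifB, netA, netB) for every pair of interfaces whose
    connected subnets overlap. Assumption: all interfaces share one
    virtual router, so an overlap here is a configuration conflict."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    return [(a, b, str(nets[a]), str(nets[b]))
            for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def mip_host_interface(interfaces, public_ip):
    """Return the interface whose subnet already contains public_ip, i.e.
    where the address could be defined as a mapped IP rather than as a
    second interface address. None if no interface subnet covers it."""
    ip = ipaddress.ip_address(public_ip)
    for name, addr in sorted(interfaces.items()):
        iface = ipaddress.ip_interface(addr)
        if ip in iface.network and ip != iface.ip:
            return name
    return None

def review(interfaces, extra_ips):
    """Summarise a plan: conflicts plus MIP placement for each extra IP."""
    return {
        "conflicts": overlapping_pairs(interfaces),
        "mip_on": {ip: mip_host_interface(interfaces, ip) for ip in extra_ips},
    }

if __name__ == "__main__":
    # Two-interface plan from the thread: reports the shared /24.
    print(review(PROPOSED, []))
    # Single-interface plan: second IP is placed as a MIP on ethernet0/0.
    single = {"ethernet0/0": PROPOSED["ethernet0/0"]}
    print(review(single, ["203.0.113.137"]))
```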