Juniper SSG5: dual external IP addresses forwarding the same port to different internal servers

Hi Experts!

I currently have a Juniper SSG5 with FW 6.3. I have a working setup for external access for mail, HTTP/S, RDP etc through a single external untrust IP. I need to add a new internal server for HTTP/S access. My ISP has assigned us two static IPs. We currently only use one. Can I use the SSG5 for our 2nd IP (maybe ethernet0/1) and assign it the second static external IP and forward HTTP/S (80/443) through to the existing trust zone interface (same internal network) and onto the new server? If so, how?
Dougj182 asked:

Sanga Collins (Systems Admin) commented:
You can use the 2nd IP as part of a MIP (mapped IP address).

This will allow you to point it to an internal IP address and, using a policy, specify what kind of traffic you want to allow to reach your server.

The outbound traffic from the server will show as the 2nd static IP which is very good for email servers or other services where the source IP is important.

Here is the KB article with step by step for configuring a MIP: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10923
arnold commented:
The difficulty is understanding how the ISP delivered you a second IP.
The same rule you have for the existing one can be used to create the second with a new external IP, which you will also need to add as an object on the untrust side; then you add the internal system as an object and create the paths.
Dougj182 (Author) commented:
Thanks for your replies. This project is a couple of weeks away so I'll get back to you.
Dougj182 (Author) commented:
@ Arnold: The ISP delivers the IPs as such...

Single IP: Modem > Router/firewall - Static IP is bound to the MAC address of the device via DHCP.

Dual IP: Modem > Switch > 2 x router/firewall - Each MAC address receives a static bound IP via DHCP.

Do you have a guide that I can follow to setup the SSG5? The install is this weekend.
arnold commented:
Juniper.net has different examples in their site's knowledge base.

Not sure; presumably dual means second, and 2x means second port on the SSG5.

You would place the two interfaces for the WAN into the untrust zone, where you will add all the public IPs you are getting as untrust objects.
The remaining interfaces, depending on your need, will have at least one in the trust zone (LAN) connection.

Then you create the policy:
Any source, any port, to public IP1 port => internal IP object port
Any source, any port, to public IP2 port => internal IP object port

It's a Y: two in on WAN, one feed to LAN.
Dougj182 (Author) commented:
Yes, this is exactly what I'm attempting to do. I'll have a browse through the juniper KB articles.
arnold commented:
Do you use the CLI or the web interface? Which Junos/ScreenOS version do you have, 9.x?
Dougj182 (Author) commented:
Hi, I have run into an issue with this. here is the network layout.

                                       / Juniper SSG5 ethernet0/0 (Untrust) xxx.xxx.210.172/24
ISP > Modem > Switch
                                       \ Juniper SSG5 ethernet0/1 (untrust) xxx.xxx.210.137/24

The issue I'm having is that E0/1 will not receive its static IP address from the ISP, only a much different temporary address. If I attempt to set it as a static IP I get the error "ethernet0/1 ip change pre-checking failed. Interface: Illegal overlapping subnet".

I'm assuming that e0/1 is not using its allocated static IP due to this error message.

Any advice?
arnold commented:
You have to look at the setup:
How does your ISP allocate IPs? Did you get a WAN IP and a LAN segment?

The modem: what mode is it in? It might not be in routed mode but rather in bridged mode.
Plugging a switch behind a device does not necessarily make two devices behind it functional.

Does the LAN side of the modem (not counted to the ISP) have an IP address? Can you access the modem config?
Sanga Collins (Systems Admin) commented:
You cannot configure IPs from the same subnet on different interfaces. You can, however, configure the first usable IP on eth0/0 and then the next IP as a MIP on eth0/0. In configuring the MIP, you map it to an internal IP, then configure a policy from untrust to trust with the MIP as the destination.
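The MIP approach from the two Sanga Collins answers above, written out as ScreenOS 6.3 CLI. This is an added example, not configuration posted in the thread. The public addresses are placeholders from the 203.0.113.0/24 documentation range (the thread masks its real ones), 203.0.113.1 is an assumed ISP gateway, 192.168.1.50 is an assumed internal web server, and the interface, zone and policy names are assumptions; only ethernet0/0 in the untrust zone comes from the thread.

```screenos
# Added example, not from the thread. ScreenOS 6.3 CLI: publish a second
# public address as a MIP on the single untrust interface ethernet0/0.
# Addresses are placeholders: 203.0.113.0/24 is documentation space,
# 203.0.113.1 is an assumed ISP gateway, 192.168.1.50 an assumed web server.

# Only ethernet0/0 carries an address from the ISP's /24. Putting a second
# address from that /24 on ethernet0/1 is what raises
# "Illegal overlapping subnet", so ethernet0/1 stays unused here.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.172/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# The second public address becomes a MIP bound to ethernet0/0. The SSG5
# answers ARP for 203.0.113.137 itself and translates it 1:1 (both
# directions) to the internal host in the trust virtual router.
set interface ethernet0/0 mip 203.0.113.137 host 192.168.1.50 netmask 255.255.255.255 vr trust-vr

# Only 80/443 should reach the host: group the two predefined services
# and reference the MIP as the destination. No other port is opened.
set group service "WEB-IN" add "HTTP"
set group service "WEB-IN" add "HTTPS"
set policy id 20 name "web-to-mip" from untrust to trust any mip(203.0.113.137) "WEB-IN" permit log

# Checks: the MIP should be listed on ethernet0/0 and policy 20 should
# show mip(203.0.113.137) as its destination with service WEB-IN.
get mip
get policy id 20
save
```

Two points worth verifying before the install. First, the MIP is bidirectional, so the web server's own outbound connections leave with source 203.0.113.137 (this is the behaviour the first answer above describes for mail servers). Second, the MIP makes the SSG5 answer ARP for the second address from ethernet0/0's MAC; since this ISP hands out addresses by DHCP bound to MAC, confirm with the ISP that its gateway will forward traffic for the second address to that MAC rather than only to a separately registered device. The service names HTTP and HTTPS are ScreenOS predefined objects; the group name, policy id and policy name are choices for this example.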
