Configuration of two Public IP Subnets



  • Hi all,

    I got from our ISP two subnets of Public IP. The subnet 1.1.1.1/29 is configured on the if 0/0 (zone: untrust). Now I got a second subnet range 2.2.2.2/29 and I have a spare if 1/0.
    How do I have to implement the second range on the SSG device? I could not find any KB article on the Juniper support net.

    Following questions I think I have to resolve:
    Could I bind the if 1/0 to the zone untrust?
    Which routing entries do I have to configure?

    Or altogether. Did anybody implement such a scenario, and can give me some input?

    Thanks & kind regards



  • Well, as don_stupido said, you can get MIPs working. Don’t worry about default gateway. I’ve done that on SSG-140. Sadly, VIPs didn’t work.

    I remember I’ve set up an SSG-5 firewall with three different public address blocks, and maybe even from different ISPs. The client wanted all of them working at the same time (not just for backup, which you can easily configure with the SSG-5’s “backup interface” in which case the backup is not usable when the main connection is OK).

    I started creating different virtual routers, first I used Untrust-VR and then created another one. Each one of them had their own 0.0.0.0/0 route and when I needed some traffic between them I just routed 🙂



  • The first step is to implement the second subnet on the spare interface. On this interface I can use MIP, etc…

    I think I will create a second zone “Untrust Zone” untrust2 for this interface, if it is possible and if no stumbling blocks are known?



  • No, you are right NetCohort, I was wrong. But I think you can set a MIP anyway or do you need the second range as source IP?



  • IMHO you cannot use a secondary ip within the untrust zone… Or is it possible with an actual ScreenOS?



  • Do you want to use two interfaces? Otherwise “set int eth0/0 ip 2.2.2.2/29 secondary”


 
