Public IP to DMZ interface on NetSreen 25 - Firewalls


  1. Public IP to DMZ interface on NetSreen 25

    Hi all!

    I've got a range of 5 useable public IPs 217.xxx.xxx.xxx/29. My Juniper
    NS25 is directly attached to an SDSL router via Ethernet 3 interface
    (untrust). The SDSL router has got only one port IP 217.xxx.xxx.249/29,
    NS25 ethernet3 IP is 217.xxx.xxx.250/29

    I want to assign 217.xxx.xxx.252/29 to another interface which is
    ethernet2 (DMZ) however it doesn't appear to work.

    Ideally I want to put another router behind ethernet2 (DMZ) with an
    outside IP of 217.xxx.xxx.253/29

    Has anyone had a similar configuration scenario and managed to resolve
    the problem without using NAT or MIP?


    I heard about subnetting and using two blocks of 217.xxx.xxx.xxx/30
    however I don't think it's practical in this case since my basic SDSL
    router has only got one port


  2. Re: Public IP to DMZ interface on NetSreen 25

    In article <1176465990.437705.270120@d57g2000hsg.googlegroups.com>,
    inventica wrote:
    >Hi all!
    >
    >I've got a range of 5 useable public IPs 217.xxx.xxx.xxx/29. My Juniper
    >NS25 is directly attached to an SDSL router via Ethernet 3 interface
    >(untrust). The SDSL router has got only one port IP 217.xxx.xxx.249/29,
    >NS25 ethernet3 IP is 217.xxx.xxx.250/29
    >
    >I want to assign 217.xxx.xxx.252/29 to another interface which is
    >ethernet2 (DMZ) however it doesn't appear to work.
    >
    >Ideally I want to put another router behind ethernet2 (DMZ) with an
    >outside IP of 217.xxx.xxx.253/29
    >
    >Has anyone had a similar configuration scenario and managed to resolve
    >the problem without using NAT or MIP?
    >
    >
    >I heard about subnetting and using two blocks of 217.xxx.xxx.xxx/30
    >however I don't think it's practical in this case since my basic SDSL
    >router has only got one port


    Actually NAT (policy based) or MIP are the correct way
    to do this and you should assign some public number (192.168.x.x)
    to the DMZ.

    If you set the untrust to a /32 or and NAT/MIP the .252 IP
    the Netscreen will proxy ARP for this IP (you want this). The mistake
    most people make is exactly what you are doing - assigning the
    whole /29 to the untrust and then trying to use an IP out of this
    range. Cannot do. The IP must not be 'previously' used.
    Non-intuitive, yes, but that's how it works.

    So from the Internet someone connects to 217.xxx.xxx.252 but this
    will be translated into whatever you're hiding it to on the DMZ.
    I prefer policy based NAT but MIPs are fine too. With a router on
    the DMZ be sure to add routes for the networks behind the router as
    the netscreen has no idea of these. I guess if you _must_ use the
    217.xxx.xxx.252 IP you could NAT at the router but it's a kludge.

    alan
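The reply's point about overlapping subnets, the MIP alternative, the routes needed behind a DMZ router, and the /30 split the original poster mentioned can all be checked with plain address arithmetic before touching the firewall. The script below is an added example, not code from the thread or from Juniper; it stands in for the masked prefix with the documentation range 203.0.113.0/24 and assumes the block is .248/29 (every address in the thread falls inside it). Interface names, the private DMZ subnet 192.168.1.0/24 and the host 192.168.1.10 are constructed for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample data: the thread masks the real prefix, so TEST-NET-3
# stands in. The /29 is assumed to be .248/29 because .249, .250, .252 and
# .253 all lie in it.
PUBLIC_BLOCK = "203.0.113.248/29"

# Plan 1: what the original poster configured (both interfaces claim the /29).
AS_POSTED = {
    "ethernet3": "203.0.113.250/29",   # untrust, towards the SDSL router at .249
    "ethernet2": "203.0.113.252/29",   # DMZ, the assignment that "doesn't work"
}

# Plan 2: the reply's recommendation. The untrust keeps a host-only /32, the
# DMZ moves to private (RFC 1918) space, and a MIP publishes .252 on the
# untrust side, where the firewall proxy-ARPs for it.
MIP_PLAN = {
    "ethernet3": "203.0.113.250/32",
    "ethernet2": "192.168.1.1/24",     # assumed private DMZ subnet
}
MIP_PUBLIC, MIP_HOST = "203.0.113.252", "192.168.1.10"   # assumed DMZ host


def overlapping_interfaces(plan):
    """Return (a, b) name pairs whose directly connected subnets overlap.
    This is the mistake described in the reply: a second interface cannot
    carry an address out of a range already bound to the untrust side."""
    ifaces = {name: ip_interface(cidr) for name, cidr in plan.items()}
    names = list(ifaces)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if ifaces[a].network.overlaps(ifaces[b].network)
    ]


def mip_problems(plan, public_ip, host_ip):
    """List reasons a MIP public_ip -> host_ip would not behave as expected
    under the given interface plan. An empty list means the plan is clean:
    the public address is not 'previously used' by any interface and the
    mapped host sits on a connected subnet."""
    public, host = ip_address(public_ip), ip_address(host_ip)
    problems = []
    for name, cidr in plan.items():
        iface = ip_interface(cidr)
        if public == iface.ip:
            problems.append(f"{public} is already the address of {name}")
        elif public in iface.network:
            problems.append(
                f"{public} lies inside the subnet configured on {name} ({iface.network})")
    if not any(host in ip_interface(c).network for c in plan.values()):
        problems.append(f"{host} is not on any connected subnet; a route is needed")
    return problems


def static_route_needed(plan, dest_cidr):
    """True when dest_cidr is not covered by any connected subnet, i.e. the
    firewall needs an explicit route (the case for networks behind a router
    placed on the DMZ)."""
    dest = ip_network(dest_cidr)
    return not any(dest.subnet_of(ip_interface(c).network) for c in plan.values())


def split_into_30s(block):
    """The alternative raised in the thread: cut the /29 into two /30s and
    report the usable hosts of each (network and broadcast excluded)."""
    return {str(sub): [str(h) for h in sub.hosts()]
            for sub in ip_network(block).subnets(new_prefix=30)}


def is_usable_host(addr, subnet):
    """Whether addr is a host address (not network or broadcast) of subnet."""
    net = ip_network(subnet)
    a = ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    print("as posted, overlaps:", overlapping_interfaces(AS_POSTED))
    print("MIP plan, overlaps:", overlapping_interfaces(MIP_PLAN))
    print("MIP plan, problems:", mip_problems(MIP_PLAN, MIP_PUBLIC, MIP_HOST))
    print("route needed for 10.10.0.0/16 behind DMZ router:",
          static_route_needed(MIP_PLAN, "10.10.0.0/16"))
    for sub, hosts in split_into_30s(PUBLIC_BLOCK).items():
        print(sub, "usable hosts:", hosts)
    print(".252 usable in the second /30?", is_usable_host("203.0.113.252", "203.0.113.252/30"))
```

Running it shows the two /29 interfaces overlapping, the MIP plan passing every check, and a detail worth noting if the /30 route were ever chosen: with the block split as 248/30 and 252/30, .252 becomes a network address, so the DMZ side would have to use .253 and .254 rather than the .252/.253 pair the original post planned.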
