Public IP to DMZ interface on NetScreen 25
on 13.04.2007 14:06:30 by inventica
Hi all!
I've got a range of 5 useable public IPs 217.xxx.xxx.xxx/29. My Juniper
NS25 is directly attached to an SDSL router via Ethernet 3 interface
(untrust). The SDSL router has got only one port IP 217.xxx.xxx.249/29,
NS25 ethernet3 IP is 217.xxx.xxx.250/29
I want to assign 217.xxx.xxx.252/29 to another interface which is
ethernet2 (DMZ) however it doesn't appear to work.
Ideally I want to put another router behind ethernet2 (DMZ) with an
outside IP of 217.xxx.xxx.253/29
Has anyone had a similar configuration scenario and managed to resolve
the problem without using NAT or MIP?
I heard about subnetting and using two blocks of 217.xxx.xxx.xxx/30
however I don't think it's practical in this case since my basic SDSL
router has only got one port
Re: Public IP to DMZ interface on NetScreen 25
on 14.04.2007 17:23:58 by paleale
In article <1176465990.437705.270120@d57g2000hsg.googlegroups.com>,
inventica wrote:
>Hi all!
>
>I've got a range of 5 useable public IPs 217.xxx.xxx.xxx/29. My Juniper
>NS25 is directly attached to an SDSL router via Ethernet 3 interface
>(untrust). The SDSL router has got only one port IP 217.xxx.xxx.249/29,
>NS25 ethernet3 IP is 217.xxx.xxx.250/29
>
>I want to assign 217.xxx.xxx.252/29 to another interface which is
>ethernet2 (DMZ) however it doesn't appear to work.
>
>Ideally I want to put another router behind ethernet2 (DMZ) with an
>outside IP of 217.xxx.xxx.253/29
>
>Has anyone had a similar configuration scenario and managed to resolve
>the problem without using NAT or MIP?
>
>
>I heard about subnetting and using two blocks of 217.xxx.xxx.xxx/30
>however I don't think it's practical in this case since my basic SDSL
>router has only got one port
Actually NAT (policy based) or MIP are the correct way
to do this and you should assign some public number (192.168.x.x)
to the DMZ.
If you set the untrust to a /32 or and NAT/MIP the .252 IP
the Netscreen will proxy ARP for this IP (you want this). The mistake
most people make is exactly what you are doing - assigning the
whole /29 to the untrust and then trying to use an IP out of this
range. Cannot do. The IP must not be 'previously' used.
Non-intuitive, yes, but that's how it works.
So from the Internet someone connects to 217.xxx.xxx.252 but this
will be translated into whatever you're hiding it to on the DMZ.
I prefer policy based NAT but MIPs are fine too. With a router on
the DMZ be sure to add routes for the networks behind the router as
the netscreen has no idea of these. I guess if you _must_ use the
217.xxx.xxx.252 IP you could NAT at the router but it's a kludge.
alan
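The two plans discussed in the thread, modelled as an added example in Python (this is not part of the original posts and not ScreenOS code): the poster's plan binds the whole /29 to the untrust interface and then tries to put .252/29 on the DMZ interface, which the overlap check rejects; the reply's plan gives the DMZ a private subnet, maps the public .252 to a DMZ host with a MIP that the firewall proxy-ARPs for, and adds a static route for the network behind the DMZ router. The addresses are constructed: 203.0.113.248/29 stands in for the poster's 217.xxx.xxx.xxx/29, 192.168.10.0/24 is the assumed DMZ subnet and 192.168.20.0/24 the assumed network behind the second router. The `Firewall` class and its methods are hypothetical helpers written for this example.

```python
"""Added example: model a NetScreen-style interface/MIP/route plan and check it.

All addresses are constructed for the example (203.0.113.0/24 is documentation
space). The Firewall class is a hypothetical model, not a ScreenOS API.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    zone: str
    addr: ipaddress.IPv4Interface  # address plus prefix length


@dataclass
class Firewall:
    interfaces: list = field(default_factory=list)
    mips: dict = field(default_factory=dict)    # public address -> private host
    routes: list = field(default_factory=list)  # (network, interface, gateway)

    def add_interface(self, name, zone, cidr):
        """Reject an address whose subnet overlaps one already bound to another
        interface: the 'previously used' problem the reply describes."""
        new = ipaddress.ip_interface(cidr)
        for ex in self.interfaces:
            if ex.addr.network.overlaps(new.network):
                raise ValueError(
                    f"{name} {cidr} overlaps {ex.name} {ex.addr.with_prefixlen}")
        self.interfaces.append(Interface(name, zone, new))

    def add_mip(self, public_ip, private_ip):
        """In this model a MIP must lie inside a subnet owned by some interface,
        so that interface can answer ARP for it on the firewall's behalf."""
        pub = ipaddress.ip_address(public_ip)
        if not any(pub in i.addr.network for i in self.interfaces):
            raise ValueError(f"no interface subnet contains {public_ip}")
        self.mips[pub] = ipaddress.ip_address(private_ip)

    def add_route(self, network, iface_name, gateway):
        self.routes.append((ipaddress.ip_network(network), iface_name,
                            ipaddress.ip_address(gateway)))

    def proxy_arps_for(self, ip):
        """The firewall answers ARP for every MIP it hosts."""
        return ipaddress.ip_address(ip) in self.mips

    def translate_inbound(self, dst):
        """Inbound destination translation: MIP public -> private, else unchanged."""
        d = ipaddress.ip_address(dst)
        return self.mips.get(d, d)

    def next_hop(self, dst):
        """Longest-prefix match over static routes and connected subnets."""
        d = ipaddress.ip_address(dst)
        candidates = [(net.prefixlen, iface, str(gw))
                      for net, iface, gw in self.routes if d in net]
        candidates += [(i.addr.network.prefixlen, i.name, "connected")
                       for i in self.interfaces if d in i.addr.network]
        if not candidates:
            return None
        _, iface, gw = max(candidates, key=lambda c: c[0])
        return (iface, gw)


def original_plan():
    """What the poster tried: whole /29 on ethernet3, then .252/29 on ethernet2."""
    fw = Firewall()
    fw.add_interface("ethernet3", "untrust", "203.0.113.250/29")
    fw.add_interface("ethernet2", "dmz", "203.0.113.252/29")  # raises ValueError
    return fw


def try_original_plan():
    """Return the conflict message for the poster's plan, or None if it built."""
    try:
        original_plan()
    except ValueError as err:
        return str(err)
    return None


def nat_plan():
    """The reply's approach: private DMZ subnet, MIP for .252, route behind the router."""
    fw = Firewall()
    fw.add_interface("ethernet3", "untrust", "203.0.113.250/29")
    fw.add_interface("ethernet2", "dmz", "192.168.10.1/24")   # assumed DMZ subnet
    fw.add_mip("203.0.113.252", "192.168.10.2")              # DMZ router's outside address
    fw.add_route("192.168.20.0/24", "ethernet2", "192.168.10.2")  # assumed network behind it
    fw.add_route("0.0.0.0/0", "ethernet3", "203.0.113.249")       # SDSL router as default
    return fw


if __name__ == "__main__":
    print("poster's plan:", try_original_plan())
    fw = nat_plan()
    inside = fw.translate_inbound("203.0.113.252")
    print("203.0.113.252 ->", inside, "via", fw.next_hop(inside))
    print("192.168.20.7 via", fw.next_hop("192.168.20.7"))
```

Running it shows the overlap error for the first plan, and for the second that a packet arriving for 203.0.113.252 is translated to the DMZ router's address and forwarded out ethernet2, while a host behind that router is reached only because of the explicit static route, which is the point the reply makes about the NetScreen having no idea of those networks otherwise.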