1

I've configured a Juniper SSG20 to have some clients NATed to the internet with the main IP address (X.X.27.90/30) of my IPoA ADSL connection, but I also have some servers I wish to connect directly to the internet with a public IP address (coming from another subnet, X.X.234.88~95/29, but from the same ADSL).

I wish, for example, to add a server with IP X.X.234.90/29 to ethernet0/0 or on the clients' side (bgroup0).

My situation is:

Interface adsl1/0 now has IP X.X.27.90 with default gateway X.X.27.89.

Interface bgroup0 (ethernet0/2+ethernet0/3+ethernet0/4) has IP 192.168.1.1/24, DHCP server and NAT.

Francesco

1 Answer

1

Not entirely clear what you are asking, but I'll take a stab. I think you are saying you were assigned an additional public IP block from your ISP and you want to direct traffic sent to the public IPs to servers located in your LAN.

If that's the case, you need to edit the ADSL interface, and add MIP entries that map the public IP to the related LAN IP for that server. (I don't think VIP entries will work since it's a separate subnet block.)

Be sure to also add appropriate routing/security policies to allow the traffic.

jlehtinen
  • It's exactly what I mean but... I don't want to map a public IP to a LAN IP (it works right now using MIP); I just want to give a public IP on the server Ethernet interface. For example: PROVIDER GATEWAY 1.1.1.1/30; SSG20 Primary IP: 1.1.1.2/30; SSG20 ADDITIONAL IP 2.2.2.1/29 (MY ADDITIONAL IP BLOCK IS 2.2.2.0/29); SERVER IP: 2.2.2.3/29 – Francesco Apr 06 '15 at 19:42
  • Do you have spare interfaces on the SSG20? If yes, you could assign the spare interface an IP from your second block (i.e., 2.2.2.1/29), then hook that interface to a switch (or direct to your server), then configure the server to have 2.2.2.3/29. Remove the MIP config and adjust your routing rules so that all traffic for the 2.2.2.0/29 subnet goes to that interface. Keep in mind, the policy rules for traffic there might have to be Untrust->Untrust rules depending on what zone you put the interface in... – jlehtinen Apr 06 '15 at 20:08
  • Note that Juniper's latest documentation favors policy-based NAT over MIP, as it gives an extra degree of flexibility. – dtoubelis Sep 15 '15 at 13:59
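
The routed (non-NAT) setup described in the comments above, sketched as a ScreenOS configuration. This is an added example, not part of the original thread. It uses the placeholder addresses from the comments and assumes that ethernet0/1 is the spare interface, that it is bound to the DMZ zone, that the ISP routes 2.2.2.0/29 to the SSG20's primary address, and that the server only needs to accept HTTPS; the address-book name `srv-public` is hypothetical. Lines starting with `#` are annotations for the reader and are not meant to be entered on the device.

```screenos
# Assumption: ethernet0/1 is unused and placed in the DMZ zone.
set interface ethernet0/1 zone "DMZ"
# First usable address of the additional block becomes the server's gateway.
set interface ethernet0/1 ip 2.2.2.1/29
# Route mode: traffic crossing this interface is forwarded without source NAT.
set interface ethernet0/1 route

# Address-book entry for the server (hypothetical name, placeholder IP).
set address "DMZ" "srv-public" 2.2.2.3 255.255.255.255

# Inbound: allow only the service the server actually publishes, and log it.
set policy from "Untrust" to "DMZ" "Any" "srv-public" "HTTPS" permit log
# Outbound from the server; no "nat src", so it leaves with its own public IP.
set policy from "DMZ" to "Untrust" "srv-public" "Any" "ANY" permit log

# No policy from DMZ to Trust is defined, so the public-facing server
# cannot open connections to the 192.168.1.0/24 clients behind bgroup0.
```

The server itself is then configured with 2.2.2.3/29 and default gateway 2.2.2.1, and any existing MIP for that address on adsl1/0 is removed so the two configurations do not conflict.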