Multiple External IP Ranges on a Juniper SSG5

Tags: juniper, networking

I have a Juniper SSG 5 firewall in a datacenter. The first interface (eth0/0) has been assigned a static IP address and has three other addresses configured for VIP Nat. I have a static route configured at the lowest priority for 0.0.0.0/0 to my hosting company's gateway.

Now I need to configure a second IP block. I have the IPs assigned to the second interface (eth0/1) which is in the same security zone and virtual router as the first. However, with this interface enabled I (a) can't initiate outbound sessions (browse the internet, ping, DNS lookup, etc) even though I can access servers behind the firewall just fine from the outside and (b) can't ping the management IP of the firewall/gateway.

I've tried everything I can think of, but I guess this is a little above my head. Could anyone point me in the right direction?

Interfaces:
ethernet0/0 xxx.xxx.242.4/29 Untrust Layer3
ethernet0/1 xxx.xxx.152.0/28 Untrust Layer3

Routes:

http://i.stack.imgur.com/60s41.png

Best Answer

Since the IPs both come from the same ISP, you can just apply the addresses from the new block to the MIPs on the existing untrust interface. You don't have to define a second physical interface.

This works because the Netscreen is also a router.

So, when the world wants to send packets to the new block, the ISP will ARP for the IP on the new block, and your Netscreen will respond.

When the Netscreen needs to send packets back to the rest of the world from an IP on the new block, it will use the default router from the existing block; the ISP should accept this traffic.

This isn't intuitive, but it works.
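The configuration the answer describes, written out as an added ScreenOS CLI example (this is not part of the answer above and not the questioner's own config). The addresses are assumptions standing in for the masked ones in the question: the existing block is taken as 203.0.113.0/29 with the interface at 203.0.113.4 and the ISP gateway at 203.0.113.1, the new block as 198.51.100.0/28, and the internal hosts as 10.0.0.20 and 10.0.0.30 in the Trust zone. The commands are the standard ScreenOS `set interface ... mip`, `set policy` and `get` forms; verify them against the release notes for your ScreenOS version.

```screenos
## Existing untrust interface and lowest-priority default route (unchanged from the question).
## 203.0.113.0/29 and 203.0.113.1 are assumed values, not the questioner's real addresses.
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.4/29
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

## Do not bring the second block up on a second untrust interface in the same zone/VR;
## take the address off ethernet0/1 and leave the port down.
unset interface ethernet0/1 ip
set interface ethernet0/1 disable

## Map addresses from the new block (198.51.100.0/28, assumed) as MIPs on the existing
## untrust interface. The SSG answers ARP for each MIP on ethernet0/0, and replies from
## 10.0.0.x leave with the MIP as source over the existing default route.
set interface ethernet0/0 mip 198.51.100.2 host 10.0.0.20 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 198.51.100.3 host 10.0.0.30 netmask 255.255.255.255 vr trust-vr

## A MIP is a 1:1 translation, so only the services named in policy are reachable.
## The address-book name of a MIP is "MIP(<address>)".
set policy from Untrust to Trust any "MIP(198.51.100.2)" HTTP permit
set policy from Untrust to Trust any "MIP(198.51.100.3)" HTTPS permit
save

## Checks: the MIPs should list on ethernet0/0, the only default route should point at
## 203.0.113.1, and after an inbound test the ISP gateway's MAC should appear in the ARP table.
get interface ethernet0/0 mip
get route
get arp
```

Two things to confirm before relying on this: the ISP must route 198.51.100.0/28 to your ethernet0/0 segment (so that its gateway ARPs for the MIPs on that link), and it must not drop packets sourced from the new block arriving over the same link, which is what the answer means by "the ISP should accept this traffic". Keeping the MIPs on one interface also avoids the asymmetric-path problem the question describes, where a second interface in the same zone and virtual router ends up with two candidate exits and the firewall's own outbound sessions fail.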