Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

Can I use MIP & Alternate Virtual Router to communicate between Untrust zone & 2 identical subnets ?

  • 1.  Can I use MIP & Alternate Virtual Router to communicate between Untrust zone & 2 identical subnets ?

    Posted 11-22-2021 18:02
    I have an SSG5 and am wondering if I can use it to enable a monitoring device on an untrust zone to communicate with a couple of service devices on other zones that have identical subnetting to each other.

    I have put one of the service devices on the 'trust' zone on the same 'trust-vr' as the untrust zone,
    and the other on an 'alt-zone' on a separate 'alt-vr',

    and added a MIP on the untrust interface with a unique untrust IP translating to the service-side IP for each device.

    I expected pings to the MIP IP configured on the 'trust-vr' to be isolated from pings to the MIP IP configured on the 'alt-vr',
    but no matter which MIP IP I ping from the monitoring host, I get replies whether I plug a service device into the 'trust-vr' port or the 'alt-vr' port.

    So:
    Monitor at 10.10.10.12
    wired to port 0/0 (untrust zone on trust-vr) 10.10.10.10/24

    service device at 192.168.1.100
    wired to port 0/6 ( trust zone on trust-vr) 192.168.1.99/24

    service device at 192.168.1.100
    wired to port 0/5 (alt-zone on alt-vr) 192.168.1.99/24

    MIP on port 0/0 (10.10.10.19) to host 192.168.1.100/32 vr "alt-vr"
    MIP on port 0/0 (10.10.10.20) to host 192.168.1.100/32 vr "trust-vr"

    If I attach a service device to just port 0/5, I get replies when pinging either 10.10.10.19 or .20 from the monitoring device.
    Likewise if I attach a service device to just port 0/6.

    Does global zone prevent me from isolating the service devices or do I just need to get smart on routing and policy?

    Thanks for any help.



    ------------------------------
    JOHN JOHN
    ------------------------------


  • 2.  RE: Can I use MIP & Alternate Virtual Router to communicate between Untrust zone & 2 identical subnets ?

    Posted 11-23-2021 16:29
    I am not sure I have drawn what you have here correctly, but I think what you need to do is create a link in a different subnet between the two virtual routers and run another layer of NAT for this to work.

    trust-vr
    10.10.10.10/24
    192.168.1.99/24

    connection between trust-vr and alt-vr example: 172.16.0.0/24

    alt-vr
    192.168.1.99/24

    NAT rule for trust to local is normal.

    NAT rule for trust to other uses a destination of one of the 172.16.0.0/24 addresses.
    Second NAT rule goes from cross zone to alt-vr zone, taking the 172 address to the 192 one.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
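One way to lay out the two-stage NAT that post #2 sketches, as an added ScreenOS CLI example that is not config from either poster. The 10.10.10.x and 192.168.1.x addresses and ports 0/0, 0/5 and 0/6 come from post #1; the 172.16.0.0/24 link subnet, the MIP address 172.16.0.20, the zone names "cross" and "cross-alt", the use of ethernet0/1 and ethernet0/2 (cabled to each other) as the inter-VR link, and the ping-only policies are assumptions; lines starting with # are annotations, not CLI.

```screenos
# virtual routers and zones (assumed zone names; the two "cross" zones hold
# the ends of the inter-VR link, one per virtual router)
set vrouter name alt-vr
set zone name alt-zone
set zone alt-zone vrouter alt-vr
set zone name cross
set zone name cross-alt
set zone cross-alt vrouter alt-vr

# interfaces as described in post #1
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 10.10.10.10/24
set interface ethernet0/6 zone trust
set interface ethernet0/6 ip 192.168.1.99/24
set interface ethernet0/5 zone alt-zone
set interface ethernet0/5 ip 192.168.1.99/24

# inter-VR link in its own subnet, so the route lookup for the 172 address is
# unambiguous in both VRs (assumed: ethernet0/1 and ethernet0/2 cabled together)
set interface ethernet0/1 zone cross
set interface ethernet0/1 ip 172.16.0.1/24
set interface ethernet0/2 zone cross-alt
set interface ethernet0/2 ip 172.16.0.2/24

# device on trust-vr: the "normal" single MIP, resolved in trust-vr
set interface ethernet0/0 mip 10.10.10.20 host 192.168.1.100 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust 10.10.10.12/32 mip(10.10.10.20) ping permit

# device on alt-vr, stage 1: the untrust MIP lands on a link-subnet address,
# still resolved in trust-vr, so the flow leaves via the cross zone
set interface ethernet0/0 mip 10.10.10.19 host 172.16.0.20 netmask 255.255.255.255 vr trust-vr
set policy from untrust to cross 10.10.10.12/32 mip(10.10.10.19) ping permit

# device on alt-vr, stage 2: the link address is itself a MIP on the alt-vr
# end of the link, translating to the real host on ethernet0/5
set interface ethernet0/2 mip 172.16.0.20 host 192.168.1.100 netmask 255.255.255.255 vr alt-vr
set policy from cross-alt to alt-zone 10.10.10.12/32 mip(172.16.0.20) ping permit
```

The second-stage MIP only ever sees traffic that arrived over the link, so a reply to 10.10.10.19 can only come from the host behind ethernet0/5, which is the isolation post #1 was after; verify with "get session" on the SSG5 while pinging each MIP.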