Routing

Can I use MIP & Alternate Virtual Router to communicate between Untrust zone & 2 identical subnets ?

  • 1.  Can I use MIP & Alternate Virtual Router to communicate between Untrust zone & 2 identical subnets ?

    Posted 8 days ago
    I have an SSG5 and am wondering if I can use it to enable a monitoring device on an untrust zone to communicate with a couple of service devices on other zones having identical subnetting to each other.

    I have put one of the service devices on the 'trust' zone on the same 'trust-vr' as the untrust zone,
    and the other on an 'alt-zone' on a separate 'alt-vr',

    and added a MIP on the untrust interface with a unique untrust IP translating to the service-side IP for each device ...

    I expected pings to the MIP IP configured on the 'trust-vr' to be isolated from pings to the MIP IP configured on the 'alt-vr'...
    but no matter which MIP IP I ping from the monitoring host, I get replies whether I plug a service device into the 'trust-vr' port or the 'alt-vr' port...

    So:
    Monitor at 10.10.10.12
    wired to port 0/0 (untrust zone on trust-vr) 10.10.10.10/24

    service device at 192.168.1.100
    wired to port 0/6 (trust zone on trust-vr) 192.168.1.99/24

    service device at 192.168.1.100
    wired to port 0/5 (alt-zone on alt-vr) 192.168.1.99/24

    MIP on port 0/0 (10.10.10.19) to host 192.168.1.100/32 vr "alt-vr"
    MIP on port 0/0 (10.10.10.20) to host 192.168.1.100/32 vr "trust-vr"

    If I attach a service device to just port 0/5, I get replies when pinging either 10.10.10.19 or .20 from the monitoring device.
    Likewise if I attach a service device to just port 0/6...

    Does global zone prevent me from isolating the service devices or do I just need to get smart on routing and policy?

    Thanks for any help.



    ------------------------------
    JOHN JOHN
    ------------------------------


  • 2.  RE: Can I use MIP & Alternate Virtual Router to communicate between Untrust zone & 2 identical subnets ?

    Posted 7 days ago
    I am not sure I have drawn what you have here correctly, but I think what you need to do is create a link in a different subnet between the two virtual routers and run another layer of NAT for this to work.

    trust-vr
    10.10.10.10/24
    192.168.1.99/24

    connection between trust-vr and alt-vr example: 172.16.0.0/24

    alt-vr
    192.168.1.99/24

    NAT rule for trust to local is normal.

    NAT rule for trust to other uses a destination of one of the 172.16.0.0/24 addresses;
    a second NAT rule goes from the cross zone to the alt-vr zone, taking the 172 address to the 192 one.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
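
Below is a sketch, in ScreenOS CLI, of the design described in the reply above (a 172.16.0.0/24 link subnet between the two virtual routers and two layers of NAT). It is added to this thread as an illustration; it is not configuration posted by either participant and has not been run on an SSG5. It keeps the interfaces, zones and addresses from the original post; the link subnet, the address-book names ("Monitor", "Svc-Alt-Link"), the choice of policy-based NAT-dst for the second layer, and the assumption that the existing ScreenOS release accepts `nat dst` on a policy whose destination is a MIP are all assumptions. Lines beginning with `##` are commentary, not ScreenOS commands.

```text
## Assumed already in place from the original post: zones Untrust/Trust on trust-vr,
## zone alt-zone on alt-vr, ethernet0/0 10.10.10.10/24 (Untrust), ethernet0/6
## 192.168.1.99/24 (Trust), ethernet0/5 192.168.1.99/24 (alt-zone).
## "Monitor", "Svc-Alt-Link" and 172.16.0.0/24 are illustrative choices, not from the post.

## 0. Sanity check before touching NAT: on an SSG5 the ports e0/2-e0/6 ship bridged
##    together as bgroup0, so confirm e0/5 and e0/6 really are standalone interfaces,
##    each in its own zone and VR, and that only the intended MIPs exist.
get interface
get vrouter alt-vr
get mip

## 1. Device behind ethernet0/6 (Trust, trust-vr): one MIP and one policy are enough.
set interface ethernet0/0 mip 10.10.10.20 host 192.168.1.100 netmask 255.255.255.255 vr trust-vr
set address Untrust Monitor 10.10.10.12 255.255.255.255
set policy from Untrust to Trust Monitor "MIP(10.10.10.20)" PING permit

## 2. Device behind ethernet0/5 (alt-zone, alt-vr): the first NAT layer lands in the
##    172.16.0.0/24 link subnet, which trust-vr hands over to alt-vr by an inter-VR route.
set interface ethernet0/0 mip 10.10.10.19 host 172.16.0.100 netmask 255.255.255.255 vr trust-vr
set vrouter trust-vr route 172.16.0.0/24 vrouter alt-vr

## 3. Inside alt-vr: a host route for the link address toward the device's interface so
##    the route lookup resolves to alt-zone, then the second NAT layer (policy NAT-dst)
##    rewrites 172.16.0.100 -> 192.168.1.100. A policy between zones in different VRs is
##    allowed as long as the source VR can route to the destination VR (step 2).
set vrouter alt-vr route 172.16.0.100/32 interface ethernet0/5
set address alt-zone Svc-Alt-Link 172.16.0.100 255.255.255.255
set policy from Untrust to alt-zone Monitor "MIP(10.10.10.19)" PING nat dst ip 192.168.1.100 permit

## 4. Verify from the monitor by pinging 10.10.10.19 and 10.10.10.20 in turn: the two
##    sessions should show different egress interfaces (ethernet0/5 vs ethernet0/6).
##    If the CLI rejects "nat dst" on a MIP destination, move the second translation to
##    a MIP on an interface that lives in alt-zone instead of putting it on the policy.
get session src-ip 10.10.10.12
debug flow basic
```

The verification step is the part worth doing first: if `get session` shows both MIPs leaving through the same interface, or `get interface` shows e0/5 and e0/6 still bridged, the isolation problem is in the interface layout rather than in routing or NAT, and no amount of policy work will separate the two identical subnets.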