Currently, I'm using my home NS5-GT (OS 5.4.0) Extended in a dual DMZ setup, with 1 public IP, assigned by my ISP.
This is rather limited, since the single Untrust allows me to use only one VIP or MIP for an HTTPS server on port 443.
Fortunately, my ISP is willing to provide me with some extra IP addresses. It will probably be a continuous range of IPs.
It is, however, a bit unclear to me how to configure my Netscreen for the use of multiple IPs on my 1 physical untrust interface.
I've read on the forum that using multiple VIPs might not work with multiple public IPs in this ScreenOS version (see forum thread here), so I guess I have to use MIPs.
It is the configuration of the Untrust interface that puzzles me:
In another thread, it is stated that MIPs can be used for IPs that are not assigned to the physical interface. That surprises me, since it is unclear to me how traffic is routed to my firewall in this case. Can someone confirm this will work?
It all seemed pretty straightforward after reading the discussion here: a range of IP addresses can be assigned by using a subnet, such as using xxx.xxx.xxx.71/30 for the range 71 through 74 in the xxx.xxx.xxx.0 subnet.
However, my current public IP comes with a /24 subnet (?)
That leaves me with two questions:
- Is it possible to get multiple IP addresses assigned to a single physical Untrust interface by a DHCP server?
- If so, how about the subnet mask, compared to my current situation?
- Is it correct that I can use multiple MIPs with a range of public IPs on my Untrust interface?
Thank you very much for your help!