  1. #1

    Simple Juniper SSG140 Firewall Setup Help

    Hey!

    Got a Juniper SSG140 Firewall. Need some help for simple setup. Appreciate any help or feedback.

    Q1. Basically I've got a switch, with servers connected to this switch. So servers are being accessed directly by the dedicated IP.

    But currently I'm adding this firewall. By default it comes with a 3-port setup (trusted, DMZ and untrusted); the rest are NULL.

    So I'm adding this Firewall on the edge, between the INTERNET and the SWITCH.

    To my understanding, the network port from the INTERNET should be plugged into the untrusted port, and then the switch should be connected to the firewall port which is setup as trusted zone. Am I right?

    Because I want the initial setup to be free flowing, from external Internet traffic to internal network and from internal to the Internet without restriction, is that okay? Anything else I need to do?



    Q2. And another question is with the assigning of IPs (whether static or DHCP) when doing the initial setup. Basically I need to assign IPs to the 3 default ports: trusted, DMZ and untrusted.
    -> Should I set the DHCP option for all of them? Or assign static IPs to them? What are the advantages/disadvantages of the 2?
    -> If setting them with static IPs, should a public IP or a private IP be used?

    Many thanks!!
    Jackson Yap
    APC Hosting
    http://www.apc.sg/

  2. #2
    If you are using public IP addresses, you will need a /30 or /29 to route all the traffic through to the interface that has your switch. I used an SSG5 as an example when I did this:

    http://www.google.com/#sclient=psy&h...ce1e11ecd3b0b1

  3. #3
    Is it better to use public IPs for the interfaces in the firewall? Is a private IP good enough? But with private IPs, can public IPs reach internally?
    Jackson Yap
    APC Hosting
    http://www.apc.sg/

  4. #4
    I wouldn't recommend any NAT for a hosting environment. Get a few different IP blocks from your hosting provider and do a "public" zone so servers will have a public IP but still be protected by the SSG.

  5. #5
    If you're looking to do NAT you'll configure VIP (virtual IPs) for each of the WAN IPs and map specific ports to the internal IPs. You'll then need to create a policy from ANY to the VIP interface and allow specific traffic.

    If you're looking for routing this too can be done in ScreenOS. You will configure this with policies and would need your provider to route your IPs to a single address on their network. For example if you had a /29 or larger block they can route this to you on a single IP they will provide you. You can then use the IPs on any internal interfaces and filter traffic as it passes between zones.

    If you plan to use this as a switch too (there are a lot of ports on the SSG140 for a firewall) you can create a "bgroup" and add the physical ports.

  6. #6
    nyzch is correct, but you may want to consider using MIPs over VIPs. It gives you more flexibility when creating policies.

  7. #7
    MIPs (static NAT) create more of a two-way relationship, in that traffic outbound will use the same WAN IP that you're using for inbound.

    In some ways this is better on a 1-to-1 basis (less to configure) but will be less flexible in that you can't have multiple services on a single WAN IP hitting different LAN IPs behind the firewall.
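As an added example, not posted by anyone in this thread, here is how the pieces described in posts #4, #5 and #7 look in ScreenOS CLI on an SSG140: a NAT-mode trust interface with port-level VIPs on one WAN IP, a 1-to-1 MIP on a second WAN IP, and a route-mode "public" zone for a second block the provider routes to the untrust address. Everything concrete here is assumed for illustration: the interface names (ethernet0/0, 0/1, 0/2; check `get interface` for the real port-to-zone mapping on your unit), the 203.0.113.0/29 WAN block with gateway 203.0.113.1, the 192.168.10.0/24 LAN, the 198.51.100.0/29 routed block, and the host addresses. Lines beginning with `##` are annotations, not CLI commands.

```screenos
## Assumed WAN side: provider hands us 203.0.113.0/29, gateway 203.0.113.1
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/29
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

## Assumed NAT-mode LAN: outbound traffic is source-NATed to the egress interface IP
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.10.1/24
set interface ethernet0/1 nat

## VIP (port-level NAT): one WAN IP, different services to different LAN hosts.
## Inbound only; the hosts' own outbound traffic leaves from 203.0.113.2, not 203.0.113.3.
set interface ethernet0/0 vip 203.0.113.3 80 HTTP 192.168.10.10
set interface ethernet0/0 vip 203.0.113.3 443 HTTPS 192.168.10.11
set policy from untrust to trust any vip(203.0.113.3) http permit
set policy from untrust to trust any vip(203.0.113.3) https permit

## MIP (static 1-to-1 NAT): a whole WAN IP for one host, two-way.
## 192.168.10.20 appears as 203.0.113.4 both inbound and outbound, so this
## WAN IP cannot be shared with another LAN host.
set interface ethernet0/0 mip 203.0.113.4 host 192.168.10.20 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(203.0.113.4) http permit
set policy from untrust to trust any mip(203.0.113.4) ssh permit

## Route mode, no NAT: a second block (assumed 198.51.100.0/29) that the provider
## routes to 203.0.113.2. Servers keep public IPs and are still policed by zone.
set zone name public
set interface ethernet0/2 zone public
set interface ethernet0/2 ip 198.51.100.1/29
set interface ethernet0/2 route
set address public public-servers 198.51.100.0 255.255.255.248
set policy from untrust to public any public-servers http permit
set policy from untrust to public any public-servers https permit
set policy from public to untrust public-servers any any permit

## Let the NAT-mode servers reach the Internet (updates, DNS); tighten as needed
set policy from trust to untrust any any any permit

save
```

Only explicitly permitted services reach the VIP, MIP and public-zone hosts from untrust; anything else is dropped by the inter-zone default. Swap the assumed addresses for the blocks your provider actually allocates and confirm the interface-to-zone mapping on the box before pasting.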

  8. #8
    Originally Posted by nzych:
    MIPs (static NAT) create more of a two-way relationship, in that traffic outbound will use the same WAN IP that you're using for inbound.

    In some ways this is better on a 1-to-1 basis (less to configure) but will be less flexible in that you can't have multiple services on a single WAN IP hitting different LAN IPs behind the firewall.
    You are 100% correct. I was assuming he was going to have dedicated servers behind the firewall and wouldn't want to share a WAN IP.
