Juniper Firewalls can be configured in Nat/Route mode or Transparent mode, in simple terms L3 or L2 mode.
L3 :: Pure route mode where all the interfaces bear ip addresses and routing is run.
L2 :: Pure layer2 mode where all the interfaces are pass along and no ip addresses.
There is a 3rd mode which can be configured and is Mixed Mode. Say the situation demands, one of the network to be in transparent mode and others in nat/route mode.
A typical example is if you have the Firewall connected to different networks and at the same time you want to have 2 ports receive dhcp assigned ip addresses (I have this config at desk since I maintain a VPN network for testing. On the other hand on my desk I have my laptop and desktop both of which gets corporate dhcp leased ip addresses. So I have configured the SSG-20 in this mode).
1: set interface "bgroup0" zone "Trust"
2: set interface bgroup0 port ethernet0/2
3:
4: The above is connected to a network which is routed
5:
6: set interface "bgroup1" zone "V1-Trust"
7: set interface bgroup1 port ethernet0/0
8: set interface bgroup1 port ethernet0/3
9: set interface bgroup1 port ethernet0/4
10:
11: The above is connected to a network which is transparent;
12:
13: ethernet0/0 is connected to corporate network
14: ethernet0/3 is connected to Desktop
15: ethernet0/4 is connected to Laptop
16:
So both laptop and desktop gets ip addresses leased from corporate DHCP server (Bgroup1 acts as transparent)
Hello,
Have a doubt , as in we have a Netscreen 5GT that has been configured with the default Trust – Untrust mode and the untrust is configured with the ISP address details and the Trust has been configured with the internal LAN ip address details but now we have a MPLS link has been setup from our remote office to this office and we have to terminate this link at the netscreen firewall , the MPLS providers have provided an ip address to be configured on the netscreen’s interface … So where do i configure this additional ip address in the Netscreen firewall ? Any input would be helpful..
Thanks & Regards,
Jai
While I’m not sure about the MPLS capability of this box, you can try assigning this ip on the same interface as secondary ip address. Look for secondary keyword in the ip assigning command.
–Rajesh
MPLS link has been set up by the service provider as in they have provided RAD ASMi 52 Modem at both ends but they have just asked us to configure one of our ports with the Ip address that they have provided ( It’s a private ip address ).So if am going to assign it as secondary ip address , where do i do it as in Netscreen 5GT where do i do it? I did check in Network —> Interfaces —> but all it has is Loopback if , Tunnel if and VSI IF …
Thanks,
Jai
Please check the user guide for OS for SSG and you can find out how to assign the secondary ip address.
–Rajesh