# Juniper ssg550 configuration



## techcare2u (Jun 11, 2016)

I need to configure 9 servers with public IPs under the trust zone and an untrust zone to the ISP connection using a Juniper SSG550. The ISP has given me some parameters like my IP range 111.111.111.20 - 111.111.111.30 with mask 255.255.255.240, GW 111.111.111.17 (the IP is a sample only). How should I set this up? My servers need to be put on the public IP instead of a LAN IP.


----------



## MitchConner (May 8, 2015)

Hi mate,

You'll need to create static nats on your SSG, you can do this either using the CLI or GUI. Following this guide will be easier than me typing it out 

Juniper Networks - How to configure 1-to-1 mapping of a public address to a private address in the WebUI? - Knowledge Base


----------



## techcare2u (Jun 11, 2016)

Hi mate,
My servers have to be set to the public IP addresses assigned by the ISP. Is there any way I can create rules from the trust zone to the untrust zone? The trust zone is the public IP address and the untrust zone is also the public IP address, like allow 111.111.111.20 to any, or untrust to trust like allow any to 111.111.111.20 on the HTTP port?


----------



## MitchConner (May 8, 2015)

I personally don't think it's a good idea to have your public addresses in the trust zone. I would NAT my privately addressed servers onto my public addresses, similar to this:



You can then create your zone to zone firewall rules.


----------



## techcare2u (Jun 11, 2016)

I'm looking for a configuration like this because I need to migrate to another ISP and I have around 200 servers that need to be brought over to this new network. I'm thinking of just changing the server IPs to the new IPs and controlling their access/rules at the Juniper. So do you think this is possible to set up?


----------



## MitchConner (May 8, 2015)

Well you should be controlling access at the Juniper anyway 

It's a lot easier, if your servers have private addresses, to simply change the NAT'ing on your gateway than it is to re-address each and every one of your servers each time you change providers.

So, to expand on my previous post, I would do this:

1. Servers addressed using RFC1918 (private) addressing.
2. Configure your NAT on the Juniper (either 1-to-1 or PAT)
3. Create the access rules (based on your examples):

`set policy id 1 from Trust to Untrust ANY HTTP permit` - That will allow internet access from your servers.

* For more 'custom' rules, you'll need to create a new service if the rule you need to create requires a service that is not defined in the SSG as a default.
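The three steps above, written out as a ScreenOS CLI fragment. This is an added example, not MitchConner's configuration or a Juniper knowledge-base article; it uses the thread's sample public block (111.111.111.16/28, gateway 111.111.111.17) and assumes interface names (ethernet0/0 facing the ISP, ethernet0/1 facing the servers) and a constructed RFC1918 range (192.168.10.0/24), all of which need to be adjusted to the real SSG550 ports and addressing:

```screenos
# ---- Untrust side (assumed port ethernet0/0) ----
# One address from the ISP-assigned range goes on the interface itself;
# 111.111.111.30 is chosen here as an example, any unused address in the block works.
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 111.111.111.30/28
set route 0.0.0.0/0 interface ethernet0/0 gateway 111.111.111.17

# ---- Trust side (assumed port ethernet0/1, constructed private range) ----
set interface ethernet0/1 zone Trust
set interface ethernet0/1 ip 192.168.10.1/24

# ---- Step 2: 1-to-1 NAT (MIP) on the untrust interface ----
# Public 111.111.111.20 <-> private server 192.168.10.20.
# ScreenOS creates an address-book entry named MIP(111.111.111.20) for use in policies.
set interface ethernet0/0 mip 111.111.111.20 host 192.168.10.20 netmask 255.255.255.255 vr trust-vr

# ---- Step 3: zone-to-zone policies ----
# Inbound: the "any to 111.111.111.20 http" rule from the thread. Only HTTP is
# exposed; everything else to the server is caught by the deny below.
set policy id 10 from Untrust to Trust Any MIP(111.111.111.20) HTTP permit log

# Outbound: the "Trust to Untrust ANY HTTP" rule from the post above.
set policy id 11 from Trust to Untrust Any Any HTTP permit

# Explicit logged deny for anything else arriving from the ISP side, so dropped
# inbound attempts show up in the traffic log rather than disappearing silently.
set policy id 12 from Untrust to Trust Any Any ANY deny log

save
```

For the 200-server case the same `mip` command accepts a wider netmask (for example `netmask 255.255.255.240`) to map a contiguous public block onto a contiguous private block in one statement, and the ISP change then touches only the interface address, the default route and the MIP lines rather than every server. The explicit deny at the end is optional on ScreenOS, which already denies inter-zone traffic with no matching policy, but logging it is what makes the later "control it at the Juniper" plan auditable.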


----------



## techcare2u (Jun 11, 2016)

My problem is the servers are now all on public IPs with internal firewalls. If I need to change them to LAN addresses and do NAT, it would be a lot of work :-( So I'm thinking later I will control it at the Juniper level and turn off the internal firewalls. It is easier for me for administration; I would not need to SSH or RDP to the servers to change internal rules as required.


----------



## MitchConner (May 8, 2015)

I wouldn't try changing the IPs using anything but the DRAC mate, otherwise you might have a problem 

It's not for me to tell you how to setup your network, so if you need to do it in the way you describe, you can definitely do it.


----------



## MitchConner (May 8, 2015)

Again, to save me typing everything out, you can use the ScreenOS knowledge base which has both GUI and CLI instructions:

Juniper Networks - Knowledge Base - Knowledge Base


----------



## techcare2u (Jun 11, 2016)

Anyway thank you for your info, advice and time..thanks again and have a good day!


----------



## MitchConner (May 8, 2015)

You're very welcome mate.

If you get stuck at all, just give me a shout


----------

