Juniper SSG 5 to Cisco 881

Hi All,
I have won an 881 off the bay, got it for a decent price and the RAM has been upped to 512MB.

I was planning as an experiment to use the SSG5 as purely a firewall, and the 881 to do the routing, DHCP, VLANs, RADIUS etc.

This will trunk down to two 2940 switches; a gigabit link goes from upstairs to downstairs.

I have a /29 with Zen so the setup I hope to have is

Draytek 120 Modem > SSG5 > 881 > 2940 > 2940 > access point downstairs

Can someone please give me pointers on how to get the SSG5 and 881 talking to each other?

Am I right in thinking I will need to give the SSG5 and 881 a public IP for it to work correctly?
 
Disable DHCP on the SSG5 set its DG as your Modem.
Set the DG on the 881 as the SSG5 and enable DHCP on this?

Been aaaages since I've worked with cisco stuff so probably a lot more to it than that :p
 
They say a picture paints 1000 words:

[Image: options.jpg]

The best you can hope for is D as it's simple but does mean Zen will need to allocate you an additional /30.
Next is C, a little more complicated, leaves NAT completely out of it but requires Zen to allocate you 2x additional /30.
Next is B, Double NAT is never good, but this does mean you do not need additional IPs from Zen. You will need to look into the problems double NAT could give you.
Lastly is A - Triple NAT. Simply yuck and should only be used as a last resort.
 
Thanks all.

Many thanks Pete for making the diagrams, I had to look up ZIPB if I'm being honest lol but I'm sure the Draytek 120 is ideal in this situation. Double NAT could be an issue though as you say.

This should mean B as the 120 is a bridge but I only have one /29 range

--------------------------------------------------------------------------

The DrayTek Vigor 120 is an ADSL modem with an Ethernet connection; it is not a router but a true ADSL Ethernet Modem. By providing a PPPoE to PPPoA bridge, the connected device (firewall, router or PC) can log into the Internet (your ISP) directly and have full control over the ADSL connection - that makes the Vigor 120 a unique product. You can connect any device to the Vigor 120 which has a PPPoE client facility, which includes PCs, most Ethernet-WAN routers and the Apple Airport/Time Capsule™ products.

Other ADSL Ethernet 'modems' use workarounds to get a public IP address 'through' to your secondary device/client, requiring non-standard operation and complicated dual-stage setup (modem logs in, router routes) but the Vigor 120 provides the secondary device with a real routed IP connection and the ability to fully manage the connection, making setup easy. In most cases, the Vigor 120 needs no setup or configuration - just plug it in and set up your PC or router. All login/ISP details are entered on the connected client device, not the Vigor 120. The actual connection to your ISP is still PPPoA (unlike other modems which only provide PPPoE native bridging), which is the unique feature of this product and makes it compatible with all UK ISPs, where PPPoA is used as standard.

This method also differs from using a regular ADSL router which logs in itself and then uses NAT or multiple public IP addresses to create an onward client connection for your secondary device; that is not IP Address thrifty, or introduces secondary NAT compromises. With the Vigor 120 bridge/modem, you get a true single public IP address (or multiple, if you have them) straight through to your firewall/router, which also has complete control of the ISP connection.

--------------------------------------------------------------------------
 
An extra /30 was a no go with Zen; I was emailing an engineer at Zen today.

Am I right in thinking as my Draytek 120 is a bridge:

The Juniper can take the Public IP range (/29)

I can assign the 881 a Public IP and NAT from that therefore meaning only one load of NATting will take place

Am I also right in thinking that the rest of my public IPs with this setup would not be usable (even with static NAT entries) by clients behind the Cisco 881?

So in a sense the 881 would have one static public IP address and NAT from that

Mike :)
 
In that setup, yes.

However, you might get away with creating subinterfaces on the outside interface of the Cisco and putting all of the /29 on there and doing 1:1 NAT mappings to the inside... you'd end up with private addresses on the inside of your Cisco, but they'd appear public on the outside of the Juniper.
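A minimal Cisco IOS configuration for the 881 side of this layout, added here as an example and not taken from the thread: one address from the /29 on the outside interface facing the SSG5, PAT for ordinary inside hosts, and one 1:1 static mapping of the kind suggested above. The addresses (203.0.113.0/29 as the public range, 192.168.10.0/24 inside), the interface names and the host chosen for the static mapping are all assumptions.

```cisco
! Added example (not from the thread). 203.0.113.0/29 stands in for the real /29,
! 203.0.113.1 is assumed to be the SSG5's inside address, 203.0.113.3 the 881.
interface FastEthernet4
 description Outside - link to Juniper SSG5
 ip address 203.0.113.3 255.255.255.248
 ip nat outside
 no shutdown
!
interface Vlan1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Default route points at the SSG5, which holds the PPPoE session via the Vigor 120
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inside hosts without their own mapping share the outside interface address (PAT),
! so only one layer of NAT happens on the 881 itself
ip access-list standard INSIDE_NETS
 permit 192.168.10.0 0.0.0.255
ip nat inside source list INSIDE_NETS interface FastEthernet4 overload
!
! 1:1 mapping: this inside host appears as a second address of the /29 on the
! outside; IOS answers ARP for 203.0.113.4 on FastEthernet4 on its behalf
ip nat inside source static 192.168.10.20 203.0.113.4
```

The static mapping forwards all inbound traffic addressed to 203.0.113.4 to 192.168.10.20, so the SSG5 upstream remains the place to restrict which ports and sources may reach that host.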
 