Unanswered Question
Apr 7th, 2009

Hi all, our company just signed up for a T3 account from ATT; they gave us an IP block. We are also leasing a 2800 series. Our old network was in a public IP range. We've never done this before, so we wanted to see what the best scenario is for migrating over to the new ISP without too much downtime. I've heard of NAT with one public address and PAT, but we have our own DC, DNS, email and web servers in house, and we are a medium-sized business of about 100 employees (but only about 75 users) and a remote office. I have requested some DNS changes, and ATT made some changes to get us reverse DNS.

Can anyone chime in on how to move forward? Thanks in advance.

Leo Laohoo Tue, 04/07/2009 - 15:41

Try the following:

IPSec/GRE with NAT on IOS Router Configuration Example

Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks

Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static

I would like to recommend that if you and/or your company is unsure, it is best to engage a consultancy agency.

Hope this helps you. If you have any more questions, please feel free to ask.

Carlo Cirexx Wed, 04/08/2009 - 07:54

Thanks for the reply. I forgot to mention we don't have access to the router since we're leasing it from ATT. Our plan was to use a NetScreen 25 between the 2800 and our network; the NetScreen will provide DHCP to the clients, and the servers will have public addresses from the IP block given by ATT. Will that work? Thanks.

greg.washburn Wed, 04/08/2009 - 08:03

You should be able to do everything from the Juniper firewall, including creating a VPN tunnel to your remote office, unless I'm completely missing something.

DHCP and NAT turned on on the NetScreen (assuming there is a license for all the features); create a site-to-site VPN tunnel to a smaller NetScreen (5 or 10) or a Cisco router, for example, located at the remote site.

Carlo Cirexx Wed, 04/08/2009 - 08:25

Hi Greg, yeah, our branch office has broadband with NAT inside their Linksys access point; they use RDP to our servers here. We can look into VPN too; the NetScreen's got that. I'll keep you guys posted as we move forward, thanks.

Carlo Cirexx Thu, 04/09/2009 - 10:20

Hello all, we tried to configure the NetScreen to connect to the 2800 using what was given to us by ATT, but somehow we can't get it working. This is what we tried:

We put the IP gateway of the 2800 as the untrust IP of the NetScreen, and on the trust side of the NetScreen we left it as is. We're trying to NAT the internal network, but we still have our old DHCP servers giving out addresses (this is the old IP block from the old ISP). We know we're doing something wrong; can anyone give us some pointers on how to get connected? Thanks.

greg.washburn Thu, 04/09/2009 - 11:20

I would just configure the Juniper device to have an address on your internal network. Give the trusted interface a valid internal IP address. Then use the external address as your NAT'd address.

I'm not sure whether the NetScreen has a DMZ port. If so, you could use that for your web server (if external traffic needs to get to it). You would need a big enough subnet of valid external IP addresses to cover your web server, the DMZ port, and the broadcast and network IPs. Alternatively, you can configure the Juniper device so that anything coming in on port 80 (assuming you use the standard web port on your web server) goes to the internal web server.

I wonder if I get negative ratings for referencing Juniper/Netscreen so many times in one post?
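The layout described in the two posts above (private inside network, one AT&T address on the outside, outbound PAT, DHCP from the firewall, and a port 80 path to the in-house web server with no DMZ) as a ScreenOS configuration. This is an added example, not a config posted in the thread or provided by AT&T or Juniper. It assumes ethernet1 is the trust interface and ethernet3 the untrust interface on the NetScreen 25, that 192.168.1.20 and 192.168.1.11 are the web and mail servers, and it uses the documentation range 203.0.113.0/29 as a stand-in for the AT&T block and 203.0.113.1 for the 2800's LAN-side gateway, since the thread shows those addresses only partially.

```text
# Assumed layout (not from the thread): ethernet1 = trust (inside), ethernet3 = untrust (toward the leased 2800).
# 203.0.113.0/29 stands in for the AT&T-assigned block and 203.0.113.1 for the 2800's inside address;
# substitute the real 12.54.x.x values from the AT&T paperwork.

# Inside interface: private LAN in NAT mode, so outbound sessions are PAT'd to the untrust interface IP
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat

# Outside interface: one address from the AT&T block, in route mode
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.2/29
set interface ethernet3 route

# Default route to the 2800. Without this, clients get DHCP leases but no Internet.
set route 0.0.0.0/0 interface ethernet3 gateway 203.0.113.1

# DHCP for clients on the trust side; hand out the in-house DNS server, not the firewall
set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server option gateway 192.168.1.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet1 dhcp server option dns1 192.168.1.10
set interface ethernet1 dhcp server ip 192.168.1.100 to 192.168.1.200
set interface ethernet1 dhcp server enable

# Outbound: everything inside may reach the Internet, source-translated to 203.0.113.2
set policy from trust to untrust any any any permit

# Inbound to the web server with no DMZ: a MIP maps one spare public address 1:1 to the inside host,
# and the policies open only HTTP/HTTPS to it. No untrust-to-trust "any" policy.
set interface ethernet3 mip 203.0.113.3 host 192.168.1.20 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(203.0.113.3) HTTP permit
set policy from untrust to trust any mip(203.0.113.3) HTTPS permit

# Mail server the same way, opening only SMTP
set interface ethernet3 mip 203.0.113.4 host 192.168.1.11 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(203.0.113.4) SMTP permit

# Alternative when only the single interface address is available: a VIP (port forward) on that address
# set interface ethernet3 vip interface-ip 80 HTTP 192.168.1.20

save
```

After applying this, `get route` should show the 0.0.0.0/0 entry via ethernet3, and `get session` should show inside sessions translated to 203.0.113.2 once a client browses out. The example deliberately keeps the old ISP's 208.36.7.x block out of the picture: addresses allocated by the previous provider are routed on the Internet to that provider, so they cannot serve as a live public range behind the AT&T link; the inside network either renumbers to private space behind NAT, as here, or uses the block AT&T assigned. Public DNS for the servers then needs to point at the MIP addresses, and the reverse DNS AT&T set up should match them.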

Carlo Cirexx Thu, 04/09/2009 - 12:49

Hi Greg, yeah, we tried to do that. We used a private address (192.168.1.xx) internally, and then on the untrusted port we used the ATT address (12.54.xx.xx). There's no DMZ.

We got the DHCP to work (on the trusted port); it gives out IPs, but no Internet.

We have a NetScreen 25 firewall.

Carlo Cirexx Sat, 04/18/2009 - 11:03

Hi all, we tried to use our existing IP block from our old ISP (208.36.7.xx), but somehow it won't work with ATT's gateway of 12.54.120.x.

It looks like it would only work with private addresses (192.168.1.x). Can anyone shed any light on this? We would like to keep the old network intact so we don't have to change anything internally, and NAT it with ATT's public addresses. Or should we get a whole new set of IPs and do the whole network over? Thanks in advance.
