Public IP to DMZ interface on NetSreen 25

Hi all!

I've got a range of 5 usable public IPs, 217.xxx.xxx.xxx/29. My Juniper NS25 is directly attached to an SDSL router via the Ethernet 3 interface (untrust). The SDSL router has got only one port, IP 217.xxx.xxx.249/29; the NS25 ethernet3 IP is 217.xxx.xxx.250/29.

I want to assign 217.xxx.xxx.252/29 to another interface, which is ethernet2 (DMZ); however, it doesn't appear to work.

Ideally I want to put another router behind ethernet2 (DMZ) with an outside IP of 217.xxx.xxx.253/29.

Has anyone had a similar configuration scenario and managed to resolve the problem without using NAT or MIP?

I heard about subnetting and using two blocks of 217.xxx.xxx.xxx/30; however, I don't think it's practical in this case since my basic SDSL router has only got one port.

inventica

Actually NAT (policy based) or MIP are the correct way to do this and you should assign some public number (192.168.x.x) to the DMZ.

If you set the untrust to a /32 and NAT/MIP the .252 IP, the Netscreen will proxy ARP for this IP (you want this). The mistake most people make is exactly what you are doing - assigning the whole /29 to the untrust and then trying to use an IP out of this range. Cannot do. The IP must not be 'previously' used. Non-intuitive, yes, but that's how it works.

So from the Internet someone connects to 217.xxx.xxx.252 but this will be translated into whatever you're hiding it to on the DMZ. I prefer policy based NAT but MIPs are fine too. With a router on the DMZ be sure to add routes for the networks behind the router as the netscreen has no idea of these. I guess if you _must_ use the 217.xxx.xxx.252 IP you could NAT at the router but it's a kludge.

alan

Alan Strassberg
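The MIP approach Alan describes, written out as an added ScreenOS CLI example that is not part of the thread: the DMZ gets a private subnet, 217.xxx.xxx.252 is mapped to a host on it, and a route is added for the network behind the DMZ router. The private addresses (192.168.1.0/24 on the DMZ, 192.168.10.0/24 behind the router) and the service (HTTP) are assumed; the command syntax is from memory of ScreenOS 5.x and should be checked against the firmware in use.

```screenos
## DMZ interface gets a private address instead of the public .252 (assumed addressing)
set interface ethernet2 zone dmz
set interface ethernet2 ip 192.168.1.1/24

## Default route out of the untrust interface towards the SDSL router (.249, from the thread)
set route 0.0.0.0/0 interface ethernet3 gateway 217.xxx.xxx.249

## Static route for the network behind the second router on the DMZ;
## without this the NetScreen has no idea those networks exist (assumed 192.168.10.0/24)
set route 192.168.10.0/24 interface ethernet2 gateway 192.168.1.2

## Option 1: MIP - public .252 is mapped 1:1 to the DMZ router's outside address.
## The NetScreen proxy-ARPs for .252 on ethernet3.
set interface ethernet3 mip 217.xxx.xxx.252 host 192.168.1.2 netmask 255.255.255.255 vr trust-vr
## Inbound policy references the MIP, not the private host; restrict the service to what is needed
set policy from untrust to dmz any MIP(217.xxx.xxx.252) HTTP permit

## Option 2 (alternative to the MIP): policy-based destination NAT to the same host
## set policy from untrust to dmz any 217.xxx.xxx.252 HTTP nat dst ip 192.168.1.2 permit

## Verify: the MIP entry, the route table and that .252 is answered on ethernet3
get mip
get route
get policy from untrust to dmz
```

Keep the inbound policy limited to the services the DMZ host actually offers; an `any` service policy on a MIP exposes every port on the mapped host.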
