Defining DHCP scope on different subnet than internal interface

New Contributor

Hi,

I'm currently setting up a MAG2600. This is the first time for me so everything is new. The web portal works fine, I have one user realm and two user roles that are assigned depending on AD membership.

Now I'm setting up the Pulse client for our company's laptops and I need to assign a DHCP scope. The SA is connected with its internal interface to our DMZ switch and has the DMZ interface of our firewall as standard gateway. The subnet is 10.0.0.0/24.

Now I don't really want to assign the clients IPs from that DMZ subnet but rather use a new one, an internal one like 172.17.191.0/24. When I configure such a scope and even put in a static route pointing to our DMZ firewall (Juniper Netscreen) interface, this isn't working. I can connect the laptop and get an IP from that scope, but cannot access any internal resources. A trace ends at the VPN tunnel IP.

Our firewall acts as the central routing device as well, so it has all the routes to all subnets etc. I put a new route in place for the way back, sending packets for 172.17.191.X back to the DMZ interface. Still not working.

Is there a way to set this up without using the SA's other interface plugged in to the LAN? That would circumvent our firewall and is not really an option.

Katja

Super Contributor

Re: Defining DHCP scope on different subnet than internal interface

Hi,

Add a static route on the firewall so that:

Destination: 172.17.191.0/24

Next hop or gateway: SA/MAG's internal interface IP, or the cluster internal VIP in the case of an A/P cluster

Thanks,

Jay

New Contributor

Re: Defining DHCP scope on different subnet than internal interface

Hi Jay,

Thanks for the suggestion, but unfortunately it doesn't work. The config I'm using looks like this:

Intended pool: 172.17.191.10 - 172.17.191.250

Internal interface SA: 10.0.0.220

Routes on the SA:

0.0.0.0 0.0.0.0 -> 10.0.0.254 (firewall DMZ int)

10.0.0.0 255.255.255.0 -> 0.0.0.0

Both have been put in automatically.

On the Juniper firewall:

172.17.191.0/24 -> 10.0.0.220 (DMZ int)

There are also routes on the firewall in place to all other subnets, as we use it as the central routing device.

Katja

Contributor

Re: Defining DHCP scope on different subnet than internal interface

What's the IP of an "internal resource" you are trying to reach from the client connected with Pulse?

Have you looked at your firewall ACLs to make sure you are allowing traffic appropriately in/out of the DMZ zone to the zone that has those "internal resources"?

Super Contributor

Re: Defining DHCP scope on different subnet than internal interface

Hi Katja,

The configuration looks correct. What does a tracert output look like when connected via VPN to an internal resource?

Regards,

Jay

New Contributor

Re: Defining DHCP scope on different subnet than internal interface

The tracert ends at the VPN tunnel server IP. After that, nothing. When my client is on the DMZ subnet I can ping the firewall, and clients inside our LAN can also ping the firewall. So this should be possible in general.

Super Contributor

Re: Defining DHCP scope on different subnet than internal interface

Yes, this is possible.

Looks like the return route to the NC client IP is the issue.

Could you take a TCP dump on the SA/MAG internal interface when pinging an internal resource? Mention the resource IP and NC client IP.

Thanks,

Jay

New Contributor

Re: Defining DHCP scope on different subnet than internal interface

OK. Issue solved. Since my intended IP range is different from the network segment the MAG is in, I needed to put a source NAT in place on the firewall. So the clients are "hiding" behind the DMZ interface on the firewall, and the firewall maps packets back to their original IP.
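The two approaches discussed in this thread, Jay's return route for the pool pointing at the SA's internal interface and Katja's source NAT fix, modelled side by side as an added example. This is not code from the thread, from Pulse Secure or from Juniper: the firewall is modelled as a plain longest-prefix-match forwarding table and the NAT as a stateful session table. The pool, SA and firewall addresses are the ones from the thread; the internal LAN 192.168.50.0/24, the server 192.168.50.20, the interface names and the port numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses as given in the thread.
SA_INTERNAL = ipaddress.ip_address("10.0.0.220")   # SA/MAG internal interface
FW_DMZ = ipaddress.ip_address("10.0.0.254")        # firewall DMZ interface
DMZ_NET = ipaddress.ip_network("10.0.0.0/24")
POOL = ipaddress.ip_network("172.17.191.0/24")     # Pulse client pool
CLIENT = ipaddress.ip_address("172.17.191.10")     # first address of the pool
# Constructed for this example (not in the thread): an internal LAN and a server on it.
LAN_NET = ipaddress.ip_network("192.168.50.0/24")
SERVER = ipaddress.ip_address("192.168.50.20")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str


class Router:
    """Forwarding table with longest-prefix-match lookup."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add(self, prefix, next_hop, iface: str) -> None:
        hop = ipaddress.ip_address(next_hop) if next_hop is not None else None
        self.routes.append(Route(ipaddress.ip_network(prefix), hop, iface))

    def lookup(self, dst) -> Optional[Route]:
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def build_firewall(with_pool_route: bool) -> Router:
    fw = Router("netscreen")
    fw.add(DMZ_NET, None, "dmz")   # connected: the SA sits here
    fw.add(LAN_NET, None, "lan")   # connected: the internal resources
    if with_pool_route:
        # Jay's suggestion: a return route for the pool pointing at the SA
        fw.add(POOL, SA_INTERNAL, "dmz")
    return fw


def reply_next_hop(with_pool_route: bool) -> Optional[Tuple[str, str]]:
    """Where the firewall forwards a server reply addressed to the VPN client.
    Without the pool route the firewall has no entry for 172.17.191.0/24, so
    the reply is dropped (or, with a default route, sent towards the internet)."""
    r = build_firewall(with_pool_route).lookup(CLIENT)
    return None if r is None else (str(r.next_hop), r.iface)


class SourceNat:
    """Policy source NAT as a stateful session table: the client address is
    hidden behind a firewall-owned address, and each entry remembers the
    ingress interface and neighbour so the reply retraces the session instead
    of needing a forwarding entry for the pool."""

    def __init__(self, hide_behind) -> None:
        self.hide = ipaddress.ip_address(hide_behind)
        self.sessions: Dict[Tuple[ipaddress.IPv4Address, int], dict] = {}
        self._next_port = 40000  # arbitrary start of the translated port range

    def outbound(self, src, sport: int, dst, dport: int, in_iface: str, prev_hop):
        tport = self._next_port
        self._next_port += 1
        self.sessions[(self.hide, tport)] = {
            "orig_src": ipaddress.ip_address(src), "orig_sport": sport,
            "in_iface": in_iface, "prev_hop": ipaddress.ip_address(prev_hop)}
        return (self.hide, tport, ipaddress.ip_address(dst), dport)

    def inbound(self, src, sport: int, dst, dport: int) -> Optional[dict]:
        sess = self.sessions.get((ipaddress.ip_address(dst), dport))
        if sess is None:
            return None  # no matching session: a stateful NAT drops the packet
        return {"dst": sess["orig_src"], "dport": sess["orig_sport"],
                "out_iface": sess["in_iface"], "next_hop": sess["prev_hop"]}


def snat_round_trip() -> dict:
    """Client -> server through the SNAT, then the reply back, as in Katja's fix."""
    nat = SourceNat(FW_DMZ)  # the post hides the clients behind the DMZ interface
    # The client's packet reaches the firewall from the SA on the dmz interface.
    t_src, t_port, _t_dst, _t_dport = nat.outbound(CLIENT, 51000, SERVER, 443, "dmz", SA_INTERNAL)
    # The server answers the translated (firewall-owned) address.
    back = nat.inbound(SERVER, 443, t_src, t_port)
    return {"server_sees": str(t_src), "delivered_to": str(back["dst"]),
            "client_port": back["dport"], "via": (back["out_iface"], str(back["next_hop"]))}


if __name__ == "__main__":
    print("reply without pool route:", reply_next_hop(False))
    print("reply with pool route:   ", reply_next_hop(True))
    print("SNAT round trip:         ", snat_round_trip())
```

With only the return route, the server's reply is still addressed to a pool address and the firewall must route it back to the SA; with the source NAT, the server only ever sees a firewall address and the reply is matched to its session, which is why the pool network no longer has to be routable anywhere behind the firewall.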

Super Contributor

Re: Defining DHCP scope on different subnet than internal interface

Glad to know the issue is solved.

Regards,

Jay