Screen OS

  • 1.  Can I map two different public IPs to one internal host (bi-directional) using MIP?

    Posted 12-07-2010 08:20

    Hi all,

    I have an SSG 550M with firmware 6.2.0.

    My requirement is to translate my server in the dmz zone to two different public IP addresses in the untrust zone.

    The public IP addresses are in a different subnet than my untrust interface IP address.

    So if customer A wants to access my DMZ server from the internet, they point to public IP address a.a.a.a.

    If customer B wants to access my DMZ server from the internet, they point to public IP address b.b.b.b.

    I understand that I can use policy-based dst NAT for this scenario, but the thing is I also need to establish bi-directional traffic from my DMZ server to the customer (outbound and inbound).

    Is it possible to create two different MIPs on the untrust interface & tie them to the same host?

    Will the NAT work if I do it that way?

    Thanks!



  • 2.  RE: Can I map two different public IPs to one internal host (bi-directional) using MIP?

    Posted 12-07-2010 09:18

    What about setting 2 internal IPs on that server under TCP/IP properties. Say 10.10.10.1 and 10.10.10.2. Then just create a MIP for each IP.



  • 3.  RE: Can I map two different public IPs to one internal host (bi-directional) using MIP?

    Posted 12-07-2010 12:31

    Have you considered using VIPs?

    So, each customer will connect to the external IP on a different port, but connect to the same server.

    Jude



  • 4.  RE: Can I map two different public IPs to one internal host (bi-directional) using MIP?

    Posted 12-07-2010 17:58

    @ SaffaJay

    Thanks for the reply.

    But I think VIP won't fulfill my requirement, because when the customer initiates a connection to my server, it uses a specific TCP port. My server needs to listen on a specific TCP port.

    CMIIW, but VIP means I'll be using two different TCP ports, right?

    @ TheCleaner

    Yeah, I think your suggestion will work.

    But when I used a Cisco firewall, I was able to do this without setting a secondary IP on my server.

    Just want to know whether Juniper can also do this.

    Thanks for your reply!




  • 5.  RE: Can I map two different public IPs to one internal host (bi-directional) using MIP?
    Best Answer

    Posted 12-07-2010 23:45

    Hi,

    Policy-based NAT is exactly what you need. Using MIPs/VIPs you will not be able to meet all your requirements. I would suggest the following scenario:

    1. Configure two DIP pools, each containing a single IP: a.a.a.a and b.b.b.b. As both IPs do not belong to the interface net, the option "extended IP" should be used for their creation.

    2. Configure two routes for these IPs through the dmz interface. The gateway field can be left blank.

    3. Create two address objects a.a.a.a and b.b.b.b in the dmz zone.

    4. Inbound Untrust-to-dmz policies can be configured in this manner:

         Customer A --> a.a.a.a, dst-NAT to the private IP

         Customer B --> b.b.b.b, dst-NAT to the same private IP

         Any --> a.a.a.a & b.b.b.b, deny

    5. Outbound policies dmz-to-Untrust:

         Server --> Customer A, src-NAT to the first DIP

         Server --> Customer B, src-NAT to the second DIP

         Server --> Any, src-NAT to Untrust interface IP.

    Hopefully this will work for you.


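The five steps of the answer above, written out as ScreenOS CLI commands. This is an added illustration, not configuration posted in the thread; the `#` lines are explanatory notes rather than CLI input, and the interface names (ethernet0/1 as dmz, ethernet0/2 as untrust), DIP ids 5 and 6, the spare extended-interface addresses a.a.a.X and b.b.b.X with a /24 mask, the server's private IP 10.1.1.10 and the two customer prefixes are all assumed placeholders.

```text
# Step 1: one extended-IP DIP pool per public address on the untrust interface.
# "ext ip" is required because a.a.a.a / b.b.b.b are not in the interface's own subnet.
# a.a.a.X and b.b.b.X are spare addresses from each public block (assumed), and the
# 255.255.255.0 mask is an assumption; each pool holds exactly one address.
set interface ethernet0/2 ext ip a.a.a.X 255.255.255.0 dip 5 a.a.a.a a.a.a.a
set interface ethernet0/2 ext ip b.b.b.X 255.255.255.0 dip 6 b.b.b.b b.b.b.b

# Step 2: host routes for both public IPs through the dmz interface, no gateway,
# so the firewall treats them as reachable in the dmz zone.
set route a.a.a.a/32 interface ethernet0/1
set route b.b.b.b/32 interface ethernet0/1

# Step 3: address objects in the dmz zone for the public IPs and the real server,
# plus the two customer sources in untrust (198.51.100.0/24 and 203.0.113.0/24 are
# constructed documentation prefixes; 10.1.1.10 is a placeholder private IP).
set address dmz "pub-a" a.a.a.a 255.255.255.255
set address dmz "pub-b" b.b.b.b 255.255.255.255
set address dmz "server" 10.1.1.10 255.255.255.255
set address untrust "customer-a" 198.51.100.0 255.255.255.0
set address untrust "customer-b" 203.0.113.0 255.255.255.0

# Step 4: inbound untrust-to-dmz. Each customer reaches "its" public IP and is
# dst-NATed to the same private host; anyone else hitting either public IP is denied.
# Policies are evaluated top-down, so the deny rules must come after the permits.
# "any" service is used here for brevity; restrict it to the server's actual port.
set policy from untrust to dmz "customer-a" "pub-a" any nat dst ip 10.1.1.10 permit
set policy from untrust to dmz "customer-b" "pub-b" any nat dst ip 10.1.1.10 permit
set policy from untrust to dmz any "pub-a" any deny
set policy from untrust to dmz any "pub-b" any deny

# Step 5: outbound dmz-to-untrust. Traffic to each customer is src-NATed to the
# matching DIP so the customer sees the same public IP in both directions;
# everything else leaves with the untrust interface IP ("nat src" with no dip-id).
set policy from dmz to untrust "server" "customer-a" any nat src dip-id 5 permit
set policy from dmz to untrust "server" "customer-b" any nat src dip-id 6 permit
set policy from dmz to untrust "server" any any nat src permit
```

Because both the inbound dst-NAT and the outbound src-NAT are policy-based, a.a.a.a and b.b.b.b never have to be assigned to the server itself, which is the difference from the MIP approach.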

  • 6.  RE: Can I map two different public IPs to one internal host (bi-directional) using MIP?

    Posted 12-08-2010 10:08

    Hi Edouard,

    Thanks very much for your help. I never knew that it's possible to combine dst-NAT and source-NAT together.