Screen OS

  • 1.  Can a MIP host also be configured with NAT-DST with port mapping?

    Posted 01-04-2010 15:24

    Using an ISG-1000 cluster with IDP:

    Networks involved:
    untrust network (209.194.180.187/29) on aggregate1.16 (in Route mode)
    trust network (10.1.32.1/20) on aggregate1.2 (in Route mode)

    Hosts involved:
    Client on the Internet
    MIP entry on aggregate1.16 for a public IP which maps to a host (10.1.32.13), which is on the trust network.

    Current rule:
    I have a global firewall rule that allows traffic from any network to my MIP-mapped host for a published service (NNTP @ TCP 119). This is working great.

    Problem:
    I need to create a NAT-DST with port mapping rule to redirect an incoming request to the public IP of that host (at dst port 143), and redirect it to the MIP host at a different port (port 119). Every rule combination I have tried so far has failed to allow connectivity. I am attempting to build these rules through NSM and not directly on the box if possible.

    I am a bit of a noob at ScreenOS debug, so if you need more info please be detailed in how to get what you need. Public IP on untrust was purposely changed to protect the innocent. 😉



  • 2.  RE: Can a MIP host also be configured with NAT-DST with port mapping?

    Posted 01-04-2010 15:34

    I can hear people wondering: Why would you do this?

    We offer a private NNTP service to our clients. We find a lot of ISPs and corporate firewalls that block NNTP because they figure it is just Usenet junk. We use normal ports for NNTP for everyone that supports it, but if their network blocks it we can often make it work by connecting on a non-standard port (which is not blocked), which is then just redirected to the actual port.

    For this, we commonly use POP3 or SMTP ports (or the TLS versions of those). Curiosity averted. 😉



  • 3.  RE: Can a MIP host also be configured with NAT-DST with port mapping?
    Best Answer

    Posted 01-06-2010 07:37

    So I tried a bunch of different ways to make this work, but in the end I simply ditched the MIP entry and configured a series of NAT-DST rules that accomplished the task. It is a little unfortunate, because what took one global rule before takes 12 rules to accomplish now (due to all the zones that need access to this published service), but I only have to do it with this one server so it will be OK.

    Basic steps (after removing all MIP config):

    • Created Address List entry for the public IP of the host on the trust network.
    • Created routing entry for the public IP of the host pointing to the trust interface.
    • Created a firewall rule allowing access from the untrust zone to the trust zone at the new address list entry, with NAT-DST changing the destination IP to the internal IP of the host and the port to 119.
    • Repeated the firewall rule for any source zones that need access (the trust-to-trust rule also needed SRC-NAT to allow access to the public IP from the same subnet).

    I just wanted to leave here what worked for me in case it helps someone else. I was not able to have both a global MIP rule/entry and a separate NAT-DST rule pointed at the MIP entry.
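The four steps from the accepted answer, written out as ScreenOS CLI `set` commands so the address, route and policy pieces can be seen together. This is an added example, not configuration from the thread (the author built the rules in NSM, and the thread never shows the host's public address). It assumes a public IP of 209.194.180.188 inside the stated untrust /29, the private host 10.1.32.13 and trust interface aggregate1.2 from the thread, and the predefined services IMAP (TCP 143) and NNTP (TCP 119). Lines beginning with `#` are annotations for the reader, not CLI input.

```screenos
# Assumed values (constructed for this example, not from the thread):
#   host public IP   209.194.180.188   (in the 209.194.180.184/29 untrust block)
#   host private IP  10.1.32.13        (trust, as stated in the thread)
#   trust interface  aggregate1.2      (as stated in the thread)

# Step 1: address-book entry for the PUBLIC IP, created in the trust zone
# (the zone of the real host) so policies can name it as a destination.
set address trust "nntp-public" 209.194.180.188 255.255.255.255

# Step 2: host route for the public IP via the trust interface, so the
# untranslated destination is looked up into the trust zone before NAT-DST runs.
set route 209.194.180.188/32 interface aggregate1.2

# Step 3: untrust -> trust policy. Clients connect to the public IP on TCP 143;
# NAT-DST rewrites the destination to 10.1.32.13 port 119.
set policy from untrust to trust any "nntp-public" "IMAP" nat dst ip 10.1.32.13 port 119 permit

# Step 4: one policy per source zone that needs the service. The trust -> trust
# case also needs source NAT (egress interface IP) so the server's replies return
# through the firewall instead of going straight back to a client on its own subnet.
set policy from trust to trust any "nntp-public" "IMAP" nat src dst ip 10.1.32.13 port 119 permit

# With the MIP removed, the original direct NNTP access is now a plain NAT-DST
# policy to the same public address (no port change needed):
set policy from untrust to trust any "nntp-public" "NNTP" nat dst ip 10.1.32.13 permit

# Verification after a test connection to 209.194.180.188:143 from outside:
#   get policy from untrust to trust      (policies present, hit counters increasing)
#   get session dst-ip 10.1.32.13         (session shows the translated port 119)
```

The order matters for troubleshooting: if the route in step 2 is missing, the destination zone lookup for the public IP falls back to the untrust default route, and no untrust-to-trust policy will ever match, which is the symptom of "every rule combination fails" regardless of how the policy itself is written.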