Screen OS

  • 1.  Configuring MIP

    Posted 03-02-2015 09:32

    Hi,


    I have multiple SSG5s connecting back with a route-based VPN tunnel to my SSG320.  All my different sites are currently using 10.253.x.x networks for their internal devices.  I will be connecting a few more sites, but these sites are using a range of 172.168.x.x networks for their internal devices.  Because I want to keep a standard and use 10.253.x.x networks for all sites connecting back to my SSG320, can I use MIP to translate 172.168.x.x to 10.253.x.x from the SSG5 at their location? Is there a document I can use so I can follow “best practices” to configure MIP?


    Thanks.



  • 2.  RE: Configuring MIP

    Posted 03-02-2015 10:02

    You can use a MIP to do the translation.  You would need to place the MIP on either the tunnel interface or a loopback interface.


    I would recommend looking at the C&E chapters for NAT and VPNs. 


    https://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf

    https://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_AddressTranslation.pdf



  • 3.  RE: Configuring MIP

    Posted 03-03-2015 13:38

    Hi,


    Thanks for your reply!


    I created the mip on the SSG5, and I can now ping the devices on the tunnel from the SSG5 to the SSG320.  But I can't ping from the other end of the tunnel, from the SSG320 to the SSG5.  Do I need to create the mip on the SSG320 also?



  • 4.  RE: Configuring MIP

    Posted 03-03-2015 20:56

    Hi,


    It is not necessary to have a MIP on the 320. It might be a routing issue.


    Do you have a route on the 320 for the new 10.253.x.x network? If you check 'get route ip 10.253.x.x' for the MIP subnet on the 320, does it point to the right tunnel interface?


    If you can share the related config from both firewalls, that would help.



  • 5.  RE: Configuring MIP

    Posted 03-04-2015 04:05

    To confirm that the routing/policies were good, I removed the mip from the SSG5 and then configured the SSG5 on the 10.253.x.x network. Then the SSG320 can ping devices on the SSG5, and the 320 can ping the devices on the SSG5.


    But when I configure the SSG5 back on the old network and add the mip, the devices on the SSG5 can ping devices on the 320, but the devices on the 320 cannot ping the devices on the SSG5.




  • 6.  RE: Configuring MIP

    Posted 03-05-2015 21:42

    Ok, the routing should be good then.


    How about policy on the SSG-5 side? Do you have a policy that says ==> From SSG-320 subnet, To 'MIP', Permit?


    This policy is necessary to trigger the MIP and allow traffic on the SSG5. There is no need for a MIP policy for traffic initiated from SSG-5, so it might be working fine.



  • 7.  RE: Configuring MIP

    Posted 03-06-2015 07:03

    Hi,


    I did not have a policy from untrust (SSG320 subnet) to trust on the SSG5 for the MIP.  I added the policy, and it's still not working.




  • 8.  RE: Configuring MIP

    Posted 03-09-2015 00:56

    OK, in that case, debugs will help...


    set ff src-ip <IP of test machine in 320 subnet> dst-ip <MIP being tested>

    set ff src-ip <IP of test machine in 320 subnet> dst-ip <Actual IP of test machine in SSG-5 subnet>

    set ff <Reverse of 2 filters above>

    undebug all

    clear db

    debug flow basic

    <<<Test traffic and hit 'ESC' key once test fails>>>

    set console page 0

    get db st


    The last command will print the debug data, which would explain what is happening to the packets. You can also share it here.



  • 9.  RE: Configuring MIP
    Best Answer

    Posted 03-12-2015 10:32

    Hi,

    I just got the MIP to work both ways.

    I had to put the mip I created on the SSG5 in the trust-vr (instead of the untrust-vr) and then created a policy on the SSG5 (untrust to trust) with the mip.

    Everything is now working.
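As an added illustration of the working setup described in this last post (example configuration written for this page, not taken from the thread or from Juniper documentation): a ScreenOS CLI sketch of a net-to-net MIP on the remote SSG5, placed in trust-vr, with the untrust-to-trust policy that triggers it, plus the matching route and policies on the SSG320. The addresses (172.168.10.0/24 real, 10.253.10.0/24 MIP, 10.253.1.0/24 hub LAN), the interface name tunnel.1 bound to the untrust zone on both boxes, and the auto-generated MIP address-object name are assumptions; lines starting with # are annotations for the reader, not ScreenOS commands.

```screenos
# --- Remote SSG5 (site still addressed 172.168.10.0/24) ---
# Net-to-net MIP on the tunnel interface: inbound traffic to 10.253.10.0/24
# is translated to 172.168.10.0/24. "vr trust-vr" is the detail that fixed
# the one-way problem in this thread; with the MIP in untrust-vr, traffic
# from the hub never reached the hosts behind the SSG5.
set interface tunnel.1 mip 10.253.10.0 host 172.168.10.0 netmask 255.255.255.0 vr trust-vr

# Address object for the hub LAN (assumed 10.253.1.0/24), used in the inbound policy.
set address untrust "hub-lan" 10.253.1.0 255.255.255.0

# Inbound policy from the hub side to the MIP. This policy is what triggers
# the MIP; without it only SSG5-initiated traffic works, as seen in posts 5-7.
# ScreenOS creates the address object for a subnet MIP itself; the name
# "MIP(10.253.10.0/24)" is assumed, confirm it with 'get address untrust'.
set policy from untrust to trust "hub-lan" "MIP(10.253.10.0/24)" any permit

# Outbound traffic from the 172.168.10.0/24 hosts needs only the ordinary
# trust-to-untrust policy; the MIP rewrites the source to 10.253.10.x on the way out.
set policy from trust to untrust any any any permit

# --- Hub SSG320 ---
# Route the MIP subnet (never the real 172.168 subnet) into the tunnel, and
# verify with 'get route ip 10.253.10.10' that the lookup resolves to tunnel.1.
set route 10.253.10.0/24 interface tunnel.1
set address untrust "site-b-mip" 10.253.10.0 255.255.255.0
set policy from trust to untrust any "site-b-mip" any permit
set policy from untrust to trust "site-b-mip" any any permit
```

Any host on the hub side addresses the remote site only by its 10.253.10.x MIP address; the 172.168.10.x addresses never appear in the hub's routing table or policies.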