Screen OS

  • 1.  Help - 5GT - Port management and IP Zones !?

    Posted 05-11-2013 03:15

    Hi,

    I am an absolute beginner with this Juniper, but it interests me!

    Yesterday I updated to the latest firmware; it is now running 6.2.0r16 🙂

    With the little network that I run I want to configure different IP zones, but I don't understand how to do it.

    Is it possible to get some more information/hints here so that I can take my first steps with my 5GT?

    I have also made a little picture to explain my idea.

    (My English is not the best, but with a picture I can give more information about my question.)

    Thanks, and best regards

    Mauri



  • 2.  RE: Help - 5GT - Port management and IP Zones !?
    Best Answer

    Posted 05-11-2013 05:58

    Hi Mauri,

     

    The zones are used to control traffic to and from parts of the network. In your case you would probably need untrust for the internet and trust for your devices. When the 5GT is in trust-untrust mode (the default), the first port is called "untrust" and the other ports are bridged together in the trust interface.

    I noticed you placed the Unix host in a different subnet. If this is what you want, you need to give the trust interface a secondary IP address in the same subnet as the host. I think it would be easier to give all your devices an IP address in the 192.168.1.0/24 subnet, since there aren't many devices.

    If you don't run any server you just need a policy from trust to untrust allowing the services you need. The default is to allow everything from trust to untrust and nothing from untrust to trust.



  • 3.  RE: Help - 5GT - Port management and IP Zones !?

    Posted 05-12-2013 05:20

    Hello Screenie,

    Thanks for your help; I think you have helped me, yes!

    I was thinking of putting my Unix host in a separate IP range, because it runs an Apache, and this needs to be reachable from outside. I also played with the idea of defining some IPs in a range other than the internal one, but they need to be reachable from both sides.

    - I also have a problem understanding the 4 ports: if I define one/two static addresses, on which port no. 1-4 are they configured? (Are they all equal?)

    Is there also a manual covering the whole range of configuration possibilities that exist?

    There are many points on this router that I don't directly understand, for example MIP, DIP, VIP, Secondary IP, IGMP, IRDP.

    I would like to thank you for your first answer; for me it was a big help!

    Best regards from rainy Switzerland

    Mauri



  • 4.  RE: Help - 5GT - Port management and IP Zones !?

    Posted 05-15-2013 11:10

    You can use one range on the inside and use address translation from outside to inside. For the NATting there are two easy ways (VIP/MIP) and a difficult way (destination NAT in the policy). Let's focus on the first two.

    A VIP is a one-way translation from untrust to trust. You can define a VIP (on the untrust interface) on the interface address or on a separate address. After that you configure a service on the VIP. This service you map to a trusted address. It's like port forwarding works on many cheap routers. Just translating the address doesn't allow the traffic; you need to configure a policy as well. From untrust to trust, any, VIP(IP_address_of_the_VIP), HTTP, for example: any being the source, VIP(IP) the destination, HTTP the service.

    Address translation only occurs from untrust to trust, not the other way around. So when the host starts a session the default NATting is used: the source is translated to the IP of the untrust interface.

    The MIP, on the other hand, always gets an IP address other than the interface address. It's a one-to-one mapping. All traffic directed to the MIP is translated to the host address you configured for the MIP. You also configure it on the untrust interface. Again you need a policy, but the destination is now MIP(IP_OF_MIP) instead of VIP. The big difference is that when the host initiates a session the source address will be translated to the MIP address, not the interface IP. This is very useful when you want an SMTP server running on an address other than the interface IP address.

    VIP: unidirectional NATting

    MIP: bidirectional NATting

    You can find a lot of configuration examples here: http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/ce_v8.pdf 

    Hope this helps a little more. I've been rather busy, so you had to wait a while for my reply, sorry.
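The two answers above (the trust/untrust split with an optional secondary trust address, and the VIP/MIP translations with the policies they need) written out as ScreenOS CLI commands. This is an added example for this page, not configuration posted in the thread or published by Juniper. It assumes a 5GT in Trust-Untrust mode, a hypothetical untrust address 203.0.113.2/24 with gateway 203.0.113.1, a spare public address 203.0.113.11 routed to the firewall for the MIP, 192.168.1.0/24 on the inside, an Apache host at 192.168.1.10 and a mail host at 192.168.1.20. Lines starting with # are annotations for the reader and are not ScreenOS commands.

```screenos
# Added example, not from the thread. All addresses are assumptions:
#   203.0.113.2/24  untrust (ISP-facing) interface, next hop 203.0.113.1
#   203.0.113.11    spare public address, routed to the firewall, used for the MIP
#   192.168.1.0/24  trust LAN; 192.168.1.10 = Unix/Apache host, 192.168.1.20 = mail host

# Trust-Untrust mode: one port is "untrust", the remaining ports are bridged as "trust".
set interface untrust ip 203.0.113.2/24
set route 0.0.0.0/0 interface untrust gateway 203.0.113.1
set interface trust ip 192.168.1.1/24
# Trust in NAT mode (the 5GT default): outbound sources become the untrust interface IP.
set interface trust nat
# Only if one host must stay in a second inside subnet (second post): add a secondary address.
set interface trust ip 192.168.2.1/24 secondary

# VIP: ports 80 and 443 on the untrust interface address are forwarded to the Apache host.
# Inbound only; when 192.168.1.10 connects out, its source is still 203.0.113.2.
set interface untrust vip interface-ip 80 "HTTP" 192.168.1.10
set interface untrust vip interface-ip + 443 "HTTPS" 192.168.1.10

# MIP: one-to-one mapping of the spare public address to the mail host, in both directions.
set interface untrust mip 203.0.113.11 host 192.168.1.20 netmask 255.255.255.255 vr trust-vr

# Translation alone passes no traffic; the policies are what permit it.
# Default outbound policy on a 5GT (narrow "any" to the services you actually use).
set policy from trust to untrust any any any permit
# Inbound to the VIP: source any, destination VIP(interface IP), only the mapped services.
set policy from untrust to trust any "VIP(203.0.113.2)" "HTTP" permit
set policy from untrust to trust any "VIP(203.0.113.2)" "HTTPS" permit
# Inbound to the MIP: only SMTP (predefined service MAIL, TCP/25), never "any".
set policy from untrust to trust any "MIP(203.0.113.11)" "MAIL" permit

# Check what was created, then write the configuration to flash.
get vip
get mip
get policy
save
```

ScreenOS applies each set command immediately but forgets it on reboot unless save is run. The policies are deliberately limited to the services that are mapped: a VIP or MIP with a policy of "any" would expose every port on the inside host that the translation reaches, which for a MIP is all of them.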