ScreenOS Firewalls (NOT SRX)
Contributor
GraffitiKnight
Posts: 11
Registered: ‎08-12-2009
Accepted Solution

MIP on an Untrust Zone Interface

We have a Juniper SSG140 and I'm having a heck of a time trying to get port forwarding working. Specifically trying to get ports 80 and 443 for a publicly accessible web server. Previously I had configured it with MIP with an Untrust to Trust policy. This isn't working. In the guide it says:


set interface ethernet2 mip 1.1.1.5 host 10.1.1.5 netmask 255.255.255.0 vrouter trust-vr
set policy from untrust to trust any mip(1.1.1.5) http permit


When I do this I can see in the logs that traffic is arriving to the server but either isn't getting to the client or is appearing to be from a different IP (we have a range of IPs and the MIP is not mapped to our default untrust IP). I tried adding a Trust to Untrust policy to allow traffic from the internal server out and messed around with NAT-src but it just doesn't seem to work. Any suggestions?

Distinguished Expert
Screenie
Posts: 1,076
Registered: ‎01-10-2008

Re: MIP on an Untrust Zone Interface

Can you run the debug?

set ff dst-ip 1.1.1.5

debug flow basic

clear db

try to connect to the mip

undebug all

get db stream


The debug output should show what's happening. You could post it to let us all help you.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009

Re: MIP on an Untrust Zone Interface

Hi,


The command should be:

set interface ethernet2 mip 1.1.1.5 host 10.1.1.5 netmask 255.255.255.255 vrouter trust-vr

or

set interface ethernet2 mip 1.1.1.5 host 10.1.1.5 vrouter trust-vr

The command you have used maps a C-net to another C-net. But I do not think that you have 256 public IPs. Besides, you need a one-to-one mapping for a pair of a private and a public IP.

Kind regards,
Edouard
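To make the netmask point concrete, here is an added example (not code from the thread or from Juniper) that models how a ScreenOS MIP with a netmask translates destination addresses: the mask selects the address bits that must match the MIP, and the remaining low-order bits are copied onto the host address, so a 255.255.255.0 mask consumes a whole class-C range while 255.255.255.255 maps exactly one address. The model is an assumption built from the documented one-to-one range behaviour; the addresses are the ones from the thread.

```python
import ipaddress


def _to_int(addr: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def mip_translate(mip: str, host: str, netmask: str, dst: str):
    """Assumed model of ScreenOS MIP translation (not Juniper's code).

    Returns the private host address a packet for `dst` would be
    translated to, or None if `dst` is outside the MIP's range.
    The netmask decides how many bits must match the MIP; the low bits
    of `dst` are carried over onto the `host` side one-to-one.
    """
    mip_i, host_i, mask_i, dst_i = (_to_int(a) for a in (mip, host, netmask, dst))
    if (dst_i & mask_i) != (mip_i & mask_i):
        return None  # destination is not covered by this MIP
    low_bits = dst_i & (~mask_i & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address((host_i & mask_i) | low_bits))


def mip_public_range(mip: str, netmask: str) -> str:
    """Public address block that a MIP with this netmask claims, in CIDR form."""
    return str(ipaddress.IPv4Network(f"{mip}/{netmask}", strict=False))


def mip_range_size(netmask: str) -> int:
    """Number of public addresses a MIP with this netmask consumes."""
    prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
    return 2 ** (32 - prefixlen)


if __name__ == "__main__":
    # The two configurations discussed in the thread (constructed demo).
    for mask in ("255.255.255.0", "255.255.255.255"):
        print(f"netmask {mask}: claims {mip_public_range('1.1.1.5', mask)} "
              f"({mip_range_size(mask)} public address(es))")
        for dst in ("1.1.1.5", "1.1.1.6", "1.1.1.200", "1.1.2.5"):
            print(f"  dst {dst:<10} -> {mip_translate('1.1.1.5', '10.1.1.5', mask, dst)}")
```

Running it shows why the 255.255.255.0 form is not what the original poster wanted: every address in 1.1.1.0/24 becomes a public front for a matching 10.1.1.x host, whereas the /32 form maps only 1.1.1.5 to 10.1.1.5 and leaves the rest of the public block untouched.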
Contributor
GraffitiKnight
Posts: 11
Registered: ‎08-12-2009

Re: MIP on an Untrust Zone Interface

[ Edited ]

Thanks for your help. I had forgotten that the server was set with a different gateway than the SSG140. Once I changed that it worked fine. I thought I was going crazy.


EDIT: Also yes I made a typo on the netmask on my post but had 255.255.255.255 as the netmask for the MIP on the SSG.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.