ScreenOS Firewalls (NOT SRX)
Contributor
viks_a
Posts: 48
Registered: ‎05-07-2011
Accepted Solution

MIP on loopback interface

Setup : MIP on loopback interface ( VPN Zone ) and clients on Untrust interface ( Untrust Zone ) - all in trust-vr

Hi,

With the setup mentioned above, would it be possible for clients on the untrust interface to connect to MIPs configured on the loopback interface? There are no members for this loopback interface.

Thanks,

Viks

Super Contributor
jcollazo
Posts: 96
Registered: ‎05-19-2009

Re: MIP on loopback interface

Based on the question, you would need a route in trust-vr that points the IP of the MIP to the loopback interface. Then add a permit policy from the Untrust zone to the VPN zone, source whatever, destination the MIP.

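As an added illustration (not posted by either participant), here is a ScreenOS CLI fragment that carries out the route-plus-policy answer above, with the optional loopback-group line matching the ARP case discussed later in the thread. Zone name VPN, interfaces loopback.1 and ethernet0/1, and all addresses are assumed placeholders; lines beginning with ## are reader annotations, not CLI input.

```screenos
## Constructed example: the loopback in the VPN zone holds the MIP,
## clients in the Untrust zone reach it; everything lives in trust-vr.
## 10.10.10.0/24, 203.0.113.0/24 and 192.168.1.5 are placeholder addresses.

## Loopback interface that carries the MIP, placed in the VPN zone
set zone name VPN
set interface loopback.1 zone VPN
set interface loopback.1 ip 10.10.10.1/24

## Untrust-facing interface where the clients sit
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 203.0.113.1/24

## MIP: 10.10.10.5 on the loopback maps one-to-one to internal host 192.168.1.5
set interface loopback.1 mip 10.10.10.5 host 192.168.1.5 netmask 255.255.255.255 vr trust-vr

## Route in trust-vr so packets for the MIP address are delivered to the loopback
set route 10.10.10.5/32 interface loopback.1

## Permit policy from the clients' zone to the MIP's zone, destination = the MIP
set policy from Untrust to VPN any MIP(10.10.10.5) any permit

## Only needed when the Untrust segment expects the firewall to answer ARP
## for the MIP itself (i.e. no upstream router routes 10.10.10.5 to the firewall):
## set interface ethernet0/1 loopback-group loopback.1

## Verification: route lookup, MIP table and the policy just added
get route ip 10.10.10.5
get mip
get policy from Untrust to VPN
```

The `get route ip` lookup should resolve 10.10.10.5 to loopback.1; if it resolves elsewhere, the static route is missing or shadowed and the policy will never match.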

Contributor
viks_a
Posts: 48
Registered: ‎05-07-2011

Re: MIP on loopback interface


Cool, I thought that the request to a MIP should come from the same zone. At least that's what is mentioned in most of the NetScreen books.

Your answer has cleared my doubt.

By the way, the loopback interface network is showing up as a connected network in the trust-vr, which is the only vr on the box.

Super Contributor
jcollazo
Posts: 96
Registered: ‎05-19-2009

Re: MIP on loopback interface

It depends on what you are doing and how the MIP traffic gets to the firewall.

The convention is correct if you are expecting the MIP to respond to ARP requests that are originating from the network side connected to an Untrust interface that is part of the Untrust zone. If that is the case, the MIP needs to be on that Untrust interface, OR that Untrust interface needs to be a member of the loopback group that has the MIP (also the zones need to match). However, those solutions are not needed if you are already routing the MIP traffic to the firewall via entries on an upstream router.


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.