Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  MIP on one of the trust network IP device for DMZ access

    Posted 11-05-2016 07:08

    Hello,

    It's a SG140 FW. I have a device in the trust network which I want to be seen by a DMZ device by using MIP 1 to 1. I don't want to use any routing between the DMZ and trust network. Any way to do it? Example of IPs below.

    0/0 Trust Network = 192.168.1.254 

    0/1 DMZ network = 10.1.1.254

    Actual trust network IP device=192.168.1.10. I want to map this IP to 10.1.1.250, so my device in the DMZ can ping 10.1.1.250, which refers to the 192.168.1.10 host.

    Appreciate any advice.



  • 2.  RE: MIP on one of the trust network IP device for DMZ access

    Posted 11-06-2016 05:08

    I don't see why this would not work.  A little unusual application, but the feature seems to apply.

     

    Create the MIP on the DMZ interface

    Create the policy from "any" address or the specific ones you want in the DMZ to the MIP object destination in the Trust zone



  • 3.  RE: MIP on one of the trust network IP device for DMZ access

    Posted 11-07-2016 04:46

    Thanks for your feedback.

    Yes, it's a special request for this to work in such a way.

    I did what you mentioned: on the DMZ interface I created the MIP as below

    MAPPED IP is 10.1.1.250

    Host IP is = 192.168.1.10

    MASK = 255.255.255.255

    On the policy level, just for testing purposes, I allow "ANY ANY" from DMZ to TRUST & TRUST to DMZ "ANY ANY".

    I am still NOT able to ping the 10.1.1.250 NATTED IP from my DMZ network.

    In contrast, and weirdly:

    I created MIP on Trust interface

    MAPPED IP is 10.1.1.250

    Host IP is = 192.168.1.10

    MASK = 255.255.255.255

    Policy level same for testing purposes "ANY ANY" from DMZ to TRUST & TRUST to DMZ "ANY ANY".

    I CAN ping the 10.1.1.250 NATTED IP from the TRUST network.

    BTW my DMZ interface is in routed mode & my TRUST interface is in NAT mode, not sure if it makes any difference.



  • 4.  RE: MIP on one of the trust network IP device for DMZ access

    Posted 11-07-2016 14:26

    You have to use the MIP object on the Trust side of the policy to be sure to invoke the translation, not the "any" object.



  • 5.  RE: MIP on one of the trust network IP device for DMZ access

    Posted 11-08-2016 01:14

    Hello, thanks for the feedback.

    Tried it, still no luck. Policy as below.

    Trust (source-any)  DMZ(destination-MIP 10.1.1.250) permit.

    DMZ(destination-MIP 10.1.1.250) Trust (source-any) permit.

     



  • 6.  RE: MIP on one of the trust network IP device for DMZ access
    Best Answer

    Posted 11-08-2016 02:31

    Sorry for the confusion, but you have the policy backwards.


    Your policy should be any device in the DMZ zone and your MIP is the server in your Trust zone.



  • 7.  RE: MIP on one of the trust network IP device for DMZ access

    Posted 11-08-2016 05:00

    Sweet child of mine!!!!!!!!!!!!!!!!!! Works!
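
The setup the thread arrives at, written out as ScreenOS CLI. This is an added example, not configuration posted by any participant; it assumes the DMZ interface is ethernet0/1 in a zone named "DMZ", the trust zone is named "Trust", both sit in trust-vr, and PING is the only service needed for the test. Lines starting with # are annotations, not CLI input.

```text
# MIP is defined on the DMZ-facing interface (assumed ethernet0/1, 10.1.1.254),
# as the second post instructs: mapped IP 10.1.1.250 -> host 192.168.1.10.
set interface ethernet0/1 mip 10.1.1.250 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr

# Backwards direction tried in the fifth post (Trust -> DMZ).
# Traffic initiated from the DMZ never matches a Trust -> DMZ policy.
# set policy from "Trust" to "DMZ" "Any" "MIP(10.1.1.250)" "ANY" permit

# Corrected direction from the best answer:
#   from-zone = DMZ (where the clients are)
#   to-zone   = Trust (where the real host 192.168.1.10 lives)
#   source    = Any DMZ address (or specific DMZ address objects)
#   dest      = the MIP object, which is what triggers the translation
#   service   = PING only (assumption: narrowed from ANY for the ping test)
set policy from "DMZ" to "Trust" "Any" "MIP(10.1.1.250)" "PING" permit
```

With this single policy in place, the bidirectional "ANY ANY" test policies from the third post are not needed for the DMZ ping to 10.1.1.250 to succeed.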