04-06-2011 09:05 AM - edited 04-06-2011 09:07 AM
I hit your post because I'm having a horrible time with policy based dst-nat and proxy arp. I need this type of setup because I have many IPs and need to leverage ALG for SIP, but after reading your initial post I think you're sniffing down the wrong path with proxy ARP or MIP for that matter.
Everyone howls when they see someone suggest VIP, but it just magically works. Here are the steps in the GUI to setup simple "port forwarding" like you'd expect it to work. I use the GUI mostly, which can be buggy, but it's always worked fine for me.
From scratch config:
- Ensure the trust interface is setup in NAT, not ROUTE configuration. This is the default, but some people change it immediately. This keeps your trust interface set up as Interface NAT, not policy NAT.
- Assign a public IP to the untrust interface using the proper subnet mask
- Setup a default route (0.0.0.0/0) through the physical untrust interface to the proper upstream gateway IP
- Create a VIP (Interfaces/List/Edit/VIP) that is "Same as the interface IP address" - Do this first before adding any other public IPs from your subnet.
- Once the VIPs have been created, create VIP services using the New VIP Service button. This is where you setup the service ports and target IP address. The target can be in the trust or dmz zone.
- Once you create your VIPs and VIP services, add simple policies from Untrust to Trust from ANY to VIP (the VIP addresses will be listed in the drop-down, prefixed with VIP) with traffic/service of ANY. No need to go to the advanced section, the policy is not there to determine traffic type, just allow traffic to move across zones for the VIPs. The VIP Services you've created will determine what traffic for what ports are allowed to move through the router.
- If you have VIP service targets in the dmz zone, you may have to set up a simple policy that allows ANY traffic from Trust to DMZ. You will also have to set up a policy to allow traffic from DMZ to Untrust, but this one will have to be source-natted, so click the Advanced button and check the Source Translation box with None-Use Egress Port as the DIP setting.
Hope that made sense. This has always worked for me for simple remote access setups. There are limitations to the number of VIPs you can setup and the number of VIP services you can setup, but I've rarely had a problem hitting those limits.
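The same steps as ScreenOS CLI commands, added here as an illustration rather than taken from the post above; the interface names (ethernet0/0 untrust, bgroup0 trust, ethernet0/2 dmz), the addresses, and the exact command forms are assumptions from the ScreenOS CLI reference and should be checked against your own device's `get interface` output before use.

```text
# Step 1: trust interface stays in interface-NAT mode (the default)
set interface bgroup0 zone trust
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat

# Step 2: public IP on the untrust interface with the correct mask
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.10/29

# Step 3: default route out the physical untrust interface to the upstream gateway
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.9

# Step 4/5: VIP on the interface IP, then one VIP service per forwarded port.
# The VIP services are what bound the exposed ports; only ports listed here are reachable.
set interface ethernet0/0 vip interface-ip 80 HTTP 192.168.1.20
set interface ethernet0/0 vip interface-ip + 443 HTTPS 192.168.1.20
# SIP target living in the DMZ zone (ALG handles the media ports)
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 172.16.0.1/24
set interface ethernet0/0 vip interface-ip + 5060 SIP 172.16.0.5

# Step 6: zone-crossing policy, service ANY, because the VIP service list does the filtering
set policy from untrust to trust any "VIP(ethernet0/0)" any permit

# Step 7: DMZ targets need Trust->DMZ and a source-NATted DMZ->Untrust policy
set policy from trust to dmz any any any permit
set policy from dmz to untrust any any any nat src permit
```

Run `get vip` and `get policy` afterwards to confirm that only the intended ports appear in the VIP service table and that the DMZ-to-Untrust policy shows source NAT on the egress interface.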