Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  NAT-ing Issue - URGENT

    Posted 02-26-2017 06:14

    Dears,

     

    I would appreciate your help with the case below, as I couldn't find a solution yet.

     

    Trust - 192.168.1.1

    Untrust - x.x.x.34

                - x.x.x.35

     

    I want to do NAT for the private IP address with the two public IP addresses. My issue here is that whenever the traffic goes from 192.168.1.1 to the internet, it takes x.x.x.35 as its public IP, while I need to enforce it to have x.x.x.35 when going outside the network.

     

    I have configured two MIP entries for this and it's working; I only need to enforce it to go out using x.x.x.34.

     

    Thanks in advance.



  • 2.  RE: NAT-ing Issue - URGENT

    Posted 02-26-2017 13:46

    I'm not sure I understand all the requirements here.  But I'm pretty sure you do not want MIP as the method.

     

    You want outbound traffic from 192.168.1.1 to source nat to x.x.x.34

     

    You want inbound traffic to x.x.x.35 to destination nat to 192.168.1.1

     

    If this is correct, you want to use a DIP with a policy for the outbound traffic, and you can use policy destination NAT on the advanced tab for the inbound traffic.



  • 3.  RE: NAT-ing Issue - URGENT

    Posted 02-27-2017 00:13

    Thanks, dear, for your reply. Let me give you more details, which will give you a better image:

     

    I'm trying to configure VOIP trunks with a VOIP-SP. The setup is like this:
    -----------------------------------------------------------------------------------------------------
    I have two NATed IPs: MIP(x.x.x.34) for 192.168.1.1 and MIP(x.x.x.35) for 192.168.1.1
    -----------------------------------------------------------------------------------------------------
    policies:

    Trust to Untrust
    192.168.1.1 to VOIP-SP (source nat option on the policy is enabled)

    Untrust to Trust
    VOIP-SP to MIP(x.x.x.34)
    VOIP-SP to MIP(x.x.x.35)
    -----------------------------------------------------------------------------------------------------

    The VOIP-SP is sending RTP traffic to x.x.x.35 and SIP signaling traffic to x.x.x.34, and I receive the traffic successfully.

    The issue is, when initiating outbound traffic from 192.168.1.1 to VOIP-SP, the traffic should take x.x.x.34 as a source NAT towards VOIP-SP, but the logs are showing that the outbound traffic is taking x.x.x.35 as a source NAT towards VOIP-SP, and I don't have the option on the policy (from trust to untrust) to enforce the outbound traffic to use x.x.x.34.
    -----------------------------------------------------------------------------------------------------

    I think the MIP is not the optimal solution for my requirements, but I need another solution that will give the same setup as above.

     



  • 4.  RE: NAT-ing Issue - URGENT

    Posted 02-27-2017 02:56

    Right, you CANNOT use two MIP to the same address.

     

    So to help with your configuration we need to know why there are two public addresses going to the same server IP address. There has to be some distinction in the ports or direction of the traffic for this to work with other forms of NAT.

     

    Do you have a table or a service description from your server that explains how the traffic from the two IP addresses is actually used by the server?



  • 5.  RE: NAT-ing Issue - URGENT

    Posted 02-27-2017 06:11

     

    Yes, dear,

     

    The point is that there was an old setup with the VOIP-SP as below:

     

    192.168.1.1 MIP(x.x.x.34) with SIP ports allowed (to initiate a call).

    10.10.10.1 MIP(x.x.x.35) with RTP UDP ports allowed (to exchange the actual call voice packets).

     

    The new setup is to have only one private IP that needs to be NATed and will handle SIP and RTP UDP packets.

     

    But the VOIP-SP has only the old configuration, and it's very hard to inform them to change the configuration to send SIP and RTP on one NATed IP (it will take much time).

     

    This is why I'm trying to point both public IPs to the same private IP, so all the traffic sent to x.x.x.34 and x.x.x.35 will reach 192.168.1.1, and all outbound traffic will use x.x.x.34.



  • 6.  RE: NAT-ing Issue - URGENT
    Best Answer

    Posted 02-28-2017 03:01

    For the outbound traffic, you will create a DIP for the desired address and a matching policy with the desired source and port addresses for the source NAT.

     

    See page 38 of the PDF (printed page 20):

    http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_AddressTranslation.pdf

     

    For inbound traffic destination NAT, you also need the policy to match the desired ports, using the many-to-one NAT example.

     

    See page 59 of the PDF (printed page 41):

    http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_AddressTranslation.pdf
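
A ScreenOS CLI sketch of the approach in the accepted answer, added here as an illustration and not posted by anyone in the thread. It assumes the two MIP entries have been removed, that ethernet0/0 is the Untrust interface and ethernet0/1 the Trust interface, and that the DIP ID, the address and service names, `<voip-sp-ip>` and the `<rtp-low>-<rtp-high>` UDP range are placeholders to replace with real values.

```screenos
# Added illustration, not from the thread. Lines starting with "#" are
# annotations, not CLI input. Interface names, DIP ID 5, object names,
# <voip-sp-ip> and <rtp-low>-<rtp-high> are assumed placeholders.

# Address book: the server, the provider, and the two public addresses.
# The public addresses live in the Trust zone book so that the
# Untrust-to-Trust policies can reference them as original destinations.
set address trust "voip-srv" 192.168.1.1/32
set address untrust "VOIP-SP" <voip-sp-ip>/32
set address trust "pub-34" x.x.x.34/32
set address trust "pub-35" x.x.x.35/32

# Custom service covering the provider's RTP UDP port range.
set service "RTP-UDP" protocol udp src-port 0-65535 dst-port <rtp-low>-<rtp-high>

# Outbound: a one-address DIP pool pins the translated source to x.x.x.34,
# and the policy selects that pool explicitly with "nat src dip-id".
set interface ethernet0/0 dip 5 x.x.x.34 x.x.x.34
set policy from trust to untrust "voip-srv" "VOIP-SP" any nat src dip-id 5 permit

# Inbound: host routes so the original destinations resolve toward the
# Trust interface for policy lookup, before the destination is translated.
set route x.x.x.34/32 interface ethernet0/1
set route x.x.x.35/32 interface ethernet0/1

# Inbound: policy-based destination NAT. SIP arrives on x.x.x.34 and RTP on
# x.x.x.35; both are translated to the single private host.
set policy from untrust to trust "VOIP-SP" "pub-34" "SIP" nat dst ip 192.168.1.1 permit
set policy from untrust to trust "VOIP-SP" "pub-35" "RTP-UDP" nat dst ip 192.168.1.1 permit
save
```

Restricting the inbound policies to the provider's address and to the SIP and RTP services keeps both public addresses from exposing any other port on 192.168.1.1.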