Screen OS

  • 1.  NAT on ISG1000

    Posted 10-16-2010 11:54

    Hello Dears,

     

    Can anybody explain to me the NAT below? It is interface source NAT, but what about the commands down below marked in RED?

     

    set interface ethernet2/3 dip 4 10.30.250.5 10.30.250.5
    set interface ethernet2/3 dip 5 10.30.250.6 10.30.250.7
    set interface ethernet2/3 dip 7 10.30.250.8 10.30.250.8
    set interface ethernet2/3 dip 6 10.30.250.9 10.30.250.9
    set interface ethernet2/3 dip interface-ip incoming

     

    set interface ethernet1/1 ip 10.30.8.1/27
    set interface ethernet1/1 nat
    set interface ethernet1/2 ip 10.30.4.1/27
    set interface ethernet1/2 nat
    set interface ethernet1/3 ip 10.30.6.1/27
    set interface ethernet1/3 nat
    set interface ethernet2/1 ip 10.30.7.1/27
    set interface ethernet2/1 nat
    set interface ethernet2/2 ip 10.30.3.1/27
    set interface ethernet2/2 nat
    set interface ethernet2/3 ip 10.30.250.3/27
    set interface ethernet2/3 route
    set interface ethernet2/4 ip 10.28.50.50/28
    set interface ethernet2/4 route
    set interface ethernet3/1 ip 10.30.35.1/26
    set interface ethernet3/1 route

     

    Thanks,

     

     



  • 2.  RE: NAT on ISG1000

    Posted 10-16-2010 12:24

    set interface ethernet2/3 dip 4 10.30.250.5 10.30.250.5

    It is pool-based source NAT, but here the DIP pool consists of only one IP.

    This command creates a DIP object with the IP 10.30.250.5 on the interface e2/3.

    After that you will find that this DIP is mentioned in some policies like the one below:

    set policy id 5 from "IP-1" to "IP_2"   "HTTP"    nat src dip-id 4 permit

    So, the NAT steps are:

    1- create the DIP address on the outgoing interface

    2- mention the DIP in the policy

     

    ************  Mark My Post as Accepted if it solved your problem By clicking on the button saying " Accept  as Solution " ************



  • 3.  RE: NAT on ISG1000

    Posted 10-16-2010 12:45

    Hello Dear,

     

    It is used with this policy.

     

    set policy id 20 name "HTTP and HTTPS Access" from "Server" to "FW-to-FW"  "TENT" "Any" "HTTP" nat src dip-id 4 permit log

     

    What will the above statement do with the NAT?

     

    set interface ethernet2/3 ip 10.30.250.3/27
    set interface ethernet2/3 route

     

    Not clear. Can you explain more on the policy command, please?



  • 4.  RE: NAT on ISG1000

    Posted 10-16-2010 13:00

    set policy id 20 name "HTTP and HTTPS Access" from "Server" to "FW-to-FW"  "TENT" "Any" "HTTP" nat src dip-id 4 permit log

     

    That means that any traffic matching this policy will be source-NATed using DIP 4.

    In other words, you created the DIP, but who will use it? That is what we specify in the policy.


     



  • 5.  RE: NAT on ISG1000

    Posted 10-16-2010 13:17

    Very clear,

     

    Just one doubt,

     

    set interface "ethernet1/1" zone "Server"
    set interface "ethernet1/2" zone "Database"
    set interface "ethernet1/3" zone "Management"
    set interface "ethernet2/1" zone "DC"
    set interface "ethernet2/2" zone "TAC"
    set interface "ethernet2/3" zone "FW-to-FW"
    set interface "ethernet2/4" zone "Untrust"
    set interface "ethernet3/1" zone "User"
    unset interface vlan1 ip
    set interface mgt ip 192.168.1.1/24
    set interface ethernet1/1 ip 10.30.8.1/27
    set interface ethernet1/1 nat
    set interface ethernet1/2 ip 10.30.4.1/27
    set interface ethernet1/2 nat
    set interface ethernet1/3 ip 10.30.6.1/27
    set interface ethernet1/3 nat
    set interface ethernet2/1 ip 10.30.7.1/27
    set interface ethernet2/1 nat
    set interface ethernet2/2 ip 10.30.3.1/27
    set interface ethernet2/2 nat
    set interface ethernet2/3 ip 10.30.250.3/27
    set interface ethernet2/3 route
    set interface ethernet2/4 ip 10.28.50.50/28
    set interface ethernet2/4 route
    set interface ethernet3/1 ip 10.30.35.1/26
    set interface ethernet3/1 route

     

    When any traffic moves from the Server zone to the Database zone, will it be NATed to the Database zone egress interface IP? Correct me if I am wrong.

     

    Answer: ??????

     

    Then why do we need to configure a DIP on the egress interface when traffic moves from the Server zone to the FW-to-FW zone?

    Answer: ?????

     

    Thanks



  • 6.  RE: NAT on ISG1000

    Posted 10-16-2010 13:22

    Answer 1: Yes, because e1/1 is in NAT mode.

    Answer 2: This is not a must, but let's say that for some reason you need some users to be NATed to an IP that is not the egress interface IP; that is where you can use a DIP.

     




  • 7.  RE: NAT on ISG1000

    Posted 10-16-2010 13:27

    This is not a must, but let's say that for some reason you need some users to be NATed to an IP that is not the egress interface IP; that is where you can use a DIP.

     

    Can you tell me where this can be a situation?

     

    Thanks



  • 8.  RE: NAT on ISG1000
    Best Answer

    Posted 10-16-2010 13:30

    Below is one case:

    The customer wants managers to be NATed to a specific DIP IP while normal employees are NATed to the egress interface IP.

    He wants that so that the next devices (after the Juniper firewall) can give them different access privileges based on the IP.

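    The "managers vs. employees" case above, written out as an added ScreenOS configuration example (not from the thread or from Juniper's documentation). It reuses the thread's zones, DIP 4 on ethernet2/3 and policy id 20; the "Managers" address object, its 10.30.8.16/28 range and policy id 21 are assumed, and policy 20 is assumed reworked to carry a plain permit instead of the DIP.

```text
# Assumed address object: the managers' subnet inside the Server zone (e1/1, 10.30.8.1/27)
set address "Server" "Managers" 10.30.8.16 255.255.255.240

# DIP 4 on the egress interface, as in the thread (single-address pool)
set interface ethernet2/3 dip 4 10.30.250.5 10.30.250.5

# Managers: source NAT to the DIP, so the devices behind the firewall see 10.30.250.5
set policy id 21 name "Managers HTTP" from "Server" to "FW-to-FW" "Managers" "Any" "HTTP" nat src dip-id 4 permit log

# Everyone else: plain permit. ethernet1/1 is in NAT mode and ethernet2/3 is in Route mode,
# so interface NAT translates their source to the egress interface IP 10.30.250.3
set policy id 20 name "HTTP and HTTPS Access" from "Server" to "FW-to-FW" "Any" "Any" "HTTP" permit log

# Policies are matched top-down and "Any" also covers the managers' subnet,
# so the specific rule must sit above the general one
set policy move 21 before 20

# Check which policy a flow matched and what source address it was translated to
get session
```

    If policy 21 is left below policy 20, managers match the general rule first and are translated to 10.30.250.3 like everyone else, so verifying the policy order is the first thing to check when the DIP appears unused.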