ScreenOS Firewalls (NOT SRX)
Super Contributor
cryptochrome

NAT questions, using DIP/VIP instead of NAT

Hi,

It is recommended to not use MIP if possible, but instead use VIP/DIP in policy based NAT.

We have a couple of mailservers in a private network (zone: esafe). Incoming mail is currently routed from zone untrust to zone esafe using MIPs.

Outgoing mail is sent from different mailservers so the MIP does not apply for the outgoing traffic. We are using a DIP pool for this with policy based NAT.

It works fine.

However, for incoming mail we would rather like to use VIPs instead of MIPs (because it is suggested by Juniper and we need to conserve public IP address space).

We would like to have the same IP address for incoming AND outgoing email traffic. So what we would have to do is create a DIP pool with the IP address of the mailserver (say 10.10.10.10), and we would also have to create a VIP for the same address, 10.10.10.10.

However, the documentation says you must not attach IP addresses to a DIP pool that are already assigned to a VIP.

So how do we do this if we don't want to or can not use MIP? How do we apply policy based NAT for a private IP address in both directions (source and destination NAT for the same IP)?

Thanks
Sascha

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Distinguished Expert
echidov

Re: NAT questions, using DIP/VIP instead of NAT

Hi Sascha,

I would rather classify the existing NAT types this way: MIP&VIP and Policy based NAT&DIP. DIP is required for the policy based src-NAT in any case. Even when you select "Use interface IP" for the NAT, a pre-defined DIP pool containing the interface IP is used. An IP assigned to a DIP can be used both for src-NAT and dst-NAT with no limitations. If I want to use an IP for the dst-NAT and this IP belongs to the interface subnet, I always configure it as a DIP. This enables the ARP resolution for the given IP.

You also need two routes for the dst-NAT to work. The first route is required for the routing decision before the policy & NAT are applied. The second one is used for packet forwarding after it has been checked against the policy and NATted.

The IPs used for the dst-NAT must be mapped to the destination zone.

Kind regards,

Edouard

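A worked ScreenOS CLI configuration of the DIP-based design Edouard describes (one public address used for both src-NAT and dst-NAT, plus the two routes), added here as an illustration; it is not from the thread or from Juniper documentation. It assumes ethernet0/0 in zone untrust on 203.0.113.0/24, ethernet0/1 in zone esafe on 10.10.10.0/24, a spare public address 203.0.113.10 (all placeholders), the mailserver 10.10.10.10 from the question, and the `#` lines are annotations, not CLI input.

```text
# DIP pool 5 on the untrust interface holds the single public address used in
# both directions. Because it lies in the interface subnet, the firewall
# answers ARP for it, so no VIP or MIP is needed.
set interface ethernet0/0 dip 5 203.0.113.10 203.0.113.10

# Address book entries referenced by the two policies
set address untrust "mail-public" 203.0.113.10 255.255.255.255
set address esafe "mail-internal" 10.10.10.10 255.255.255.255

# Route 1: the pre-NAT route lookup on the public address must point into the
# destination zone (esafe); otherwise no untrust->esafe policy is ever consulted.
set route 203.0.113.10/32 interface ethernet0/1

# Route 2 is the connected route for 10.10.10.0/24 that ethernet0/1 provides
# automatically; it carries the packet after dst-NAT to 10.10.10.10.

# Inbound: only SMTP to the public address, destination-NATted to the mailserver.
# Restricting the service keeps the rest of the host unreachable from untrust.
set policy from untrust to esafe any "mail-public" SMTP nat dst ip 10.10.10.10 permit

# Outbound: the mailserver's SMTP is hidden behind the same public address
# through DIP pool 5 (port translation is applied since the pool is one address).
set policy from esafe to untrust "mail-internal" any SMTP nat src dip-id 5 permit

# Review the resulting policy set
get policy
```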
Super Contributor
cryptochrome

Re: NAT questions, using DIP/VIP instead of NAT

Hi,

I have received a similar reply from the Juniper support folks. But I still can't believe what I read here.

A pretty standard requirement: Hide a mailserver behind a public IP for its outgoing traffic, and redirect incoming mail traffic to the public IP to the actual mailserver. So basically NAT incoming and outgoing traffic behind the same IP.

According to your answer and to the one from Juniper, I will have to set up VIPs, a DIP pool, and even create static routes. None of that seems to be properly documented in the official documentation either.

Isn't there a more straightforward approach to this?

Thanks,

Sascha

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
skullbox

Re: NAT questions, using DIP/VIP instead of NAT

I agree. The only time I use VIPs is when I have a /30 or temporarily need to forward a port through my firewall (like RDP) as a temporary solution. What's wrong with MIPs?

Contributor
markbwyr

Re: NAT questions, using DIP/VIP instead of NAT

A MIP would surely be the best solution. A MIP does Bi-Directional NAT, which is what you need and you will only need to use 1 public address. You should just then restrict it to SMTP.

Visitor
cmcguire

Re: NAT questions, using DIP/VIP instead of NAT

If you have multiple public IPs available (other than the IP assigned to the outside interface of the SSG) then you should remove VIP from your vocabulary. This should be a simple NAT SRC (outbound policy based NAT) and NAT DST (inbound policy based NAT) configuration. You can apply the outbound NAT (NAT SRC) for as many servers as you like, regardless of the source zone(s). The limitation of NAT DST (for incoming) is simply that you can't have different ports route into different destination zones (interfaces, actually).

If I understand your requirements, it should be straightforward.

Cheers,

Colin
Visitor
cmcguire

Re: NAT questions, using DIP/VIP instead of NAT

One other point. MIP clearly won't work, as you need bidirectional NAT coming and going from different internal servers.