08-15-2010 02:57 AM
It is recommended to not use MIP if possible, but instead use VIP/DIP in policy based NAT.
We have a couple of mailservers in a private network (zone: esafe). Incoming mail is currently routed from zone untrust to zone esafe using MIPs.
Outgoing mail is sent from different mailservers so the MIP does not apply for the outgoing traffic. We are using a DIP pool for this with policy based NAT.
It works fine.
However, for incoming mail we would rather like to use VIPs instead of MIPs (because it is suggested by Juniper and we need to conserve public IP address space).
We would like to have the same IP address for incoming AND outgoing email traffic. So what we would have to do is create a DIP pool with the IP address of the mailserver (say 10.10.10.10), and we would also have to create a VIP for the same address, 10.10.10.10.
However, the documentation says you must not attach IP addresses to a DIP pool that are already assigned to a VIP.
So how do we do this if we don't want to or cannot use MIP? How do we apply policy based NAT for a private IP address in both directions (source and destination NAT for the same IP)?
08-16-2010 12:54 AM
I would rather classify the existing NAT types this way: MIP&VIP and Policy based NAT&DIP. DIP is required for the policy based src-NAT in any case. Even when you select "Use interface IP" for the NAT, a pre-defined DIP pool containing the interface IP is used. An IP assigned to a DIP can be used both for src-NAT and dst-NAT with no limitations. If I want to use an IP for the dst-NAT and this IP belongs to the interface subnet, I always configure it as a DIP. This enables the ARP resolution for the given IP.
You also need two routes for the dst-NAT to work. The first route is required for the routing decision before the policy & NAT are applied. The second one is used for packet forwarding after it has been checked against the policy and NATted.
The IPs used for the dst-NAT must be mapped to the destination zone.
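A worked ScreenOS configuration for the setup this reply describes (the public IP held in a DIP pool used in both directions, a dst-NAT policy, and two routes). This is an added example, not taken from the thread or from Juniper's documentation; the interface names, zone names, the constructed public address 203.0.113.10 and the exact command syntax are assumptions and should be checked against the ScreenOS version in use.

```text
# Added example (assumed topology): ethernet0/1 in zone untrust (203.0.113.1/24),
# ethernet0/2 in zone esafe (10.10.10.1/24), mailserver 10.10.10.10.
# 203.0.113.10 is a constructed documentation address standing in for the real public IP.

# 1. Address objects. The public IP is defined in the DESTINATION zone (esafe),
#    because the policy lookup for inbound traffic is done on the pre-NAT address.
set address esafe "mail-internal" 10.10.10.10 255.255.255.255
set address esafe "mail-public"   203.0.113.10 255.255.255.255

# 2. One DIP pool on the untrust interface holding the single public IP.
#    Configuring it as a DIP makes the firewall answer ARP for it, and the same
#    pool is used for src-NAT (outbound) and dst-NAT (inbound).
set interface ethernet0/1 dip 4 203.0.113.10 203.0.113.10

# 3. Route 1: a /32 for the public IP pointing at the esafe interface, so the
#    routing decision made before policy/NAT resolves the destination zone to esafe
#    (it wins over the connected untrust /24 by longest prefix).
set route 203.0.113.10/32 interface ethernet0/2
#    Route 2: the internal network, used to forward the packet after dst-NAT.
set route 10.10.10.0/24 interface ethernet0/2

# 4. Inbound: dst-NAT public IP -> mailserver, restricted to SMTP only.
set policy from untrust to esafe any "mail-public" smtp nat dst ip 10.10.10.10 permit

# 5. Outbound: src-NAT mailserver -> public IP from the same DIP pool, SMTP only.
set policy from esafe to untrust "mail-internal" any smtp nat src dip-id 4 permit
```

Verify the result with `get session` while a connection is open in each direction: inbound sessions should show 203.0.113.10 translated to 10.10.10.10, outbound sessions the reverse.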
08-19-2010 04:57 AM
I have received a similar reply from the Juniper support folks. But I still can't believe what I read here.
A pretty standard requirement: hide a mailserver behind a public IP for its outgoing traffic, and redirect incoming mail traffic to the public IP to the actual mailserver. So basically NAT incoming and outgoing traffic behind the same IP.
According to your answer and to the one by Juniper, I will have to set up VIPs, a DIP pool, and even create static routes. None of that seems to be properly documented in the official documentation either.
Isn't there a more straightforward approach to this?
09-07-2010 10:31 AM
I agree. The only time I use VIPs is when I have a /30 or temporarily need to forward a port through my firewall (like RDP) as a temporary solution. What's wrong with MIPs?
09-09-2010 06:20 AM
A MIP would surely be the best solution. A MIP does bidirectional NAT, which is what you need, and you will only need to use one public address. You should then just restrict it to SMTP.
09-12-2010 05:49 PM
If I understand your requirements, it should be straightforward.