ScreenOS Firewalls (NOT SRX)
Posts: 29
Registered: ‎06-13-2010

Ping back problem in DIP



I have successful to build up a DIP which can translate my internal IP to external IP pool.  E.g ---> ~ 25


Although the internal IP can access to Internet.  However, sometime the Internet are require to trace back to check is it my host is available not, but its fail because it could not ping back for those external IP.  Is it true and how can I enable it?



Super Contributor
Posts: 73
Registered: ‎11-27-2010

Re: Ping back problem in DIP

DIP's only translate addresses for outgoing connections, not incoming like a ping from the untrust side. For incoming you have to use MIP's, VIP's or NAT-dst.

A MIP is actually a one-to-one mapping that works in both directions and is the easiest to implement. See this KB-article for a description:


Because it is a one to one mapping you need an external IP for every server on the trust side. If you don't have that many external IP's available you are forced to use VIP's or NAT-dst.


VIP's can be used for port forwarding. See this KB-article for more information:


But this doesn't work for ping (ICMP doesn't have port numbers). You can use NAT-dst for that:

To only allow pings the example would look like this:


set interface ethernet0/0 zone trust
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip
set arp nat-dst
set address untrust server-pub
set policy from untrust to untrust any server-pub "PING" nat dst ip permit




Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.