ScreenOS Firewalls (NOT SRX)
Contributor
machiasiaweb
Posts: 29
Registered: 06-13-2010

Ping back problem in DIP

Hi,


I have successfully built up a DIP which can translate my internal IPs to an external IP pool, e.g.


192.168.80.0/24 ---> 203.181.34.24 ~ 25


The internal IPs can access the Internet. However, sometimes hosts on the Internet need to trace back to check whether my host is available, but this fails because they cannot ping back to those external IPs. Is this true, and how can I enable it?


Thanks!

Super Contributor
lanman
Posts: 70
Registered: 11-27-2010

Re: Ping back problem in DIP

DIPs only translate addresses for outgoing connections, not incoming ones like a ping from the untrust side. For incoming you have to use MIPs, VIPs or NAT-dst.

A MIP is actually a one-to-one mapping that works in both directions and is the easiest to implement. See this KB article for a description:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10923


Because it is a one-to-one mapping you need an external IP for every server on the trust side. If you don't have that many external IPs available you are forced to use VIPs or NAT-dst.


VIPs can be used for port forwarding. See this KB article for more information:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4740


But this doesn't work for ping (ICMP doesn't have port numbers). You can use NAT-dst for that:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12631

To only allow pings the example would look like this:


set interface ethernet0/0 zone trust
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 1.1.1.2/24
set arp nat-dst
set address untrust server-pub 1.1.1.100/32
set policy from untrust to untrust any server-pub "PING" nat dst ip 192.168.1.100 permit


Steve
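As an added check (not from the thread or from Juniper), the following Python audits a ScreenOS config for the mechanisms lanman lists and reports, per public address, whether an inbound ping can be translated at all and why. It assumes the standard `set interface ... dip/mip/vip` command forms, an untrust interface ethernet0/1, and constructed pool, MIP, VIP and NAT-dst addresses built around the asker's 203.181.34.x block.

```python
import ipaddress
import re

# Constructed ScreenOS fragment (not from a real device): the question's DIP pool plus
# the three inbound mechanisms from the answer, on assumed interface/host addresses.
SAMPLE_CONFIG = """\
set interface ethernet0/1 dip 4 203.181.34.24 203.181.34.25
set interface ethernet0/1 mip 203.181.34.26 host 192.168.80.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/1 vip 203.181.34.27 80 HTTP 192.168.80.20
set address untrust server-pub 203.181.34.28/32
set policy from untrust to untrust any server-pub "PING" nat dst ip 192.168.80.30 permit
set policy from trust to untrust any any any nat src dip-id 4 permit
"""

DIP_RE = re.compile(r"^set interface \S+ dip (\d+) (\S+) (\S+)")
MIP_RE = re.compile(r"^set interface \S+ mip (\S+) host (\S+)")
VIP_RE = re.compile(r"^set interface \S+ vip (\S+) (\d+) (\S+) (\S+)")
ADDR_RE = re.compile(r'^set address \S+ "?([^"\s]+)"? (\S+)')
NATDST_RE = re.compile(r'^set policy from \S+ to \S+ \S+ "?([^"\s]+)"? "?([^"\s]+)"? nat dst ip (\S+)')


def inbound_map(config):
    """Map each public address the config touches to (mechanism, inbound_ping_ok, detail).
    DIP pool members are listed too, so it is visible that they carry no inbound mapping."""
    addr_objs, result = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := DIP_RE.match(line):
            lo, hi = (int(ipaddress.ip_address(x)) for x in m.group(2, 3))
            for n in range(lo, hi + 1):  # expand the pool range to individual addresses
                result[str(ipaddress.ip_address(n))] = ("dip", False, f"pool {m.group(1)}, outbound only")
        elif m := MIP_RE.match(line):
            # 1:1 mapping passes both directions; an untrust-to-trust policy still gates it
            result[m.group(1)] = ("mip", True, f"1:1 to {m.group(2)}, both directions")
        elif m := VIP_RE.match(line):  # VIPs forward a TCP/UDP port, so ICMP never matches
            result[m.group(1)] = ("vip", False, f"port {m.group(2)}/{m.group(3)} to {m.group(4)}, no ICMP")
        elif m := ADDR_RE.match(line):
            addr_objs[m.group(1)] = m.group(2).split("/")[0]  # address object -> public IP
    for line in (l.strip() for l in config.splitlines()):  # second pass: policies need the objects
        if m := NATDST_RE.match(line):
            name, service, target = m.groups()
            if name in addr_objs:  # ping works only if the policy's service covers ICMP echo
                ok = service.upper() in ("PING", "ANY")
                result[addr_objs[name]] = ("nat-dst", ok, f"to {target}, service {service}")
    return result


def ping_reachable(config, public_ip):
    """The thread's question for one address: is an echo request from untrust translated?"""
    mech, ok, detail = inbound_map(config).get(public_ip, ("none", False, "no translation"))
    return ok, f"{mech}: {detail}"
```

This is a syntax-level check over the command forms shown in the thread, not a substitute for the policy lookup the firewall itself performs.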

