Screen OS

  • 1.  Port forwarding a non-standard port to a standard on SSG-140

    Posted 01-28-2014 11:59

    I have tried this a couple times and it just won't work. Can someone please help me with the following setup:
    - 1 public IP (say 1.1.1.1).
    - internal IP range (say 192.168.6.1/24).
    - web server 192.168.6.67 serving https.

     I have a VIP setup so that traffic hitting the public IP address 1.1.1.1 on port 12543 goes to the internal server 192.168.6.67 on port 443. When I make a rule from UnTrust to Trust saying Any source to VIP with ANY service then it all works well, but it's not proper and I want to lock it down. I just can't seem to get the UnTrust-Trust Policies rule setup properly, but I'm not sure what I'm doing wrong. Can someone kindly walk me through what I need to do to get this working?

     Thanks in advance.



  • 2.  RE: Port forwarding a non-standard port to a standard on SSG-140
    Best Answer

    Posted 01-28-2014 14:13

    See the sample setup for VIP in KB26891:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB26891

    When you are doing a translation of one port to another, you write the policy to use the original port:

    If the destination port has to be translated for the incoming traffic as well, then the service under the VIP will have to be configured accordingly and the VIP policy will have to consist of both the virtual port and the service (port) under the service options. For example:

    set interface ethernet0/1 vip 1.1.1.1 80 "HTTPS" 172.16.0.1

    Here, the destination field for the incoming HTTP traffic for 1.1.1.1 will translate to 172.16.0.1 along with the destination port translating to 443 and head across to the internal network. For this to work, you have to create a policy that includes both the virtual service and the required service:

    set policy id 1 from "Untrust" to "Trust" "Any" "VIP(1.1.1.1)" "HTTP" permit log
    set policy id 1
    set service "HTTPS"
    exit
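    The same pattern applied to the setup in the original question (1.1.1.1:12543 forwarded to 192.168.6.67:443), written out as an added example; it is not from the thread or from KB26891. Because 12543 is not a predefined ScreenOS service, a custom service object is needed for the virtual port before it can be referenced in the policy. Assumptions: the Untrust interface is ethernet0/0, 1.1.1.1 is a spare public address rather than the interface's own IP, and the service name HTTPS-12543 and policy id 10 are placeholders. Lines beginning with # are annotations, not ScreenOS CLI input.

```text
# Added example, not from the thread. Assumes Untrust = ethernet0/0.
# 1. Service object for the public-facing (virtual) port 12543, TCP only.
set service "HTTPS-12543" protocol tcp src-port 0-65535 dst-port 12543-12543

# 2. VIP: 1.1.1.1:12543 -> 192.168.6.67:443 (predefined service HTTPS = tcp/443).
set interface ethernet0/0 vip 1.1.1.1 12543 "HTTPS" 192.168.6.67

# 3. Policy must carry both the virtual service (pre-translation port 12543)
#    and the real service (HTTPS), instead of "ANY".
set policy id 10 from "Untrust" to "Trust" "Any" "VIP(1.1.1.1)" "HTTPS-12543" permit log
set policy id 10
set service "HTTPS"
exit

# 4. Verify the VIP entry and the policy's service list.
get vip
get policy id 10
```

    If 1.1.1.1 is the address of the Untrust interface itself, the VIP is created with `interface-ip` in place of the address (set interface ethernet0/0 vip interface-ip 12543 "HTTPS" 192.168.6.67) and the VIP address-book object used in the policy is then named after the interface, e.g. VIP(ethernet0/0); `get vip` shows the exact name to use. Traffic to 1.1.1.1 on any port other than 12543 is not forwarded by the VIP at all, so the policy above only ever admits TCP/443 to the web server.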

     



  • 3.  RE: Port forwarding a non-standard port to a standard on SSG-140

    Posted 01-29-2014 07:05

    Awesome, Steve!!! Thank you  🙂  Works like a charm now.

     

    Cheers,