ScreenOS Firewalls (NOT SRX)
Posts: 2
Registered: ‎01-06-2009
0 Kudos
Accepted Solution

Problem achieving bidirectional translation with MIP!

Hello Forum!

Excuse me if my question is a repeat, but the matter is that I have been following instructions from similar topics from this forum, but no success yet!

I have an SSG-350M (6.0.0.r4). On the Untrust interface it has the address (Default Gateway= All the range is available for MIP or DIP. On the Trust interface the IP is I have a server whose ip=, and I want to map it to, so that when this server accesses the Internet (traffic from Server/Trust to any/Untrust) it will use that address. Also I want any service request to from any/Untrust to be forwarded to the On the Untrust interface I created a new MIP ( and Host= mask=32. In policies I permit traffic from Server/Trust to any/Untrust. Also I added a second policy to permit any/Untrust towards MIP( any/service. When I use the server to access the site, I will get means it works fine in this direction. But when I try to connect to the server using Remote Desktop (RDP) from another Internet connection (I try to connect to nothing happens! I tried to ping, also with no success! While from my LAN PC ( I can ping that server ( and I can connect to it using RDP!! What could be wrong? Can it be a firmware issue?

Many Thanks in advance for your support!


Trusted Contributor
Posts: 279
Registered: ‎07-14-2008
0 Kudos

Re: Problem achieving bidirectional translation with MIP!



Is your MIP working for any other addresses?


If not you could check you have the IP addresses the right way around.





Distinguished Expert
Posts: 826
Registered: ‎05-04-2008
0 Kudos

Re: Problem achieving bidirectional translation with MIP!



If all else fails, I would debug the traffic to see what the firewall is doing with it. Try the following. If you need help reading the "db str", post the results. Good luck.


1.  From Firewall:

set ff dst-ip

set ff dst-ip

debug flow basic

clear db


2.  From Test PC:

test from Untrust (e.g. try to RDP)


3.  From Firewall:

undebug all

get db str


4.  Review the stream.  You should see the traffic arrive, route look-up, policy check, and forwarded.





John Judge

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Posts: 2
Registered: ‎01-06-2009
0 Kudos

Re: Problem achieving bidirectional translation with MIP!

Thank you All!


I did as told, but nothing strange was found in the captured data! I made a visit to the site, and I found that the customer is placing a Cyberoam Firewall in Transparent Bridging Mode, between the 192.168.1.x segment and the Juniper LAN. They are using the Cyberoam to control bandwidth. The Cyberoam administrator added a rule to allow traffic inbound towards the server and now everything is working fine!


Many Thanks for your support!


Mohamed Abdulla