Problem with MIP/DIP in SSG

one-day · ‎12-27-2009

I have the following scenario:

trust (eth0/0) 192.168.0.0/16 (private IP) , multiple PCs here

i have 2 untrust interface, each to a different ISP.

untrust (eth0/1) 210.0.0.0/24, to ISP1

untrust (eth0/2) 220.0.0.0/24, to ISP2

I created 2 default routes of equal cost, one to ISP1 and one to ISP2, so outgoing traffic (from trust to untrust) will go through both ISP1 and 2

the problem here is, I need to do some sort of source IP 'NAT' here:

- for packets destinated to A.A.A.A , source IP 192.168.X.X has to be converted to 200.98.34.129

- for packets destinated to B.B.B.B, source IP 192.168.X.X has to be converted to 245.123.4.53

(both A.A.A.A and B.B.B.B can be reached via either untrust interface eth0/1 or eth0/2)

how can this be done in the Netscreen SSG?

I tried creating a loopback interface , set DIP there, but the problem is I couldn't attach more than 1 loopback-group to both of the untrust interface.

Thanks

mehdi · ‎08-19-2008

Hi

for situation you should be use Policy based routing and source routing and also i don't think that good idea to cretae two default route.

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_Routing.pdf#xml=http://kb.juniper.net/index?page=answeropen&type=open&searchid=1265807907370&answerid=16777236&iqaction=6&url=http%3A%2F%2Fwww.juniper.net%2Ftechpubs%2Fsoftware%2Fscreenos%2Fscreenos6.3.0%2F630_ce_Routing.pdf&highlightinfo=16790863,51092,51114

thanks

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com

one-day · ‎12-27-2009

thanks for the heads up on the routing

I'll look into that.

But my main problem is how to do the DIP ?

Let's just simply the scenario to only 1 ISP/1 untrust interface (so that we don't need to handle the routing at the moment)

I have no idea how could I do the DIP as I want.

As in:

- for packets destinated to A.A.A.A, soure IP 192.168.X.X shall be converted to 200.98.34.129

- for packets destinated to B.B.B.B, source IP 192.168.X.X has to be converted to 245.123.4.53

I treid creating a loopback interface, set DIP there, but the problem is how can I attach more than 1 loopback-group to my untrust interface? or am I taking the wrong approach?

Asm0deus · ‎01-22-2009

On my ISG's I have about a dozen DIP groups on my Untrust interface; goups of internal servers are translated to different external DIP groups by policies.

Example:

set interface ethernet0/0 dip 21 <public.IP.start> <public.IP.end>
set interface ethernet0/0 dip 22 <public.IP.start> <public.IP.end>
set interface ethernet0/0 dip 23 <public.IP.start> <public.IP.end>
...

set pol id xxxx from Zone10 to Untrust ServerGroupA ANY http nat src dip-id 21 permit count

set pol id xxxx from Zone10 to Untrust ServerGroupB ANY http nat src dip-id 22 permit count

set pol id xxxx from Zone10 to Untrust ServerGroupC ANY http nat src dip-id 23 permit count

That said, you should be able to create multiple rules with the same source address (or group), but different dip-ids. ...but obviously if the src/dst/service are the same, only the first match will "win". So in your case, if you have control over the service your servers are talking to, perhaps you could have the second destination listen on a different port # -- that would ensure a unique policy/rule, which would ensure that the second dip was used. (Or translate the destination port on another device at the other end, etc.)

Ex:

set pol id xxxx from Zone10 to Untrust ServerGroupA ANY svc-tcp7777 nat src dip-id 21 permit count

set pol id xxxx from Zone10 to Untrust ServerGroupA ANY svc-tcp8888 nat src dip-id 22 permit count

one-day · ‎12-27-2009

^ thanks for the above as well. it is very useful

but actually what I got sucked is:

i have 2 untrust interfaces / uplink (for resilence), and obviously i have to apply such DIP to both untrust interfaces

i know that:

1) i have to create a loopback interface, set the DIPs there, apply this loopback interface to the loopback-group of both untrust interfaces so that these DIPs can be shared/applied to more than one interfaces, and

2) i know that i can use extended DIP as the translated address are in different subnets

but then:

--> i need these DIPs for SIP calls, hence i need to have "incoming NAT" to be on at the DIPs such that I can create a untrst->trust policy, and apply incoming DIP there such that incoming calls will work

--> but then "incoming NAT" cannot be set for extended DIPs

--> i can create a separate loopback interface for each of the translated address, make the DIP within the same range of the interface IP such that "incoming NAT" can be enabled, but then i couldn't attached more than 1 loopback-group per untrust interface, so this method doesn't work as well

and I'm then clueless on what to do.

anyone here has any advice?

you may refer to my scnerio in my first post above actually if I sound confusing here

Thanks in advance.

Problem with MIP/DIP in SSG

Re: Problem with MIP/DIP in SSG

Re: Problem with MIP/DIP in SSG

Re: Problem with MIP/DIP in SSG

Re: Problem with MIP/DIP in SSG