ScreenOS Firewalls (NOT SRX)
one-day (Visitor, Posts: 5, Registered: 12-27-2009)

Problem with MIP/DIP in SSG

I have the following scenario:

trust (eth0/0) 192.168.0.0/16 (private IP), multiple PCs here

I have 2 untrust interfaces, each to a different ISP:

untrust (eth0/1) 210.0.0.0/24, to ISP1
untrust (eth0/2) 220.0.0.0/24, to ISP2

I created 2 default routes of equal cost, one to ISP1 and one to ISP2, so outgoing traffic (from trust to untrust) will go through both ISP1 and ISP2.

The problem here is, I need to do some sort of source IP 'NAT' here:

- for packets destined to A.A.A.A, source IP 192.168.X.X has to be converted to 200.98.34.129
- for packets destined to B.B.B.B, source IP 192.168.X.X has to be converted to 245.123.4.53

(both A.A.A.A and B.B.B.B can be reached via either untrust interface eth0/1 or eth0/2)

How can this be done in the Netscreen SSG?

I tried creating a loopback interface and setting the DIP there, but the problem is I couldn't attach more than 1 loopback-group to both of the untrust interfaces.

Thanks

mehdi (Super Contributor, Posts: 240, Registered: 08-19-2008)

Re: Problem with MIP/DIP in SSG

Hi

For this situation you should use policy-based routing and source routing, and I also don't think it is a good idea to create two default routes.

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_Routing.pdf#xml=http://kb.juniper.net/index?page=answeropen&type=open&searchid=1265807907370&answerid=16777236&iqaction=6&url=http%3A%2F%2Fwww.juniper.net%2Ftechpubs%2Fsoftware%2Fscreenos%2Fscreenos6.3.0%2F630_ce_Routing.pdf&highlightinfo=16790863,51092,51114

thanks

Kind regards,
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
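
The policy-based routing mehdi points to, worked through for the poster's two-uplink layout as an added example (this is not mehdi's configuration and not text from the linked Juniper guide). It steers traffic for A.A.A.A out ethernet0/1 and traffic for B.B.B.B out ethernet0/2 instead of relying on two equal-cost default routes. The ISP next-hop addresses 210.0.0.1 and 220.0.0.1, the group and policy names, and the primary/backup default-route metrics are assumptions; A.A.A.A and B.B.B.B are the thread's own placeholders. Lines beginning with # are explanatory notes, not ScreenOS commands.

```screenos
# Added example (not from the original post). Assumed ISP gateways:
#   ISP1 next hop 210.0.0.1 on ethernet0/1, ISP2 next hop 220.0.0.1 on ethernet0/2
# A.A.A.A and B.B.B.B are the thread's placeholders for the two destinations.

# Match groups: classify LAN traffic by destination
set match-group name to-A
set match-group to-A ext 1 src-ip 192.168.0.0/16 dst-ip A.A.A.A/32
set match-group name to-B
set match-group to-B ext 1 src-ip 192.168.0.0/16 dst-ip B.B.B.B/32

# Action groups: force egress interface and next hop. Action entries are tried
# in order, so entry 2 is the fallback uplink if entry 1's interface is down.
set action-group name via-isp1
set action-group via-isp1 next-interface ethernet0/1 next-hop 210.0.0.1 action-entry 1
set action-group via-isp1 next-interface ethernet0/2 next-hop 220.0.0.1 action-entry 2
set action-group name via-isp2
set action-group via-isp2 next-interface ethernet0/2 next-hop 220.0.0.1 action-entry 1
set action-group via-isp2 next-interface ethernet0/1 next-hop 210.0.0.1 action-entry 2

# PBR policy: lower sequence number is evaluated first
set pbr policy name isp-steering
set pbr policy isp-steering match-group to-A action-group via-isp1 1
set pbr policy isp-steering match-group to-B action-group via-isp2 2

# Bind the PBR policy where the LAN traffic enters (zone/vrouter binding also exists)
set interface ethernet0/0 pbr isp-steering

# Traffic not matched by PBR still follows the routing table. Instead of two
# equal-cost defaults, keep one preferred default and a higher-metric backup.
set route 0.0.0.0/0 interface ethernet0/1 gateway 210.0.0.1 metric 1
set route 0.0.0.0/0 interface ethernet0/2 gateway 220.0.0.1 metric 10

# Verify
get pbr policy isp-steering
get route
```

After applying this, confirm with `get session` that a flow to A.A.A.A shows ethernet0/1 as its egress interface and a flow to B.B.B.B shows ethernet0/2; the PBR decision is taken at session creation, so existing sessions keep the path they started on until they time out.
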
one-day (Visitor, Posts: 5, Registered: 12-27-2009)

Re: Problem with MIP/DIP in SSG

Thanks for the heads up on the routing :) I'll look into that.

But my main problem is how to do the DIP?

Let's just simplify the scenario to only 1 ISP/1 untrust interface (so that we don't need to handle the routing at the moment).
I have no idea how I could do the DIP as I want.
As in:
- for packets destined to A.A.A.A, source IP 192.168.X.X shall be converted to 200.98.34.129
- for packets destined to B.B.B.B, source IP 192.168.X.X has to be converted to 245.123.4.53
I tried creating a loopback interface and setting the DIP there, but the problem is how can I attach more than 1 loopback-group to my untrust interface? Or am I taking the wrong approach?

 

Asm0deus (Contributor, Posts: 21, Registered: 01-22-2009)

Re: Problem with MIP/DIP in SSG

On my ISGs I have about a dozen DIP groups on my Untrust interface; groups of internal servers are translated to different external DIP groups by policies.

Example:

set interface ethernet0/0 dip 21 <public.IP.start> <public.IP.end>
set interface ethernet0/0 dip 22 <public.IP.start> <public.IP.end>
set interface ethernet0/0 dip 23 <public.IP.start> <public.IP.end>
...

set pol id xxxx from Zone10 to Untrust ServerGroupA ANY http nat src dip-id 21 permit count
set pol id xxxx from Zone10 to Untrust ServerGroupB ANY http nat src dip-id 22 permit count
set pol id xxxx from Zone10 to Untrust ServerGroupC ANY http nat src dip-id 23 permit count

That said, you should be able to create multiple rules with the same source address (or group) but different dip-ids. ...but obviously if the src/dst/service are the same, only the first match will "win". So in your case, if you have control over the service your servers are talking to, perhaps you could have the second destination listen on a different port number; that would ensure a unique policy/rule, which would ensure that the second DIP was used. (Or translate the destination port on another device at the other end, etc.)

Ex:

set pol id xxxx from Zone10 to Untrust ServerGroupA ANY svc-tcp7777 nat src dip-id 21 permit count
set pol id xxxx from Zone10 to Untrust ServerGroupA ANY svc-tcp8888 nat src dip-id 22 permit count

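
The same policy-selects-DIP mechanism applied to the original question, as an added example (this is neither Asm0deus's configuration nor the poster's). Because the poster's two flows differ in destination, each gets its own policy keyed on the destination address, so the src/dst/service tuples are already distinct and no port trick is needed. The DIP pools sit on one loopback interface in the untrust zone that both uplinks join through its loopback group, so the pools are usable whichever ISP is chosen as egress. The loopback number, the /30 masks and interface addresses, the address-book names hostA/hostB, the policy IDs and the ID of the general outbound policy are assumptions; A.A.A.A and B.B.B.B are the thread's placeholders. The second pool lies outside the loopback's subnet and so has to be an extended DIP, which, as the thread notes, does not support incoming NAT. Lines beginning with # are explanatory notes, not ScreenOS commands.

```screenos
# Added example; not the original poster's or Asm0deus's configuration.
# Assumed: loopback.1, /30 masks, address names hostA/hostB, policy IDs 10/11,
# and that the existing general trust->untrust outbound policy is id 1.

# One loopback in the untrust zone carries the DIP pools. Its own address is a
# placeholder in the same /30 as the first pool, so that pool is a plain DIP.
set interface loopback.1 zone untrust
set interface loopback.1 ip 200.98.34.130/30
set interface loopback.1 dip 5 200.98.34.129 200.98.34.129

# Second pool is in a different subnet, so on the same loopback it must be an
# extended DIP (a physical interface can join only one loopback group).
set interface loopback.1 ext ip 245.123.4.54/30 dip 6 245.123.4.53 245.123.4.53

# Both uplinks join the loopback group; DIP 5 and 6 then apply on either egress.
set interface ethernet0/1 loopback-group loopback.1
set interface ethernet0/2 loopback-group loopback.1

# Destinations as address-book entries (A.A.A.A / B.B.B.B are the thread's placeholders)
set address untrust hostA A.A.A.A 255.255.255.255
set address untrust hostB B.B.B.B 255.255.255.255

# Keying on destination gives two distinct src/dst/service tuples, so each
# policy selects its own pool and first-match cannot swallow the second one.
set policy id 10 from trust to untrust any hostA any nat src dip-id 5 permit log
set policy id 11 from trust to untrust any hostB any nat src dip-id 6 permit log

# Ordering matters: these must sit above the broader outbound policy that also
# matches "any", otherwise that broader rule wins on first match.
set policy move 10 before 1
set policy move 11 before 1

# Verify: pool definitions and the translated source on a live session
get dip
get session
get policy id 10
```

Two checks before calling this done: `get session` should show a flow to A.A.A.A with source translated to 200.98.34.129 and a flow to B.B.B.B with 245.123.4.53, and the upstream ISPs must actually route 200.98.34.128/30 and 245.123.4.52/30 toward these uplinks, or replies to the translated addresses never come back. This covers only the outbound direction; the poster's separate requirement for incoming NAT on the SIP pools is left as the thread states it.
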
one-day (Visitor, Posts: 5, Registered: 12-27-2009)

Re: Problem with MIP/DIP in SSG

^ Thanks for the above as well. It is very useful :)

But actually where I got stuck is:

I have 2 untrust interfaces / uplinks (for resilience), and obviously I have to apply such DIP to both untrust interfaces.

I know that:

1) I have to create a loopback interface, set the DIPs there, and apply this loopback interface to the loopback-group of both untrust interfaces so that these DIPs can be shared/applied to more than one interface, and

2) I know that I can use extended DIP as the translated addresses are in different subnets.

But then:

--> I need these DIPs for SIP calls, hence I need to have "incoming NAT" on at the DIPs such that I can create an untrust->trust policy and apply incoming DIP there such that incoming calls will work

--> but then "incoming NAT" cannot be set for extended DIPs

--> I can create a separate loopback interface for each of the translated addresses and make the DIP within the same range as the interface IP such that "incoming NAT" can be enabled, but then I couldn't attach more than 1 loopback-group per untrust interface, so this method doesn't work either.

And I'm then clueless on what to do.

Anyone here has any advice?
You may refer to my scenario in my first post above if I sound confusing here.
Thanks in advance. ;)
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.