Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  [SSG5] external IP redirect to internal IP

    Posted 11-12-2012 04:41

    Hello,

    I'm trying to capture requests to an external IP and reroute them to one of our internal servers (not in DMZ). So when internal users browse to www.site.com they are actually redirected to an internal webserver. DNS is unfortunately not an option.

    I have now been able to redirect the IP by using the MIP function. The MIP has been created on the internal LAN interface (trust) with the mapped IP = the external IP and the host IP = the one of our internal webserver. As VRouter I selected Trust.

    When you ping the external address from our network, you now get a reply from our internal server. But when trying to connect to this IP with your browser the request times out. I tried to create a policy which allowed HTTP traffic between the LAN and the MIP (trust to trust) but this doesn't seem to help.

    Am I doing something wrong?



  • 2.  RE: [SSG5] external IP redirect to internal IP
    Best Answer

    Posted 11-12-2012 06:30

    Hi,

    You should enable src-NAT in this policy (to the interface IP). Otherwise the response packets are sent directly to the client and not back to the FW. This works with ping but not with TCP.

    DNS is an option. You can enable DNS proxy on the trust interface and create a static DNS entry for www.site.com with its private IP.

    If the server should be seen on the Internet, the best place for the MIP is the untrust interface.
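
Added example (not part of the thread and not Juniper code): a simplified Python model of the trust-to-trust MIP flow described in reply 2, showing where the server's reply goes with and without src-NAT. All addresses are constructed, and the rule that ping matches a reply on the echo id alone while TCP matches on the address pair is a modelling assumption.

```python
# Added example: simplified model of hairpin (trust-to-trust) MIP traffic.
# All addresses are constructed; the model is an assumption, not ScreenOS code.
CLIENT, SERVER = "192.168.1.50", "192.168.1.20"   # both on the trust LAN
FW_LAN, MIP = "192.168.1.1", "203.0.113.10"       # firewall LAN IP, mapped external IP


def firewall_forward(pkt, src_nat, sessions):
    """Client -> MIP: rewrite destination to the host IP, optionally source too."""
    out = dict(pkt, dst=SERVER)
    if src_nat:
        out["src"] = FW_LAN
    # Remember the original pair so a returning packet can be translated back.
    sessions[(out["src"], out["dst"])] = (pkt["src"], pkt["dst"])
    return out


def firewall_reverse(pkt, sessions):
    """Server -> firewall: undo both translations using the session entry."""
    orig_src, orig_dst = sessions[(pkt["dst"], pkt["src"])]
    return dict(pkt, src=orig_dst, dst=orig_src)


def server_reply(pkt):
    """The server answers whatever source address it saw."""
    return dict(pkt, src=pkt["dst"], dst=pkt["src"])


def client_accepts(request, reply):
    """TCP matches replies on the address pair; ping here matches on echo id only."""
    if reply["dst"] != CLIENT:
        return False
    if request["proto"] == "tcp":
        return reply["src"] == request["dst"]
    return reply["id"] == request["id"]


def hairpin(proto, src_nat):
    """Return (source address the client sees, whether the client accepts it)."""
    sessions = {}
    request = {"proto": proto, "src": CLIENT, "dst": MIP, "id": 7}
    reply = server_reply(firewall_forward(request, src_nat, sessions))
    # Same subnet: a reply addressed to the client goes straight over the LAN
    # and never reaches the firewall, so it is only reversed when sent to FW_LAN.
    if reply["dst"] == FW_LAN:
        reply = firewall_reverse(reply, sessions)
    return reply["src"], client_accepts(request, reply)


if __name__ == "__main__":
    for proto in ("icmp", "tcp"):
        for src_nat in (False, True):
            print(proto, "src-NAT" if src_nat else "no src-NAT", hairpin(proto, src_nat))
```
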



  • 3.  RE: [SSG5] external IP redirect to internal IP

    Posted 11-12-2012 06:43

    Hello Edouard,

    Adding src-NAT fixed the issue.

    Thanks for the kind help!