Screen OS

Hello everyone,

I'm trying to forward a couple of ports, but when I try that in "policy's > advanced > Nat"  it gives me an input field with "(DIP on) None (Use Egress Interface IP)". I searched on the net and you can configure DIP on an interface, but my interface is a ADSL 2/2+ A which doesn't have the DIP option. My question is how can I forward a port from my ADSL 2/2+ A interface to one of my trusted interfaces. Because I'm dutch I didn't understand the word Egress but it means something like exit says google. I'm using a Juniper SSG 20 with a ADSL 2/2+ A card.

---

Jonathan

Hi Jonathan,

Egress interface means outgoing interface for this session. (Uitgaande interface dus) This is the interface the initiating flow leaves the ssg on. The interface the initiating flow enters the ssg on is the ingress interface. So for a outbound session (from your net to the internet) the trust interface is ingress and the untrust is egress.  For sessions from the internet to your net the untrust interface is ingress and the trust (or hopefully dmz for inbound traffic) is the egress interface.

Then for portforwarding: If you want to forward traffic from untrust to trust/dmz (what's generaly meant by portforwarding) you need to configure vip's not dip's. Dip are address pools for source nat, vip can send traffic to centrain ports to certain servers. Just configure the vip on the untrust interface and enter the ip of the server. Then configure a policy from untrust to trust or dmz from source any ,destination the VIP, service what you need.

Drop me a private mail in dutch if you want local language support (:-

See the sample configuration in kb12608.  You will want to use the VIP feature as your server is on the same ip address as the interface.  This is the third section on the article.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12608

Thank you Screenie and Spuluka.

When I go to the DMZ or the other trusted interface it has DIP and VIP, but when I go to adsl1/0 it doesn't have those options, it only has Basic, IGMP and Monitor. I only want to forward a port from adsl1/0 to ethernet0/3. Because of the command

set interface ethernet0/0 vip interface-ip 90 "RDP" 192.168.113.180

 I understand better how VIP works, but as I said it isn't applicable to the ADSL card that I have which is adsl1/0. I added three screenshots that may explain some stuff.

It's a while ago I worked with adsl interfaces on ssgs. But:one thing a saw in the screendump the interface can be in bridge or routed mode. I can imagen that dip's vip's etc (being layer 3 stuff) only can be done in routed mode.

Changing the Protocols from Bridged to Routed didn't help. There must be a way. I googled the google out of goolge and I found nothing .... is this going to be a dead end?

Hi,

You should configure a PPPoE Profile, map it to the ADSL interface and connect to the provider. As soon as PPPoE gets an IP from the ISP you will be able to configure VIP/DIP/MIP. A VIP "same as interface IP" is exactly what you need (and can do) if a single IP is assigned.

You can also temporary assign any static IP to the ADSL interface and configure the VIP. The VIP will not disappear after you have deleted the interface IP or re-map the interface to a PPPoE profile.

Thank you Edouard

My colleague thought so too, but he wasn't sure about it. Because I need to minimize downtime I needed to be sure about it and know I am. Thank you again for the help!

---

Jonathan