Screen OS

  • 1.  Static NAT between zones

    Posted 03-23-2014 12:27

    Hi All,

    I need to configure static NAT on a NetScreen. Vendor users need to access the server from the trust side, but the server IP address needs to be isolated. Diagram attached.

    How can I implement this?

    Attachment: pic1.jpg



  • 2.  RE: Static NAT between zones
    Best Answer

    Posted 03-23-2014 19:02

    Hi,

    You can get this done via MIP or VIP.

    On your Vendor-side interface, create a MIP, 192.168.10.10, mapped to 172.16.10.10. Then create a policy from the Vendor zone to the server zone, from any source (or specify the source IPs), to the MIP (192.168.10.10), any service (or specify what you want to allow), and select Action: permit.

    Any traffic reaching the firewall from the Vendor side with destination IP = 192.168.10.10 will be translated and sent to the server.



  • 3.  RE: Static NAT between zones

    Posted 03-23-2014 21:02

    Thanks, gokul.

    Is the configuration below enough?

    set interface "ethernet1/2" zone "Vendors"
    set interface "ethernet1/2.1" tag 10 zone "Vendors"
    set interface ethernet1/2.1 ip 192.168.10.1/24
    set interface "ethernet1/2.1" mip 192.168.10.10 host 172.16.10.10 netmask 255.255.255.255 vr "trust-vr"
    set policy from "vendors" to "Trust" "Any" "MIP(192.168.10.10/32)" "ANY" permit



  • 4.  RE: Static NAT between zones

    Posted 03-23-2014 21:32

    Yes,

    That looks good. Just enable logging, with logging at session beginning, in this policy to view the traffic logs. If the traffic flow is not successful, this can be helpful.
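The thread's MIP setup written out with the logging the last reply recommends, as an added example that was not posted by any participant. It reuses the names from the thread (zone "Vendors", subinterface ethernet1/2.1, MIP 192.168.10.10 to 172.16.10.10, zone "Trust"); the policy id 10 is an assumed free id, and the `#` lines are annotations for the reader, not ScreenOS syntax.

```screenos
# Vendor-side subinterface and the MIP that hides the real server address.
set interface "ethernet1/2" zone "Vendors"
set interface "ethernet1/2.1" tag 10 zone "Vendors"
set interface "ethernet1/2.1" ip 192.168.10.1/24
set interface "ethernet1/2.1" mip 192.168.10.10 host 172.16.10.10 netmask 255.255.255.255 vr "trust-vr"

# Policy from Vendors to Trust, destination = the MIP object, with "log" so
# the session is written to the traffic log when it closes.
set policy id 10 from "Vendors" to "Trust" "Any" "MIP(192.168.10.10/32)" "ANY" permit log

# Enter the policy context and also log at session start, so a flow that is
# permitted but never completes (no reply from the server) still leaves a
# log entry to troubleshoot from.
set policy id 10
set log session-init
exit

# Checks after applying: the MIP mapping and the policy with its log setting.
get mip
get policy id 10
```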