Screen OS

  • 1.  VIP on public DMZ interface not working

    Posted 04-02-2015 08:09

    Hi,

    I have set my untrust interface with 1.1.1.190/29 (1.1.1.184/29 network) and my DMZ with 1.1.1.193/26 (1.1.1.192/26 network). On the internal interface I have set 192.168.1.0/24.

    I set one VIP 1.1.1.206 port 80 (to internal IP 192.168.1.101 port 80) on the DMZ interface, because on the Untrust I am not allowed. I also configured one policy for the VIP, but when I test from the internet, 1.1.1.206 port 80 is not open.

    Does anyone have a suggestion how to solve this? I tested using a MIP declared on the Untrust interface (same MIP public IP 1.1.1.206 with the appropriate policy rule) and it worked, but I need a VIP because I want it mapped to two different internal IPs/ports.

    Regards,

    tcp.



  • 2.  RE: VIP on public DMZ interface not working
    Best Answer

    Posted 04-02-2015 09:25

    The VIP has to be defined on the ingress interface, in this case, untrust. You are unable to assign ports 80, 443, 22 and 23, as these are defined management services on the device. To be able to use these ports, you would need to change the default WebUI/SSL/Telnet/SSH ports to custom ports. http://kb.juniper.net/InfoCenter/index?page=content&id=KB6632 talks about this and provides steps on how to fix it.


    edit: You are also not able to set the VIP on the untrust, as the address you are trying to use for the VIP is in the network range for the DMZ and not untrust. As such, traffic would need to come in on the DMZ interface, and your policies would need to be defined from DMZ to trust.
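The two conditions in the answer above (the VIP address must belong to the subnet of the interface it is bound to, and its public port must not collide with a management service) are easy to get wrong by hand, so here is a small pre-flight checker as an added example. It is not code from the original thread, from Juniper, or from the KB article; it only reproduces the addressing from the post and the default management ports the answer names. The trust-side host address 192.168.1.1 and the custom admin ports 8080/4433/2222/2323 are assumed values for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed from the addresses in the original post: interface IP plus prefix length.
# The trust host address is an assumption; the post only gives the 192.168.1.0/24 network.
INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "untrust": ipaddress.ip_interface("1.1.1.190/29"),    # network 1.1.1.184/29
    "dmz":     ipaddress.ip_interface("1.1.1.193/26"),    # network 1.1.1.192/26
    "trust":   ipaddress.ip_interface("192.168.1.1/24"),  # assumed host on 192.168.1.0/24
}

# Default ScreenOS management service ports named in the answer (WebUI, SSL, SSH, Telnet).
DEFAULT_ADMIN_PORTS: Dict[str, int] = {"webui": 80, "ssl": 443, "ssh": 22, "telnet": 23}

# Assumed custom ports an admin might move the management services to (illustration only).
CUSTOM_ADMIN_PORTS: Dict[str, int] = {"webui": 8080, "ssl": 4433, "ssh": 2222, "telnet": 2323}


def owning_interface(vip: str,
                     interfaces: Dict[str, ipaddress.IPv4Interface] = INTERFACES) -> Optional[str]:
    """Return the interface whose subnet contains the VIP address, or None if no subnet does."""
    addr = ipaddress.ip_address(vip)
    for name, iface in interfaces.items():
        if addr in iface.network:
            return name
    return None


def check_vip(vip: str, public_port: int, bound_to: str,
              interfaces: Dict[str, ipaddress.IPv4Interface] = INTERFACES,
              admin_ports: Dict[str, int] = DEFAULT_ADMIN_PORTS) -> List[str]:
    """Pre-flight checks for one VIP mapping.

    bound_to is the interface the admin intends to define the VIP on. Returns a list of
    findings; an empty list means the address belongs to that interface's subnet and the
    public port does not collide with a management service.
    """
    findings: List[str] = []

    owner = owning_interface(vip, interfaces)
    if owner is None:
        findings.append(f"{vip} is not inside any configured interface subnet")
    elif owner != bound_to:
        findings.append(
            f"{vip} is in the {owner} subnet {interfaces[owner].network}, not {bound_to}: "
            f"define the VIP on {owner} and write the policy from {owner} to trust")

    for service, admin_port in admin_ports.items():
        if public_port == admin_port:
            findings.append(
                f"port {public_port} is the default {service} management port: "
                f"move {service} to a custom port before a VIP can use it")
    return findings


if __name__ == "__main__":
    # The poster's situation: VIP 1.1.1.206:80 on the DMZ interface with default admin ports.
    for finding in check_vip("1.1.1.206", 80, "dmz"):
        print("dmz, defaults :", finding)
    # The same VIP placed on untrust, as the first part of the answer suggested.
    for finding in check_vip("1.1.1.206", 80, "untrust"):
        print("untrust       :", finding)
    # After moving the management services to custom ports, the mapping is clean.
    print("dmz, custom   :", check_vip("1.1.1.206", 80, "dmz", admin_ports=CUSTOM_ADMIN_PORTS))
```

Run it as-is to see the subnet finding for the untrust case and the WebUI port-80 collision for both cases; once `admin_ports` reflects the relocated management services (whatever values the KB article's procedure leads you to choose), `check_vip` returns an empty list and the VIP on the DMZ interface with a DMZ-to-trust policy is the configuration the answer describes.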