ScreenOS Firewalls (NOT SRX)
Contributor
r0mm3L
Posts: 77
Registered: ‎05-11-2008

port forwarding; one public ip mapped to 3 private IP

Is it possible?

For example, I have 58.67.100.1 and it will be mapped to 192.168.1.231, 192.168.1.232, 192.168.1.233.

Only one service port: port 21 (FTP).

If there is an existing thread, please point me to it.

Thanks for the help,

Rommel

Message Edited by r0mm3L on 09-12-2008 12:56 AM
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: port forwarding; one public ip mapped to 3 private IP

Hi,

 

You can map one single public IP to three private IP addresses, but for three different service ports, using VIP. But you cannot map a single public IP to three private IP addresses for a single service port.

 

Hope this helps 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Contributor
r0mm3L
Posts: 77
Registered: ‎05-11-2008

Re: port forwarding; one public ip mapped to 3 private IP

Thanks Kashif,

I need to tell this to our customer, and he's comparing it to Linksys, which is capable of forwarding a port to 3 private IPs.

Message Edited by r0mm3L on 09-12-2008 02:26 AM
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: port forwarding; one public ip mapped to 3 private IP

Hi

 

I guess it is impossible to redirect a single public IP to three private IPs with only one service. It is not logical.

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Visitor
JenPulsifer
Posts: 2
Registered: ‎09-15-2008

Re: port forwarding; one public ip mapped to 3 private IP

Hello,

It is possible to map one single public IP (58.67.100.1 in your case) to multiple internal IPs (192.168.1.231, .232, and .233) on one service port using a method of policy-based address translation called Destination-based NAT with IP address shifting.  I've written these examples based on ScreenOS 6.0+.  

 

The configuration method is as follows:

1) Configure an address book entry for the public address and associate the entry with the zone where your internal address block resides. For example, if your internal addresses in the 192.168.1.x range reside in a zone called "Internal", you'd create an address book entry as follows:

ssg5 -> set address zone addressname address/mask

ssg5 -> set address Internal PublicIP 58.67.100.1

2) Configure route and reachability

In order for the firewall to examine policy, a route must be present (and associated with the Internal zone) for the pre-translation address. You have two choices to configure reachability: either set up a secondary IP on one of the interfaces in the Internal zone or configure a static route. Here are the two configuration options:

ssg5 -> set interface name ip address/mask secondary

ssg5 -> set interface e0/0 ip 58.67.100.1/32 secondary

--OR--

ssg5 -> set route network/mask int outbound-interface

ssg5 -> set route 58.67.100.1/32 int e0/1

*Note: you must use a secondary interface, not an extended interface. Extended interface IP information is not added to the routing table. Also, if you decide to use a static route, you do not include a gateway as you would with a static route that is used to actually forward traffic. This route is not used to forward traffic; it's only used in the packet flow decision-making process.

3) Configure the policy from the WebUI. Browse to Policies > Edit. Configure the policy from your untrusted or external zone, where the traffic will originate, to the Internal zone. Configure the source address as the IPs that will be accessing this service (could be "any" if you don't know). Configure the destination address as the IP you configured in step 1, that is, the address book entry for the Public IP that is associated with the private or internal zone. On the Advanced tab, under the NAT window, check the box for "Destination Translation" and select the radio button for "Translate to IP Range". This is where you fill in the three IPs that the public IP will translate to. I also recommend enabling logging, so that when translation is occurring, you can witness the translation in the policy logs. Note that you are not required to specify the service as part of the policy configuration. If you leave it set to "any", that means any service will be translated to those three IPs. You can set it to FTP to restrict access to that port only.

 

This is the recommended Juniper solution that is provided in the Configuring Juniper Firewalls and VPN course, chapter 8, Address Translation. There is also a discussion of this solution in the O'Reilly book "ScreenOS Cookbook", pages 249-250.

 

Please let me know if you have any additional questions or concerns.  I hope this helps!

 

 

Jen Pulsifer
jenhartz@gmail.com
Juniper Networks Certified Instructor
JNCIA-FWV
JNCIA-IDP
JNCIS-M
Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008

Re: port forwarding; one public ip mapped to 3 private IP

Hi,

 

Nat-Dst won't work for a single IP to multiple IPs for the same port. The firewall has no way of knowing which device to send the traffic to, because normally it would use the ports to make the decision. Nat-Dst with IP shifting doesn't work in the way described above. It works by using a public range and an internal range, not a single address to a range.

For example:

set policy id 9 from "Untrust" to "Untrust"  "Any" "1.1.2.28/32" "ICMP-ANY" nat dst ip 10.2.2.4 10.2.2.5 permit

Even though I have multiple addresses in the destination, the firewall will only listen on 1.1.2.28 and only send to the first IP address in the range, 10.2.2.4. Traffic will not go to any other addresses in the range, as there are no more free addresses on the public side.

set policy id 9 from "Untrust" to "Untrust"  "Any" "1.1.2.28/30" "ICMP-ANY" nat dst ip 10.2.2.4 10.2.2.5 permit

In this policy IP shifting will work, but it maps one public IP to one internal IP:

1.1.2.28 ----> 10.2.2.4

1.1.2.29 ----> 10.2.2.5

The NetScreen firewall isn't going to be able to do what Rommel is trying to achieve. The only reason that I can think of that you would want to do this, and that any device could support this config requirement, is for load balancing, where you want to listen on 1 IP and port and load balance across 3 IPs.

I think Linksys gives the ability to do some load balancing, that's just from digging around on the net, so I guess this is what is being referred to.

Unfortunately you can't do this with the Juniper Firewall. It would be nice, but Juniper are more a top firewall that does its job really well, rather than a firewall that does a bit of everything.

Hope this helps.

 

Hope this helps.

 

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Visitor
JenPulsifer
Posts: 2
Registered: ‎09-15-2008

Re: port forwarding; one public ip mapped to 3 private IP

Hi again,

I reviewed the documentation again and AndyC is correct; my apologies for the confusion. The public IP would need to be a range of the same size as the internal range. The mapping would then "shift", or occur on a one-to-one basis. Thanks for clarifying, AndyC.

Jen Pulsifer
jenhartz@gmail.com
Juniper Networks Certified Instructor
JNCIA-FWV
JNCIA-IDP
JNCIS-M
Juniper Employee
mindwise
Posts: 8
Registered: ‎09-09-2008

Re: port forwarding; one public ip mapped to 3 private IP

Actually,

I know I may be cheating a bit, but still the claim I make is valid (albeit probably not useful in most situations).

The Juniper firewalls ARE able to forward the same port to three different hosts; the Linksys is not likely able to do this.

I am not claiming it's a useful solution per se, though.

A policy also has a source address definition, so 3 separate internal hosts published on the same port and dst-ip are easily possible with nat-dst.

 

Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008

Re: port forwarding; one public ip mapped to 3 private IP

Yep, agree with you that if you could tie down the source address, you could have 3 nat-dst policies listening on the same IP to 3 back-end servers. I was working on the idea of allowing all source IPs.

 

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
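The two points the thread settles on (AndyC: nat-dst IP shifting is a one-to-one offset between equal-sized public and internal ranges, so a /32 public address can only ever reach the first internal host; mindwise and AndyC: three nat-dst policies on the same public IP and port can still be separated by source address) can be checked with a small model of ScreenOS policy lookup. The following is an added example and not code from the thread or from Juniper: it parses the `set policy ... nat dst ip ... permit` syntax quoted above, does a top-down first-match lookup, and applies the shifting rule. The policy ids, the "Internal" zone, the source prefixes 203.0.113.10, 203.0.113.20 and 198.51.100.0/24, and the second public address 1.1.2.24 are constructed for the demo; address-book names are not modelled (source and destination are given as literal prefixes or "Any"), and what a real ScreenOS does with an internal range smaller than the public prefix is an assumption (the model returns no destination).

```python
"""Added example: model of ScreenOS policy lookup with nat-dst and IP shifting."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass, field

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: IPv4Net | None          # None stands for "Any"
    dst: IPv4Net | None
    service: str
    # [] = no translation, [a] = every match goes to a, [a, b] = IP shifting over a..b
    nat_dst: list[IPv4Addr] = field(default_factory=list)


def _addr(token: str) -> IPv4Net | None:
    """Policy address fields: "Any" or a literal prefix (address-book names are not modelled)."""
    return None if token.lower() == "any" else ipaddress.ip_network(token, strict=False)


def parse_policy(line: str) -> Policy:
    """Parse: set policy id N from "Z1" to "Z2" "SRC" "DST" "SVC" [nat dst ip A [B]] permit"""
    t = shlex.split(line)
    if t[:3] != ["set", "policy", "id"] or t[4] != "from" or t[6] != "to":
        raise ValueError(f"unsupported policy line: {line}")
    nat: list[IPv4Addr] = []
    rest = t[11:]
    if rest[:3] == ["nat", "dst", "ip"]:
        rest = rest[3:]
        while rest and rest[0] != "permit":
            nat.append(ipaddress.ip_address(rest.pop(0)))
    if rest != ["permit"] or len(nat) > 2:
        raise ValueError(f"unsupported policy line: {line}")
    return Policy(int(t[3]), t[5], t[7], _addr(t[8]), _addr(t[9]), t[10], nat)


def translate(policy: Policy, dst: IPv4Addr) -> IPv4Addr | None:
    """nat-dst with one address sends every match there; with two addresses it shifts:
    the offset of dst inside the policy's destination prefix is added to the start of
    the internal range.  A /32 prefix only ever yields offset 0, i.e. the first host."""
    if not policy.nat_dst:
        return dst
    if len(policy.nat_dst) == 1 or policy.dst is None:
        return policy.nat_dst[0]
    lo, hi = policy.nat_dst
    offset = int(dst) - int(policy.dst.network_address)
    if offset > int(hi) - int(lo):
        return None  # assumption: no internal host at this offset, nothing to forward to
    return ipaddress.ip_address(int(lo) + offset)


def resolve(config: str, from_zone: str, to_zone: str, src: str, dst: str, service: str):
    """Top-down first match, like the ScreenOS policy list.
    Returns (policy id, translated destination as str) or (None, None) when no policy matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in config.strip().splitlines():
        p = parse_policy(line)
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if p.src is not None and s not in p.src:
            continue
        if p.dst is not None and d not in p.dst:
            continue
        if p.service.upper() not in ("ANY", service.upper()):
            continue
        out = translate(p, d)
        return p.pid, (str(out) if out is not None else None)
    return None, None


# Constructed config for the demo.  Policy 8 is AndyC's /32 case on a second public
# address, policy 9 is his /30 shifting case; policies 10-12 are the source-keyed
# workaround for Rommel's FTP setup: one public IP, one port, three internal hosts.
CONFIG = """
set policy id 8 from "Untrust" to "Untrust" "Any" "1.1.2.24/32" "ICMP-ANY" nat dst ip 10.2.2.6 10.2.2.7 permit
set policy id 9 from "Untrust" to "Untrust" "Any" "1.1.2.28/30" "ICMP-ANY" nat dst ip 10.2.2.4 10.2.2.5 permit
set policy id 10 from "Untrust" to "Internal" "203.0.113.10/32" "58.67.100.1/32" "FTP" nat dst ip 192.168.1.231 permit
set policy id 11 from "Untrust" to "Internal" "203.0.113.20/32" "58.67.100.1/32" "FTP" nat dst ip 192.168.1.232 permit
set policy id 12 from "Untrust" to "Internal" "198.51.100.0/24" "58.67.100.1/32" "FTP" nat dst ip 192.168.1.233 permit
"""

if __name__ == "__main__":
    for zone_to, src, dst, svc in [
        ("Untrust", "5.5.5.5", "1.1.2.24", "ICMP-ANY"),      # /32: always the first host
        ("Untrust", "5.5.5.5", "1.1.2.29", "ICMP-ANY"),      # /30: shifted one-to-one
        ("Internal", "203.0.113.20", "58.67.100.1", "FTP"),  # same IP/port, second customer
        ("Internal", "192.0.2.1", "58.67.100.1", "FTP"),     # unknown source: no policy, dropped
    ]:
        print(src, "->", dst, svc, "=>", resolve(CONFIG, "Untrust", zone_to, src, dst, svc))
```

The last lookup is the catch AndyC raises: a source that is not in any of the three policies simply has no policy to match, so the "three hosts behind one IP and port" trick only works when the client population can be partitioned by source prefix. On a real box the source and destination fields would normally be address-book entries (`set address Untrust ...`), and the public address still needs the reachability route or secondary IP described earlier in the thread.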