09-12-2008 12:44 AM - edited 09-12-2008 12:56 AM
is it possible?
for example i have 188.8.131.52 it will be mapped to 192.168.1.231, 192.168.1.232, 192.168.1.233
only one service port; port 21 (FTP)
if there is an existing thread, please lead me the way.
Thanks for the help,
09-12-2008 01:46 AM
u can map one sigle publice IP to three private IP addresses but for three different service port using VIP. But u cannt do to map single public IP to three private IP addresses for single serive port.
Hope this helps
09-12-2008 02:24 AM - edited 09-12-2008 02:26 AM
i need to tell this to our customer and he's comparing it to linksys which is capable forwarding a port to 3 private IPs
09-12-2008 03:09 AM
i guess it is impossible to redirect single public IP to three private IP with only one service. It is not logical.
09-16-2008 11:02 AM
It is possible to map one single public IP (184.108.40.206 in your case) to multiple internal IPs (192.168.1.231, .232, and .233) on one service port using a method of policy-based address translation called Destination-based NAT with IP address shifting. I've written these examples based on ScreenOS 6.0+.
The configuration method is as follows:
1) Configure an address book entry for the public address and associate the entry with the zone where your internal address block resides. For example, if your internal addresses in the 192.168.1.x range reside in a zone called "Internal", you'd create an address book entry as follows:
ssg5 -> set address zone addressname address/mask
ssg5 -> set address Internal PublicIP 220.127.116.11
2) Configure route and reachability
In order for the firewall to examine policy, a route must be present (and associated with the Internal zone) for the pretranslation address. You have two choices to configure reachability... either set up a secondary IP on one of the interfaces in the Internal zone or configure a static route. Here are the two configuration options:
ssg5-> set interface name ip address/mask secondary
ssg5 -> set interface e0/0 ip 18.104.22.168/32 secondary
ssg5 -> set route network/mask int outbound-interface
ssg5 -> set route 22.214.171.124/32 int e0/1
*note- you must use a secondary interface, not an extended interface. Extended interface IP information is not added to the routing table. Also, if you decide to use a static route, you do not include a gateway as you would with a static route that is used to actually forward traffic. This route is not used to forward traffic- it's only used in the packet flow decision making process.
3) Configure the policy from the WebUI. Browse to Policies > Edit. Configure the policy from your untrusted or external zone where the traffic will originate to the Internal zone. Configure the source address as the IPs that will be accesssing this service (could be "any" if you don't know). Configure the destination address as the IP you configured in step 1... that is, the address book entry for the Public IP that is associated with the private or internal zone. On the Advanced tab, under the NAT window, check the box for " Destination Translation" and select the radio button for "Translate to IP Range". This is where you fill in the three IPs that the public IP will translate to. I also recommend enabling logging, so that when translation is occuring, you can witness the translation in the policy logs. Note that you are not required to specify the service as part of the policy configuration. If you leave it set to "any", that means any service will be translated to those three IPs. You can set it to FTP to restrict access to that port only.
This is the recommended Juniper solution that is provided in the Configuring Juniper Firewalls and VPN course, chapter 8 Address Translation. There is also a discussion of this solution in the O"Reilly book, "ScreenOS Cookbook" pages 249-250.
Please let me know if you have any additional questions or concerns. I hope this helps!
09-16-2008 01:23 PM
Nat-Dst wont work for a single 1 to multiple IPs for the same port. The firewall has no way of knowing which device to send the traffic to because normally it would use the ports to make the decision. Nat-Dst with IP shifting doesnt work in the way described above. I works by using a public range and an internal range and not a single address to a range.
set policy id 9 from "Untrust" to "Untrust" "Any" "126.96.36.199/32" "ICMP-ANY" nat dst ip 10.2.2.4 10.2.2.5 permit
Even tough I have multiple addresses in the destinaiton, the firewall will only listen on 188.8.131.52 and only send to the first IP address in the range 10.2.2.4. Traffic will not go to any other addresses in the range as there are no more free addresses on the public side.
set policy id 9 from "Untrust" to "Untrust" "Any" "184.108.40.206/30" "ICMP-ANY" nat dst ip 10.2.2.4 10.2.2.5 permit
In this policy IP shifting will work but maps one public ip to one internal ip.
220.127.116.11 ----> 10.2.2.4
18.104.22.168 ----> 10.2.2.5
The netscreen firewall isnt going to be able to do what Rommel is trying to achiev. The only reason that I can think of that you would want to do this and that any deivce could support this config requirement is for load balancing. Where you want to listen on 1 IP and port and load balance across 3 IPs.
I think Linksys gives the ability to do some load balancing, thats just from digging around on the net, so I guess this is what is being refered to.
Unfortunately you cant do this with the Juniper Firewall, would be nice but Juniper are more a top firewall that does its job really well, rather that a firewall that does a bit of everything.
Hope this helps.
09-16-2008 01:50 PM
I reviewed the documentation again and AndyC is correct- my apologies for the confusion. The public IP would need to be a range of the same size as the internal range. The mapping would then "shift", or occur on a one-to-one basis. Thanks for clarifying, AndyC.
09-19-2008 03:10 AM
I know i may be cheating a bit, but still the claim i make is valid (albeit probably not usefull in most situations)
The Juniper firewalls ARE able to forward the same port to three different hosts, the linksys is not likely able to do this
i am not claiming it's a useful solution per-se though
a policy also a has a source address definition, so 3 separate internal hosts pblished on the same port and dst-ip are easily possible with nat-dst.
09-19-2008 02:48 PM