ScreenOS Firewalls (NOT SRX)
Visitor
netguy5440
Posts: 5
Registered: ‎02-24-2012

troubles with NAT

Everyone, I am working on an SSG-550M firewall running ScreenOS 6.2 and I am trying to set up some method to translate 3 IP addresses from private to public, then back again. I have two interfaces that this traffic comes through, so I set up a redundant group to group the two together. This would be rather easy if I did not need a one-to-one relationship between a private IP address and a public IP address (trust to untrust). I have used shift DIPs to successfully get the traffic out with no problems; NAT was good.

My biggest problem is getting the traffic back in with NAT changing the IP addresses back to what they were on the trust side. I have been trying to work with MIP, but it does not work at all like the many guides say. First off, after successfully creating a MIP on a group, I can't get a policy to leverage the MIP because it says that it is undefined. It also does not like me using a CIDR within the policy to call out the MIP, which is something I need in order to do a multiple-address translation. Finally, I set up DST NAT changes and that works for one, but it may be pulling from the DIP because it takes the form of any of the trusted IP addresses. Any thoughts?
Distinguished Expert
spuluka
Posts: 2,602
Registered: ‎03-30-2009

Re: troubles with NAT

I don't fully follow your description of the setup. I'm not sure how the redundant pair is working with the addresses.


But MIP is the tool you are looking for.  This is bi-directional translation.  And it does use CIDR to bulk translate ranges.  Be sure to use the first active address and not the subnet address when you create them.


For example:

1.1.1.1/24
192.168.1.1/24

The MIP is created on the interface where the traffic is translated.  So in this case I guess your redundant interface would be the one.


The policy then uses the MIP as the source or destination as you desire and sets up the services and applications assigned.  You will not be using any policy translation features or DIP at all.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
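An added ScreenOS CLI example of the MIP approach described in the reply above (this is not configuration posted by either participant). Interface names and addresses are assumptions: redundant1 in the untrust zone with members ethernet0/2 and ethernet0/3, an ISP link address of 203.0.113.2/30, the public block 1.1.1.0/24 routed to it, and servers in 192.168.1.0/24, mirroring the 1.1.1.1/24 to 192.168.1.1/24 pair in the reply. The one ScreenOS detail the example relies on beyond the thread is that a MIP address object is created in the Global zone, so the inbound policy is written from untrust to global; naming the MIP in a policy whose destination zone is untrust or trust is the usual way it turns up as undefined. A narrower netmask (for example 255.255.255.248) in the mip statement limits the mapped range if only a few addresses are needed.

```text
# Added example, not from the thread. Assumed names and addresses throughout.

# Redundant interface in the untrust zone with its two physical members
set interface redundant1 zone untrust
set interface redundant1 ip 203.0.113.2/30
set interface ethernet0/2 group redundant1
set interface ethernet0/3 group redundant1

# One MIP statement maps the whole range. Use the first host address
# (1.1.1.1 -> 192.168.1.1), not the network address (1.1.1.0), and let the
# netmask carry the range. ScreenOS creates the address object
# MIP(1.1.1.1/24) in the Global zone.
set interface redundant1 mip 1.1.1.1 host 192.168.1.1 netmask 255.255.255.0 vr trust-vr

# Inbound: destination zone is global because that is where the MIP object
# lives. No DIP and no "nat dst" option on the policy.
set policy id 10 from untrust to global any "MIP(1.1.1.1/24)" HTTP permit

# Outbound: a plain permit from the real addresses. The MIP is bidirectional,
# so the source is rewritten to the matching 1.1.1.x without "nat src".
set address trust "servers-lan" 192.168.1.0 255.255.255.0
set policy id 11 from trust to untrust "servers-lan" any any permit

# Verify the mapping and the policies
get interface redundant1 mip
get policy id 10
get policy id 11
```

With this in place the shift DIP and the destination-NAT policy options from the original question are not used at all; if they remain on other policies that match the same hosts, remove them so the MIP is the only translation applied.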
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.