ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
netguy5440
Visitor
netguy5440
Posts: 5
Registered: ‎02-24-2012
0

troubles with NAT

Options

‎02-24-2012 06:43 AM

Everyone, I am working on a SSG-550M firewall running 6.2 ScreenOS and I am trying to set up some methods to translate 3 ip addresses from private to public, then back again. I have two interfaces that this traffic comes through, so I set up a redundant group to do group the two together. This would be rather easy if I did not need a one to one relationship with a private IP address to a public IP address (trust to untrust). I have used shift dips to successfully get the traffic out with no problems, NAT was good. My biggest problem is getting the traffic back in with NAT changing the IP addresses back to what they were on the trust side. I have been trying to work with MIP but it does not work at all like the many guides say. First off, after successfully creating a MIP on a group, I can't get a policy to leverage the MIP because it says that is undefined. It also does not like me using a CIDR within the policy to call out the MIP which is something I need in order to do a multiple address translation. Finally, I set up DST NAT changes and that works for one, but it may be pulling from the DIP because in takes the form of any of the trusted IP addresses. Any thoughts?
Message 1 of 2 (136 Views)
 
Reply
Distinguished Expert
Distinguished Expert
spuluka
Posts: 1,612
Registered: ‎03-30-2009
0

Re: troubles with NAT

Options

‎02-27-2012 05:24 PM

I don't fully follow your description of the setup.  I'm not sure how the redundant pair is working with the addresses.

 

But MIP is the tool you are looking for.  This is bi-directional translation.  And it does use CIDR to bulk translate ranges.  Be sure to use the first active address and not the subnet address when you create them.

 

For example

1.1.1.1/24

192.168.1.1/24

 

The MIP is created on the interface where the traffic is translated.  So in this case I guess your redundant interface would be the one.

 

The policy then uses the MIP as the source or destination as you desire and sets up the services and applications assigned.  You will not be using any policy translation features or DIP at all.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Message 2 of 2 (107 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.