ScreenOS Firewalls (NOT SRX)

Problem achieving bidirectional translation with MIP!

‎01-06-2009 04:54 AM

Hello Forum!

Excuse me if my question is a repeat, but the matter is that I have been following instructions from similar topics from this forum, but no success yet!

I have an SSG-350M (6.0.0.r4). On the Untrust interface it is having address (Default Gateway= All the range is available for MIP or DIP. On the Trust interface the IP is I have a server whose IP=, and I want to map it to, so that when this server accesses the Internet (traffic from Server/Trust to any/Untrust) it will use that address. Also I want any service request to from any/Untrust be forwarded to the On the Untrust interface I created a new MIP ( and Host= mask=32. In policies I permit traffic from Server/Trust to any/Untrust. Also I added a second policy to permit any/Untrust towards MIP( any/service. When I use the server to access the site, I will get means it works fine in this direction. But when I try to connect to the server using Remote Desktop (RDP) from another Internet connection (I try to connect to nothing happens! I tried to ping, also no success! While from my LAN PC ( I can ping that server ( and I can connect to it using RDP!! What could be wrong? Can it be a firmware issue?

Many Thanks in advance for your support!



Re: Problem achieving bidirectional translation with MIP!

‎01-06-2009 07:19 AM



Is your MIP working for any other addresses?


If not you could check you have the IP addresses the right way around.






Re: Problem achieving bidirectional translation with MIP!

‎01-06-2009 10:06 AM



If all else fails, I would debug the traffic to see what the firewall is doing with it. Try the following. If you need help reading the "db str", post the results. Good luck.


1.  From Firewall:

set ff dst-ip

set ff dst-ip

debug flow basic

clear db


2.  From Test PC:

test from Untrust (e.g. try to RDP)


3.  From Firewall:

undebug all

get db str


4.  Review the stream.  You should see the traffic arrive, route look-up, policy check, and forwarded.





John Judge

Accepted by topic author Mohamed-Abdulla
‎08-26-2015 01:27 AM

Re: Problem achieving bidirectional translation with MIP!

‎01-07-2009 11:21 PM

Thank you All!


I did as told, but nothing strange was found in the captured data! I made a visit to the site, and I found that the customer is placing a Cyberoam Firewall in Transparent Bridging Mode, between the 192.168.1.x segment and the Juniper LAN. They are using the Cyberoam to control bandwidth. The Cyberoam administrator added a rule to allow traffic inbound towards the server and now everything is working fine!


Many Thanks for your support!


Mohamed Abdulla