ScreenOS Firewalls (NOT SRX)

SSG 5 on DHCP with MIP Policies from Untrust to Trust

‎05-11-2012 01:46 PM

Hi all. I've been reading through the forums for a few days and received a lot of help that way, but now I'm stuck. I have an SSG 5 (non-wireless) that protects a mobile network in the back of a TV van. Occasionally, we can hook up to an outside connection through the untrusted port on the firewall to pass information through a peer-to-peer messaging service. The outside networks aren't always the same and are usually serving DHCP to assign us a WAN address. So I have a few questions and I'll try to break it up.

1) I have a computer with a static IP on the LAN that I would like to map to an outside IP. How can I do that when the WAN is assigned through DHCP? It's only one IP so I guess I could always map the SSG 5's WAN IP to it, but I'm still unsure of how to do this with DHCP.

2) On a static trial network, I mapped the WAN IP 200.200.200.25 to the LAN IP 192.168.1.25. I then have another device on the WAN with IP 200.200.200.64. I assigned policies from the MIP (untrusted) to Trusted to allow PING and a few other services to pass through. I also permitted all services from Trust to Untrust. 25 can ping 64, but 64 cannot ping 200.200.200.25. Any idea why?

3) A similar situation to question 2: using the peer-to-peer messaging service allows messages to go from 25 to 64 (LAN to WAN) but not vice versa. Is a MIP the way to go or should I be using a VIP instead? Thanks in advance.

Re: SSG 5 on DHCP with MIP Policies from Untrust to Trust

‎05-11-2012 02:22 PM
Re: SSG 5 on DHCP with MIP Policies from Untrust to Trust

‎05-11-2012 03:40 PM

Redefined my problems:

1) Not sure how to set MIP to Untrust IP if it is DHCP statically assigned. Web interface doesn't have an option for it.

2) Ping works fine. I had a configuration error.

3) Client messaging will handshake, but then messages only go from Trust to Untrust. I have a policy in place similar to that on page 66 of Volume 8: Address Translation and even tried service: ANY to no avail. Any ideas?

Re: SSG 5 on DHCP with MIP Policies from Untrust to Trust

‎05-12-2012 03:28 AM
The MIP is a full mapping of an IP address to the internal one. You cannot really use this for the shared interface address. Instead you can use the VIP on the interface to forward the ports needed by your application. And this will give you an option to just be the same as the interface without needing to specify the address in advance.
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
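The MIP-versus-VIP distinction in this reply, as an added ScreenOS CLI example that is not from the post, from Juniper's documentation, or from the thread's own configuration. The interface name ethernet0/0 (the SSG 5 untrust port), the service name P2P-Msg, the address object Peer-64 and TCP port 5000 are assumptions or placeholders; the addresses 200.200.200.25, 200.200.200.64 and 192.168.1.25 come from the original question. Lines starting with `#` are annotations, not ScreenOS syntax, and must be dropped before pasting into the CLI.

```text
# --- Static trial network (question 2): a MIP is a one-to-one mapping of a
# public address to an internal host, so it needs a public address that is
# known in advance. Inbound policies name the MIP, not the LAN host.
set interface ethernet0/0 mip 200.200.200.25 host 192.168.1.25 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(200.200.200.25) ping permit log

# --- DHCP-assigned WAN (questions 1 and 3): the untrust interface learns its
# address from the outside network, so bind a VIP to "interface-ip" and
# forward only the application's port(s). No public address is typed in.
set interface ethernet0/0 dhcp client enable

# Custom service for the messaging application. TCP 5000 is a placeholder
# (the real port is not given in the thread); substitute the port the
# application listens on.
set service "P2P-Msg" protocol tcp src-port 0-65535 dst-port 5000-5000

# Bind the VIP to whatever address ethernet0/0 currently holds and forward
# the service to the fixed LAN host.
set interface ethernet0/0 vip interface-ip 5000 "P2P-Msg" 192.168.1.25

# Inbound policy: the destination is the VIP, not 192.168.1.25. Logging it
# records every outside connection the forward accepts.
set policy from untrust to trust any vip(ethernet0/0) "P2P-Msg" permit log

# Outbound traffic from the LAN host to the peer uses the interface's normal
# source NAT; neither MIP nor VIP is involved in that direction.
set policy from trust to untrust any any any permit

# When the peer's public address is known (200.200.200.64 on the trial
# network), narrow the inbound policy to that source instead of "any" so the
# forwarded port is not reachable from the whole outside network.
set address untrust "Peer-64" 200.200.200.64 255.255.255.255
set policy from untrust to trust "Peer-64" vip(ethernet0/0) "P2P-Msg" permit log

# Verify: the VIP table shows the bound address and port mappings, and the
# session table shows whether inbound connections are translated to the host.
get vip
get session
```

The VIP forwards a port, not a whole address, so the inbound policy must list the same service that the VIP entry maps; a policy with service ANY does not widen a VIP that only maps one port. Keep the source narrowed to the peer whenever its address is stable, and keep logging on the inbound policy so connections from unexpected outside networks show up in the traffic log.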