ScreenOS Firewalls (NOT SRX)

SSG VIP/NAT issue?

‎12-06-2013 07:10 AM

I have an SSG I am having an issue creating a VIP on. The SSG has an external interface (sanitized for this post) at 10.100.220.221.

I created a VIP using an extra address I have at 10.100.220.223. I created a rule to allow the traffic, and the VIP:

myssg-> get config | in 223
set interface ethernet0/0 vip 10.100.220.223 22 "SSH" 10.16.74.5
set address "Trust" "10.100.220.223/32" 10.100.220.223 255.255.255.255
set policy id 52 from "Untrust" to "Trust"  "Any" "10.100.220.223/32" "ANY" nat src dst ip 10.20.30.5 port 22 permit log
set route 10.100.220.223/32 vrouter "untrust-vr" preference 20 metric 1

The SSG can ping the 10.20.30.5 device just fine; however, I cannot SSH or SFTP anything from the outside world (untrust) and have it forward to the internal side.

eth0/0 (10.100.220.221) is using NAT (set interface ethernet0/0 nat)

So I'm brainfarted on this one.


Re: SSG VIP/NAT issue?

‎12-06-2013 11:38 PM

Hi,

Please follow the link.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12652&actp=search&viewlocale=en_US

The policy seems to be incorrect. When you create a VIP, there will be an object created; use the VIP object.

Let me know if you still have any issue.

Thanks & regards,

Venkat
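
As an added example (not part of the thread and not Juniper code), this Python check runs over the configuration lines quoted in the question and flags a policy whose destination is a plain address entry for an IP that is also defined as a VIP, which is the mistake the reply points out. The regular expressions for the `set` line layout and the `VIP(...)` object naming mentioned in the comment are assumptions drawn from the lines shown in the post.

```python
import re

# Constructed sample: the configuration lines quoted in the question.
SAMPLE_CONFIG = """\
set interface ethernet0/0 vip 10.100.220.223 22 "SSH" 10.16.74.5
set address "Trust" "10.100.220.223/32" 10.100.220.223 255.255.255.255
set policy id 52 from "Untrust" to "Trust"  "Any" "10.100.220.223/32" "ANY" nat src dst ip 10.20.30.5 port 22 permit log
set route 10.100.220.223/32 vrouter "untrust-vr" preference 20 metric 1
"""

# Assumed line layouts, taken from the lines in the post.
VIP_RE = re.compile(r'^set interface (\S+) vip (\S+) (\d+) "([^"]+)" (\S+)')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"(.*)$')
DST_NAT_RE = re.compile(r"\bdst ip (\S+)")


def audit_vip_policies(config):
    """Return (policy_id, finding) pairs for policies aimed at a VIP address."""
    vips, policies = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := VIP_RE.match(line):
            _iface, vip_ip, port, service, host = m.groups()
            vips[vip_ip] = (int(port), service, host)
        elif m := POLICY_RE.match(line):
            policies.append(m.groups())

    findings = []
    for pid, _src_zone, _dst_zone, _src, dst, service, rest in policies:
        vip_ip = dst.split("/")[0]
        if vip_ip not in vips:  # also skips policies that already use VIP(...)
            continue
        _port, vip_service, host = vips[vip_ip]
        findings.append((int(pid), f"destination {dst} is an address entry, not the VIP object"))
        nat = DST_NAT_RE.search(rest)
        if nat and nat.group(1) != host:
            findings.append((int(pid), f"dst NAT to {nat.group(1)} but VIP maps to {host}"))
        if service.upper() != vip_service.upper():
            findings.append((int(pid), f"service {service} differs from VIP service {vip_service}"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit_vip_policies(SAMPLE_CONFIG):
        print(f"policy {pid}: {finding}")
```
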