ScreenOS Firewalls (NOT SRX)

VIP Configurations

06-25-2008 03:32 AM

Hi everyone

I am getting confused with VIP and NAT-DST. Can anyone help me to understand the difference between the two?

Thanks 

Regards,

Awan

Re: VIP Configurations

06-25-2008 03:51 AM

Hi,

VIP and destination NAT are both used for destination NATting, with the facility of port translation as well.

With VIP, NATting takes place before the route and policy lookup, but destination NAT is associated with a policy, so with destination NAT the NATting takes place after the route and policy lookup; another route lookup and policy lookup then take place after NATting (which you have to take care of).

When you have only one public IP and you want that IP to be translated to the private IP of a web server (port 80), email server (port 25) etc., meaning you want port translation as well, then you make a separate VIP for each translation. With destination NAT you make a separate policy for each translation.

Hope this helps you.

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP

Re: VIP Configurations

06-25-2008 04:56 AM

Dear Kashif,

Thanks for your explanation. I am planning to appear for JNCIA-FW and then JNCIS-FW. For this I need to discuss some issues. Can you give me your MSN ID so that I can take help whenever required? Thanks

Regards,

Awan

Re: VIP Configurations

06-25-2008 08:44 AM

Like Kashif indicated, VIPs and NAT-DST are basically two different ways to accomplish the same thing: destination network address and destination port translation.

VIPs came out in the early versions of ScreenOS.
NAT-DST is the newer implementation that was introduced in ScreenOS 5.0 and is done as policy-based NAT.
Juniper's general guidance is to use policy-based NAT.

Resources related to your question are listed below.

1. The ScreenOS Cookbook includes recipes with VIP and NAT-DST configurations. Here's some explanations of the terms:

P.232 of the ScreenOS Cookbook:

A VIP is a port destination translation on the ingress interface. It is one way to perform “port forwarding” in ScreenOS. It is more or less the reverse of a DIP, with the exception that VIP translations are always static, whereas DIPs are commonly dynamic. Static means that IP Address A or Port A is always translated to IP Address B or Port B. In a dynamic translation, the target translation is chosen from a range of values. A VIP can translate both the IP address and the port. The most common use for a VIP is to map several DMZ intranet servers to a single public IP address on very small firewalls.

We already discussed that policy NAT-SRC is a synonym for DIP. On the other hand, policy NAT-DST was thought to be the successor to MIPs and VIPs. In contrast to a MIP, policy NAT-DST is unidirectional. Therefore, policy NAT-DST is more often used to replace a VIP than a MIP. Policy NAT-DST does address and port translation.

"This excerpt is used by permission of the publisher, O'Reilly Media, © 2008. All rights reserved. Excerpted from ScreenOS Cookbook, by Stefan Brunner, Ken Draper, David Delcourt, Joe Kelley, Vik Drakar, & Sunil Wadhwa. ISBN: 0596510039."

P.244 of the ScreenOS Cookbook:

The original way to configure this was via a VIP. The new way to configure this is with policy NAT-DST. This example assumes that the public IPs are in the same network with the IP of the ingress interface, which is a requirement for a VIP but not for policy NAT-DST, as previously mentioned. VIPs come with many caveats. The most important is that VIPs before ScreenOS 6.1 can exist only on interfaces in the Untrust zone and must be in the same network with that interface. Policy NAT-DST offers much greater flexibility. But what a VIP can do and policy NAT-DST cannot do is to use the firewall’s own public IP address for translation.

"This excerpt is used by permission of the publisher, O'Reilly Media, © 2008. All rights reserved. Excerpted from ScreenOS Cookbook, by Stefan Brunner, Ken Draper, David Delcourt, Joe Kelley, Vik Drakar, & Sunil Wadhwa. ISBN: 0596510039."

2. Chapter 3 of the Concepts and Examples Guide - Volume 8 - Address Translation has explanations and examples:

“Introduction to NAT-Dst” on page 28
“Packet Flow for NAT-Dst” on page 29
“Routing for NAT-Dst” on page 32
“NAT-Dst—One-to-One Mapping” on page 35
“Translating from One Address to Multiple Addresses” on page 38
“NAT-Dst—Many-to-One Mapping” on page 41
“NAT-Dst—Many-to-Many Mapping” on page 44
“NAT-Dst with Port Mapping” on page 47
“NAT-Src and NAT-Dst in the Same Policy” on page 50

3. KB article on configuring NAT-DST: KB7745 - NAT Destination (NAT-DST) Configuration Guide

Regards,

Josine
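The contrast Kashif and Josine draw above (a VIP translates before the route and policy lookup and can ride on the interface's own address; policy NAT-DST is one policy per translation, translates after the lookup, and needs its own public address and route) put side by side as ScreenOS CLI. This is an added example, not configuration from any poster or from Juniper's documentation; the interface names, zones, server addresses and the second public IP are all assumed.

```screenos
# Added example (not from the thread). Assumed topology, constructed for illustration:
#   ethernet0/0 = Untrust, public IP 1.1.1.1/24
#   ethernet0/1 = Trust, web server 10.1.1.5 and mail server 10.1.1.6 behind it
# HTTP and MAIL are ScreenOS predefined services (TCP/80 and TCP/25).

# --- Option A: VIP (translation happens before route and policy lookup) ---
# One VIP entry per translation. Both use the interface's own public IP,
# which is the one thing a VIP can do and policy NAT-DST cannot.
set interface ethernet0/0 vip interface-ip 80 HTTP 10.1.1.5
set interface ethernet0/0 vip interface-ip 25 MAIL 10.1.1.6
# Policies reference the VIP address object the firewall creates (named
# "VIP::1" in this thread's 6.x-style output; confirm with: get address untrust),
# not the real server addresses.
set policy from untrust to trust any "VIP::1" HTTP permit
set policy from untrust to trust any "VIP::1" MAIL permit

# --- Option B: policy NAT-DST (translation happens after route and policy lookup) ---
# The public address must exist as an address-book entry in the Untrust zone;
# NAT-DST cannot borrow the interface IP, so a second public IP 1.1.1.10 is assumed.
set address untrust "public-svc" 1.1.1.10/32
# The route lookup runs on the UNTRANSLATED destination 1.1.1.10, so it needs a
# route that resolves into the Trust zone or the Untrust->Trust policy never matches.
# (This is the "which you have to take care of" caveat; see "Routing for NAT-Dst"
# in the Concepts and Examples guide, Volume 8.)
set route 1.1.1.10/32 interface ethernet0/1
# One policy per translation. The optional "port" keyword remaps the destination port.
set policy from untrust to trust any "public-svc" HTTP nat dst ip 10.1.1.5 permit
set policy from untrust to trust any "public-svc" MAIL nat dst ip 10.1.1.6 port 25 permit
```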


Re: VIP Configurations

06-25-2008 09:04 AM

Athar - I am studying to take my JNCIA, JNCIS for firewalls also. Pentin mentioned the ScreenOS Cookbook - I would highly recommend you get hold of it. It is a great resource for understanding the capabilities of the firewalls. It is published by O'Reilly and you can get it from any major bookseller. Another good resource is the "Juniper Networks Netscreen and SSG Firewalls" manual from Syngress.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

Re: VIP Configurations

07-17-2008 03:56 PM

In the "for what it's worth" department, I found that you NEED to use VIP if you have a typical home cable/DSL setup with a DHCP-delivered IP address on the untrust interface. Only VIP can allow you to map the dynamic untrust interface IP and port to trusted servers and ports. You are limited to 64 of these.

Also note that in newer SOS versions there's a CLI command that allows multiple ports. Can't remember the syntax, but you run it from the command line and create the VIP rule with the lowest port number first.

I also found that for SIP-based VoIP (using CallVantage), I only needed to have the SIP ports (5060-5061), the port used for software upgrades (5620), and 5 RTP ports in the 10000 range.

Here's code on SSG5:

# Custom service grouping the SIP signalling, upgrade and RTP ports
set service "CallVantage" protocol udp src-port 0-65535 dst-port 5060-5061
set service "CallVantage" + udp src-port 0-65535 dst-port 5620-5620
set service "CallVantage" + udp src-port 0-65535 dst-port 10000-10005
set service "CallVantage" timeout 30

# Address-book entry for the phone in the Trust zone
set address "Trust" "Home-IP-Phone" 10.251.131.221 255.255.255.0

set interface ethernet0/0 route
set interface bgroup0 route
set interface ethernet0/0 bandwidth egress mbw 254

# VIP on the (DHCP-assigned) untrust interface IP, plus a fixed DHCP lease for the phone
set interface untrust vip untrust 5060 "CallVantage" 10.251.131.221
set interface trust dhcp server ip 10.251.131.221 mac xxxx xxxx xxxx

# Assuming the upload/egress speed is measured at 254 kbps to a close internet test site.
set policy from "Untrust" to "Trust" "Any" "VIP::1" "CallVantage" permit traffic priority 2 mbw 240 application "IGNORE"
set policy from "Trust" to "Untrust" "Home-IP-Phone" "Any" "CallVantage" nat permit traffic priority 2 mbw 240 application "IGNORE"
set policy from "Trust" to "Untrust" any any any nat permit traffic priority 7 mbw 240

-=Dan=-