VIP and destination NAT are both used for destination NATing, with the facility of port translation as well.
With VIP, NATing takes place before the route and policy lookup, but destination NAT is associated with a policy, so with destination NAT, NATing takes place after the route and policy lookup; another route lookup and policy lookup then take place after NATing (which you have to take care of).
When you have only one public IP and you want that IP to be translated to the private IP of a web server (port 80), email server (port 25), etc., meaning you want port translation as well, then you make a separate VIP for each translation. With destination NAT you make a separate policy for each translation.
Thanks for your explanation. I am planning to appear for JNCIA-FW and then JNCIS-FW. For this I need to discuss some issues. Can you give me your MSN ID so that I can take help whenever required? Thanks
Like Kashif indicated, VIPs and NAT-DST are basically two different ways to accomplish the same thing -- destination network address and destination port translation.
VIPs came out in the early versions of ScreenOS. NAT-DST is the newer implementation that was introduced in ScreenOS 5.0 and is done as policy-based NAT. Juniper's general guidance is with policy-based NAT.
Resources related to your question are listed below.
1. The ScreenOS Cookbook includes recipes with VIP and NAT-DST configurations. Here are some explanations of the terms:
P.232 of the ScreenOS Cookbook:
A VIP is a port destination translation on the ingress interface. It is one way to perform “port forwarding” in ScreenOS. It is more or less the reverse of a DIP, with the exception that VIP translations are always static, whereas DIPs are commonly dynamic. Static means that IP Address A or Port A is always translated to IP Address B or Port B. In a dynamic translation, the target translation is chosen from a range of values. A VIP can translate both the IP address and the port. The most common use for a VIP is to map several DMZ intranet servers to a single public IP address on very small firewalls.
We already discussed that policy NAT-SRC is a synonym for DIP. On the other hand, policy NAT-DST was thought to be the successor to MIPs and VIPs. In contrast to a MIP, policy NAT-DST is unidirectional. Therefore, policy NAT-DST is more often used to replace a VIP than a MIP. Policy NAT-DST does address and port translation.
The original way to configure this was via a VIP. The new way to configure this is with policy NAT-DST. This example assumes that the public IPs are in the same network with the IP of the ingress interface, which is a requirement for a VIP but not for policy NAT-DST, as previously mentioned. VIPs come with many caveats. The most important is that VIPs before ScreenOS 6.1 can exist only on interfaces in the Untrust zone and must be in the same network with that interface. Policy NAT-DST offers much greater flexibility. But what a VIP can do and policy NAT-DST cannot do is to use the firewall’s own public IP address for translation.
“Introduction to NAT-Dst” on page 28
“Packet Flow for NAT-Dst” on page 29
“Routing for NAT-Dst” on page 32
“NAT-Dst—One-to-One Mapping” on page 35
“Translating from One Address to Multiple Addresses” on page 38
“NAT-Dst—Many-to-One Mapping” on page 41
“NAT-Dst—Many-to-Many Mapping” on page 44
“NAT-Dst with Port Mapping” on page 47
“NAT-Src and NAT-Dst in the Same Policy” on page 50
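The two designs discussed above, a VIP and a policy-based NAT-DST forwarding the same services, written out as an added ScreenOS CLI example; it is not taken from the Cookbook or from any poster's configuration. It assumes ethernet0/0 is in the Untrust zone (static or DHCP address), ethernet0/1 is in the Trust zone with a web server at 10.1.1.10 and a mail server at 10.1.1.20, the spare public addresses 203.0.113.50/51 are routed to the firewall by the ISP, and the VIP address-book name "VIP::1" follows the 6.x convention seen in the SSG5 config later in this thread (older releases name it "VIP(ethernet0/0)").

```screenos
# === Option A: VIP (the classic ScreenOS port forward) ===
# Translation happens on the ingress interface before the route/policy lookup.
# "interface-ip" binds the VIP to whatever address ethernet0/0 currently has,
# which is what makes it usable when the Untrust address comes from DHCP.
set interface ethernet0/0 vip interface-ip 80 "HTTP" 10.1.1.10
# Every extra public port is its own VIP entry (one per translation, 64 max).
set interface ethernet0/0 vip interface-ip 25 "SMTP" 10.1.1.20
# The VIP shows up in the Untrust address book as a VIP object; the policy
# only permits traffic to it. Keep the service list to exactly the forwarded ports.
set policy from "Untrust" to "Trust" "Any" "VIP::1" "HTTP" permit
set policy from "Untrust" to "Trust" "Any" "VIP::1" "SMTP" permit

# === Option B: policy-based NAT-DST (ScreenOS 5.0 and later) ===
# Translation is a property of the policy, so it runs after the route and
# policy lookup on the ORIGINAL destination. The firewall therefore needs a
# route for the untranslated public address that points into the Trust zone;
# without it the packet is routed back toward Untrust and this policy never matches.
set address "Untrust" "Pub-Web" 203.0.113.50 255.255.255.255
set route 203.0.113.50/32 interface ethernet0/1
# Address and port translation in one policy: 203.0.113.50:80 -> 10.1.1.10:8080.
set policy from "Untrust" to "Trust" "Any" "Pub-Web" "HTTP" nat dst ip 10.1.1.10 port 8080 permit
# A second translation is simply a second policy; no interface-level object is needed.
set address "Untrust" "Pub-Mail" 203.0.113.51 255.255.255.255
set route 203.0.113.51/32 interface ethernet0/1
set policy from "Untrust" to "Trust" "Any" "Pub-Mail" "SMTP" nat dst ip 10.1.1.20 permit

# Check either design: the inbound policies should list only the intended
# services, and live sessions should show the translated private destination.
get policy from "Untrust" to "Trust"
get session dst-ip 10.1.1.10
```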
Athar - I am studying to take my JNCIA, JNCIS for firewalls also. Pentin mentioned the ScreenOS Cookbook - I would highly recommend you get hold of it. It is a great resource for understanding the capabilities of the firewalls. It is published by O'Reilly and you can get it from any major bookseller. Another good resource is the "Juniper Networks Netscreen and SSG Firewalls" manual from Syngress.
In the "for what it's worth" department, I found that you NEED to use VIP if you have a typical home cable/dsl setup with a DHCP delivered IP address on the untrust interface. Only VIP can allow you to map the dynamic untrust interface IP and port to trusted servers and ports. You are limited to 64 of these.
Also note that in newer SOS versions there's a CLI command that allows multiple ports. Can't remember the syntax, but you run it from command line and create the VIP rule with the lowest port number first.
I also found that for SIP based VOIP (using Callvantage), I only needed to have the SIP ports (5060-5061), the port used for software upgrades (5620), and 5 RTP ports in the 10000 range.
Here's code on SSG5:
# Custom UDP service covering the SIP signalling ports, the upgrade port and the RTP range
set service "CallVantage" protocol udp src-port 0-65535 dst-port 5060-5061
set service "CallVantage" + udp src-port 0-65535 dst-port 5620-5620
set service "CallVantage" + udp src-port 0-65535 dst-port 10000-10005
set service "CallVantage" timeout 30
set address "Trust" "Home-IP-Phone" 10.251.131.221 255.255.255.0
set interface ethernet0/0 route
set interface bgroup0 route
set interface ethernet0/0 bandwidth egress mbw 254
# VIP on the DHCP-assigned untrust interface address: public UDP/5060 forwarded to the phone
set interface untrust vip untrust 5060 "CallVantage" 10.251.131.221
# Reserved DHCP lease so the phone always gets the address the VIP points at (MAC redacted)
set interface trust dhcp server ip 10.251.131.221 mac xxxx xxxx xxxx
# Assuming the upload/egress speed is measured at 254 kbps to a close internet test site.
set policy from "Untrust" to "Trust" "Any" "VIP::1" "CallVantage" permit traffic priority 2 mbw 240 application "IGNORE"
set policy from "Trust" to "Untrust" "Home-IP-Phone" "Any" "CallVantage" nat permit traffic priority 2 mbw 240 application "IGNORE"
set policy from "Trust" to "Untrust" any any any nat permit traffic priority 7 mbw 240