ScreenOS Firewalls (NOT SRX)

troubles with NAT

02-24-2012 06:43 AM
Everyone, I am working on an SSG-550M firewall running ScreenOS 6.2 and I am trying to set up some methods to translate 3 IP addresses from private to public, then back again. I have two interfaces that this traffic comes through, so I set up a redundant group to group the two together. This would be rather easy if I did not need a one-to-one relationship between a private IP address and a public IP address (trust to untrust). I have used shift DIPs to successfully get the traffic out with no problems; NAT was good. My biggest problem is getting the traffic back in with NAT changing the IP addresses back to what they were on the trust side. I have been trying to work with MIP, but it does not work at all like the many guides say. First off, after successfully creating a MIP on a group, I can't get a policy to leverage the MIP because it says that it is undefined. It also does not like me using a CIDR within the policy to call out the MIP, which is something I need in order to do a multiple-address translation. Finally, I set up DST NAT changes and that works for one, but it may be pulling from the DIP because it takes the form of any of the trusted IP addresses. Any thoughts?

Re: troubles with NAT

02-27-2012 05:24 PM

I don't fully follow your description of the setup. I'm not sure how the redundant pair is working with the addresses.

But MIP is the tool you are looking for. This is bi-directional translation. And it does use CIDR to bulk translate ranges. Be sure to use the first active address and not the subnet address when you create them.

For example

The MIP is created on the interface where the traffic is translated. So in this case I guess your redundant interface would be the one.

The policy then uses the MIP as the source or destination as you desire and sets up the services and applications assigned. You will not be using any policy translation features or DIP at all.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
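A worked ScreenOS CLI configuration for the setup the reply describes (three hosts, MIP on the redundant interface, MIP used as the policy destination, no DIP), added here as an illustration. It is not from either post and is not Juniper's own example. The interface name redundant1, the zone names, the public range 192.0.2.0/24 (a documentation range) and the private range 10.1.1.0/24, and the HTTP service are assumptions; the commented block-MIP line follows the "first active address, not the subnet address" advice in the reply and should be checked against the CLI reference for the running ScreenOS release.

```text
# Added example, not from the original thread. Interface, zone and address
# values are assumptions; 192.0.2.0/24 is a documentation range.

# 1. One MIP per host, defined on the interface where the translation happens
#    (the redundant interface, since both physical links feed it).
set interface redundant1 mip 192.0.2.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
set interface redundant1 mip 192.0.2.11 host 10.1.1.11 netmask 255.255.255.255 vr trust-vr
set interface redundant1 mip 192.0.2.12 host 10.1.1.12 netmask 255.255.255.255 vr trust-vr

# 2. Alternative: one MIP covering a /29 on each side. Per the reply, give the
#    first active address of each block and the block mask, not the subnet
#    address (192.0.2.9 <-> 10.1.1.9 ... 192.0.2.14 <-> 10.1.1.14).
#    Assumed syntax; verify against the CLI reference before relying on it.
# set interface redundant1 mip 192.0.2.9 host 10.1.1.9 netmask 255.255.255.248 vr trust-vr

# 3. Inbound policy: the auto-created MIP(...) address entry is the
#    destination. No DIP and no policy-level NAT keyword.
set policy from untrust to trust any "MIP(192.0.2.10)" http permit
set policy from untrust to trust any "MIP(192.0.2.11)" http permit
set policy from untrust to trust any "MIP(192.0.2.12)" http permit

# 4. Outbound policy: plain trust-to-untrust permit. Because a MIP is
#    bi-directional, traffic sourced by the mapped host leaves with its MIP
#    address, so the shift DIP from the first post is not needed for these hosts.
set address trust host10 10.1.1.10/32
set address trust host11 10.1.1.11/32
set address trust host12 10.1.1.12/32
set policy from trust to untrust host10 any any permit
set policy from trust to untrust host11 any any permit
set policy from trust to untrust host12 any any permit

# 5. Check the mapping after committing:
get mip
get policy
```

Two things worth checking against the "undefined" error in the first post: the policy must name the address entry exactly as the firewall generated it when the MIP was created (shown by `get mip`), and the MIP must exist on the same interface that the traffic actually arrives on, which with a redundant group is the redundant interface rather than either member port.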