Example: Configuring Mips (Nsm Procedure) - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Example: Configuring MIPs (NSM Procedure)

Copyright © 2010, Juniper Networks, Inc.
address of the host to that of the MIP address. You can map an address-to-address or
subnet-to-subnet relationship (the netmask applies to both the mapped IP subnet and
the original IP subnet).
You can also use a MIP to handle overlapping address spaces at two sites connected by
a VPN tunnel (an overlapping address space is when the IP address ranges in two networks
are partially or completely the same).
However, devices running ScreenOS 6.1 or later remove the overlap restriction between
the MIP and the VIP.
The zone in which you configure the MIP determines the subnet from which you can
assign the MIP its IP address:
- When defining a MIP in a tunnel zone or a security zone other than Untrust, you must
  use the same subnet as a tunnel interface with an IP address and netmask, or the same
  subnet as the IP address and netmask of an interface bound to a Layer 3 (L3) security
  zone.
- When defining a MIP on an interface in the Untrust zone, you can use a different subnet
  than the Untrust zone interface IP address. However, you must add a route on the
  external router pointing to an Untrust zone interface so that incoming traffic can reach
  the MIP. You must also define a static route that associates the MIP with the interface
  that hosts it.
With devices running ScreenOS 6.1 or later, you can assign a MIP the same address as
an interface on any platform. However, you cannot use that MIP address in a DIP pool.
You can use a MIP as the destination address in rules between any two zones or in a
Global rule. For the destination zone, use either the Global zone or the zone with the
address to which the MIP points.
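The placement rules above can be checked mechanically before a MIP is pushed to a device. The following Python sketch is an added example, not part of the Juniper guide or of NSM: the dictionary layout, the check_mip name and the finding codes are hypothetical, the sample addresses are constructed, and the pre-6.1 same-address check is inferred from the wording above rather than stated by the guide.

```python
import ipaddress as ip

def check_mip(mip, iface, screenos=(5, 0), dip_pools=(), routes=()):
    """Lint one MIP against the placement rules; returns (code, message) pairs.

    mip       {"addr": ..., "netmask": ...}                  (hypothetical model)
    iface     {"name": ..., "zone": ..., "ip": "a.b.c.d/len"} interface hosting the MIP
    dip_pools [(first_addr, last_addr), ...] defined on the device
    routes    [(prefix, interface_name), ...] static routes on the device
    """
    findings = []
    ifc = ip.ip_interface(iface["ip"])
    mip_addr = ip.ip_address(mip["addr"])
    mip_net = ip.ip_network(f'{mip["addr"]}/{mip["netmask"]}', strict=False)
    same_subnet = mip_net.subnet_of(ifc.network)

    if iface["zone"].lower() != "untrust":
        # Tunnel zone or non-Untrust security zone: MIP must share the interface subnet.
        if not same_subnet:
            findings.append(("SUBNET", f"{mip_net} is outside {ifc.network}"))
    elif not same_subnet:
        # Untrust: another subnet is allowed, but a static route must tie the MIP
        # to the hosting interface (the external router's route is out of scope here).
        routed = any(name == iface["name"] and mip_net.subnet_of(ip.ip_network(p))
                     for p, name in routes)
        if not routed:
            findings.append(("ROUTE", f"no static route for {mip_net} via {iface['name']}"))

    if mip_addr == ifc.ip:
        if screenos < (6, 1):  # assumption inferred from the 6.1-or-later sentence
            findings.append(("SAME_ADDR", "MIP equals interface address before 6.1"))
        if any(ip.ip_address(a) <= mip_addr <= ip.ip_address(b) for a, b in dip_pools):
            findings.append(("DIP", f"{mip_addr} is also inside a DIP pool"))
    return findings

# Constructed sample data (documentation address ranges, not from the guide).
UNTRUST = {"name": "ethernet3", "zone": "Untrust", "ip": "192.0.2.1/24"}
TRUST = {"name": "ethernet1", "zone": "Trust", "ip": "10.1.1.1/24"}
HOST32 = "255.255.255.255"

if __name__ == "__main__":
    print(check_mip({"addr": "10.1.2.5", "netmask": HOST32}, TRUST))
    print(check_mip({"addr": "198.51.100.5", "netmask": HOST32}, UNTRUST))
```

An empty list means the MIP passed every rule the sketch encodes; the route on the external router still has to be confirmed separately.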
Related Documentation
- Interface Network Address Translation Methods
- Example: Configuring MIPs (NSM Procedure)
- Interface Network Address Translation Using VIPs
In this example, you create a MIP to handle inbound traffic to your Web server. After
configuring the MIP, you create a Global MIP to represent the MIP you created for the
device, and then use the Global MIP object in a Security Policy rule that permits HTTP
traffic from any address in the Untrust zone to the MIP—and to the host with the address
to which the MIP points—in the Trust zone. All security zones are in the trust-vr routing
domain.
To configure a MIP:
1. Add a NetScreen-50 security device. Choose Model when adding the device and
   configure the device as running ScreenOS 5.x.
2. Configure the Trust interface for ethernet1.
Chapter 3: Network Settings