Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Copyright © 2010, Juniper Networks, Inc.

For Lower IP, enter 10.10.1.2.
For Upper IP, enter 10.10.1.2.
6. For Start, enter 10.10.1.1.
7. For End, enter 10.10.1.1.
8. For Netmask, enter 24.
9. Click OK to save your changes to the interface, and then click OK to save your changes to the device.

Related Documentation
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) on page 69
Enabling Managed Devices Using Incoming DIP on page 73
Interface Network Address Translation Using DIPs on page 67

Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure)
If circumstances require that the source IP address in outbound firewall traffic be
translated to an address in a different subnet from that of the egress interface, you can use
the extended interface option. This option enables you to graft a second IP address and
an accompanying DIP pool onto an interface that is in a different subnet. You can then
enable NAT on a per-policy basis and specify the DIP pool built on the extended interface
for the translation.
In this example, two branch offices have leased lines to a central office. The central office
requires them to use only the authorized IP addresses it has assigned them. However,
the offices receive different IP addresses from their ISPs for Internet traffic. For
communication with the central office, you use the extended interface option to configure
the security device in each branch office to translate the source IP address in packets it
sends to the central office to the authorized address. Table 24 on page 69 lists the
authorized and assigned IP addresses for branch offices A and B.
Table 24: Sample Branch Office Addresses
Office      Assigned IP Address (from ISP)   Authorized IP Address (from central office)
Office A    195.1.1.1/24                     211.10.1.1/24
Office B    201.1.1.1/24                     211.20.1.1/24

The security devices at both sites have a Trust zone and an Untrust zone. All security
zones are in the trust-vr routing domain. You bind ethernet1 to the Trust zone and assign
it IP address 10.1.1.1/24. You bind ethernet3 to the Untrust zone and give it the IP address
assigned by the ISPs: 195.1.1.1/24 for Office A and 201.1.1.1/24 for Office B. You then create
an extended interface with a DIP pool containing the authorized IP address on ethernet3:
Office A: extended interface IP 211.10.1.10/24; DIP pool 211.10.1.1 – 211.10.1.1; PAT enabled
Office B: extended interface IP 211.20.1.10/24; DIP pool 211.20.1.1 – 211.20.1.1; PAT enabled
Chapter 3: Network Settings
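An added example, not part of the Juniper guide: a Python pre-deployment check of the two offices' extended-interface DIP pools using the addresses above, plus a simplified model of the source translation with PAT. The sanity rules, the function names, the sample Trust-zone hosts and the starting port 1024 are assumptions of this example, not ScreenOS or NSM behaviour.

```python
import ipaddress as ipa

# Addresses taken from the example above (Table 24 and the interface settings).
OFFICES = {
    "A": {"egress": "195.1.1.1/24", "ext": "211.10.1.10/24",
          "dip": ("211.10.1.1", "211.10.1.1"), "pat": True},
    "B": {"egress": "201.1.1.1/24", "ext": "211.20.1.10/24",
          "dip": ("211.20.1.1", "211.20.1.1"), "pat": True},
}

def check_extended_dip(cfg):
    """Return a list of problems found in an extended-interface DIP pool.
    The rules are this example's assumptions, not the device's own checks."""
    egress = ipa.ip_interface(cfg["egress"])
    ext = ipa.ip_interface(cfg["ext"])
    lo, hi = (ipa.ip_address(a) for a in cfg["dip"])
    problems = []
    if ext.network.overlaps(egress.network):
        problems.append("extended subnet overlaps the egress interface subnet")
    if lo > hi:
        problems.append("DIP pool start is above its end")
    if lo not in ext.network or hi not in ext.network:
        problems.append("DIP pool is outside the extended interface subnet")
    if lo <= ext.ip <= hi:
        problems.append("DIP pool contains the extended interface address")
    if {lo, hi} & {ext.network.network_address, ext.network.broadcast_address}:
        problems.append("DIP pool includes the network or broadcast address")
    if lo == hi and not cfg["pat"]:
        problems.append("one-address pool without PAT cannot be shared by hosts")
    return problems

def translate(cfg, flows, first_port=1024):
    """Simplified PAT model: every distinct (src_ip, src_port) flow leaves with
    the pool address and its own translated port (first_port is constructed)."""
    pool_ip = cfg["dip"][0]
    return {flow: (pool_ip, first_port + n)
            for n, flow in enumerate(dict.fromkeys(flows))}

if __name__ == "__main__":
    for name, cfg in OFFICES.items():
        print("Office", name, check_extended_dip(cfg) or "pool OK")
    # Constructed Trust-zone hosts behind ethernet1 (10.1.1.1/24).
    flows = [("10.1.1.5", 40000), ("10.1.1.6", 40000)]
    for src, out in translate(OFFICES["A"], flows).items():
        print(src, "->", out)
```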
