How Do I Configure a 1-to-1 Mapping of a Public Address to a Private Address in the WebUI?
Knowledge Base ID: KB4739
Version: 5.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: Firewall/IPSec_VPN, ScreenOS

Synopsis:
How Do I Configure a 1-to-1 Mapping of a Public Address to a Private Address in the WebUI?

Problem:
A Mapped IP (MIP) is a 1-to-1 mapping of a public IP address to a private IP address. How is it configured in the WebUI?

Solution:


To configure a 1-to-1 mapping of a public address to a private address using the WebUI, perform the following steps:

Note: For additional information, refer to KB10923, "MIP – Definition, configuration of MIP to an IP or a subnet, and troubleshooting tips".


For this example, we are configuring a MIP for a web server.

Step one: Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Using the WebUI.

Step two: From the ScreenOS options menu, click Network, and then click Interfaces.

Step three: From the ethernet3 interface, click Edit.

Step four: Click to select MIP.

Step five: Click New.

Step six: Under Interface (MIP), in Mapped IP, enter the public IP address of the web server. In Netmask, enter the netmask.

Note: For the Netmask, if you are specifying a single host, enter 255.255.255.255. If you are specifying a network, enter the appropriate network subnet mask.

Step seven: From Host IP Address, enter the private IP address of the web server.

Step eight: From the Host Virtual Router Name drop-down menu, click to select trust-vr.

Step nine: Click OK.

Note: Additional MIP information:
  • Do not set the MIP netmask equal to the subnet mask of the Untrust interface IP address; the NetScreen will then answer for all addresses in the subnet. Example: if the Untrust IP address is 172.16.5.66/255.255.255.248 and the gateway is 172.16.5.67 in the example above, these addresses are included in the netmask and the MIP will break normal traffic.
  • Make sure the combination of the MIP address and netmask does not include the Untrust interface IP address, the default gateway address, or the address of any other device on that subnet. For example, if the Untrust IP address is 172.16.5.50/255.255.255.0, the gateway is 172.16.5.1, and the MIP is 172.16.5.65 with netmask 255.255.255.248, then the configuration is acceptable.

Step ten: From the ScreenOS options menu, click Policies.

Step eleven: In the From drop-down menu, click to select Untrust. From the To drop-down menu, click to select Trust.

Step twelve: Click New.

Step thirteen: In Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Any.

Step fourteen: From Destination Address, click to select Address Book. From the Address Book drop-down menu, click to select Global:MIP (210.1.1.5).

Step fifteen: From the Service drop-down menu, click to select HTTP. From the Action drop-down menu, click to select Permit.

Step sixteen: Click OK.
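
The two netmask rules in the note after step nine can be checked before the MIP is saved. The following Python check is an added example, not Juniper code or part of the original article; the function name `mip_conflicts`, its parameters, and the MIP address 172.16.5.68 in the first case are assumptions made for illustration.

```python
import ipaddress


def mip_conflicts(mip_ip, mip_mask, if_ip, if_mask, gateway, other_hosts=()):
    """Return the reasons a MIP address/netmask pair is unsafe (empty list = OK)."""
    # strict=False: the MIP address need not be the base address of its range.
    mip_net = ipaddress.ip_network(f"{mip_ip}/{mip_mask}", strict=False)
    iface = ipaddress.ip_interface(f"{if_ip}/{if_mask}")
    problems = []

    # First rule: a MIP netmask as wide as the Untrust interface subnet mask
    # makes the firewall answer for every address in that subnet.
    if mip_net.overlaps(iface.network) and mip_net.prefixlen <= iface.network.prefixlen:
        problems.append(
            f"MIP range {mip_net} covers the whole interface subnet {iface.network}"
        )

    # Second rule: the MIP range must not contain the interface IP, the
    # default gateway, or any other device address on the subnet.
    reserved = [
        ("interface IP", iface.ip),
        ("default gateway", ipaddress.ip_address(gateway)),
    ]
    reserved += [("other device", ipaddress.ip_address(h)) for h in other_hosts]
    for label, addr in reserved:
        if addr in mip_net:
            problems.append(f"MIP range {mip_net} includes the {label} {addr}")
    return problems


if __name__ == "__main__":
    # Sample inputs: interface and gateway values are the ones quoted in the
    # note; the MIP address in the first case is constructed for illustration.
    cases = [
        ("172.16.5.68", "255.255.255.248", "172.16.5.66", "255.255.255.248", "172.16.5.67"),
        ("172.16.5.65", "255.255.255.248", "172.16.5.50", "255.255.255.0", "172.16.5.1"),
    ]
    for case in cases:
        found = mip_conflicts(*case)
        print(case[0], case[1], "->", found or "acceptable")
```

Pass any servers, routers, or other MIPs already on the Untrust subnet in `other_hosts` so the check covers the "any other device" part of the rule.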

Purpose:
Troubleshooting