What is a MIP? Access from the Internet to a server or other device on the private network of the Juniper firewall. How do I set up a Mapped IP to a subnet? Trouble passing traffic to a Mapped IP.
Problem or Goal:
What is a MIP?
How do I configure a MIP to access an internal host from the Internet?
How do I set up a Mapped IP to a subnet or multiple internal hosts?
Unable to pass traffic to a Mapped IP (MIP)
After creating a MIP, I can't access some other hosts on my Untrust network
How do I change a MIP?
MIP – Definition:
MIP (Mapped IP) is a 1 to 1 mapping of a public IP address to an IP address on the Internal side of the Juniper firewall.
Configuring a MIP to access a single device on the private network:
Consider the following setup:
Internal host IP is 192.168.1.100.
Public interface (e0/0) IP is 188.8.131.52.
Another public IP - 184.108.40.206 is available for use.
Here is how you can configure a MIP to a single IP, and how to configure a policy to permit ANY host from the Untrust zone to access the internal host:
set interface "ethernet0/0" zone "Untrust" set interface "bgroup0" zone "Trust" set interface ethernet0/0 ip 220.127.116.11/24 set interface bgroup0 ip 192.168.1.1/24 set interface "ethernet0/0" mip 18.104.22.168 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr" set policy from "Untrust" to "Trust" "Any" "MIP(22.214.171.124)" "ANY" permit
Click on Interfaces
Select the e0/0 Interface
Click on MIP You will be at the Network > Interfaces > Edit > MIP > Configuration for interface e0/0
Enter the following: Mapped IP: 126.96.36.199 Host IP: 192.168.1.100 Netmask: 255.255.255.255 Host Virtual Router Name: trust-vr
Create an incoming policy by going to
Policy > Policies (From Untrust To Trust) Source: Any Destination: MIP(188.8.131.52) Service: ANY Action: Permit
You can limit access to networks and services of your choosing. It is a good idea to start with permitting any service at first to confirm that the MIP is working.
Configuring a MIP to a subnet or multiple internal hosts:
The netmask determines how the mapping is done. If you use a netmask of 255.255.255.255, the mapping is done on a one-to-one basis. If you use a different netmask, then it maps a range of addresses.
Example: To map the addresses public addresses 184.108.40.206--220.127.116.11 to the internal addresses 192.168.1.1--192.168.1.30:
set interface "ethernet0/1" mip 18.104.22.168 host 192.168.1.0 netmask 255.255.255.224 vr "trust-vr" set policy from "Untrust" to "Trust" "Any" "MIP(22.214.171.124/27)" "ANY" permit
This will result in:
126.96.36.199 maps to 192.168.1.1 188.8.131.52 maps to 192.168.1.2 ... ... 184.108.40.206 maps to 192.168.1.30
Change a MIP
If you have a MIP created and want to change the addresses used in the MIP, it may report that the MIP is 'in use'. Therefore, perform the following steps to free up the MIP from being 'in use', and make the changes:
Either remove the policy that has the MIP or remove the MIP from the policy (by temporarily changing the MIP address book entry in the policy to another address).
Configure the MIP and make the changes.
Re-add the policy or change the policy back to the MIP.
Here are some important configuration pointers regarding creating a MIP. If a MIP overlaps with other IP addresses on your network, it could cause the inability to access those other hosts.
If only one address is needed for a MIP, use Netmask of 255.255.255.255 Example: Defining 220.127.116.11/255.255.255.255 as a MIP will map one address to a host address. Do not set the Netmask equal to the subnet mask for Untrust Interface IP address. The Juniper firewall will answer ARP requests for all addresses in the subnet defined in the MIP. If the Untrust IP address is 18.104.22.168/255.255.255.248 and the Gateway is 22.214.171.124 in the above example, these addresses are included in the netmask, and the MIP will break normal traffic.
Make sure the combination of the MIP address and Netmask does not include the Untrust Interface IP address or the Default Gateway address or any other device's address that are on that subnet. Example: If the Untrust IP address is 126.96.36.199/255.255.255.0 and the Gateway is 188.8.131.52, then the MIP configured as 184.108.40.206 NETMASK 255.255.255.248 is an acceptable configuration because it does not include/overlap with the untrust IP or the gateway IP address.
In ScreenOS 6.0 and below, a MIP supports a public address in a different network than that of the ingress interface only if the ingress interface is in the Untrust zone. On all other zones, MIPs must must be in the same network with the IP address of the interface on which they live. However, in ScreenOS 6.1 and above, a MIP supports a public address in a different network than that of the ingress interface in any zone.
Troubleshooting TIPS - Unable to pass traffic to a MIP:
When configuring a MIP, the Virtual Router that the MIP host resides in plays an important role. If the wrong Virtual Router (VR) is specified, traffic may not pass correctly. For example, if the MIP private host resides in the DMZ zone which is in the untrust-vr, be sure to specify the untrust-VR in the configuration of the MIP.
If a MIP is unreachable from the Internet, the next-hop Gateway router from the Juniper firewall may not have an ARP entry for the MIP address OR the MIP IP address may be associated with a different MAC. Two methods can be employed to correct this:
If you have management access to the next-hop router from the Juniper firewall, clear the ARP cache on the router. Then attempt to ping the MIP address again to get the ARP table entry updated on the router.
Swap the MIP and Untrust interface IP address temporarily, and ping the Gateway address from the Juniper Untrust interface until the router answers back. This is simply a creative way to update the ARP table on the next-hop gateway router, without logging into the next-hop gateway router.
Save the current configuration and then do the follow steps to swap the MIP and Untrust IP temporarily:
Remove the Incoming MIP policy
Delete the MIP
Change the Untrust IP address to the MIP address
Ping the Untrust Interface's Default Gateway IP address from any device on the Trust Lan until the pings are answered. Again, steps a) - d) is a work-around to getting the next-hop gateway router's ARP table updated.
When the next-hop gateway router can ping the MIP address, switch the configuration back to the original configuration (before step a).
If you do not explicitly permit ping on the private host, you will not be able to ping the MIP. The Juniper firewall does not answer pings to the MIP address. They are passed on to the server, and the replies are passed back.
For additional information about MIPs, as well as some other examples, please refer to the Concepts and Examples ScreenOS Reference Guide - Volume 8 - Address Translation: