[ScreenOS] Configuring a virtual IP for port forwarding

Knowledge Base ID: KB4740
Last Updated: 12 Dec 2012
Version: 8.0

Summary:
This article provides information on how to configure a virtual IP for port forwarding.

Problem or Goal:
Configuring a virtual IP for port forwarding enables an external host to access network services behind the firewall by mapping the NAT address of the internal host or service to an external address.

Cause:

Solution:

To configure a Virtual IP, perform the following steps:

Note: To configure a Virtual IP (VIP), you will need to have the Trust and Untrust Zones previously configured to an interface. For more information on how to bind an interface to a zone, go to Binding an Interface to a Zone.

For this example, we are configuring a VIP address for a web server, and we are using ethernet1 for the Trust zone and ethernet3 for the Untrust zone.

Step one: Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Device Using the WebUI.

Step two: From the ScreenOS options menu, click Network, and then click Interfaces.

Image of step two

Step three: From the ethernet3 interface, click Edit.

Image of step three

Step four: From the Edit screen, click to select VIP.

Image of step four

Step five: From Virtual IP Address, enter the IP address of the web server.

Note: For this example, we have entered 210.1.1.10.

Image of step five and six

Step six: Click Add.

Step seven: Click New VIP Service.

Image of step seven

Step eight: From the Virtual IP drop-down menu, select the Virtual IP address. In the Virtual Port text box, enter a port number. From the Map to Service drop-down menu, select a service. In the Map to IP text box, enter the internal IP address of the web server.

For this example, we used a Virtual IP of 210.1.1.10, a Virtual Port of 80, a Map to Service of HTTP (80), and a Map to IP of 192.168.1.10.

Image of step eight and nine

Step nine: Click OK.

The Virtual IP listens on the Virtual Port. If you have a Virtual Port of 80 and a policy with the ANY service, all traffic going through port 80 will be passed.

Step ten: From the ScreenOS options menu, click Policies.

Image of step ten

Step eleven: From the From drop-down menu, click to select Untrust. From the To drop-down menu, click to select Trust.

Image of step eleven and twelve

Step twelve: Click New.

Step thirteen: Under Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Any.

Image of step thirteen and fourteen

Step fourteen: Under Destination Address, click to select Address Book. From the Address Book drop-down menu, click to select VIP (210.1.1.10).

Step fifteen: From the Service drop-down menu, click to select HTTP. From the Action drop-down menu, click to select Permit.

Image of step fifteen and sixteen

Step sixteen: Click OK.



Via the CLI:

You can configure the same via the CLI:
>set interface ethernet3 vip 210.1.1.10
>set interface ethernet3 vip 210.1.1.10 + 80 "HTTP" 192.168.1.10
>set policy from "Untrust" to "Trust" "Any" "VIP(210.1.1.10)" "HTTP" permit
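
The note above about a policy with the ANY service can be checked against a saved configuration. The script below is an added example, not Juniper code: it reads `set interface ... vip` and `set policy ...` lines in the form shown in this article and flags permit policies to a VIP that are broader than the VIP mapping. The function names and the sample configuration are assumptions made for illustration.

```python
import shlex

# Constructed sample in the command form this article uses. The last policy is
# an over-broad variant added here so the check has something to flag.
SAMPLE_CONFIG = '''
set interface ethernet3 vip 210.1.1.10
set interface ethernet3 vip 210.1.1.10 + 80 "HTTP" 192.168.1.10
set policy from "Untrust" to "Trust" "Any" "VIP(210.1.1.10)" "HTTP" permit
set policy from "Untrust" to "Trust" "Any" "VIP(210.1.1.10)" "ANY" permit
'''

def parse(config):
    """Return ({vip: [(port, service, map_to_ip)]}, [policy dicts])."""
    vips, policies = {}, []
    for line in config.splitlines():
        t = shlex.split(line.lstrip("> "))  # tolerate a leading prompt marker
        if t[:2] == ["set", "interface"] and len(t) >= 8 and t[3] == "vip":
            # set interface <if> vip <vip> [+] <port> <service> <map-to-ip>
            port, service, host = t[-3:]
            vips.setdefault(t[4], []).append((int(port), service.upper(), host))
        elif t[:2] == ["set", "policy"] and "from" in t:
            f = t.index("from")  # an optional 'id <n>' may precede 'from'
            if len(t) < f + 8:
                continue
            src_zone, _, dst_zone, src, dst, service, action = t[f + 1:f + 8]
            policies.append({"from": src_zone, "to": dst_zone, "src": src,
                             "dst": dst, "service": service.upper(),
                             "action": action.lower()})
    return vips, policies

def audit(config):
    """List (vip, reason) for permit policies that are broader than the VIP mapping."""
    vips, policies = parse(config)
    findings = []
    for p in policies:
        if p["action"] != "permit" or not p["dst"].startswith("VIP("):
            continue
        vip = p["dst"][4:-1]
        mapped = vips.get(vip, [])
        ports = sorted(port for port, _, _ in mapped)
        if p["service"] == "ANY":
            findings.append((vip, f"service ANY passes all traffic on virtual ports {ports}"))
        # Name comparison only; service groups are not resolved (assumption).
        elif p["service"] not in {svc for _, svc, _ in mapped}:
            findings.append((vip, f"service {p['service']} is not mapped on this VIP"))
    return findings

if __name__ == "__main__":
    for vip, reason in audit(SAMPLE_CONFIG):
        print(f"{vip}: {reason}")
```

Run against the three commands in this article alone, the audit returns no findings, because the policy service (HTTP) matches the service mapped on the VIP.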

Purpose:
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.