Can a Virtual IP (VIP) use the same IP address as the untrusted interface?
| Knowledge Base ID: | KB5571 |
| Version: | 6.0 |
| Published: | 19 May 2009 |
| Updated: | 19 May 2009 |
| Categories: |
 Firewall/IPSec_VPN ScreenOS |
Can a Virtual IP (VIP) use the same IP address as the untrusted interface? Which Firewalls support "VIP same as Untrust"?
Problem or Goal:- Virtual IP Only have 1 Publicly available IP address
- Allow access to internal servers using the same IP address as the untrust
- Cannot set VIP as the same IP address as Untrust interface
- Which firewalls support 'VIP same as untrust'?
ScreenOS 6.0 and below:
VIPs can only be defined in the Untrust zone.
VIP Same as Untrust IP feature is supported on the lower end platforms. These include the following:
- NetScreen-5
- NetScreen-5XP
- NetScreen-5XT
- NetScreen-5GT (including ADSL and WLAN versions)
- NetScreen-HSC
- NetScreen-25
- NetScreen-50
- SSG-5 (all variants)
- SSG-20
- SSG-140
- SSG-320M
- SSG-520 (and SSG-520M)
ScreenOS 6.1 and higher (applies to all models):
- You can configure the virtual IP (VIP) address as the same as the interface IP address on any device in any zone.
- You can configure the VIP and mapped IP (MIP) address on the same interface using the same IP address. This allows you to selectively redirect traffic for specific applications to designated servers.
- You can configure VIP, MIP, and dynamic IP (DIP) addresses in any combination on any interface.
set interface <interface-num> vip interface-ip <port-number> <service name> <IP address>Refer to the following KB for the models that support the 'MIP same as untrust' feature:
KB11167 - MIP can use the same address as an interface in some models
Additional information:
KB14223 - Limitations to Services that Can Be Used for VIP Same as Untrust or VIP Same as Interface IP
Troubleshooting
