
[ScreenOS] MIP - Definition, configuration of MIP to an IP or a subnet, and troubleshooting tips



Article ID: KB10923   Last Updated: 17 Apr 2020   Version: 10.0

This article explains what a MIP is, how to configure one for a single host or for a range of hosts, how to change an existing MIP, and how to troubleshoot a MIP that does not pass traffic.



  • What is a MIP?
  • How do I configure a MIP to access an internal host from the Internet?
  • How do I set up a Mapped IP to a subnet or multiple internal hosts?
  • Unable to pass traffic to a Mapped IP (MIP).
  • After creating a MIP, I can't access some other hosts on my Untrust network.
  • How do I change a MIP?

MIP Definition:

MIP (Mapped IP) is a static one-to-one mapping of a public IP address to an IP address on the internal (private) side of the Juniper firewall. Because the mapping is one-to-one it applies in both directions: inbound traffic sent to the public address has its destination translated to the internal host, and outbound traffic from that host leaves with the public address as its source. The firewall answers ARP for the public (MIP) address on the interface the MIP is bound to, which is why the MIP address must not collide with anything else on that segment (see Key Points below).

Configuring a MIP to access a single device on the private network:

Consider the following setup:

  • Internal host IP is
  • Suppose Public interface (e0/0) IP is
  • Another public IP - is available for use.

Here is how you can configure a MIP to a single IP, and how to configure a policy to permit ANY host from the Untrust zone to access the internal host:

set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip
set interface bgroup0 ip
set interface "ethernet0/0" mip host netmask vr "trust-vr"
set policy from "Untrust" to "Trust"  "Any" "MIP(" "ANY" permit

  1. In the WebUI, click Network > Interfaces
  2. Click Edit for the e0/0 interface
  3. Click MIP
    You will be at the Network > Interfaces > Edit > MIP > Configuration for interface e0/0
    Enter the following:
    Mapped IP:
    Host IP:
    Host Virtual Router Name: trust-vr 
  4. Create an incoming policy by going to
    Policy > Policies (From Untrust To Trust)
    Source: Any
    Destination: MIP(
    Service: ANY 
    Action: Permit

You can limit access to networks and services of your choosing. It is a good idea to start by permitting any service and any source, to confirm that the MIP itself is working; once it does, tighten the policy to only the source networks and services the internal host actually needs to expose, since a MIP with an "Any/ANY" policy exposes every listening port on that host to the Internet.

Configuring a MIP to a subnet or multiple internal hosts:

The netmask determines how the mapping is done. If you use a netmask of, the mapping is done on a one-to-one basis (a single public address to a single host). If you use a wider netmask, the MIP maps a range of public addresses onto a range of internal addresses of the same size, address by address: the first public address maps to the first internal address, the second to the second, and so on.

To map the range of public addresses to the corresponding range of internal addresses:

set interface "ethernet0/1" mip host netmask vr "trust-vr"
set policy from "Untrust" to "Trust"  "Any" "MIP(" "ANY" permit

This will result in: maps to maps to
       ... maps to

Change a MIP

If you have a MIP created and want to change the addresses used in the MIP, the firewall may report that the MIP is 'in use' because a policy references it. Perform the following steps to free the MIP from being 'in use' and make the changes:

  1. Either remove the policy that has the MIP or remove the MIP from the policy (by temporarily changing the MIP address book entry in the policy to another address).
  2. Configure the MIP and make the changes.
  3. Re-add the policy or change the policy back to the MIP.

Also, refer to KB6659 - Can I modify MIP on the fly without deleting the associated policy?

Key Points:  

Important configuration pointers when creating a MIP. The firewall answers ARP for every address covered by the MIP address and netmask, so if a MIP range overlaps other IP addresses on your network, the firewall will start claiming those addresses and the real hosts (including the Untrust gateway) can become unreachable.

  • If only one address is needed for a MIP, use a Netmask of. Example: Defining as a MIP with that netmask will map one public address to one host address. Do not set the Netmask equal to the subnet mask of the Untrust interface IP address. The Juniper firewall will answer ARP requests for all addresses in the subnet defined by the MIP and its netmask. If the Untrust IP address is and the Gateway is in the above example, those addresses are included in that netmask, the firewall will answer ARP for its own interface address and for the gateway, and the MIP will break normal traffic.
  • Make sure the combination of the MIP address and Netmask does not include the Untrust interface IP address, the default gateway address, or the address of any other device on that subnet. Example: If the Untrust IP address is and the Gateway is, then the MIP configured as NETMASK is an acceptable configuration because it does not include or overlap with the Untrust IP or the gateway IP address.

  • In ScreenOS 6.0 and below, a MIP supports a public address in a different network than that of the ingress interface only if the ingress interface is in the Untrust zone. In all other zones, the MIP must be in the same network as the IP address of the interface on which it is configured. In ScreenOS 6.1 and above, a MIP supports a public address in a different network than that of the ingress interface in any zone.
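The following Python script is an added worked example; it is not code from this Juniper KB article or from ScreenOS. It models the rules from the two configuration sections and the Key Points above: a host netmask gives a one-to-one MIP, a wider netmask maps the public range onto the private range address by address, and the MIP range must not include the Untrust interface IP, the default gateway, or any other device on that subnet. After validating, it emits the two ScreenOS CLI lines the article uses (the `set interface ... mip ...` binding and the inbound policy with a `MIP(...)` destination). All addresses in it are constructed sample values (RFC 5737 documentation and RFC 1918 private space), and the function names are the example's own.

```python
"""Added example (not from the Juniper KB or ScreenOS): model a ScreenOS MIP.

A MIP with a 255.255.255.255 netmask is one-to-one; a wider netmask maps a
public range onto a private range address by address (host bits preserved).
The firewall answers ARP for every address in the MIP range, so the range must
not swallow the Untrust interface IP, the default gateway or other hosts.
All addresses below are constructed sample values (RFC 5737 / RFC 1918).
"""
import ipaddress


def mip_mappings(mip, host, netmask):
    """Return [(public, private), ...] for a MIP/host pair with this netmask.

    Host bits of `mip` and `host` are masked off (strict=False) so the two
    ranges are aligned; the n-th public address maps to the n-th private one.
    """
    public = ipaddress.ip_network(f"{mip}/{netmask}", strict=False)
    private = ipaddress.ip_network(f"{host}/{netmask}", strict=False)
    return [(str(p), str(q)) for p, q in zip(public, private)]


def check_mip_overlap(mip, netmask, untrust_ip, gateway, other_hosts=()):
    """Return a list of problems; an empty list means the MIP is acceptable.

    A problem is any address the firewall would start answering ARP for that
    belongs to something else: its own Untrust IP, the next-hop gateway, or any
    other device on the Untrust subnet passed in `other_hosts`.
    """
    public = ipaddress.ip_network(f"{mip}/{netmask}", strict=False)
    to_check = [("Untrust interface IP", untrust_ip), ("default gateway", gateway)]
    to_check += [("other host", h) for h in other_hosts]
    return [
        f"MIP range {public} includes the {label} {addr}"
        for label, addr in to_check
        if ipaddress.ip_address(addr) in public
    ]


def screenos_mip_config(interface, mip, host, netmask, vr="trust-vr",
                        from_zone="Untrust", to_zone="Trust", service="ANY"):
    """Emit the MIP binding and the inbound policy in the CLI form the KB uses.

    `vr` must be the virtual router the *host* lives in (e.g. untrust-vr for a
    DMZ host in that VR); the policy destination is written as MIP(<address>).
    """
    return [
        f'set interface "{interface}" mip {mip} host {host} netmask {netmask} vr "{vr}"',
        f'set policy from "{from_zone}" to "{to_zone}" "Any" "MIP({mip})" "{service}" permit',
    ]


def plan_mip(interface, mip, host, netmask, untrust_ip, gateway,
             other_hosts=(), vr="trust-vr"):
    """Validate the overlap rules first, then return the CLI lines."""
    problems = check_mip_overlap(mip, netmask, untrust_ip, gateway, other_hosts)
    if problems:
        raise ValueError("; ".join(problems))
    return screenos_mip_config(interface, mip, host, netmask, vr=vr)


if __name__ == "__main__":
    UNTRUST_IP, GATEWAY = "203.0.113.2", "203.0.113.1"   # constructed sample values

    # Single host: host netmask, exactly one mapping.
    for line in plan_mip("ethernet0/0", "203.0.113.10", "192.168.1.10",
                         "255.255.255.255", UNTRUST_IP, GATEWAY):
        print(line)

    # Eight hosts: a /29 maps 203.0.113.64-71 onto 192.168.1.64-71.
    for pub, priv in mip_mappings("203.0.113.64", "192.168.1.64", "255.255.255.248"):
        print(f"{pub} maps to {priv}")

    # The misconfiguration from the Key Points: netmask equal to the Untrust subnet mask.
    for problem in check_mip_overlap("203.0.113.0", "255.255.255.0", UNTRUST_IP, GATEWAY):
        print("REJECTED:", problem)
```

Run it as-is to see the three cases; `plan_mip` refuses to emit configuration for a MIP that would overlap the gateway or the firewall's own Untrust address, which is exactly the outage the Key Points warn about.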

Troubleshooting TIPS - Unable to pass traffic to a MIP:

When configuring a MIP, the Virtual Router (VR) that the MIP host resides in plays an important role. If the wrong VR is specified, traffic will not pass correctly. For example, if the MIP private host resides in the DMZ zone and that zone is in the untrust-vr, specify untrust-vr (not the default trust-vr) in the configuration of the MIP.
  • If a MIP is unreachable from the Internet, the next-hop gateway router from the Juniper firewall may not have an ARP entry for the MIP address, or it may still have the MIP address associated with a different MAC address (a stale entry for whichever device previously owned that address). Two methods can be employed to correct this:

    1. If you have management access to the next-hop router from the Juniper firewall, clear the ARP cache on the router. Then attempt to ping the MIP address again to get the ARP table entry updated on the router.


    2. Swap the MIP and Untrust interface IP address temporarily, and ping the Gateway address from the Juniper Untrust interface until the router answers back. This is simply a work-around to update the ARP table on the next-hop gateway router without logging into it.

      Save the current configuration and then do the following steps to swap the MIP and Untrust IP temporarily (note that the inbound service is down and any management or VPN sessions on the Untrust address will drop while the swap is in place, so do this in a maintenance window):

      a) Remove the incoming MIP policy
      b) Delete the MIP
      c) Change the Untrust IP address to the MIP address
      d) Ping the Untrust interface's default gateway IP address from any device on the Trust LAN until the pings are answered. Again, steps a) through d) are a work-around to get the next-hop gateway router's ARP table updated.
      e) Once the pings are answered (the router now holds the firewall's MAC for the MIP address), switch the configuration back to the original configuration (before step a).
  • If you do not explicitly permit ping to the private host, you will not be able to ping the MIP. The Juniper firewall does not answer pings to the MIP address itself; ICMP echo requests to the MIP are passed on to the mapped host and the replies are passed back, so the inbound policy must permit PING (or ANY) and the host itself must respond to ICMP. A MIP that fails to answer ping is therefore not by itself evidence that the MIP is broken; test the actual service as well.

For additional information about MIPs, as well as some other examples, please refer to the Concepts and Examples ScreenOS Reference Guide - Volume 8 - Address Translation:
ScreenOS 5.4  Chapter 4, Page 63
ScreenOS 6.0  Chapter 4, Page 63
ScreenOS 6.1  Chapter 4, Page 63
ScreenOS 6.2  Chapter 4, Page 63
ScreenOS 6.3  Chapter 4, Page 63
Modification History:
2020-04-14: Added link for ScreenOS version 6.3.
