Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

MIP can use the same address as an interface in some models

0

0

Article ID: KB11167 KB Last Updated: 22 Jan 2009Version: 5.0
Summary:
What models support MIP same as interface IP?
Symptoms:
Symptoms:
  • Upgrading a ScreenOS device from a small model to a larger model, the MIP mapped for an interface IP address becomes invalid. 
  • What models support MIP same as interface IP?
  • What models support MIP same as untrust?
  • Untrust interface obtains IP address from ISP via DHCP or PPPoE; however, MIP Same-as-Untrust option doesn't show up under the MIP settings for the Untrust interface
Solution:

ScreenOS 6.0 and below:


MIP can use the same address as an interface in the following models.
  • HSC
  • NS5XT
  • NS5GT
  • SSG-5
  • SSG-20

ScreenOS 6.1 and higher:

The platform restriction was removed in ScreenOS 6.1 and higher.  The following applies to all models:
  • You can configure the VIP and mapped IP (MIP) address on the same interface using the same IP address. This allows you to selectively redirect traffic for specific applications to designated servers.
  • You can configure the virtual IP (VIP) address as the same as the interface IP address on any device in any zone.
  • You can configure VIP, MIP, and dynamic IP (DIP) addresses in any combination on any interface.

”note:  If your Untrust IP address is assigned dynamically via DHCP, then the MIP Same-as-Untrust (or MIP same as interface IP) configuration will not work if the ISP dynamically assigns a 'variable' IP address.   It will work if the ISP dynamically assigns a 'static' IP address.  If a 'static' IP address cannot be assigned by the ISP, then another option is to use the VIP same-as-untrust feature (which does support a 'variable' dynamically assigned IP address via DHCP).  Refer to the following KB for the models that support the 'VIP same as untrust' feature: KB5571 - Can a Virtual IP (VIP) use the same IP address as the untrusted interface.

The MIP Same-as-Untrust (or MIP same as interface IP) is configured by simply specifying the IP address of the Untrust interface for the Mapped IP address field.  For a step-by-step configuration example, refer to the section titled 'MIP-Same-as-Untrust' in the following technical documentation: Concepts & Examples ScreenOS Reference Guide - Volume 8 - Address Translation.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search