Cannot access server on DMZ from Trust zone when there is a MIP for these servers on the Untrust interface



Article ID: KB12061 KB Last Updated: 23 Jun 2010Version: 2.0
Cannot access server on DMZ from Trust zone using the server's MIP address, when the MIP for these servers is defined on the Untrust interface

Inside user ---- (eth1/1-Trust) FW (eth2/1-Untrust) ---- (MIP) ---- Outside users
                                  |
                                (DMZ)
                                  |
                                Server

  • Both inside users and outside users need access to the server, which sits in the DMZ zone.
  • A MIP for this server is configured on the Untrust interface, mapping a public IP address to the server's real IP address.
  • Outside users can reach the server through the MIP, but inside users cannot reach it using the MIP address. A flow debug shows the packet denied by policy.
The firewall is missing a policy from the Global zone to the Global zone (see step 6 below); adding it resolves the problem.

The packet flow is as follows:
  1. A packet from the inside user, destined to the server's MIP address, arrives on eth1/1 (Trust zone).
  2. A route lookup for the MIP address is performed and the packet is forwarded to eth2/1 (Untrust zone), the interface on which the MIP is configured.
  3. A policy lookup from Trust to Untrust occurs and is permitted by the existing Trust-to-Untrust policy.
  4. At eth2/1 (Untrust zone), the MIP translates the destination from the MIP address to the server's real IP address.
  5. A second route lookup is performed for the server's real IP address and the packet is forwarded to the DMZ interface.
  6. A policy lookup for the translated packet (inside user to server) occurs from Global to Global.
The policy for step 6 must exist in the Global zone. It is needed there, rather than in a zone pair, because a MIP is not tied to any particular zone; it is a global entry.

Again, note step 6. This policy is the one that is typically missing and needs to be added. From the flow debug it looks as though the firewall is searching for a policy from Untrust to DMZ, but that is not the case: it is searching for a policy in the Global zone for the destination address.
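The configuration that produces this flow, with the missing Global policy, as an added illustration that is not part of the original KB article. Interface names follow the article; the addresses (203.0.113.10 for the MIP, 10.1.1.10 for the DMZ server, netmask 255.255.255.255, virtual router trust-vr) and the HTTP service are assumed for illustration, and the exact CLI spelling of the global policy command is written from memory of the ScreenOS CLI and should be confirmed against the CLI reference for the release in use.

```text
# Lines beginning with "#" are annotations, not ScreenOS CLI input.
# Assumed for illustration: DMZ server 10.1.1.10, MIP 203.0.113.10 on ethernet2/1 (Untrust).

# MIP bound to the Untrust interface: public address -> real server address
set interface ethernet2/1 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr

# Outside users -> server. This pair already works in the scenario described above.
set policy from untrust to dmz any MIP(203.0.113.10) http permit

# Inside users -> MIP address. This is the policy consulted at step 3 (Trust to Untrust).
set policy from trust to untrust any MIP(203.0.113.10) http permit

# The missing policy consulted at step 6. It lives in the Global zone because the MIP is
# a global entry, not a zone-specific one; the lookup is not Untrust to DMZ.
set policy global any MIP(203.0.113.10) http permit

# Checks after saving: confirm the global policy exists, then re-run the flow debug the
# article refers to and verify the "denied by policy" entry is gone.
get policy global
debug flow basic
```

Keep the service in the Global policy as narrow as the Trust-to-Untrust and Untrust-to-DMZ policies; a Global `any any any permit` would match far more than the inside-to-server traffic this article is about.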