
ScreenOS Cookbook Recipe 8.8 - Configure Bidirectional NAT for Internal Server (Configure MIP for a server)


Article ID: KB12835
Last Updated: 24 May 2019
Version: 3.0
Summary:
ScreenOS Cookbook Recipe 8.8, copied from the ScreenOS Cookbook, documents how to configure a MIP for an internal server. It has been modified slightly for the NAT Resolution Guide.
Symptoms:
  • I want to allow a DMZ server inside the firewall full access to the Internet, and to allow any outside host access to a web server inside the firewall in the Trust zone
  • Users on the Internet will use the server's public IP address 1.1.1.50 to access the internal server 192.168.1.50
Solution:
Configure a MIP on the Untrust interface:
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 1.1.1.100/24
set interface ethernet0/0 mip 1.1.1.50 host 192.168.1.50
Configure inbound and outbound policies:
set address trust host-a-prv 192.168.1.50/32
set policy id 1 from Untrust to Trust any MIP(1.1.1.50) http permit
set policy id 2 from Trust to Untrust host-a-prv any any permit

Discussion

MIP is the most widely used NAT element in ScreenOS, because a MIP is straightforward to configure and easy to understand. A MIP is a one-to-one, bidirectional, static network address translation. It does not matter whether the external host or the local host initiated the connection: the public IP address is mapped to the private IP address (or the other way around) and the ports remain the same (see Table 8-9).

Table 8-9. Bidirectional NAT translation

                  Original packet (private or local portion)            Translated packet (public or global portion)
src-ip            dst-ip          src-port    dst-port                  x-src-ip        x-dst-ip          x-src-port    x-dst-port
Any               1.1.1.50        Any         Any                       Original        192.168.1.50      Original      Original
192.168.1.50      Any             Any         Any                       1.1.1.50        Original          Original      Original


First, configure the MIP:
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 1.1.1.100/24
set interface ethernet0/0 mip 1.1.1.50 host 192.168.1.50
The first policy performs an inbound destination translation, while the second policy performs an outbound source translation.
set policy id 1 from Untrust to Trust any MIP(1.1.1.50) http permit

set address trust host-a-prv 192.168.1.50/32
set policy id 2 from Trust to Untrust host-a-prv any any permit
MIPs are usually used for destination address translation. A MIP is always configured on the ingress interface. Here, for instance, e0/0 is an Untrust interface and 1.1.1.50 is a public IP address. 1.1.1.50 is translated to 192.168.1.50. The MIP itself is referenced in the policy, with Untrust being the source zone because the MIP was installed on an interface in the Untrust zone. The destination zone specified in the policy does not matter because a MIP always lives in the Global zone. The best practice is to use the zone behind which the private IP of the server lives, if possible. 
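To make the two directions of Table 8-9 and the two policies concrete, here is a small added Python model of the recipe's MIP and policy lookup. It is illustrative code written for this page, not ScreenOS itself or anything from the cookbook: it assumes that policy lookup runs before translation, that the MIP(1.1.1.50) object in a policy matches the untranslated public address, that the "http" service is TCP/80, and it uses constructed sample packets with RFC 5737 documentation addresses for the outside hosts.

```python
from dataclasses import dataclass, replace

# Recipe values: MIP 1.1.1.50 on the Untrust interface maps to host 192.168.1.50.
MIP = {"1.1.1.50": "192.168.1.50"}
MIP_REVERSE = {private: public for public, private in MIP.items()}

# The two policies from the recipe. Service "http" is modelled as TCP/80 (assumption).
POLICIES = [
    {"id": 1, "from": "Untrust", "src": "any", "dst": "MIP(1.1.1.50)", "service": 80},
    {"id": 2, "from": "Trust", "src": "192.168.1.50", "dst": "any", "service": "any"},
]


@dataclass(frozen=True)
class Packet:
    ingress_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _addr_match(spec, ip):
    """Match a policy address entry: 'any', a MIP(...) object, or a single host."""
    if spec == "any":
        return True
    if spec.startswith("MIP(") and spec.endswith(")"):
        return ip == spec[4:-1]  # the MIP object matches the public address
    return ip == spec


def lookup_policy(pkt):
    """Return the id of the first matching policy, or None (deny by default)."""
    for pol in POLICIES:
        if (pol["from"] == pkt.ingress_zone
                and _addr_match(pol["src"], pkt.src_ip)
                and _addr_match(pol["dst"], pkt.dst_ip)
                and pol["service"] in ("any", pkt.dst_port)):
            return pol["id"]
    return None


def translate(pkt):
    """Apply the MIP as Table 8-9 describes: one-to-one, ports never change."""
    if pkt.ingress_zone == "Untrust" and pkt.dst_ip in MIP:
        return replace(pkt, dst_ip=MIP[pkt.dst_ip])          # inbound: dst public -> private
    if pkt.ingress_zone == "Trust" and pkt.src_ip in MIP_REVERSE:
        return replace(pkt, src_ip=MIP_REVERSE[pkt.src_ip])  # outbound: src private -> public
    return pkt


def process(pkt):
    """Policy lookup first, then translation (modelling assumption).
    Returns (policy_id, translated_packet); (None, None) means the packet is dropped."""
    pid = lookup_policy(pkt)
    if pid is None:
        return None, None
    return pid, translate(pkt)


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLES = {
    "inbound_http": Packet("Untrust", "203.0.113.9", "1.1.1.50", 40000, 80),
    "inbound_ssh": Packet("Untrust", "203.0.113.9", "1.1.1.50", 40001, 22),
    "outbound_https": Packet("Trust", "192.168.1.50", "198.51.100.7", 51000, 443),
    "outbound_other_host": Packet("Trust", "192.168.1.77", "198.51.100.7", 51001, 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, process(pkt))
```

Running it shows the two rows of Table 8-9 in action: the inbound HTTP request is permitted by policy 1 and has only its destination rewritten to 192.168.1.50, while the server's own outbound connection is permitted by policy 2 and has only its source rewritten to 1.1.1.50. The other two samples show what the policies do not cover: inbound SSH to the MIP is dropped because policy 1 only permits http, and a different Trust host is dropped because policy 2 only names host-a-prv.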

As of ScreenOS 5.3, you can use MIPs in a multicell policy, but only in a policy between those zones; multicell policies are not supported in the Global zone. 

Note:  A MIP is bidirectional and always takes precedence over a DIP. 

Before ScreenOS 6.1, a MIP could be in a different network from the interface's IP address only on an interface in the Untrust zone. (This is an important caveat, but it is the only caveat regarding MIPs.) A MIP that is in the same network as its interface can be configured on any interface in any zone. MIPs are most often used in the Untrust zone. If you need to perform destination translation to an IP address that is not in the same network as the ingress interface, use policy-based NAT-dst instead (KB11910 - [Inbound direction] How to configure Destination Network Address Translation (NAT-Dst)), combined with a DIP if the reverse connection is required as well (KB11901 - [Outbound direction] How to configure Source Network Address Translation (NAT-src) and source Port Address Translation (PAT)).



Note:   "This recipe/excerpt is used by permission of the publisher, O'Reilly Media, ©2008. All rights reserved. Excerpted from ScreenOS Cookbook, by Stefan Brunner, Ken Draper, David Delcourt, Joe Kelley, Vik Drakar, & Sunil Wadhwa.   ISBN: 0596510039."
Modification History:
2019-05-22: Content reviewed for accuracy. 
