Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How to implement the DIP group

0

0

Article ID: KB25569 KB Last Updated: 11 Sep 2019Version: 2.0
Summary:

This article provides information on how to implement the DIP group.

Symptoms:
  • On the firewall, there are two ISP connections - Ethernet1/1 and Ethernet1/3; both are in the Untrust zone.

  • The requirement is to access a server on the Internet, which restricts access form a limited set of IP addresses.

  • In this case, the server will allow connections from 5.5.5.55 and 9.9.9.99 IP addresses:

  • Traditionally, you would create a DIP with one of the IPs and bind it to the security policy fro source-NAT

  • However, in the case of ISP failover, this will create an issue due to the firewall limitation of being unable to bind two DIPs in the same policy.

Solution:

To work around this limitation, you can use a DIP group, in which the DIP IDs that are created on the Ethernet1/1 and Ethernet1/3 interfaces can be bound. After binding the DIPs to a DIP group, it can be then bound to the policy.

The following configurations are on the device:

Interface configuration on the device:

set interface ethernet1/2 ip 192.168.1.1/24
set interface ethernet1/1 ip 5.5.5.5/24
set interface ethernet1/3 ip 9.9.9.9/24
Configured a DIP on the Ethernet1/1 and Ethernet1/3 interfaces:
set interface ethernet1/1 dip 5 5.5.5.55 5.5.5.55
set interface ethernet1/3 dip 6 9.9.9.99 9.9.9.99


.192-> get dip

DipId   Dip Low    Dip High   Interface    Attribute      Usage
5      5.5.5.55    5.5.5.55  ethernet1/1   port-xlate     n/a
6      9.9.9.99    9.9.9.99  ethernet1/3   port-xlate     n/a
Bind these DIPs to a DIP group by using the following commands:
set dip group 7
set dip group 7 member 6
set dip group 7 member 5
Use the DIP group in the policy for translation:
set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 7 permit log 

With this configuration, Firewall will source NAT traffic by selecting a DIP bound to the egress interface.

Modification History:

2019-09-10: Minor edits. Non-technical.

Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search