
[ScreenOS] How to bi-directionally translate two public IP addresses via one Private IP address


Article ID: KB26363
KB Last Updated: 07 Dec 2012
Version: 2.0
Summary:
This article provides information on how to bi-directionally translate two public IP addresses via one private IP address.
Symptoms:
A customer wants to bi-directionally translate the a.a.a.a and b.b.b.b public IP addresses on the untrust interface to the x.x.x.x private IP address, because two different users, User A and User B, need to reach the x.x.x.x/32 server via different public IP addresses.
User A------4.4.4.4/32-------4.4.4.5/30 (untrust) firewall (trust) 172.27.201.136/24 ------172.27.201.37/32 (server)
User B------5.5.5.5/32


Cause:

Solution:

The procedure is as follows:

  1. Configure two DIP pools, 4.4.4.4/32 and 5.5.5.5/32, on the Untrust interface, each containing a single IP address. Enable the "In the same subnet as the extended IP" option for the 5.5.5.5/32 DIP pool, because 5.5.5.5/32 is not in the same subnet as the Untrust interface:


  2. Configure two routes, for 4.4.4.4/32 and 5.5.5.5/32, with the trust interface as the outgoing interface. The gateway field can be left blank:


  3. Create two address objects, 4.4.4.4 and 5.5.5.5, in the Trust zone:

  4. The inbound untrust to trust policies can be configured as follows:

    • User A Address > 4.4.4.4, dst-NAT to the private IP (172.27.201.37/32)

    • User B Address > 5.5.5.5, dst-NAT to the same private IP (172.27.201.37/32)

    • Any > 4.4.4.4 & 5.5.5.5, deny



  5. The outbound trust to untrust policies can be configured as follows:

    • 172.27.201.37 > User A Address, src-NAT to the first DIP (4.4.4.4/32)

    • 172.27.201.37 > User B Address, src-NAT to the second DIP (5.5.5.5/32)

    • Server > Any, src-NAT to the Untrust interface IP (if required)


Configuration via CLI:

set interface "ethernet0/2" zone "Trust"
set interface "ethernet0/3" zone "Untrust"
set interface ethernet0/2 ip 172.27.201.136/24
set interface ethernet0/3 ip 4.4.4.5/29
set interface ethernet0/3 dip 5 4.4.4.4 4.4.4.4 incoming
set interface ethernet0/3 ext ip 5.5.5.5 255.255.255.255 dip 6 5.5.5.5 5.5.5.5
set address "Trust" "4.4.4.4" 4.4.4.4 255.255.255.255
set address "Trust" "5.5.5.5" 5.5.5.5 255.255.255.255
set policy id 1 from "Untrust" to "Trust"  "128.2.2.2/32" "4.4.4.4" "ANY" nat dst ip 172.27.201.37 permit
set policy id 2 from "Untrust" to "Trust"  "128.2.2.3/32" "5.5.5.5" "ANY" nat dst ip 172.27.201.37 permit
set policy id 3 from "Untrust" to "Trust"  "Any-IPv4" "4.4.4.4" "ANY" deny
set policy id 6 from "Untrust" to "Trust"  "Any-IPv4" "5.5.5.5" "ANY" deny
set policy id 4 from "Trust" to "Untrust"  "172.27.201.37/32" "128.2.2.2/32" "ANY" nat src dip-id 5 permit
set policy id 5 from "Trust" to "Untrust"  "172.27.201.37/32" "128.2.2.3/32" "ANY" nat src dip-id 6 permit
set route 172.27.199.0/24 interface ethernet0/2 gateway 172.27.201.3
set route 4.4.4.4/32 interface ethernet0/2
set route 5.5.5.5/32 interface ethernet0/2
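The following Python script is an added audit helper, not part of this KB article: it parses `set policy` and DIP lines in the ScreenOS syntax used above and checks the two properties the design depends on, that no dst-NAT policy for a public address is open to an Any source, and that every inbound user-to-public mapping has an outbound policy whose DIP pool maps back to the same public address. The embedded sample is constructed from the CLI above, with the catch-all policy deliberately left as `permit` so the audit has something to flag.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the NAT-relevant lines of the configuration above, with the
# catch-all "Any-IPv4" policy left as "permit" so the audit reports it.
CONFIG = """
set interface ethernet0/3 dip 5 4.4.4.4 4.4.4.4 incoming
set interface ethernet0/3 ext ip 5.5.5.5 255.255.255.255 dip 6 5.5.5.5 5.5.5.5
set policy id 1 from "Untrust" to "Trust" "128.2.2.2/32" "4.4.4.4" "ANY" nat dst ip 172.27.201.37 permit
set policy id 2 from "Untrust" to "Trust" "128.2.2.3/32" "5.5.5.5" "ANY" nat dst ip 172.27.201.37 permit
set policy id 3 from "Untrust" to "Trust" "Any-IPv4" "4.4.4.4" "ANY" nat dst ip 172.27.201.37 permit
set policy id 4 from "Trust" to "Untrust" "172.27.201.37/32" "128.2.2.2/32" "ANY" nat src dip-id 5 permit
set policy id 5 from "Trust" to "Untrust" "172.27.201.37/32" "128.2.2.3/32" "ANY" nat src dip-id 6 permit
"""

POLICY_RE = re.compile(r'set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)"(.*)')
DIP_RE = re.compile(r'dip (\d+) (\S+) (\S+)')      # covers only the single-IP pool form used here
ANY_SOURCES = {"any", "any-ipv4"}

@dataclass
class Policy:
    pid: int; src_zone: str; dst_zone: str; src: str; dst: str; svc: str
    action: str; nat_dst: Optional[str]; dip_id: Optional[int]

def parse(config):
    dips, policies = {}, []
    for line in config.strip().splitlines():
        if line.startswith("set interface") and (m := DIP_RE.search(line)):
            dips[int(m.group(1))] = m.group(2)         # DIP id -> first (only) address in the pool
        elif m := POLICY_RE.match(line):
            tail = m.group(7)
            nd = re.search(r'nat dst ip (\S+)', tail)
            sd = re.search(r'nat src dip-id (\d+)', tail)
            policies.append(Policy(int(m.group(1)), *m.group(2, 3, 4, 5, 6), tail.split()[-1],
                                   nd.group(1) if nd else None, int(sd.group(1)) if sd else None))
    return dips, policies

def audit(config):
    """Return findings: inbound dst-NAT permits open to any source, and inbound mappings
    with no outbound policy that src-NATs the server back to the same public address."""
    dips, policies = parse(config)
    findings = []
    for p in policies:
        if not (p.nat_dst and p.action == "permit"):
            continue
        if p.src.lower() in ANY_SOURCES:
            findings.append(f"policy {p.pid}: dst-NAT to {p.nat_dst} via {p.dst} is open to {p.src}")
            continue
        reverse = [q for q in policies if q.dip_id is not None and dips.get(q.dip_id) == p.dst
                   and q.dst == p.src and q.src.removesuffix("/32") == p.nat_dst]
        if not reverse:
            findings.append(f"policy {p.pid}: no outbound policy src-NATs {p.nat_dst} -> {p.dst} for {p.src}")
    return findings
```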
