[ScreenOS] How to configure a MIP in a policy-based VPN when outgoing interface is in zone other than Untrust

  [KB27122]

A Mapped Internet Protocol (MIP) address is typically created on a tunnel interface in a route-based VPN. This article describes a work-around for a situation in which a customer requirement does not allow for a route-based VPN and the outgoing interface is not in the Untrust zone.
Requirements for this customer scenario:
  • Site-to-site policy-based VPN tunnel

  • Internal host subnets need to be NATed; clients on the remote networks communicate using the NATed IP addresses

  • MIP needs to be configured for a server behind the ScreenOS firewall
On the ScreenOS firewall, a MIP must be configured for the servers on the private network, which must be accessed via a VPN from the remote site. However, MIPs are not directly supported in policy-based VPN.

If the outgoing interface of the VPN is in the Untrust zone, follow KB9924 - [ISG/NS/SSG Series] How to configure a MIP in a policy-based VPN.

If the outgoing interface is in a zone other than Untrust (for example, a zone named ISP), here is an example configuration:

set zone "ISP"
set interface ethernet0/2 zone "ISP"   <--- ISP is the zone of the outgoing interface ethernet0/2
set interface ethernet0/2 ip
set zone "ISP-Tun" tunnel ISP   <--- ISP-Tun is the tunnel zone (carrier zone ISP) in which the NAT translation takes place

Follow these commands to meet the customer's requirements on the ScreenOS firewall:
  • ISP-Tun is the tunnel-type zone whose carrier zone (ISP) handles encryption and decryption; place the tunnel interface in it:
    set interface tunnel.1 zone ISP-Tun

  • Fixed IP on the tunnel interface
    set interface tunnel.1 ip

  • The MIP is the address the remote network uses to reach the server on the ScreenOS firewall's local network:
    set interface tunnel.1 mip host netmask

  • A route is needed to send the traffic to the tunnel interface so that the translation takes place:
    set route interface tunnel.1

  • Phase 1 configuration:
    set ike gateway Netscreen-IKE address main outgoing-interface ethernet0/2 preshare test sec-level standard

  • Phase 2 configuration:
    set vpn Netscreen-VPN gateway Netscreen-IKE sec-level standard

  • Bind the VPN to the tunnel zone so that the ScreenOS firewall finds the MIP configured on the tunnel interface:
    set vpn Netscreen-VPN bind zone ISP-Tun

  • Configure the policies; a matching access-list must be configured on the remote end to support the Proxy-IDs generated by these policies on the ScreenOS firewall:
    set policy from ISP to trust MIP( ) any tunnel vpn Netscreen-VPN log
    set policy from trust to ISP any tunnel vpn Netscreen-VPN log
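The commands above only work if three things line up: the tunnel interface that carries the MIP, the tunnel zone the VPN is bound to, and the carrier zone of that tunnel zone (which must be the zone of the IKE gateway's outgoing interface). A bind to the wrong tunnel zone (for example the default Untrust-Tun instead of ISP-Tun) is easy to miss in a long `get config` dump. The following Python script is an added example, not Juniper tooling or part of this article: it parses the handful of `set` command forms used above and reports any mismatch. The regexes cover only those command forms, and the sample configuration with its RFC 5737 documentation addresses is constructed for the demonstration.

```python
"""Lint a ScreenOS policy-based VPN that carries a MIP on a tunnel interface.

Added example (hypothetical tooling): it checks the plumbing described in
KB27122, namely that the VPN's bound tunnel zone is the zone of the tunnel
interface holding the MIP, that the tunnel zone's carrier is the zone of the
IKE gateway's outgoing interface, and that a policy from that zone references
the MIP address through the same VPN.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ScreenOSConfig:
    """Only the parts of a ScreenOS 'set' configuration that matter here."""
    iface_zone: dict = field(default_factory=dict)      # interface -> zone
    tunnel_carrier: dict = field(default_factory=dict)  # tunnel zone -> carrier zone
    mips: dict = field(default_factory=dict)            # MIP address -> interface it sits on
    gateway_iface: dict = field(default_factory=dict)   # IKE gateway -> outgoing interface
    vpn_gateway: dict = field(default_factory=dict)     # VPN -> IKE gateway
    vpn_bind_zone: dict = field(default_factory=dict)   # VPN -> bound tunnel zone
    policies: list = field(default_factory=list)        # (from, to, src, dst, vpn)


# One regex per command form the article uses; any other line is ignored.
RULES = [
    (re.compile(r"^set zone (\S+) tunnel (\S+)$"), "tunnel_zone"),
    (re.compile(r"^set interface (\S+) zone (\S+)$"), "iface_zone"),
    (re.compile(r"^set interface (\S+) mip (\S+) host \S+ netmask \S+$"), "mip"),
    (re.compile(r"^set ike gateway (\S+) address \S+ main outgoing-interface (\S+)\b"), "gateway"),
    (re.compile(r"^set vpn (\S+) gateway (\S+)\b"), "vpn_gateway"),
    (re.compile(r"^set vpn (\S+) bind zone (\S+)$"), "vpn_bind"),
    (re.compile(r"^set policy from (\S+) to (\S+) (\S+) (\S+) tunnel vpn (\S+)\b"), "policy"),
]


def parse(text: str) -> ScreenOSConfig:
    """Build a ScreenOSConfig from raw 'set' lines (inline '<---' notes are dropped)."""
    cfg = ScreenOSConfig()
    for raw in text.splitlines():
        line = raw.split("<---")[0].strip().replace('"', "")
        for regex, kind in RULES:
            m = regex.match(line)
            if not m:
                continue
            g = m.groups()
            if kind == "tunnel_zone":
                cfg.tunnel_carrier[g[0]] = g[1]
            elif kind == "iface_zone":
                cfg.iface_zone[g[0]] = g[1]
            elif kind == "mip":
                cfg.mips[g[1]] = g[0]
            elif kind == "gateway":
                cfg.gateway_iface[g[0]] = g[1]
            elif kind == "vpn_gateway":
                cfg.vpn_gateway[g[0]] = g[1]
            elif kind == "vpn_bind":
                cfg.vpn_bind_zone[g[0]] = g[1]
            elif kind == "policy":
                cfg.policies.append(g)
            break
    return cfg


def check_mip_vpn(cfg: ScreenOSConfig) -> list:
    """Return human-readable findings; an empty list means the MIP/VPN plumbing lines up."""
    findings = []
    for vpn, bound in cfg.vpn_bind_zone.items():
        out_iface = cfg.gateway_iface.get(cfg.vpn_gateway.get(vpn))
        out_zone = cfg.iface_zone.get(out_iface)
        carrier = cfg.tunnel_carrier.get(bound)
        if carrier is None:
            findings.append(f"{vpn}: bound to '{bound}', which is not a tunnel zone defined in this config")
        elif carrier != out_zone:
            findings.append(f"{vpn}: tunnel zone '{bound}' carries '{carrier}' but outgoing interface "
                            f"{out_iface} is in '{out_zone}'")
        # The MIP must sit on a tunnel interface inside the bound zone, or the firewall never sees it.
        if not any(cfg.iface_zone.get(iface) == bound for iface in cfg.mips.values()):
            findings.append(f"{vpn}: no MIP sits on a tunnel interface in zone '{bound}'")
        # An inbound policy from the carrier zone must name the MIP and this VPN.
        inbound = [p for p in cfg.policies if p[4] == vpn and p[0] == out_zone
                   and any(f"MIP({ip})" in (p[2], p[3]) for ip in cfg.mips)]
        if not inbound:
            findings.append(f"{vpn}: no policy from '{out_zone}' references a MIP address through this VPN")
    return findings


# Constructed sample in the shape of the article's commands (addresses are documentation values).
GOOD_CONFIG = """
set zone "ISP"
set interface ethernet0/2 zone "ISP"
set interface ethernet0/2 ip 203.0.113.2/24
set zone "ISP-Tun" tunnel ISP
set interface tunnel.1 zone ISP-Tun
set interface tunnel.1 ip 10.10.10.1/24
set interface tunnel.1 mip 10.10.10.50 host 192.168.1.50 netmask 255.255.255.255
set route 10.10.10.0/24 interface tunnel.1
set ike gateway Netscreen-IKE address 198.51.100.1 main outgoing-interface ethernet0/2 preshare test sec-level standard
set vpn Netscreen-VPN gateway Netscreen-IKE sec-level standard
set vpn Netscreen-VPN bind zone ISP-Tun
set policy from ISP to trust MIP(10.10.10.50) any tunnel vpn Netscreen-VPN log
set policy from trust to ISP any any tunnel vpn Netscreen-VPN log
"""

# Same configuration, but the VPN is bound to the default Untrust-Tun zone instead of ISP-Tun.
BAD_CONFIG = GOOD_CONFIG.replace("bind zone ISP-Tun", "bind zone Untrust-Tun")

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_mip_vpn(parse(text)) or "OK")
```

Run it against a saved `get config` output by passing the file contents to `parse`; the bad sample reports both that Untrust-Tun is not a tunnel zone defined in the config and that no MIP sits on a tunnel interface in that zone, which is exactly the condition under which the MIP is never matched for tunnel traffic.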