A loopback interface is a resource holder that contains the MIP address mapping. To allow other interfaces to use the MIP on the loopback interface, add the interfaces as members of the loopback group. The loopback interface and its member interfaces must be in different IP subnets in the same zone. Any type of interface can be a member of a loopback group, as long as the interface has an IP address. If you configure a MIP on both a loopback interface and one of its member interfaces, the loopback interface configuration takes precedence. A loopback interface cannot be a member of another loopback group.
In this example, a loopback interface(loopback.3) is configured in the Trust zone, with the 3.3.3.3 IP address. Members of the loopback interface group are tunnel.1 and tunnel.2. The loopback interface holds the 3.3.3.5 MIP, which maps to the 5.5.5.5 host.
When a packet that is destined for 3.3.3.5 arrives at tunnel.1, ScreenOS first searches for the MIP at tunnel.1 and then at the loopback.3 loopback interface. When it finds a match in loopback.3, it translates the original destination IP address (3.3.3.5) to the host IP address (5.5.5.5) and the packet is routed to the MIP host.
The traffic that is destined for 3.3.3.5 can also arrive at tunnel.2. ScreenOS searches for the MIP at tunnel.2 and then at the loopback.3 loopback interface. Again, ScreenOS finds a match in loopback.3 and translates the original destination IP (3.3.3.5) to the host IP address (5.5.5.5) and the packet is routed to the MIP host.

To configure a loopback group, perform the following steps:
Open the WebUI. For more information on accessing the WebUI, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

From the NetScreen options menu, click
Network, and then click to select
Interfaces.


From the Interfaces drop-down menu, click to select
Loopback IF.


Click
New.

From
Interface Name, enter a
loopback number.

For this example, we have entered
3 to create an
Interface Name of
loopback.3.


From the
Zone drop-down menu, click to select
Trust (trust-vr).

From
IP Address/Netmask, enter an
IP Address/Netmask.

For this example, we have entered
3.3.3.3/24.


Click
Apply.

Click
MIP.


Click
New.


From
Mapped IP, enter a
Mapped IP. From
Netmask, enter a
Netmask.

For this example, we have entered
3.3.3.5 and
255.255.255.255.


From
Host IP Address, enter a Host IP Addre
ss, and then from the H
ost Virtual Router Name drop-down menu, click to select
trust-vr.

For this example, we have entered
5.5.5.5.

Click
OK.


From the NetScreen options menu, click
Network, and then click to select
Interfaces.


From the
Interfaces drop-down menu, click to select
Tunnel IF, and then click
New.


From
Interface Name, enter a
tunnel number.

For this example, we have entered
1.


From the
Zone drop-down menu, click to select
Trust (trust-vr).

In the
IP Address/Netmask textbox, enter an
IP Address/Netmask.

For this example, we have entered
1.1.1.1/24.


From the
Interface drop-down menu, click to select
loopback.3 (trust-vr).

Click
OK.


From the NetScreen options menu, click
Network, and then click to select
Interfaces.


From the
Interfaces drop-down menu, click to select
Tunnel IF. Click
New.


From
Interface Name, enter a
tunnel number.

For this example, we have entered
2.


From the
Zone drop-down menu, click to select
Trust (trust-vr).

In the
IP Address/Netmask textbox, enter an
IP Address/Netmask.

For this example, we have entered
2.2.2.2/24.


From the
Interface drop-down menu, click to select
loopback.3 (trust-vr).

Click
OK.

CLI:
set interface "loopback.3" zone "Trust"
set interface "loopback.3" ip 3.3.3.3/24
set interface loopback.3 mip 3.3.3.5 host 5.5.5.5 netmask 255.255.255.255 vrouter trust-vr
set interface "tunnel.1" zone "Trust"
set interface "tunnel.1" ip 1.1.1.1/24
set interface "tunnel.1" loopback-group "loopback.3"
set interface "tunnel.2" zone "Trust"
set interface "tunnel.2" ip 2.2.2.2/24
set interface "tunnel.2" loopback-group "loopback.3"