
Hosting a web server behind a NetScreen or SSG device in NAT mode

  [KB4216]


Summary:
This article describes how to host a web server behind a NetScreen or SSG device in NAT mode. The example uses a VIP.
Symptoms:
How to host a web server behind a NetScreen or SSG device in NAT mode.
Cause:

Solution:
When configuring the NetScreen device for a web server that has an internal, private IP address, you can use a Virtual IP (VIP) or a Mapped IP (MIP). For more information on VIPs and MIPs, go to When to Use a Virtual IP and When to Use a Mapped IP.

Also, you will need to have the Trust and Untrust Zones previously configured to an interface. For more information on how to bind an interface to a zone, go to Binding an Interface to a Zone.

Note: The VIP address has to be in the same subnet as the interface IP address. If the VIP address is in a different subnet, the mapping can be set up with policy-based destination NAT instead. For more information, refer to KB12652 - Configuration Example -- Configure Destination PAT (Port Address Translation) to Multiple Servers; includes Port Mapping/Port Forwarding.



Image of example

If the VIP is the same as the Untrust or Interface IP, you will need to either disable HTTP on the Untrust interface (or the interface in the Untrust zone) or redefine the port that the NetScreen device listens on for management. For information on changing the administration port of a NetScreen device, go to Changing the NetScreen Administration Port.


For this example, a VIP address is configured for a web server. This article is based on the NetScreen-5GT/5XT/5XP devices using Trust and Untrust as interfaces. NetScreen-25/50/204/208 and SSG-5/20/140/320/350/520/550 devices often use Ethernet interfaces.

To host a web server behind a Juniper firewall device in NAT mode using a VIP, perform the following procedure:

Step one: Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Using the WebUI.

Step two: From the ScreenOS options menu, click Network, and then click Interfaces.

Image of step two

Step three: From the untrust interface, under Configure, click Edit.

Image of step three

Step four: Click VIP.

Image of step four

Step five: From Virtual IP Address, enter the IP address of the web server. For this example, 210.1.1.10 is used. The VIP address has to be in the same subnet as the interface IP address.

Image of step five and six

Step six: Click Add.

Step seven: Click New VIP Service.

Image of step seven

Step eight: From the Virtual IP drop-down menu, select the Virtual IP address. From Virtual Port, enter the port number. From the Map to Service drop-down menu, select the service. From Map to IP, enter the internal IP address of the web server.

For this example, a Virtual IP of 210.1.1.10, Virtual Port of 80, Map to Service of HTTP (80), and a Map to IP of 192.168.1.10 have been used. Also, in this example, the web server will have the following IP settings:
  • IP address 192.168.1.10
  • Subnet mask 255.255.255.0
  • Default gateway 192.168.1.1

Image of step eight and nine

Step nine: Click OK.

  The Virtual IP will listen to the Virtual Port. If you have Virtual Port 80 and a policy with service ANY, all traffic going through port 80 will be passed.

Step ten: From the ScreenOS options menu, click Policies.

Image of step ten

Step eleven: In the From drop-down menu, click to select Untrust. From the To drop-down menu, click to select Trust.

Image of step eleven and twelve

Step twelve: Click New.

Step thirteen: In Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Any.

Image of step thirteen and fourteen

Step fourteen: From Destination Address, click to select Address Book. From the Address Book drop-down menu, click to select Global:VIP(210.1.1.10).

Step fifteen: From the Service drop-down menu, click to select HTTP. From the Action drop-down menu, click to select Permit.

Image of step fifteen and sixteen

Step sixteen: Click OK. The HTTP service is now configured.
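
A pre-deployment check for the three constraints this article states (VIP in the interface subnet, a VIP that shares the interface IP while HTTP management listens on the same port, and a policy that uses service ANY). This is an added example, not Juniper code; the interface address 210.1.1.1/24, the function name and the finding labels are assumptions.

```python
import ipaddress


def check_vip_plan(interface_cidr, vip, virtual_port, policy_service,
                   mgmt_http_enabled=True, mgmt_http_port=80):
    """Return a list of findings for a planned VIP (empty list = no issue)."""
    findings = []
    iface = ipaddress.ip_interface(interface_cidr)
    vip_addr = ipaddress.ip_address(vip)

    # Article note: the VIP must be in the same subnet as the interface IP;
    # otherwise policy-based destination NAT is needed instead of a VIP.
    if vip_addr not in iface.network:
        findings.append("vip-outside-interface-subnet")

    # Article note: when the VIP equals the interface IP, HTTP management
    # must be disabled on that interface or moved to another port.
    if (vip_addr == iface.ip and mgmt_http_enabled
            and mgmt_http_port == virtual_port):
        findings.append("vip-port-collides-with-management")

    # Article note: with service ANY, everything arriving on the virtual
    # port is passed; selecting the specific service keeps the rule narrow.
    if policy_service.upper() == "ANY":
        findings.append("policy-service-any")

    return findings


# Values from the article, plus an assumed (constructed) interface address.
ARTICLE_PLAN = dict(interface_cidr="210.1.1.1/24", vip="210.1.1.10",
                    virtual_port=80, policy_service="HTTP")

if __name__ == "__main__":
    print("article example:", check_vip_plan(**ARTICLE_PLAN))
    print("VIP on interface IP, service ANY:",
          check_vip_plan("210.1.1.1/24", "210.1.1.1", 80, "ANY"))
    print("VIP in another subnet:",
          check_vip_plan("210.1.1.1/24", "210.1.2.10", 80, "HTTP"))
```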
