
How to configure 1-to-1 mapping of a public address to a private address in the WebUI?


Article ID: KB4739 KB Last Updated: 22 Nov 2012 Version: 7.0
Summary:
This article provides information on how to configure 1-to-1 mapping of a public IP address to a private IP address in the WebUI.
Symptoms:
A Mapped IP (MIP) is a 1-to-1 mapping of a public IP address to a private IP address. How is it configured in the WebUI?
Cause:

Solution:

To configure a 1-to-1 mapping of a public address to a private address via the WebUI, perform the following procedure:

Note: For additional information, refer to KB10923 -- MIP – Definition, configuration of MIP to an IP or a subnet, and troubleshooting tips


In this example, a MIP is configured for a web server.

Step one: Open the WebUI. For more information on accessing the WebUI, refer to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI.

Step two: From the ScreenOS options menu, click Network, and then Interfaces:

Image of step two

Step three: From the ethernet3 interface, click Edit.

Image of step three

Step four: Click to select MIP.

Image of step four

Step five: Click New.

Image of step five

Step six: From Interface (MIP), from Mapped IP, enter the public IP address of the web server. From Netmask, enter the netmask.

For the Netmask, if you are specifying a single host, type 255.255.255.255. If you are specifying a network, type the appropriate network subnet mask.

The netmask determines how the mapping is done. If you use a netmask of 255.255.255.255, the mapping is done on a one-to-one basis. If you use a different netmask, then it maps a range of addresses.

For example:

To map the public addresses (1.1.1.1 to 1.1.1.30) to the internal addresses (192.168.1.1 to 192.168.1.30):

CLI:
set interface "ethernet0/1" mip 1.1.1.0 host 192.168.1.0 netmask 255.255.255.224 vr "trust-vr"
set policy from "Untrust" to "Trust" "Any" "MIP(1.1.1.0/27)" "ANY" permit

This will result in:

1.1.1.1 maps to 192.168.1.1
1.1.1.2 maps to 192.168.1.2
...
...
1.1.1.30 maps to 192.168.1.30



Image of step six and seven

Step seven: From Host IP Address, enter the private IP address of the web server.

Step eight: From the Host Virtual Router Name drop-down menu, click to select trust-vr.

Image of step eight and nine

Step nine: Click OK.

Note: Additional MIP information:
  • Do not set the MIP netmask equal to the subnet mask of the Untrust interface IP address. The NetScreen will answer for all addresses in the subnet. Example: If, in the example above, the Untrust IP address is 172.16.5.66/255.255.255.248 and the gateway is 172.16.5.67, these addresses are included in the netmask and the MIP will break normal traffic.
  • Make sure the combination of the MIP address and netmask does not include the Untrust interface IP address, the default gateway address, or the address of any other device on that subnet. For example, if the Untrust IP address is 172.16.5.50/255.255.255.0, the gateway is 172.16.5.1, and the MIP is 172.16.5.65 netmask 255.255.255.248, then the configuration is acceptable.
  • In ScreenOS 6.0 or earlier, MIP supports a public address in a different network than that of the ingress interface only if the ingress interface is in the Untrust zone. In all other zones, MIPs must be in the same network as the IP address of the interface on which they reside. However, in ScreenOS 6.1 or later, MIP supports a public address in a different network than that of the ingress interface in any zone.
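
The netmask behaviour from step six and the overlap warnings in the note above can be checked before a MIP is committed. The following Python sketch is an added example, not Juniper code: it expands a MIP definition into its address pairs and reports any reserved address (interface IP, gateway) that the MIP range would cover. The function names, the private host 10.1.1.5 and the MIP base used in the conflicting case are constructed for illustration, and the position-by-position pairing is an assumption that reproduces the listing in step six.

```python
import ipaddress


def mip_map(mip_base, host_base, netmask):
    """Expand a MIP definition into {public_ip: private_ip} pairs.

    Assumption: addresses pair up by position inside the masked block,
    which reproduces the 1.1.1.1 -> 192.168.1.1 listing in the article.
    """
    pub = ipaddress.ip_network(f"{mip_base}/{netmask}", strict=False)
    priv = ipaddress.ip_network(f"{host_base}/{netmask}", strict=False)
    if pub.prefixlen == 32:  # 255.255.255.255: single host, one-to-one
        return {str(pub.network_address): str(priv.network_address)}
    # Any other netmask maps the usable host range of the block.
    return {str(p): str(h) for p, h in zip(pub.hosts(), priv.hosts())}


def mip_conflicts(mip_base, netmask, reserved):
    """Return the names of reserved addresses covered by the MIP range.

    reserved: {label: ip} for addresses the firewall must not answer for
    as a MIP (Untrust interface IP, default gateway, other devices).
    """
    pub = ipaddress.ip_network(f"{mip_base}/{netmask}", strict=False)
    return sorted(name for name, ip in reserved.items()
                  if ipaddress.ip_address(ip) in pub)


if __name__ == "__main__":
    # Range mapping from step six of the article.
    pairs = mip_map("1.1.1.0", "192.168.1.0", "255.255.255.224")
    print(len(pairs), "pairs; first:", next(iter(pairs.items())))

    # Single-host MIP; 10.1.1.5 is a constructed private address.
    print(mip_map("210.1.1.5", "10.1.1.5", "255.255.255.255"))

    # First bullet: MIP netmask equals the Untrust subnet mask.
    # The MIP base 172.16.5.65 is constructed for this case.
    print(mip_conflicts("172.16.5.65", "255.255.255.248",
                        {"untrust-ip": "172.16.5.66", "gateway": "172.16.5.67"}))

    # Second bullet: the configuration the article calls acceptable.
    print(mip_conflicts("172.16.5.65", "255.255.255.248",
                        {"untrust-ip": "172.16.5.50", "gateway": "172.16.5.1"}))
```

An empty list from mip_conflicts means the MIP range does not cover any of the listed addresses.
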
Step ten: From the ScreenOS options menu, click Policies.

Image of step ten

Step eleven: In the From drop-down menu, click to select Untrust. From the To drop-down menu, click to select Trust.

Image of step eleven and twelve.

Step twelve: Click New.

Step thirteen: In Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Any.

Image of step thirteen and fourteen

Step fourteen: From Destination Address, click to select Address Book. From the Address Book drop-down menu, click to select Global:MIP (210.1.1.5).

Step fifteen: From the Service drop-down menu, click to select HTTP. From the Action drop-down menu, click to select Permit.

Image of step fifteen and sixteen

Step sixteen: Click OK.
