
[ScreenOS] How to configure 1-to-1 mapping of a public address to a private address in the WebUI


Article ID: KB4739 KB Last Updated: 18 Jun 2020 Version: 8.0
Summary:

This article explains how to configure 1-to-1 mapping of a public IP address to a private IP address in the WebUI.

Symptoms:

A Mapped IP (MIP) is a 1-to-1 mapping of a public IP address to a private IP address. How is it configured in the WebUI?

Solution:

To configure a 1-to-1 mapping of a public address to a private address via the WebUI, perform the following procedure:

Note: For additional information, refer to KB10923 -- MIP – Definition, configuration of MIP to an IP or a subnet, and troubleshooting tips

In this example, a MIP is configured for a web server.
  1. Open the WebUI. For more information on accessing the WebUI, refer to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI.

  2. From the ScreenOS options menu, click Network, and then Interfaces.

  3. From the ethernet3 interface, click Edit.

  4. Click to select MIP.

  5. Click New.

  6. From Interface (MIP), from Mapped IP, enter the public IP address of the web server. From Netmask, enter the netmask.
    For the Netmask, if you are specifying a single host, type 255.255.255.255. If you are specifying a network, type the appropriate network subnet mask.
    The netmask determines how the mapping is done. If you use a netmask of 255.255.255.255, the mapping is done on a one-to-one basis. If you use a different netmask, then it maps a range of addresses.

    For example:

    To map the public addresses (1.1.1.1--1.1.1.30) to the internal addresses (192.168.1.1--192.168.1.30):

    CLI:

    set interface "ethernet0/1" mip 1.1.1.0 host 192.168.1.0 netmask 255.255.255.224 vr "trust-vr"
    set policy from "Untrust" to "Trust" "Any" "MIP(1.1.1.0/27)" "HTTP" permit

    This will result in:

    1.1.1.1 maps to 192.168.1.1
    1.1.1.2 maps to 192.168.1.2
    ...
    1.1.1.30 maps to 192.168.1.30

  7. From Host IP Address, enter the private IP address of the web server.

  8. From the Host Virtual Router Name drop-down menu, click to select trust-vr.

  9. Click OK.

    Note: Additional MIP information:
    • Do not set the MIP netmask equal to the subnet mask of the Untrust interface IP address; if you do, the NetScreen device answers for all addresses in the subnet. Example: If the Untrust IP address is 172.16.5.66/255.255.255.248 and the gateway is 172.16.5.67, these addresses are included in the netmask and the MIP will break normal traffic.
    • Make sure that the combination of the MIP address and netmask does not include the Untrust interface IP address, the default gateway address, or the address of any other device on that subnet. For example, if the Untrust IP address is 172.16.5.50/255.255.255.0, the gateway is 172.16.5.1, and the MIP is 172.16.5.65 netmask 255.255.255.248, then the configuration is acceptable.
    • In ScreenOS 6.0 or earlier, MIP supports a public address in a different network than that of the ingress interface only if the ingress interface is in the Untrust zone. In all other zones, MIPs must be in the same network as the IP address of the interface on which they reside. However, in ScreenOS 6.1 or later, MIP supports a public address in a different network than that of the ingress interface in any zone.
  10. From the ScreenOS options menu, click Policy > Policies.

  11. In the From drop-down menu, click to select Untrust. From the To drop-down menu, click to select Trust.


     
  12. Click New.

  13. In Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Any.

  14. From Destination Address, click to select Address Book. From the Address Book drop-down menu, click to select Global:MIP (1.1.1.0/27).

  15. From the Service drop-down menu, click to select HTTP. From the Action drop-down menu, click to select Permit.

  16. Click OK.
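
The netmask-based mapping in step 6 and the overlap warnings in the note under step 9 can be checked before a MIP is committed. The following Python sketch is an added example, not Juniper code; the function names are hypothetical, and it assumes a MIP address with host bits set is treated as the enclosing block.

```python
import ipaddress

def mip_network(ip, netmask):
    # Assumption: a base address with host bits set (e.g. 172.16.5.65 with
    # 255.255.255.248) is normalised to the enclosing block.
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)

def map_public_to_host(public_ip, mip_ip, host_ip, netmask):
    """Return the private address a public address maps to, or None."""
    mip_net = mip_network(mip_ip, netmask)
    host_net = mip_network(host_ip, netmask)
    addr = ipaddress.ip_address(public_ip)
    if addr not in mip_net:
        return None  # address is not covered by this MIP
    # The same offset is applied in the public and the private range.
    offset = int(addr) - int(mip_net.network_address)
    return str(host_net.network_address + offset)

def mip_conflicts(mip_ip, netmask, if_ip, if_mask, gateway, others=()):
    """List addresses on the interface subnet that the MIP would answer for."""
    mip_net = mip_network(mip_ip, netmask)
    if_net = ipaddress.ip_network(f"{if_ip}/{if_mask}", strict=False)
    findings = []
    if mip_net == if_net:
        findings.append(f"MIP {mip_net} covers the whole interface subnet")
    labelled = [("interface", if_ip), ("gateway", gateway)]
    labelled += [("other device", o) for o in others]
    for label, ip in labelled:
        if ipaddress.ip_address(ip) in mip_net:
            findings.append(f"{label} {ip} is inside MIP {mip_net}")
    return findings

if __name__ == "__main__":
    # Mapping from the article's CLI example.
    print(map_public_to_host("1.1.1.30", "1.1.1.0", "192.168.1.0",
                             "255.255.255.224"))
    # Interface and gateway from the first note; the MIP base 172.16.5.64
    # is a constructed value, since the note does not state one.
    for finding in mip_conflicts("172.16.5.64", "255.255.255.248",
                                 "172.16.5.66", "255.255.255.248",
                                 "172.16.5.67"):
        print("CONFLICT:", finding)
    # Acceptable configuration from the second note: no findings.
    print(mip_conflicts("172.16.5.65", "255.255.255.248",
                        "172.16.5.50", "255.255.255.0", "172.16.5.1"))
```

An empty list from `mip_conflicts` means the MIP range does not include the interface address, the gateway, or any address passed in `others`.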
Modification History:
2020-06-18: Replaced old WebUI snapshots with new WebUI snapshots.
