Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] When to Use a Virtual IP Address and When to Use a Mapped IP Address



Article ID: KB4751 KB Last Updated: 28 Dec 2020Version: 6.0

This article provides more information about when to use a virtual IP address and when to use a mapped IP address.



Note: This article applies to ScreenOS 4.0 and later.

A Virtual IP (VIP) address maps one external IP address and one external port to multiple possible IP addresses and ports. It can also translate an external port to a different internal port. VIP addresses map traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header.

If you have only one public IP address available, and you want to host multiple servers, use a VIP. An MIP should be used when you have multiple public IP addresses, and you want to host a single server to a single public IP address.

A VIP is the equivalent of what many network engineers call port forwarding. For example:

  • An HTTP packet destined for (that is, IP address and port 80) might be mapped to a web server at

  • An FTP packet destined for might be mapped to an FTP server at

  • An SMTP packet destined for might be mapped to a mail server at

The destination IP addresses are the same. The destination port numbers determine the host to which the NetScreen device forwards traffic.

For more information about configuring a virtual IP address, go to Configuring a Virtual IP.

A Mapped IP (MIP) address is a direct one-to-one mapping of one IP address to another IP address. The NetScreen device forwards incoming traffic destined to an MIP to the host with the address to which the MIP points. MIP maps one external IP address to one internal IP address, and does not alter the port information. Essentially, an MIP is a static destination address translation.

MIPs allow inbound traffic to reach private addresses in a zone whose interface is in NAT mode. MIPs also provide part of the solution to the problem of overlapping address spaces at two sites connected by a VPN tunnel.

An overlapping address space is when the IP address range in two networks is partially or completely the same.

For more information about configuring a MIP, go to How Do I Configure a 1-to-1 Mapping of a Public Address to a Private Address?


Modification History:

2020-12-28: Modified article to remove any references to EOL devices


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search