Behavior of the Virtual IP on different ScreenOS versions

Article ID: KB5571 KB Last Updated: 01 Feb 2013 Version: 7.0
Summary:
This article provides information about the behavior of the Virtual IP with various ScreenOS versions.
Symptoms:
  • The Virtual IP has only one publicly available IP address.

  • It allows access to internal servers by using the same IP address as the Untrust interface.

  • The VIP cannot be set to the same IP address as the Untrust interface.

  • Which firewalls support the VIP being the same as untrust?

  • How to configure VIP on tunnel interfaces.
Cause:

Solution:

For devices that run ScreenOS 5.4 or earlier:

  • VIPs can be defined only in the Untrust zone.

  • The option to configure the VIP with the same IP address as that of the interface is not available.

  • The Virtual IP should be in the same subnet as that of the interface IP address.

  • Configuring the VIP on tunnel interfaces is not possible.

For devices that run ScreenOS 6.0, VIPs can be defined in any zone:

  • The Virtual IP address should be in the same subnet as that of the interface IP address.

  • The feature that allows the VIP to be the same as the Untrust interface IP address is supported on the lower-end platforms, but not on the following high-end platforms that run ScreenOS 6.0:

    • NetScreen-ISG 1000

    • NetScreen-ISG 2000

    • NetScreen-5200

    • NetScreen-5400


It is possible to configure the VIP on tunnel interfaces from ScreenOS 6.0 or later.

For unnumbered tunnel interfaces:

  • The Virtual IP can be configured in a different subnet (allowed only in ScreenOS 6.0).

  • The feature that allows the VIP to be the same as the Untrust interface IP address is supported on the lower-end platforms, but not on the high-end platforms listed above that run ScreenOS 6.0.

For tunnel interfaces that have fixed IP addresses:

  • The Virtual IP should be in the same subnet as that of the tunnel interface IP address.

  • The feature that allows the VIP to be the same as the Untrust interface IP address is supported on the lower-end platforms, but not on the high-end platforms listed above that run ScreenOS 6.0.


For devices that run ScreenOS 6.1 or later (applies to all models):

  • You can configure the virtual IP (VIP) address to be the same as the interface IP address on any device in any zone.

  • You can configure the VIP address on the same interface by using the same IP address. This allows you to selectively redirect traffic for specific applications to designated servers.

  • You can configure VIP, MIP, and dynamic IP (DIP) addresses in any combination on any interface.

  • The Virtual IP should be in the same subnet as that of the interface IP address.

VIP configuration for tunnel interfaces:

For unnumbered tunnel interfaces:

  • The Virtual IP should be in the same subnet as that of the tunnel interface IP address.

  • The VIP being the same as the interface IP address is supported on all devices that run ScreenOS 6.1 or later.

For tunnel interfaces that have fixed IP addresses:

  • The Virtual IP should be in the same subnet as that of the tunnel interface IP address.

  • The VIP being the same as the interface IP address is supported on all devices that run ScreenOS 6.1 or later.

For information about the models that support the MIP same as Untrust feature, refer to KB11167 - MIP can use the same address as an interface in some models.

Additional information:

 KB14223 - Limitations to Services that Can Be Used for VIP Same as Untrust or VIP Same as Interface IP
