Behavior of the Virtual IP on different ScreenOS versions

[KB5571]


Summary:
This article provides information about the behavior of the Virtual IP with various ScreenOS versions.
Symptoms:
  • The Virtual IP has only one publicly available IP address.

  • It allows access to internal servers by using the same IP address as the Untrust interface.

  • The VIP cannot be set to the same IP address as the Untrust interface.

  • Which firewalls support the VIP being the same as the Untrust interface IP address?

  • How to configure a VIP on tunnel interfaces.
Solution:

For devices that run ScreenOS 5.4 or earlier:

  • VIPs can be defined only in the Untrust zone.

  • The option to configure the VIP with the same IP address as that of the interface is not available.

  • The Virtual IP must be in the same subnet as the interface IP address.

  • Configuring the VIP on tunnel interfaces is not possible.

For devices that run ScreenOS 6.0, VIPs can be defined in any zone:

  • The Virtual IP address must be in the same subnet as the interface IP address.

  • The VIP-same-as-Untrust-IP feature is supported on the lower-end platforms, but not on the following high-end platforms that run ScreenOS 6.0:

    • NetScreen-ISG 1000

    • NetScreen-ISG 2000

    • NetScreen-5200

    • NetScreen-5400


It is possible to configure the VIP on tunnel interfaces from ScreenOS 6.0 onwards.

For unnumbered tunnel interfaces:

  • The Virtual IP can be configured in a different subnet (allowed only in ScreenOS 6.0).

  • The VIP-same-as-Untrust-IP feature is supported on the lower-end platforms, but not on the above-mentioned high-end platforms that run ScreenOS 6.0.

For tunnel interfaces that have fixed IP addresses:

  • The Virtual IP must be in the same subnet as the tunnel interface IP address.

  • The VIP-same-as-Untrust-IP feature is supported on the lower-end platforms, but not on the above-mentioned high-end platforms that run ScreenOS 6.0.


For devices that run ScreenOS 6.1 or later (applies to all models):

  • You can configure the virtual IP (VIP) address to be the same as the interface IP address on any device in any zone.

  • You can configure the VIP address on the same interface by using the same IP address. This allows you to selectively redirect traffic for specific applications to designated servers.

  • You can configure VIP, MIP, and dynamic IP (DIP) addresses in any combination on any interface.

  • The Virtual IP must be in the same subnet as the interface IP address.

VIP configuration for tunnel interfaces:

For unnumbered tunnel interfaces:

  • The Virtual IP must be in the same subnet as the tunnel interface IP address.

  • The VIP being the same as the interface IP address is supported on all devices that run ScreenOS 6.1 or later.

For tunnel interfaces that have fixed IP addresses:

  • The Virtual IP must be in the same subnet as the tunnel interface IP address.

  • The VIP being the same as the interface IP address is supported on all devices that run ScreenOS 6.1 or later.

For information about the models that support the MIP-same-as-Untrust feature, refer to KB11167 - MIP can use the same address as an interface in some models.

Additional information:

KB14223 - Limitations to Services that Can Be Used for VIP Same as Untrust or VIP Same as Interface IP