
[ScreenOS] Configuring an MIP in a policy-based VPN



Article ID: KB9924 | Last Updated: 27 Jun 2018 | Version: 9.0

This article provides a workaround for configuring a Mapped Internet Protocol (MIP) address in a policy-based VPN. MIPs are normally created on tunnel interfaces in a route-based VPN; the workaround applies when the customer requirement does not allow a route-based VPN.



Customer requirements: 

  • A site-to-site VPN tunnel between a ScreenOS firewall and a Cisco site.
  • The Cisco Peer IP address and the remote subnet must use the same Public IP address.
  • MIPs need to be configured for the servers behind the ScreenOS firewall.

Example Setup for MIP

             ScreenOS (tunnel.1)                                       Cisco
Server ----- Firewall (Eth0/0 Untrust) ---- Internet ---- Firewall ---- User


User at wants to access the internal server with IP, whose real IP is



The following points must be considered before implementing the customer’s requirements:

  • For these requirements, a route-based VPN on the ScreenOS firewall is not an option, because a route to the remote network pointing at the tunnel interface is needed. If the peer IP and the remote IP addresses are the same, that route would also send the IKE packets destined for the peer into the tunnel itself, so the IKE negotiation cannot be established.
  • A policy-based VPN can be configured for this design because only a default route is needed, and then a policy can be used to determine the VPN.
  • On the ScreenOS firewall, an MIP needs to be configured for the servers on the private network, which need to be accessed via a VPN from the Cisco site. However, MIPs are not directly supported in policy-based VPN.
  • If the outgoing interface is in a zone other than Untrust (for example, a zone named ISP), see KB27122 ([ScreenOS] How to configure a MIP in a policy-based VPN when the outgoing interface is in a zone other than Untrust) for instructions.

Execute the following commands to accomplish the requirements, listed above, on the ScreenOS firewall and activate the VPN:

  1. Bind tunnel.1 to Untrust-Tun, a tunnel-type zone that acts as the carrier zone for encryption and decryption:
    set interface tunnel.1 zone Untrust-Tun

  2. Set a fixed IP address on the tunnel interface:
    set interface tunnel.1 ip

  3. Configure the MIP that the remote Cisco network uses to reach the server on the Juniper firewall's local network:
    set interface tunnel.1 mip host netmask

  4. Add a route to send the traffic to the tunnel interface:
    set route interface tunnel.1

  5. Configure Phase 1 as follows:
    set ike gateway Netscreen-Cisco-IKE address main outgoing-interface ethernet4 preshare test sec-level standard

  6. Configure Phase 2 as follows:
    set vpn Netscreen-Cisco-VPN gateway Netscreen-Cisco-IKE sec-level standard

  7. Bind the VPN to the tunnel zone, so that the Juniper firewall recognizes the MIP configured on the tunnel interface:
    set vpn Netscreen-Cisco-VPN bind zone Untrust-Tun

  8. Configure the policies that drive the VPN, then configure a matching access-list on the Cisco end to support the Proxy-IDs generated by these ScreenOS policies:
    set policy from untrust to trust MIP ( any tunnel vpn Netscreen-Cisco-VPN log
    set policy from trust to untrust any tunnel vpn Netscreen-Cisco-VPN log
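The Cisco access-list in step 8 must mirror the Proxy-IDs that ScreenOS derives from the two policies above. The following is an added example (not Juniper's or Cisco's own code) that derives those Proxy-IDs from a policy's zones and addresses and prints the mirrored Cisco crypto ACL entries; the MIP and remote subnet are placeholders, since the article elides its addresses, and the service is assumed to be ANY.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder addressing (constructed; the article does not give its IPs).
MIP_ADDRESS = "203.0.113.10"     # MIP configured on tunnel.1
REMOTE_SUBNET = "192.0.2.0/24"   # network behind the Cisco firewall


@dataclass
class ScreenOSPolicy:
    from_zone: str
    to_zone: str
    src: str   # "any", a prefix, or "MIP(<address>)"
    dst: str


def _to_network(addr: str) -> ipaddress.IPv4Network:
    """Map a ScreenOS address object to the network it contributes to the Proxy-ID."""
    if addr.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    compact = addr.replace(" ", "")
    if compact.upper().startswith("MIP(") and compact.endswith(")"):
        # A MIP is negotiated as the mapped (public) host, not the real server IP.
        return ipaddress.ip_network(compact[4:-1] + "/32")
    return ipaddress.ip_network(addr, strict=False)


def proxy_ids(policy: ScreenOSPolicy) -> tuple[str, str]:
    """Return (local, remote) Proxy-IDs as ScreenOS derives them from a policy.
    Outbound (to untrust): local = source, remote = destination.
    Inbound (from untrust): local = destination, remote = source."""
    src, dst = _to_network(policy.src), _to_network(policy.dst)
    if policy.to_zone.lower() == "untrust":
        return str(src), str(dst)
    return str(dst), str(src)


def _acl_operand(net_str: str) -> str:
    """Render a prefix in Cisco ACL syntax (any / host / wildcard mask)."""
    net = ipaddress.ip_network(net_str)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def cisco_crypto_acl(policies) -> list[str]:
    """Mirror each Proxy-ID pair: Cisco's local side is the ScreenOS remote side."""
    lines = {f"permit ip {_acl_operand(r)} {_acl_operand(l)}"
             for l, r in map(proxy_ids, policies)}
    return sorted(lines)


SAMPLE_POLICIES = [  # constructed to match the two policies in step 8
    ScreenOSPolicy("untrust", "trust", REMOTE_SUBNET, f"MIP({MIP_ADDRESS})"),
    ScreenOSPolicy("trust", "untrust", "any", REMOTE_SUBNET),
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p.from_zone, "->", p.to_zone, "proxy-id local/remote:", proxy_ids(p))
    print("\n".join(cisco_crypto_acl(SAMPLE_POLICIES)))
```

If the tunnel negotiates but fails with a Proxy-ID mismatch, compare these derived pairs with what the Cisco side logs for its crypto ACL before changing either configuration.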


Modification History:

2018-06-27: Article reviewed for accuracy. Note removed in Solution section and the set route command modified. Other minor grammatical changes made.

