howart (Netherlands) asked:
How to configure complex port forwarding on a netscreen xt5?

I migrated from a linux box with shorewall to a netscreen xt5.
On the shorewall you can do the following port forward
Source    port    Destination    port
HostA     any     localHostA     22
HostB     any     localHostB     22

On the netscreen:
VIP on the untrusted interface for port 22 assigned to localhostA:22
Policy:
Untrusted    Trusted    Service    actions    options
Any          VIP::1     ssh        allow      log

How do I set up the second forward, from HostB on the Internet to HostB on my LAN?
jabiii (United States of America):

You probably want a VIP, and should reference Juniper's knowledge base or Concepts and Examples.

Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.

C&E: http://www.juniper.net/techpubs/software/screenos/screenos5x/ce_v8_5_0.pdf
reference: http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907421
VIP and MIP are similar but different :P You want the VIP, sorry if confusing.

Taken from Juniper's web page.
"What is a VIP? Virtual IPs (VIP) are one to many mappings of IP address that distinguish traffic based on port number to determine what IP address to send the traffic to.  A common application of VIPs is to have one public IP address represent the Web server, email server and FTP server, each of which has a unique private IP address.  This sharing of one external IP address provides a good way to conserve public IP addresses."

Taken from Juniper C&E:
MIP: Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.
howart (ASKER):
OK, gonna read about a MIP in the documentation.
I do use a VIP now, but a VIP means many hosts in the untrusted zone connect to one in the trusted zone.

I want to create more than one 1:n connection over the same port, but to different hosts in the trusted zone.
Check this out.
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1903773

This is for allowing any host connecting to the VIP address on port 80 forwarded to an internal host.
howart (ASKER):

Thanks, that's what I use, see my initial question.

Any ideas how I can configure the nt5xt in a way that I can also reach a second webserver in my local network?
Over the same port, http/tcp.

Shorewall can!!!! So the XT should do the same.

Is it from a specific destination or from anywhere for both servers?

From anywhere doesn't make sense: why have 2 internal servers with the same external IP & port for 2 different things?

If that's the case, and you're using the same port, you're going to need to use MIPs.

VIP is for use when you have multiple servers listening on different ports, and they all map to 1 external virtual IP.

MIPs are used for basically 1/1.

There might be a way to do it with VIP, but I don't know how. Using MIPs will solve your problem.
howart (ASKER):

I wanna make two 1/1 connections over port 22/tcp, aka SSH.
See initial question.

Already got a VIP running for the most important one.
Filtering the traffic with a policy remote host --> VIP:22 allow and log.


Can you tell me how to make a MIP?
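As an added example (not the member-only accepted solution, and not Juniper's own documentation), this is how the two 1:1 SSH forwards from the question could be written on a 5XT, with MIPs as jabiii suggests and, as a second variant, a single VIP that tells the two internal hosts apart by virtual port. The syntax is assumed from ScreenOS 5.x and should be checked against the C&E guide linked in the thread; all addresses are made-up documentation ranges, and HostA/HostB/localHostA/localHostB stand for the hosts in the question.

```screenos
# Assumed ScreenOS 5.x CLI for a NetScreen-5XT (interfaces "untrust"/"trust").
# Public IPs 203.0.113.x, remote hosts 198.51.100.x and LAN 192.168.1.x are constructed.

# Variant 1: one MIP per internal SSH host. A MIP is a 1:1 address mapping,
# so each internal host needs its own spare public IP on the untrust subnet.
set interface untrust mip 203.0.113.21 host 192.168.1.21 netmask 255.255.255.255 vr trust-vr
set interface untrust mip 203.0.113.22 host 192.168.1.22 netmask 255.255.255.255 vr trust-vr

# Allow only the one remote host per mapping (as the shorewall rules did),
# rather than "Any", and log the permitted sessions.
set address untrust HostA 198.51.100.10 255.255.255.255
set address untrust HostB 198.51.100.20 255.255.255.255
set policy from untrust to trust HostA mip(203.0.113.21) ssh permit log
set policy from untrust to trust HostB mip(203.0.113.22) ssh permit log

# Variant 2: keep the single public IP already used by the existing VIP and
# distinguish localHostB by a different virtual port; the real port stays 22.
set interface untrust vip 203.0.113.5 22 ssh 192.168.1.21
set interface untrust vip 203.0.113.5 2222 ssh 192.168.1.22
set policy from untrust to trust HostA vip(203.0.113.5) ssh permit log
set policy from untrust to trust HostB vip(203.0.113.5) ssh permit log

save
```

Neither variant forwards the same public IP and port to two different LAN hosts by source address alone, which is what the shorewall rules did; on the 5XT the two targets are separated either by public IP (MIP) or by virtual port (VIP).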
ASKER CERTIFIED SOLUTION
jabiii