How to configure complex port forwarding on a NetScreen-5XT?

Posted on 2006-04-12
2,150 Views
Last Modified: 2008-03-20
I migrated from a Linux box with Shorewall to a NetScreen-5XT.
On the Shorewall you can do the following port forward:

Source    Port    Destination    Port
HostA     any     localHostA     22
HostB     any     localHostB     22

On the NetScreen:
VIP on the untrusted interface for port 22 assigned to localHostA:22
Policy:

Untrusted    Trusted    Service    Action    Options
Any          VIP::1     ssh        allow     log

How do I set up the second forward, from HostB on the Internet to HostB on my LAN?
Question by: howart

Expert Comment by jabiii (ID: 16439489)
You probably want a VIP, and should reference Juniper's knowledge base or Concepts and Examples.

Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.

C&E: http://www.juniper.net/techpubs/software/screenos/screenos5x/ce_v8_5_0.pdf
Reference: http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907421
Expert Comment by jabiii (ID: 16439676)
VIP and MIP are similar but different :P You want the VIP; sorry if confusing.

Taken from Juniper's web page:
"What is a VIP? Virtual IPs (VIP) are one to many mappings of IP address that distinguish traffic based on port number to determine what IP address to send the traffic to.  A common application of VIPs is to have one public IP address represent the Web server, email server and FTP server, each of which has a unique private IP address.  This sharing of one external IP address provides a good way to conserve public IP addresses."

Taken from Juniper C&E:
MIP (Mapped IP Address): A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.
Author Comment by howart (ID: 16443535)
OK, gonna read about a MIP in the documentation.
I do use a VIP now, but a VIP means many hosts in the untrusted zone connect to one in the trusted zone.

I want to create more than one 1:n connection over the same port but to different hosts in the trusted zone.
 
LVL 9

Expert Comment

by:jabiii
ID: 16445494
Check this out:
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1903773

This is for allowing any host connecting to the VIP address on port 80 to be forwarded to an internal host.
Author Comment by howart (ID: 16452169)
Thanks, that's what I use; see my initial question.

Any ideas how I can configure the 5XT in a way that I can also reach a second web server in my local network?
Over the same port, http/tcp.

Shorewall can!!!! So the XT should do the same.

Expert Comment by jabiii (ID: 16453413)
Is it from a specific destination or from anywhere for both servers?

From anywhere that doesn't make sense: why have 2 internal servers with the same external IP & port for 2 different things?

If that's the case, and you're using the same port, you're going to need to use MIPs.

VIP is for use when you have multiple servers listening on different ports, and they all map to 1 external virtual IP.

MIPs are used for basically 1/1.

There might be a way to do it with VIP, but I don't know how. Using MIPs will solve your problem.
Author Comment by howart (ID: 16453978)
I want to make two 1/1 connections over port 22/tcp, aka SSH.
See initial question.

Already got a VIP running for the most important one.
Filtering the traffic with a policy: remote host --> VIP:22 allow and log.


Can you tell me how to make a MIP?
Accepted Solution by jabiii (earned 2000 total points, ID: 16454130)
GUI:
Network / Interfaces / untrust - Edit
At the top, Properties: click MIP
  Mapped IP: x.x.x.1 (external IP people use to connect)
  Netmask: 255.255.255.255
  Host IP (trusted side server): x.x.x.1

Policy from untrust to trust, New:
  Source address: any
  Destination address: MIP x.x.x.1
  Service: ssh
  Action: permit
  Log

GUI:
Network / Interfaces / untrust - Edit
At the top, Properties: click MIP
  Mapped IP: x.x.x.2 (external IP people use to connect)
  Netmask: 255.255.255.255
  Host IP (trusted side server): x.x.x.2

Policy from untrust to trust, New:
  Source address: any
  Destination address: MIP x.x.x.2
  Service: ssh
  Action: permit
  Log
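The same two MIP mappings and policies written as ScreenOS CLI commands, added here as an illustration; this is not part of the accepted answer or Juniper's documentation. The interface name untrust (the 5XT names its interfaces trust and untrust), the virtual router trust-vr, the public addresses 1.1.1.11 and 1.1.1.12, the LAN hosts 10.1.1.11 and 10.1.1.12, and the remote hosts 192.0.2.10 and 192.0.2.20 are all constructed values; substitute your own. Each MIP needs its own spare public address, distinct from the untrust interface's own IP (that is what the VIP the question already uses is for). The address-book entries and the narrowed source addresses reproduce the original Shorewall rules (HostA to localHostA, HostB to localHostB) rather than the answer's "any", which is the smaller exposure for an SSH port; use any if the sources really are unknown.

```text
set address untrust HostA 192.0.2.10 255.255.255.255
set address untrust HostB 192.0.2.20 255.255.255.255

set interface untrust mip 1.1.1.11 host 10.1.1.11 netmask 255.255.255.255 vr trust-vr
set interface untrust mip 1.1.1.12 host 10.1.1.12 netmask 255.255.255.255 vr trust-vr

set policy from untrust to trust HostA mip(1.1.1.11) ssh permit log
set policy from untrust to trust HostB mip(1.1.1.12) ssh permit log

save
```

Afterwards, get mip lists the two mappings and get policy shows the two untrust-to-trust rules; because a MIP is keyed on the destination address rather than on the port, both internal hosts can be reached on 22/tcp, which a single VIP (keyed on port) cannot distinguish.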