How to configure complex port forwarding on a NetScreen 5XT?

I migrated from a Linux box with Shorewall to a NetScreen 5XT.
On Shorewall you can do the following port forward:

Source   Port   Destination   Port
HostA    any    localHostA    22
HostB    any    localHostB    22

On the NetScreen:
VIP on the untrusted interface for port 22 assigned to localHostA:22
Policy:

Untrusted   Trusted   Service   Actions   Options
Any         VIP::1    ssh       allow     log

How do I set up the second forward, from HostB on the Internet to HostB on my LAN?
howart Asked:
jabiii Commented:
GUI:
Network/Interfaces/untrust - Edit
At the top, Properties: click MIP
Mapped IP: x.x.x.1 (external IP people use to connect)
Netmask: 255.255.255.255
Host IP (trusted-side server): x.x.x.1

Policy from untrust to trust, New:
Source address: any
Destination address: MIP x.x.x.1
Service: ssh
Action: permit
Log


GUI:
Network/Interfaces/untrust - Edit
At the top, Properties: click MIP
Mapped IP: x.x.x.2 (external IP people use to connect)
Netmask: 255.255.255.255
Host IP (trusted-side server): x.x.x.2

Policy from untrust to trust, New:
Source address: any
Destination address: MIP x.x.x.2
Service: ssh
Action: permit
Log

jabiii Commented:
You probably want a VIP, and should reference Juniper's knowledge base or Concepts and Examples.

Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.

C&E: http://www.juniper.net/techpubs/software/screenos/screenos5x/ce_v8_5_0.pdf
Reference: http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907421

jabiii Commented:
VIP and MIP are similar but different :P You want the VIP; sorry if confusing.

Taken from Juniper's web page.
"What is a VIP? Virtual IPs (VIP) are one to many mappings of IP address that distinguish traffic based on port number to determine what IP address to send the traffic to.  A common application of VIPs is to have one public IP address represent the Web server, email server and FTP server, each of which has a unique private IP address.  This sharing of one external IP address provides a good way to conserve public IP addresses."

Taken from Juniper C&E:
MIP: Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.

howart (Author) Commented:
OK, gonna read about a MIP in the documentation.
I do use a VIP now, but a VIP means many hosts in the untrusted zone connect to one in the trusted zone.

I want to create more than one 1:n connection over the same port but to different hosts in the trusted zone.

jabiii Commented:
Check this out.
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1903773

This is for allowing any host connecting to the VIP address on port 80 to be forwarded to an internal host.

howart (Author) Commented:
Thanks, that's what I use; see my initial question.

Any ideas how I can configure the 5XT in a way that I can also reach a second web server in my local network?
Over the same port, http/tcp.

Shorewall can!!!! So the XT should do the same.

jabiii Commented:
Is it from a specific destination or from anywhere for both servers?

From anywhere doesn't make sense; why have 2 internal servers with the same external IP & port, for 2 different things?

If that's the case, and you're using the same port, you're going to need to use MIPs.

VIP is for use when you have multiple servers listening on different ports, and they all map to 1 external virtual IP.

MIPs are used for basically 1/1.

There might be a way to do it with VIP, but I don't know how. Using MIPs will solve your problem.

howart (Author) Commented:
I wanna make two 1/1 connections over port 22/tcp, aka SSH.
See initial question.

Already got a VIP running for the most important one.
Filtering the traffic with a policy remote host --> VIP:22 allow and log.

Can you tell me how to make a MIP?
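As an added illustration that is not part of the thread or of Juniper's documentation, this is the ScreenOS CLI equivalent of the two MIPs and policies jabiii described, with the policy sources narrowed to the two remote hosts the way the original Shorewall rules were instead of "any". It assumes the 5XT's external interface is named "untrust", the internal hosts sit in trust-vr, the two public IPs are in the untrust interface's subnet, and all addresses below are placeholders; lines beginning with # are annotations, not CLI input.

```screenos
# Placeholders (added example, not from the thread):
#   203.0.113.1 / 203.0.113.2   public IPs on the untrust side, one per MIP
#   192.168.1.10 / 192.168.1.11 localHostA / localHostB on the trust side
#   198.51.100.5 / 198.51.100.6 HostA / HostB on the Internet

# 1:1 mappings: each public IP is translated to exactly one internal host.
set interface untrust mip 203.0.113.1 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set interface untrust mip 203.0.113.2 host 192.168.1.11 netmask 255.255.255.255 vr trust-vr

# Address-book entries for the remote hosts, so each policy matches on source
# rather than "any" (mirrors the Shorewall table: HostA -> localHostA, HostB -> localHostB).
set address untrust HostA 198.51.100.5 255.255.255.255
set address untrust HostB 198.51.100.6 255.255.255.255

# One policy per MIP: SSH only, from the one permitted source, logged.
# Anything not matched here is dropped by the default deny, so the MIP'd hosts
# are not reachable on other ports or from other sources.
set policy from untrust to trust HostA mip(203.0.113.1) ssh permit log
set policy from untrust to trust HostB mip(203.0.113.2) ssh permit log
save
```

After saving, `get mip` and `get policy from untrust to trust` show the mappings and the two policies; if the remote hosts' addresses change, only the two address-book entries need updating.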