How to configure complex port forwarding on a netscreen xt5?

I migrated from a linux box with shorewall to a netscreen xt5.
On the shorewall you can do the following port forward:

Source      port      Destination   port
HostA       any       localHostA    22
HostB       any       localHostB    22

On the netscreen:
VIP on the untrusted interface for port 22 assigned to localhostA:22
Policy:

Untrusted   Trusted   Service   actions   options
Any         VIP::1    ssh       allow     log

How do I set up the second forward, from HostB on the Internet to HostB on my LAN?
howartAsked:

jabiiiCommented:
You probably want a VIP, and should reference Juniper's knowledge base or Concepts and Examples.

Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.

C&E: http://www.juniper.net/techpubs/software/screenos/screenos5x/ce_v8_5_0.pdf
reference: http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907421
jabiiiCommented:
VIP and MIP are similar but different :P You want the VIP, sorry if confusing.

Taken from Juniper's web page.
"What is a VIP? Virtual IPs (VIP) are one to many mappings of IP address that distinguish traffic based on port number to determine what IP address to send the traffic to.  A common application of VIPs is to have one public IP address represent the Web server, email server and FTP server, each of which has a unique private IP address.  This sharing of one external IP address provides a good way to conserve public IP addresses."

Taken from Juniper C&E
MIP: Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address.
howartAuthor Commented:
OK, gonna read about a MIP in the documentation.
I do use a VIP now, but a VIP means many hosts in the untrusted zone connect to one in the trusted zone.

I want to create more than one 1:n connections over the same port but different hosts in the trusted zone.

jabiiiCommented:
Check this out.
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1903773

This is for allowing any host connecting to the VIP address on port 80 forwarded to an internal host.
howartAuthor Commented:
Thanx, that's what I use, see my initial question?

Any ideas how I can configure the nt5xt in a way that I can also reach a second webserver in my local network?
Over the same port http/tcp.

Shorewalls can!!!! So XT should do the same.

jabiiiCommented:
Is it from a specific destination or from anywhere for both servers?

From anywhere, that doesn't make sense: why have 2 internal servers with the same external IP & port, for 2 different things?

If that's the case, and you're using the same port, you're going to need to use MIPs.

VIP is for use when you have multiple servers listening on different ports, and they all map to 1 external virtual IP.

MIPs are used for basically 1/1.

There might be a way to do it with VIP, but I don't know how. Using MIPs will solve your problem.
howartAuthor Commented:
wanna make two 1/1 connections over port 22/tcp aka SSH.
See initial question.

Already got a VIP running for the most important one.
Filtering the traffic with a policy remote host --> VIP:22 allow and log.


Can you tell me how to make a MIP?
jabiiiCommented:
GUI:
Network/interfaces/untrust -edit
at the top, properties: click MIP
Mapped IP x.x.x.1 (external IP people use to connect)
netmask. 255.255.255.255
host ip (trusted side server) x.x.x.1

policy from untrust to trust new
source address any
dest address MIP x.x.x.1
service ssh
action permit
log


GUI:
Network/interfaces/untrust -edit
at the top, properties: click MIP
Mapped IP x.x.x.2 (external IP people use to connect)
netmask. 255.255.255.255
host ip (trusted side server) x.x.x.2

policy from untrust to trust new
source address any
dest address MIP x.x.x.2
service ssh
action permit
log
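
The two MIP-plus-policy steps above, written as ScreenOS CLI with each policy scoped to the one remote host named in the question instead of source any. This is an added example, not part of the original answer; the addresses (documentation ranges), the address-book names and the default untrust/trust interface and zone names are assumptions, and the # lines are annotations rather than CLI input.

```screenos
# Constructed values: 198.51.100.1/.2 = public MIP addresses,
# 192.168.1.10/.20 = localHostA/localHostB, 203.0.113.10/.20 = HostA/HostB.

# Address-book entries for the two permitted remote hosts
set address untrust HostA 203.0.113.10/32
set address untrust HostB 203.0.113.20/32

# One MIP per internal server (1:1, so each server gets its own public IP)
set interface untrust mip 198.51.100.1 host 192.168.1.10 netmask 255.255.255.255
set interface untrust mip 198.51.100.2 host 192.168.1.20 netmask 255.255.255.255

# SSH only, only from the matching remote host, logged
set policy from untrust to trust HostA mip(198.51.100.1) ssh permit log
set policy from untrust to trust HostB mip(198.51.100.2) ssh permit log
save
```

Each MIP consumes its own public address, so this layout needs two addresses; with the policies scoped this way, SSH from any other source falls through to the default deny.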
