Solved

Netscreen 5gt - How to map IPs

Posted on 2006-05-12
1,589 Views
Last Modified: 2011-10-03
I have a netscreen 5gt that I'm trying to set up to host 1 web server and one SQL server.
I was told the best way to do it was to put the web server in a DMZ and the SQL server in a protected zone.

I went out and got a netscreen 5gt that doesn't have a 'DMZ' setting because it's the cheaper model, but I was told that if I used the Untrusted/Work/Home zone setup the 'Home' zone would work as the 'protected/firewalled' zone and the Work zone would act as the DMZ.

The problem is that the netscreen doesn't allow the 'Home' zone to talk to the 'Work' zone but the 'work' zone can talk to the 'home' zone.

So a netscreen salesperson said that I could work around this by mapping IPs from the work zone to the home zone.

So I set up the netscreen with the home/work/untrusted setup and set up the following addresses.

Untrusted = 66.45.xx.xx
Work = 192.168.1.1
Home = 10.250.1.1

My servers are
#1 Webserver - 192.168.1.2 = Work Zone
#2 SQL Server - 10.250.1.2 = Home Zone

How do I map these IPs so the SQL server is protected in the home zone but the webserver can get data from it?
Also does it have anything to do with what juniper calls 'Virtual IP'?
http://kb.juniper.net/CUSTOMERSERVICE/KB4740
Question by:Matrix1000
2 Comments
LVL 3

Assisted Solution

by:whermans
whermans earned 800 total points
ID: 16666027
I am pretty amazed by your statement that you cannot have the two zones talk to each other.  Did you set up routing correctly so that any 192.168.1.0/24 traffic from the home zone is routed to the specified interface of your work zone?  How have you set up your current policies?

Virtual IPs are what other routers sometimes call Virtual Servers or Port Forwarding: you make your Netscreen respond to a certain IP number so that when traffic arrives at that IP for a certain port, it is forwarded to the port on the DMZ or LAN address of a certain machine.
LVL 9

Accepted Solution

by:jabiii
jabiii earned 1200 total points
ID: 16667769
Firstly you can create your own zones.

You have to have policies allowing traffic between zones, especially if you have intrazone blocking enabled.

VIP and MIP are similar but different :P You want the VIP; sorry if confusing.

Taken from Juniper's web page.
"What is a VIP? Virtual IPs (VIP) are one to many mappings of IP address that distinguish traffic based on port number to determine what IP address to send the traffic to.  A common application of VIPs is to have one public IP address represent the Web server, email server and FTP server, each of which has a unique private IP address.  This sharing of one external IP address provides a good way to conserve public IP addresses."

Taken from Juniper C&E
"MIP: Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP
address."

Have you checked out the Concepts and Examples doc? You can get it from juniper.net/support; it talks about how to set it up and gives you good examples.
You can get it here:
https://www.juniper.net/techpubs/software/screenos/screenos5x/ce_all_5_0.pdf

Other good references:
http://www.experts-exchange.com/Security/Firewalls/Q_21747258.html
http://www.experts-exchange.com/Security/Firewalls/Q_21810865.html


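To make the two answers concrete, here is an added ScreenOS configuration sketch for the layout in the question; it is not from either answer or from Juniper, and the command syntax, the interface names (untrust, ethernet1 for Work, ethernet2 for Home in Home/Work port mode) and the `<public-vip-ip>` placeholder are assumptions to be checked against the Concepts & Examples guide linked above. It shows the interzone policy that whermans asks about, restricted to the one flow the web server actually needs, and the VIP that jabiii recommends, with a MIP beside it so the one-to-many versus one-to-one difference is visible.

```text
# Added example, not from the thread. Assumed ScreenOS CLI syntax for an NS-5GT
# in Home/Work port mode. Addresses are the ones from the question.

# Address book entries for the two servers (one host each, /32 netmask).
set address Work "webserver" 192.168.1.2 255.255.255.255
set address Home "sqlserver" 10.250.1.2 255.255.255.255

# Interzone policy: the web server in Work may open SQL sessions to the SQL
# server in Home, and nothing else. "MS-SQL" is the predefined service for
# TCP 1433; logging is on so the allowed flow shows up in the traffic log.
set policy from Work to Home "webserver" "sqlserver" "MS-SQL" permit log

# Explicit catch-all deny with logging for anything else crossing these zones,
# so a misconfigured server shows up in the log instead of silently dropping.
set policy from Work to Home any any any deny log
set policy from Home to Work any any any deny log

# VIP (one public address, many internal targets chosen by port): inbound
# HTTP on the untrust interface is sent to the web server in Work.
# <public-vip-ip> is a placeholder for the 66.45.xx.xx address.
set interface untrust vip <public-vip-ip> 80 "HTTP" 192.168.1.2
set policy from Untrust to Work any "VIP(<public-vip-ip>)" "HTTP" permit log

# MIP for comparison (one-to-one, all ports): every port of <public-mip-ip>
# would be translated to the web server, so the policy is the only port filter.
# Only one of the two mappings is needed; the VIP is the narrower choice.
# set interface untrust mip <public-mip-ip> host 192.168.1.2 netmask 255.255.255.255 vr trust-vr
# set policy from Untrust to Work any "MIP(<public-mip-ip>)" "HTTP" permit log

save
```

After applying, `get policy` should list the Work-to-Home MS-SQL permit above the deny entries (ScreenOS evaluates policies top down within a zone pair), and the traffic log should show only 192.168.1.2 reaching 10.250.1.2 on 1433; any other Home/Work hit is a sign that one of the servers is talking where it should not. Note that the SQL server never needs an inbound VIP or MIP of its own, which is the point of keeping it off the Untrust side.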