Netscreen 5gt - How to map IPs

I have a netscreen 5gt that I'm trying to set up to host 1 web server and one SQL server.
I was told the best way to do it was to put the web server in a DMZ and the SQL server in a protected zone.

I went out and got a netscreen 5gt that doesn't have a 'DMZ' setting because it's the cheaper model, but I was told that if I used the Untrusted/Work/Home zone setup the 'Home' zone would work as the 'protected/firewalled' zone and the Work zone would act as the DMZ.

The problem is that the netscreen doesn't allow the 'Home' zone to talk to the 'Work' zone but the 'work' zone can talk to the 'home' zone.

So a netscreen salesperson said that I could work around this by mapping IPs from the work zone to the home zone.

So I set up the netscreen with the home/work/untrusted setup and set up the following addresses.

Untrusted = 66.45.xx.xx
Work = 192.168.1.1
Home = 10.250.1.1

My servers are
#1 Webserver - 192.168.1.2 = Work Zone
#2 SQL Server - 10.250.1.2 = Home Zone

How do I map these IPs so the SQL server is protected in the home zone but the webserver can get data from it?
Also does it have anything to do with what Juniper calls 'Virtual IP'?
http://kb.juniper.net/CUSTOMERSERVICE/KB4740
Asked by Matrix1000
jabiii commented:
Firstly you can create your own zones.

You have to have policies allowing traffic between zones, especially if you have intrazone blocking enabled.

VIP and MIP are similar but different :P. You want the VIP; sorry if that's confusing.

Taken from Juniper's web page:
"What is a VIP? Virtual IPs (VIP) are one to many mappings of IP address that distinguish traffic based on port number to determine what IP address to send the traffic to.  A common application of VIPs is to have one public IP address represent the Web server, email server and FTP server, each of which has a unique private IP address.  This sharing of one external IP address provides a good way to conserve public IP addresses."

Taken from Juniper C&E:
"MIP: Mapped IP Address: A MIP is a direct one-to-one mapping of traffic destined for one IP address to another IP address."

Have you checked out the Concepts and Examples doc? You can get it from juniper.net/support; it talks about how to set it up and gives you good examples.
You can get it here:
https://www.juniper.net/techpubs/software/screenos/screenos5x/ce_all_5_0.pdf

Other good references:
http://www.experts-exchange.com/Security/Firewalls/Q_21747258.html
http://www.experts-exchange.com/Security/Firewalls/Q_21810865.html
whermans commented:
I am pretty amazed by your statement that you cannot have the two zones talk to each other. Did you set up routing correctly so that any 192.168.1.0/24 traffic from the home zone is routed to the specified interface of your work zone? How have you set up your current policies?

Virtual IPs are what other routers sometimes call Virtual Servers or Port Forwarding: you make your Netscreen respond to a certain IP number so that when traffic arrives at that IP for a certain port, it is forwarded to the port on the DMZ or LAN address of a certain machine.
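Putting the two answers together (jabiii's point that traffic between zones needs explicit policies and that a VIP is what maps a public port to the web server, and whermans's question about how the policies and routing are actually set up), here is an added example of what a ScreenOS configuration for the addresses in the question could look like. It is not from either poster, from the asker, or from Juniper's documentation. It assumes the 5GT is in Home-Work port mode with ethernet1 bound to the Work zone and ethernet2 bound to the Home zone (assumption), that the untrust interface already has its 66.45.x.x address (not shown, since the question elides it), and the service name "sql-1433" and the VIP address object name "VIP(untrust)" are assumptions; verify them against the Concepts and Examples guide linked above.

```screenos
## Added example, not from the thread. Assumes Home-Work port mode with
## ethernet1 in zone Work and ethernet2 in zone Home (assumption).
## Interface addresses are the ones given in the question.

## Interface addressing. Both networks are directly connected, so no
## static route between Work and Home is needed; "get route" will show them.
set interface ethernet1 zone Work
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet2 zone Home
set interface ethernet2 ip 10.250.1.1/24

## Address book entries: one host each, so the policies can be written tightly.
set address Work "webserver" 192.168.1.2 255.255.255.255
set address Home "sqlserver" 10.250.1.2 255.255.255.255

## Custom service for the SQL listener (assumption: TCP 1433). ScreenOS also
## ships a predefined MS-SQL service; defining it here makes the port explicit.
set service "sql-1433" protocol tcp src-port 0-65535 dst-port 1433-1433

## Work -> Home: only the web server, only to the SQL server, only on the SQL
## port. The web server initiates the connection, so a Work->Home policy is
## all that is required; replies flow back through the session table. No
## Home->Work permit and no MIP are needed for this traffic.
set policy from Work to Home "webserver" "sqlserver" "sql-1433" permit log

## Everything else between the two zones is denied explicitly and logged, so
## the SQL server cannot be reached on any other port and nothing in Home can
## initiate toward Work. ScreenOS evaluates policies top-down, so these go last.
set policy from Work to Home any any any deny log
set policy from Home to Work any any any deny log

## VIP: the single untrust address fans out by destination port (jabiii's
## "one to many" mapping). Only port 80 is mapped, to the web server; the SQL
## port is never exposed. interface-ip lets this work without typing the
## public address.
set interface untrust vip interface-ip
set interface untrust vip interface-ip 80 HTTP 192.168.1.2

## A VIP only translates; a policy still has to permit the traffic.
set policy from Untrust to Work any "VIP(untrust)" HTTP permit log

## Checks. The first two listings show exactly which flows are permitted; the
## last should show a single 1433 session after a page that needs the database
## is requested from outside.
get policy from Work to Home
get policy from Home to Work
get interface untrust vip
get session src-ip 192.168.1.2 dst-ip 10.250.1.2
```

The deny policies are not strictly necessary (ScreenOS denies inter-zone traffic that matches no policy), but writing them out and logging them gives you a record of anything from the Work zone probing the SQL server beyond port 1433, which is the kind of thing you want to see if the web server is ever compromised.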