Solved

Is it possible to use MIP in a Juniper Netscreen 5gt firewall to route an external IP address to a specific clustered (NLB) IP address?

Posted on 2009-04-21
Last Modified: 2012-05-06
We have a Juniper Netscreen 5gt firewall. When we set up a MIP to route an outside IP address to an internal NON clustered IP address (along with its policy to open up HTTP service) everything works marvelously. We can hit our web page with no problem on the web. However, when we modify the internal IP address to an internal clustered (through Network Load Balancing) IP address, it stops working altogether. We can't hit the webpage anymore.
1) Is this possible?
2) What am I doing wrong?
3) Should I go into advanced settings on the policy and use NAT?
Question by:sliknick1028
7 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24195489
Not many answers from the Juniper forums. I think because I didn't have much info on how your NLB is set up. If possible, could you provide a quick description of how it's set up? I think NAT on the policy may help, but won't really know until more info is available.
 

Author Comment

by:sliknick1028
ID: 24196089
We have 2 servers with 2 network connections each, 1 used as the dedicated IP address for the server (10.0.0.10, 10.0.0.12) and the other for the NLB cluster (10.0.0.11, 10.0.0.13). The NLB shared cluster IP address is 10.0.0.14.
In the Juniper firewall, we have 1 of our external IP addresses bound to the untrust interface and then additional MIPs created within the untrust interface to map additional external IP addresses to internal IP addresses.
Now when we have the MIP map an additional external IP address to a single (not NLB) host IP address (10.0.0.10) and then create a policy to use the HTTP service to route from source "any" to destination MIP (external IP address), it works great.
The problem comes in when we change the MIP's host IP to 10.0.0.14 (which is the internal IP address of the NLB cluster); it stops working completely.

I don't know how much more detailed I can get.  Please help.  Thanks!
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 2000 total points
ID: 24196483
From what I can tell this is a NAT problem, or lack of NAT may be a better description (similar to what happens with voice over IP phone systems).

Internally, traffic hits 10.0.0.14 and then is routed to one of the four NLB IPs (let's say .12). When that traffic is returning, is its source .12, or is its source .14?

Inside your network this will not matter because the IP addresses are all in the same subnet. For someone coming from outside the network this will matter because the source IP address of the return traffic will not be the same as the MIP; it will be your default WAN IP.

Let me know if this makes sense to you. I'm going to see if I can figure out what kind of NAT you need (source based or destination) and on which policy the NAT should be applied.


 

Author Comment

by:sliknick1028
ID: 24218932
OK, so your comment "Lack of NAT maybe a better description" set something off in my head and I enabled source NAT using Egress Interface IP. This fixed the problem and the website was functional through the NLB cluster IP address. I really have no idea how it works but it did. Could someone explain that one to me? I know that enabling the NAT translates the source IP address in the packet to the firewall's internal interface IP address (10.0.0.1) but how does the packet know what address to return to after it's done processing on the server? I can understand when we don't use NAT that the packet contains the originating IP address but isn't that "overwritten" or something when NAT is enabled?
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 2000 total points
ID: 24219400
Some of the other experts may be able to provide more clarity for you, but from what I understand, when you hit the public IP address that is assigned to the MIP, source based NAT adds information to each packet that shows the MIP IP as the originating IP address. When the information is returning, the Juniper will look at the session ID information and recognize that the packets need to be directed to the original public IP address that they came from. So in very simplistic terms a translation is done for incoming traffic, and a translation is done for outgoing (return) traffic, and the Juniper uses session information to keep track of where all the packets should be going.
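The MIP and policy pair this thread converges on, written out as ScreenOS CLI, as an added example that is not from the original thread: the public address 203.0.113.10 is a placeholder, the internal addresses (10.0.0.14 cluster IP, 10.0.0.1 trust interface) are the ones the question gives, and the interface names untrust/trust are assumed to be the 5GT defaults.

```text
# Added example, not from the thread. 203.0.113.10 is a placeholder public IP.

# MIP on the untrust interface: public 203.0.113.10 -> NLB cluster address 10.0.0.14
set interface untrust mip 203.0.113.10 host 10.0.0.14 netmask 255.255.255.255 vrouter trust-vr

# Before: destination translation only. The NLB node sees the real client IP,
# and per the accepted answer the reply's source address no longer lines up
# with the MIP session, so inbound HTTP to the cluster address fails.
set policy from untrust to trust any mip(203.0.113.10) http permit

# After (the change sliknick1028 made): add source NAT to the egress interface IP.
# Packets now reach the server from 10.0.0.1, so every reply comes back to the
# firewall's trust interface, where the session table reverses both the source
# and the MIP translation before forwarding the packet to the original client.
set policy from untrust to trust any mip(203.0.113.10) http nat src permit

# Verify the translated session while a client request is in flight
get session
```

With nat src enabled the web servers' access logs record 10.0.0.1 as the client for every request, so the firewall's session or traffic logs become the only place the original source address is kept for later investigation.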
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24219424
 
LVL 71

Expert Comment

by:Qlemo
ID: 24227111
Your description is confirmed, sangamc. This is exactly how it works.