MIP on a netscreen for accessing dmz server from untrust or from trust

Posted on 2010-01-12
Medium Priority
Last Modified: 2013-11-09
I have a mip defined on the untrust interface of ssg5.
This MIP (say permits internet users to reach the private IP that the MIP maps to in the DMZ (say

How can I get devices in the trust zone (say to reach the same dmz server via the MIP address (

Thank you
Question by:mjpb

Expert Comment

ID: 26296277
Well you aren't going to want your internal network to go out to the internet then come back in to hit your DMZ.

Just make a policy from Trust to DMZ (or whatever you have that zone named) with the appropriate source, destination, protocol and port.

Are you doing this via CLI (Console/SSH) or the WebUI?

Expert Comment

by:Sanga Collins
ID: 26296446
Nothing is required if you want equipment in the trust zone to reach the MIP. As long as the MIP is working, there will be no problem.

If you want to get to the DMZ from the LAN and do not need to use the MIP, follow the above suggestion and create the trust - DMZ allow policy.

As far as the internal network going to the internet, then coming back to the DMZ: this happens in cases where you have a domain name pointing to the MIP and want users to use the web address to access the server (assuming it is a web server or email server, as an example). Your performance hit will be minimal if you compare going to the outside or directly to the DMZ.

Author Comment

ID: 26296486
The reason the trusted devices need to hit the MIP address (defined on the untrust) is that the client uses a DNS server on the internet and the name resolution gives them the public IP for the DMZ server (i.e. which translates to the real DMZ IP).

Currently I have the MIP defined on the untrust, which works for traffic from the internet to the MIP to the real DMZ address.
For inside to DMZ I configured destination NAT and NAT the destination (which would be the address) to the real IP. I heard that there is a way to have the trusted source IPs hit the MIP address and do a "hairpin" back to the real DMZ IP, but I haven't been able to find an example.

I was hoping this could be done because the destination NAT from trust to DMZ gets quite cumbersome, as there are close to 300 servers on the DMZ and a rule must be created for each one with DNAT. I was hoping to use the MIP method so I could group the destination DMZ MIPs into one rule, say for HTTP, etc.

Expert Comment

by:Sanga Collins
ID: 26296722
There is no special config to make this happen. Devices on the trusted side will hit the MIP (using the DNS name) as if they were at another physical location. Configuring internal NAT from trust to DMZ is not required at all.

I use this setup for my Exchange server. All Outlook clients inside the LAN use the domain name that points to the MIP, and all remote users also use the same domain name to get to the Exchange server MIP.

Author Comment

ID: 26297292
Hmm... I've tested from trust to the MIP address (for the DMZ server). I have the first rule from trust to DMZ to permit any any on any port.

I then tested from a trusted source (on the inside-trust interface) to the address, but it does not get through. I see the following in a debug:
route ->, to ethernet0/0    (note 0/0 is the trust interface and is the source device trying to reach the dmz server)
Next line in the debug is:
 arp lookup failed for (again, this is the source IP in the trust zone).  
I have a router separating the trusted interface from the inside devices and another separating the dmz interface from the dmz devices.

Not sure where to go from here....


Accepted Solution

Sanga Collins earned 2000 total points
ID: 26297484
Well, the traffic should actually be going from trust to the untrust zone, so the policy from trust to DMZ is not required because you are not targeting the private IP of the server in question.

If you log in to the firewall using a telnet session or from the console, see if you can run the following command:

       ping Domain.com from trust

I have posted the results from my firewall with the same setup. 209.x.x.z is the MIP to private IP 192.168.x.93.

COLO-Netscreen-> ping it-mgt.net from eth1
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to it-mgt.net [209.x.x.z], timeout is 1 seconds from ethernet1
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/3 ms

COLO-Netscreen-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address         Zone        MAC            VLAN State VSD

eth1           192.168.x.1/24    Trust       0010.db2b.ccb0    -   U   -
eth2       Trust       0010.db2b.ccb5    -   U   -
eth3           209.x.x.z/28   Untrust     0010.db2b.ccb6    -   U   -

COLO-Netscreen-> get mip
Total MIPs under Root configured:r Max:6144.
Map IP           Host IP          NetMask          Interface   VRouter
209.x.x.x    192.168.x.11  ethernet3   trust-vr
209.x.x.y  ethernet3   trust-vr
209.x.x.z    192.168.x.93  ethernet3   trust-vr

Expert Comment

by:Sanga Collins
ID: 26297586
You should post your sanitized config if you get a chance; I can then take a look for errors.

Author Comment

ID: 26299047
I think I found the problem. I had put a route in for the public 5.5.5.x DMZ IPs to route to the DMZ (this was for the DNAT from trust to 5.5.5.x to the private IP of the DMZ servers).
I removed that route and am now able to go from trust to the untrust 5.5.5.x IP, which the FW sees the MIP for and redirects to the DMZ server.

Thank you for your help.  Sometimes it takes another set of eyes to clear the view!
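
An added ScreenOS CLI example of the setup this thread converges on (a MIP on the untrust interface reached both from the internet and from trust, plus the conflicting route that broke it). It is written for this page, not taken from the poster's or Sanga's firewall; the interface names, the 5.5.5.x/10.10.10.x addresses and the trust-side zone pairing (which follows the accepted answer) are assumptions, so confirm them against the CLI reference for your ScreenOS release.

```screenos
## Assumed layout (constructed for this example, not the poster's config):
##   ethernet0/0 = Trust, ethernet0/1 = DMZ, ethernet0/2 = Untrust
##   5.5.5.10 = public MIP, 10.10.10.10 = real DMZ host

## The MIP lives on the untrust interface. ScreenOS creates the
## MIP(5.5.5.10) address object for you; no separate "set address" needed.
set interface ethernet0/2 mip 5.5.5.10 host 10.10.10.10 netmask 255.255.255.255 vr trust-vr

## Internet -> DMZ server through the MIP (to-zone is the host's zone).
## MIPs can also be collected into an address group so one policy covers
## many servers; the group syntax differs by release, so see your reference.
set policy from untrust to dmz any mip(5.5.5.10) http permit

## Inside hosts resolve the public name and target the same 5.5.5.10.
## Per the accepted answer this is trust -> untrust traffic, so no
## trust -> dmz policy and no per-server DNAT rule is required for it.
set policy from trust to untrust any mip(5.5.5.10) http permit

## The mistake that broke the hairpin: a static route for the public range
## pointing into the DMZ interface (left over from the DNAT approach). It
## steers 5.5.5.x toward the DMZ, where no MIP exists, instead of toward
## the untrust interface that owns the MIP. Shown only so it can be found;
## the unset below removes it.
##   set route 5.5.5.0/24 interface ethernet0/1
unset route 5.5.5.0/24 interface ethernet0/1

## Verify: the public IP must resolve to the untrust interface, the MIP
## table must list the mapping, and a ping sourced from the trust
## interface should answer (same check the accepted answer used).
get route ip 5.5.5.10
get mip
ping 5.5.5.10 from ethernet0/0
save
```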


Expert Comment

by:Sanga Collins
ID: 26299251
I am glad it worked out... with NetScreen devices, in my 4 or so years of experience, it's usually the simplest of solutions that solve a problem that appears to have no answer. I'm happy you stuck with it, and if you run into anything else, don't hesitate to post.
