can't figure out NAT on Juniper NS50 firewall

KellyOfColorado
Hi,
  I have a Netscreen NS-50 firewall that I need to NAT one public address to one private host.  It is anything but intuitive (I'm much better with Watchguard format) and I can't for the life of me get a public address NATed to my host inside.
  Can anyone direct me to a simple explanation of what to do here?

Thanks!

- k-

Commented:
The first thing you want to do is add a MIP to the interface where you have your public IP configured. You select an unused public IP and the private IP of the destination server. The next step is to create a policy from the untrust zone to the trust zone with the destination as the MIP you created earlier. You can also specify which services (ports) you wish to allow. Leave this option as "any" at first. Once you test and confirm that the MIP is working, you can then tighten the security and restrict access to only the services (ports) that you need.
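The procedure above, written out as ScreenOS CLI. This is an added example, not configuration from the thread or from the original poster's device: the interface roles (ethernet3 untrust with the public block, ethernet1 trust with the server), the documentation addresses 203.0.113.0/24 and 10.1.1.20, the service names and the policy id are all assumptions. Check the exact syntax against your ScreenOS release with `get mip` and `get policy`.

```screenos
# Added example (not from the thread). Placeholder addresses: 203.0.113.0/24 is the
# public block on ethernet3 (untrust zone), 10.1.1.20 is the inside server on
# ethernet1 (trust zone). Follows the ScreenOS 5.x/6.x CLI; verify on your release.

# 1. MIP on the interface that carries the public address. A /32 netmask maps one
#    address. The mapped address normally has to sit inside that interface's own
#    subnet; putting a .3.x MIP on a /30 uplink is what produces the "subnet mask
#    is wrong" error mentioned later in this thread.
set interface ethernet3 mip 203.0.113.18 host 10.1.1.20 netmask 255.255.255.255 vr trust-vr

# 2. Open policy first, to prove the MIP works. The destination is the MIP object,
#    not the server's private address.
set policy id 10 from untrust to trust any mip(203.0.113.18) any permit log

# 3. Once reachability is confirmed, tighten to the services the host actually needs.
#    Define a custom service for a non-standard port and group it with predefined ones.
set service "tcp-8443" protocol tcp src-port 0-65535 dst-port 8443-8443
set group service "srv-ports"
set group service "srv-ports" add HTTP
set group service "srv-ports" add HTTPS
set group service "srv-ports" add SSH
set group service "srv-ports" add tcp-8443

# Replace the open policy with the restricted one (same id keeps the ordering).
unset policy id 10
set policy id 10 from untrust to trust any mip(203.0.113.18) "srv-ports" permit log
save

# Verify
get mip
get policy id 10
```

Keep the logging on the restricted policy: the hits it records are the quickest way to see whether a blocked port is a missing service group entry or a problem on the host itself.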
Top Expert 2007

Commented:
If you want to use static NAT [in WG terminology], then use a VIP; if you wish to have 1-1 NAT [in WG terminology], then we should configure a WIP.

Please let us know so we can provide more details.

Thank you.

Author

Commented:
I just need to connect the public address to the inside host and allow 4 ports unrestricted in and out.
  Right now, the firewall appears to be configured to be just a bridge (there is a Watchguard firewall in between this device and our hosts).
  Originally, I believe that the Netscreen was intended to break out some of our public class C block for a colocation service. That project has been canceled and now the firewall has no real purpose.
  Soon, I will remove it from the design entirely, but need to acquire some hardware upgrades first. In the meantime, I am trying to move one host closer to the edge by going from inside the Watchguard to a trusted interface on the Netscreen.
  sangamc, I believe I have your requirements in place, but still can't get to my host from the outside. I have screen snaps of the MIP and policies here:

http://www.kkoop.com/one.html

can you confirm that this is correct?

Thanks!

Commented:
I noticed the mapped IP is on interface ethernet1. This is normally the trust (LAN) interface; the MIP should be set up on the interface that has the public IP configured on it. On most setups this defaults to ethernet3.

Second, the host virtual router should be the trust-vr. Unless you have specifically configured the WAN interface or the LAN interface in the untrust virtual router, you should change this.

Lastly, the 2nd policy is the one that will allow traffic. You have it mostly correct, except that the destination, instead of being any, should be the MIP you created. It will be available in the drop-down list if the MIP is on the correct interface and virtual router.

Author

Commented:
Thanks for the clarification.
  There are actually two 'public' addresses involved. E1 is on public address xxx.xxx.3.1 of a class C block that we use for outside access to our hosts. Our ISP is on E3. There is another firewall on E1 at xxx.xxx.3.225. Our hosts are NATed to addresses between xxx.xxx.3.226-xxx.xxx.3.254 on that firewall.
  I am trying to get my host on E2 NATed to xxx.xxx.3.17. So, I understand I should configure the same MIP info, but on interface E3, then the policy should begin passing packets to my inside host. Correct?

- k -

Author

Commented:
Actually, I just tried to put the MIP info on E3 and it won't accept it.  Says that the subnet mask is wrong.

I'm baffled again.

- k -

Author

Commented:
Okay. I think I understand this thing now...sort of. In my earlier post, I said the Netscreen was configured to act like a bridge; I misspoke (mis-wrote?). It is configured to be a router. It routes from the Internet to the class C block the ISP provided us.
  So, I can't do what I want to do. The only thing I can accomplish is to put my host on the switch attached to the E1 interface (with the xxx.xxx.3.0/24 public network on it) and configure the public address I want to use - xxx.xxx.3.17 - on the (no longer) inside host NIC.

Commented:
OK, there is a bit of confusion here. You can accomplish what you want to do with the setup you have, but first I want to get a few things clear.

ethernet1: 192.168.3.1/24 this is not an ip provided by your ISP. this is configured on the juniper as the LAN/private network

ethernet2: 172.25.128.1/24 also a private network in the same security zone as ethernet 1

ethernet3: x.x.176.218/30 single public ip address assigned by your ISP. the gateway can be deduced as x.x.176.217 . This means you only really have 1 static ip address from your ISP. (you will have to use a VIP now and not a MIP)

What it looks like you have here is two firewalls, one stacked on the other. The Juniper is the primary (connected directly to the ISP) and the firewall 192.168.3.225 is connected to the Juniper LAN 192.168.3.1/24.

If my assumptions above are indeed correct, and you want to open ports to the server on eth2 from the internet, you will need to have a VIP configured on eth3 mapped to its IP address, and a policy to allow the correct ports.

The public IP you will now use to connect to that server will be x.x.176.218.

Author

Commented:
sangamc,
  Thank you very much. Not to be disagreeable, but I assure you that the address on E1 is public; it is not in the 192.168.x.x range. I blocked out the first two octets in order to retain a bit of privacy on where this is going on.
  The address on E3 is from our ISP as you stated.  

There are two firewalls stacked; however, the one connected to E1 on the Juniper FW is where the public addresses are NATed to the private addresses. The Juniper is not a primary firewall, it's acting only as a router if I am understanding the policy configuration. In the screen shot example, the two policies you see are *all* the policies that are on the firewall. Therefore it appears to me that it allows all traffic from untrust to trust and all traffic from trust to untrust, which is why I say it's being simply a router.
I believe that I can put my host on the switch attached to E1, assign it a public address in my xxx.xxx.3.0/24 block and it should be accessible. *Totally* unprotected, but accessible. I would prefer to have control of the traffic, but don't understand how one of my xxx.xxx.3.0 addresses can be assigned to it.

  would you be kind enough to explain how the VIP is configured and how it works?  Having the single address to the single server would be okay for now, as I plan to replace both these firewalls with a new model very soon.

Thanks again for all your help!

- k -
Commented:
The more information the better. Because your setup is so unique, I had to lay out what I thought was going on. A VIP is used when you have only a single IP address from your ISP. This I thought we would need on interface ethernet3 because that is what appears to be your ISP connection.

going back to your original attached images. The MIP is indeed created on ethernet1

mapped ip: x.x.3.18
subnet: 255.255.255.255 (you only want to map one IP, hence the 32-bit mask)
host address: 172.25.128.20
host-vr: trust-vr (because eth2 is in the trust zone which is in trust-vr)

You do not need a policy to allow any traffic, because eth1 is in the trust zone and eth2 is in the trust zone. By default that traffic is allowed.
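The resolved configuration from the comment above, as ScreenOS CLI. This is an added example, not the poster's actual config: the redacted first two octets of the public block are replaced here with the documentation prefix 203.0.113 (so x.x.3.18 becomes 203.0.113.18), and the intrazone-blocking check and the commented fallback policy are assumptions about what a practitioner would verify, not steps from the thread.

```screenos
# Added example (not from the thread). ethernet1 (trust zone, trust-vr) carries the
# public 203.0.113.0/24 block; the server 172.25.128.20 is on ethernet2, also in the
# trust zone. 203.0.113 stands in for the redacted octets of the thread's x.x.3.18.

# One-to-one mapping of a public address on ethernet1 to the inside host.
set interface ethernet1 mip 203.0.113.18 host 172.25.128.20 netmask 255.255.255.255 vr trust-vr

# Both interfaces sit in the trust zone, so the traffic is intrazone and permitted by
# default without a policy. Confirm that intrazone blocking is not enabled on the zone:
get zone trust

# If the zone shows blocking enabled, an explicit trust-to-trust policy is required
# instead (assumed service group name; create it with "set group service" first):
# set policy id 30 from trust to trust any mip(203.0.113.18) "srv-ports" permit log

# Verify the mapping and persist the configuration.
get mip
save
```

Note what this does and does not give you: the MIP makes the host reachable on its public address, but because no policy is involved there is no port filtering on the Juniper. The "4 ports" restriction the original poster wanted is then enforced only by whatever is upstream or on the host itself, which matches the poster's own assessment of this device as acting like a router.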

Author

Commented:
You *are* the master!!

I set up the MIP as you instructed and the connection came right up!

Thanks,000,000!!!  (thanks a million!)

- k -
