VIP in different subnet

[How to run the NSM GUI under Mac OS X]

How to run the NSM GUI under Mac OS X
How to setup a route-based VPN on a NetScreen
How to make your PPTP VPN client work through a NetScreen/SSG
Setting up a dial-up VPN and NetScreen Remote
How the Global Zone Works (It's probably not what you think)
How to configure NetScreen/SSG devices to work with the built in Mac OS X VPN client
How to Configure Dial-up VPN with route-based tunnels, XAuth, and use IPSecuritas

[mwdmeyer]

We've just got another subnet on our Netscreen 50.

What we want to do is setup a new VIP service using this ip address.

The error we're getting is:
"The Virtual IP must be in the same subnet as the interface IP".

Is is possible to add another IP address to the untrust interface and/or get around this problem? MIPs seem to work fine, but we'd like to use a VIP if possible.

Thanks!

[mike coplien]

Are you using the Global Zone?

[mwdmeyer]

No the interface is in the untrust zone.

[amouawad]

From memory the units can only have one VIP instance bound to the untrust interface; and from that you can route different ports to different IP addresses. Are you trying to add another VIP IP address to the untrust int, or just trying to add another port that will get VIP'd somewhere internally?

Probably best if you can throw a few IP address examples of what you're trying to accomplish.

[Screenie]

Vip is not pssible on extended addres. Use policybased NAT instead:

set arp nat-dst  (not documented....) This must be done in CLI

define a policy from untrust to untrust (GUI is ok here) (YES REALY untrust to untrust !)

src any
dst UNTRANSLATED adress
Service: your Service

Then in advanced
Check NAT dst box fill in the destination IP.

Not VIP indead, but same function, because you van define multiple policy with the same destination IP but different serice and destinations.

Succes.

Screenie

[jaycox]

I have a simular configuration issue to the original poster and I think that this might be the solution for my problem as well.

My problem
On my untrusted interface I have 2 ip addresses from subnet "A" and 2 ip addresses from subnet "B".  Each ip address needs to map to a different web server, as well as other services.

subnetA.ip1 port 80 --> trusted_webserver_1
subnetA.ip1 port 21 --> trusted_ftp_server_1
subnetA.ip2 port 80 --> trusted_webserver_2
subnetA.ip2 port 25 --> trusted_mailserver_1
subnetB.ip1 port 80 --> trusted_webserver_3
subnetB.ip1 port 25 --> trusted_mailserver_2
subnetB.ip2 port 80 --> trusted_webserver_4

Based on the previous post this is how I understand I would configure the firewall from scratch:

On the command line:

• "set arp nat-dst"

Using the web-gui:

• Set up subnetA.ip1 on the chosen interface.
• Create and setup subnetB.ip1 as a sub-if on the chosen interface.
• Setup routing for subnetA and subnetB.
• Configure all the policies to map from the external ip/ports to the proper internal ip/ports.
• Let stand 15 minutes and serve with a nice merlot.
  

It seems to me that I would also need to configure subnetA.ip2 and subnetB.ip2, but I'm not sure how I'm supposed to do that.  The system won't let you have sub-ifs with overlapping subnets.  Obviously VIPs wont work.  How is it done?

Is this the best way to solve my problem?

Thanks.

[Screenie]

Hi,

If You're very sure what your'doing you allways can configure "ignore subnetconflict" on VR level. You then can define as many overlapping subnets as you like (:-

But looking at what you wnat to achive: It's not nessesary to configure subnet B on the interface. As long as the traffic is routed to subnetA interface IP you can configure your dest NAT on adresses from subnet B. That's what "extended" adresses is all about.

Screenie.

[mwdmeyer]

Thanks for your help everyone.

I'll have a bit of a play today and see how it goes!

[mwdmeyer]

Hi Screenie,

I just tested your method and it works. I didn't need to use the "set arp nat-dst" command. What does this command do?

Thanks again!

[10us]

If you have a second subnet (say /29) routed to your /30 untrust interface you can also use a Loopback interface bound to the untrust interface. In that way you can also use MIP's.

Regards,

Martijn

•      Forum/Home
•      Store
•      Articles
•        Tech Articles
•        Industry News
•        Site News
•      Knowledgebase
•        JUNOS/Routing
•        NS/ISG/SSG/NSM
•        SSL VPN
•      Downloads

Please consider donating if we've saved you time or money. It helps pay for the bandwidth, equipment, and hosting charges to keep this site running

Submit Article/KB - Do not submit questions here.

[Today]

• Netscreen 5xp by timeshadowrider [Today at 11:51:22 AM]
• UAC, PXE and SMS with Ody... by Snok [Today at 10:38:28 AM]
• RDP, Web, etc Quit Workin... by darkonex [Today at 09:27:17 AM]
• Multicast routing enigma.... by Di4bLo [Today at 09:26:57 AM]
• integration of juniper fi... by everyourskishore [Today at 07:16:57 AM]
• Switching and forwarding ... by rafibd71 [Today at 01:46:52 AM]
• SRX LDAP server function ... by littlething [Yesterday at 11:43:13 PM]
• Branch office VPN to Lan ... by holdenga [Yesterday at 11:29:04 PM]
• Netscreen-10 and 5GT peer... by lil_tud [Yesterday at 08:19:51 PM]
• 2 ISP's and routing by DubBhoy [Yesterday at 10:13:39 AM]

Members

• Total Members: 20486
• Latest: Snok

Stats

• Total Posts: 38002
• Total Topics: 9817
• Online Today: 65
• Online Ever: 393
• (August 06, 2008, 07:40:57 AM)

Users Online

Users: 2
Guests: 46
Total: 48

timeshadowrider
wjens