Author Topic: VIP in different subnet  (Read 15816 times)

mwdmeyer

  • Full Member
  • Posts: 245
VIP in different subnet
« on: November 11, 2007, 06:03:19 pm »
We've just got another subnet on our Netscreen 50.

What we want to do is setup a new VIP service using this ip address.

The error we're getting is:
"The Virtual IP must be in the same subnet as the interface IP".

Is it possible to add another IP address to the untrust interface and/or get around this problem? MIPs seem to work fine, but we'd like to use a VIP if possible.

Thanks!


mike coplien

  • Newbie
  • Posts: 19
Re: VIP in different subnet
« Reply #1 on: November 11, 2007, 09:09:09 pm »
Are you using the Global Zone?

mwdmeyer

  • Full Member
  • Posts: 245
Re: VIP in different subnet
« Reply #2 on: November 11, 2007, 09:09:55 pm »
No, the interface is in the untrust zone.

amouawad

  • Newbie
  • Posts: 9
Re: VIP in different subnet
« Reply #3 on: November 12, 2007, 07:14:28 pm »
From memory the units can only have one VIP instance bound to the untrust interface; and from that you can route different ports to different IP addresses. Are you trying to add another VIP IP address to the untrust int, or just trying to add another port that will get VIP'd somewhere internally?

Probably best if you can throw a few IP address examples of what you're trying to accomplish.

Michel-Andre

  • Guest
Re: VIP in different subnet
« Reply #4 on: November 13, 2007, 11:13:26 am »
VIP is not possible on an extended address. Use policy-based NAT instead:

set arp nat-dst (not documented...). This must be done in the CLI.

Define a policy from untrust to untrust (GUI is ok here) (YES, REALLY untrust to untrust!)

src: any
dst: UNTRANSLATED address
Service: your service

Then in Advanced:
Check the NAT dst box and fill in the destination IP.

Not VIP indeed, but the same function, because you can define multiple policies with the same destination IP but different services and destinations.

Success.

Screenie

jaycox

  • Newbie
  • Posts: 1
Re: VIP in different subnet via "set arp nat-dst"
« Reply #5 on: November 13, 2007, 07:10:12 pm »
I have a similar configuration issue to the original poster and I think that this might be the solution for my problem as well.

My problem:
On my untrusted interface I have 2 IP addresses from subnet "A" and 2 IP addresses from subnet "B". Each IP address needs to map to a different web server, as well as other services.

subnetA.ip1 port 80 --> trusted_webserver_1
subnetA.ip1 port 21 --> trusted_ftp_server_1
subnetA.ip2 port 80 --> trusted_webserver_2
subnetA.ip2 port 25 --> trusted_mailserver_1
subnetB.ip1 port 80 --> trusted_webserver_3
subnetB.ip1 port 25 --> trusted_mailserver_2
subnetB.ip2 port 80 --> trusted_webserver_4

Based on the previous post this is how I understand I would configure the firewall from scratch:

On the command line:
  • "set arp nat-dst"

Using the web-gui:
  • Set up subnetA.ip1 on the chosen interface.
  • Create and set up subnetB.ip1 as a sub-interface on the chosen interface.
  • Set up routing for subnetA and subnetB.
  • Configure all the policies to map from the external IPs/ports to the proper internal IPs/ports.
  • Let stand 15 minutes and serve with a nice merlot.

It seems to me that I would also need to configure subnetA.ip2 and subnetB.ip2, but I'm not sure how I'm supposed to do that. The system won't let you have sub-interfaces with overlapping subnets. Obviously VIPs won't work. How is it done?

Is this the best way to solve my problem?

Thanks.

Michel-Andre

  • Guest
Re: VIP in different subnet
« Reply #6 on: November 14, 2007, 04:36:03 am »
Hi,

If you're very sure what you're doing, you can always configure "ignore subnet conflict" at VR level. You can then define as many overlapping subnets as you like (:-

But looking at what you want to achieve: it's not necessary to configure subnet B on the interface. As long as the traffic is routed to the subnet A interface IP, you can configure your dest NAT on addresses from subnet B. That's what "extended" addresses are all about.

Screenie.
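The extended-address destination-NAT approach from Reply #4 and Reply #6, applied to the mapping table in Reply #5 and written out as ScreenOS CLI. This is an added example, not configuration posted by anyone in the thread. The interface names (ethernet3 untrust, ethernet1 trust), the external addresses (203.0.113.0/28 standing in for subnet A, 198.51.100.0/29 for subnet B, routed to the firewall's subnet A address by the upstream router) and the internal server addresses (10.1.1.x) are constructed placeholders; the predefined service names HTTP, FTP and MAIL are ScreenOS defaults. Lines starting with # are annotations, not CLI input.

```text
# Trust side: the internal servers live here (constructed addressing)
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24

# Untrust side carries only subnet A. Subnet B is NOT configured on any
# interface; the upstream router routes it to 203.0.113.2 (Reply #6).
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.2/28
set route 0.0.0.0/0 interface ethernet3 gateway 203.0.113.1

# From Reply #4. Reply #8 reports the setup worked without it, so treat
# it as optional and verify on your own release.
set arp nat-dst

# Address book: the UNTRANSLATED public destinations, including the
# "extended" subnet B ones that are not on the interface.
set address untrust "A-ip1" 203.0.113.10/32
set address untrust "A-ip2" 203.0.113.11/32
set address untrust "B-ip1" 198.51.100.2/32
set address untrust "B-ip2" 198.51.100.3/32

# Untrust-to-untrust policies with destination NAT, one per
# (public IP, service) pair. The zone pair is untrust->untrust because
# ScreenOS looks up the zone of the pre-NAT destination, which resolves
# via the untrust interface; the translated host is reached through the
# trust route after NAT.
set policy from untrust to untrust "Any" "A-ip1" "HTTP" nat dst ip 10.1.1.10 permit
set policy from untrust to untrust "Any" "A-ip1" "FTP"  nat dst ip 10.1.1.11 permit
set policy from untrust to untrust "Any" "A-ip2" "HTTP" nat dst ip 10.1.1.12 permit
set policy from untrust to untrust "Any" "A-ip2" "MAIL" nat dst ip 10.1.1.13 permit
set policy from untrust to untrust "Any" "B-ip1" "HTTP" nat dst ip 10.1.1.14 permit
set policy from untrust to untrust "Any" "B-ip1" "MAIL" nat dst ip 10.1.1.15 permit
set policy from untrust to untrust "Any" "B-ip2" "HTTP" nat dst ip 10.1.1.16 permit
```

Because every policy names a specific public address and a specific service, the same public IP can fan out to different internal hosts per port, which is the property the original poster wanted from a VIP. Keep the destination objects as /32 hosts and the services explicit; a policy with "Any" service on one of these addresses would forward every port on that public IP to a single internal host, which is rarely what is intended.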

mwdmeyer

  • Full Member
  • Posts: 245
Re: VIP in different subnet
« Reply #7 on: November 18, 2007, 04:01:32 pm »
Thanks for your help everyone.

I'll have a bit of a play today and see how it goes!

mwdmeyer

  • Full Member
  • Posts: 245
Re: VIP in different subnet
« Reply #8 on: November 18, 2007, 04:20:15 pm »
Hi Screenie,

I just tested your method and it works. I didn't need to use the "set arp nat-dst" command. What does this command do?

Thanks again!

10us

  • Jr. Member
  • Posts: 72
Re: VIP in different subnet
« Reply #9 on: December 04, 2007, 07:05:09 am »
If you have a second subnet (say /29) routed to your /30 untrust interface, you can also use a loopback interface bound to the untrust interface. In that way you can also use MIPs.

Regards,

Martijn
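The loopback-interface alternative from Reply #9, written out as ScreenOS CLI. This is an added example, not configuration posted in the thread. It assumes the same constructed addressing as above: ethernet3 is the untrust interface and 198.51.100.0/29 is the routed second subnet; the internal hosts 10.1.1.x are placeholders. One caveat the MIP route brings with it: a MIP is a one-to-one address translation, so the per-port fan-out in Reply #5 (port 80 and port 25 on one public address going to two different servers) is not expressible with MIPs and still needs the policy-based destination NAT from Reply #4. The example therefore maps each public address to a single host. Lines starting with # are annotations, not CLI input.

```text
# Loopback interface in the untrust zone owning the routed /29. Because the
# MIPs below fall inside this loopback's subnet, the "must be in the same
# subnet as the interface IP" check is satisfied.
set interface loopback.1 zone untrust
set interface loopback.1 ip 198.51.100.1/29

# Bind the physical untrust interface to the loopback group so traffic for
# the /29 arriving on ethernet3 is handled by loopback.1.
set interface ethernet3 loopback-group loopback.1

# One-to-one MIPs on the loopback; each public address maps to exactly one
# internal host (constructed addresses). vr names the virtual router that
# holds the route to the internal host.
set interface loopback.1 mip 198.51.100.2 host 10.1.1.14 netmask 255.255.255.255 vr trust-vr
set interface loopback.1 mip 198.51.100.3 host 10.1.1.16 netmask 255.255.255.255 vr trust-vr

# Policies reference the MIP objects, so the zone pair is the usual
# untrust -> trust rather than untrust -> untrust. Limit services explicitly;
# the MIP itself translates every port.
set policy from untrust to trust "Any" "MIP(198.51.100.2)" "HTTP" permit
set policy from untrust to trust "Any" "MIP(198.51.100.3)" "HTTP" permit
```

Compared with the policy-based approach, MIPs also translate the source address of outbound traffic from the mapped host, so the internal server appears on the internet as its public address. Decide deliberately whether that is wanted before choosing between the two methods.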