[j-nsp] Multiple mapped IPs on SSG-550
Stefan Fouant
sfouant at gmail.com
Thu Feb 7 13:04:58 EST 2008

You can accomplish this using a MIP. VIPs are only used if you want to use
the same address on the public side and map unique ports to a unique
destination address and destination port combination on the private side.
The downside of the MIP, however, is that all traffic to a designated public
address will be mapped to a designated private address, regardless of port.
If you just want to constrain it to Port 80 traffic, you'll want to use
NAT-Dst in a policy. Policy based NAT-Dst is more flexible than using MIPs
or VIPs.

Cheers,
Stefan Fouant

On 2/7/08, Vincent De Keyzer <vincent at autempspourmoi.be> wrote:
>
> Hi,
>
> I'm quite new to Netscreens, so I hope this is a very easy question.
>
> Say A.B.C.0/24 is some public IP range.
>
> I'm trying to set up the following (SSG-550):
>
> * A.B.C.0/27 on the Untrust sub-interface
> * 10.0.0.0/24 on a DMZ sub-interface (where servers do support NAT)
> * A.B.C.32/27 on another DMZ sub-interface (where servers do not
> support NAT)
>
> I would like to map (incoming web traffic):
>
> * port 80 of A.B.C.1 => port 80 of 10.0.0.101.
>
> * port 80 of A.B.C.2 => port 80 of 10.0.0.102.
>
> Is this possible? For some reason I don't have the possibility to create
> a VIP on the Untrust interface at the moment (and I'm not even sure you
> can have VIPs with different IP addresses on the same interface...)
>
> Vincent
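
The two approaches named in the reply, sketched as ScreenOS CLI for the mapping asked about in the quoted question. This is an added example, not configuration from either poster: 203.0.113.x stands in for A.B.C.x, the interface names, the zone name `dmz` and the address-book names are assumptions, and the `#` lines are annotations for the reader rather than CLI input.

```screenos
# Constructed example. 203.0.113.x stands in for A.B.C.x.
# Assumed names: ethernet0/0.1 = Untrust sub-interface,
#                ethernet0/1.1 = DMZ sub-interface carrying 10.0.0.0/24.
# Assumes 203.0.113.1 and .2 are not the interface's own address and that
# the upstream router delivers traffic for them to the firewall (not shown).

# --- Option 1: MIP -------------------------------------------------------
# The translation itself covers every port of the public address.
set interface ethernet0/0.1 mip 203.0.113.1 host 10.0.0.101 netmask 255.255.255.255 vrouter trust-vr
set interface ethernet0/0.1 mip 203.0.113.2 host 10.0.0.102 netmask 255.255.255.255 vrouter trust-vr
# The service field of the policy, not the MIP, is what limits exposure to HTTP.
set policy from untrust to dmz any mip(203.0.113.1) http permit
set policy from untrust to dmz any mip(203.0.113.2) http permit

# --- Option 2: policy-based NAT-Dst ---------------------------------------
# Translation is applied only to traffic that matches the policy (HTTP here).
# Address-book entries for the original public destinations, in the destination zone.
set address dmz pub-web1 203.0.113.1/32
set address dmz pub-web2 203.0.113.2/32
# Host routes so the route lookup on the original destination resolves to the
# DMZ interface and the untrust-to-dmz policy set is the one consulted.
set route 203.0.113.1/32 interface ethernet0/1.1
set route 203.0.113.2/32 interface ethernet0/1.1
# The destination port is left unchanged (80 to 80), so no port keyword is used.
set policy from untrust to dmz any pub-web1 http nat dst ip 10.0.0.101 permit
set policy from untrust to dmz any pub-web2 http nat dst ip 10.0.0.102 permit
```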