[j-nsp] Netscreen SSG src-dest NAT with static mapping problem

Stefan Fouant sfouant at gmail.com
Wed Dec 3 15:44:29 EST 2008


On Wed, Dec 3, 2008 at 6:11 AM, Mark Tech <techconfig at yahoo.com> wrote:
> Hi
> I am having a bit of trouble trying to do the following NAT with static mapping, i.e:
>
> src 2.2.2.2 dest 1.1.1.1 (tr) NETSCREEN (dmz) src 10.1.1.254 dest 10.1.1.1
> src 2.2.2.2 dest 1.1.1.2 (tr) NETSCREEN (dmz) src 10.1.1.254 dest 10.1.1.2
> src 2.2.2.2 dest 1.1.1.x (tr) NETSCREEN (dmz) src 10.1.1.254 dest 10.1.1.x
>
> 1 to 1 destination mapping:
>
> 1.1.1.1 - 10.1.1.1
> 1.1.1.2 - 10.1.1.2
> 1.1.1.3 - 10.1.1.3
> 1.1.1.4 - 10.1.1.x
>
>
> i.e. if I ping 1.1.1.1 within the trusted zone from 2.2.2.2 for example, 1.1.1.1 will be mapped to 10.1.1.1 and forwarded to the device with 10.1.1.1
> The device (10.1.1.1) will see the source IP address as 10.1.1.254
>
> Is this possible? If so, is there a config example to show me, as FWs aren't my speciality?
>
> Regards
>
> Mark

I am assuming the static mapping you are referring to is actually a
MIP... if that is the case then you can't do what you are attempting
to do with a MIP.  In order to translate both the source and the
destination address you will need to use Policy-Based NAT.

There is a section in the ScreenOS Concepts & Examples, Volume 8:
Address Translation entitled "NAT-Src and NAT-Dst in the Same Policy"
which should be able to assist you in configuring this in your
network.

HTHs.

-- 
Stefan

