[j-nsp] Can we use MIP for outgoing traffic on a different interface
Glenn Krutsinger
GKrutsinger at us.ci.org
Mon Jun 7 10:11:57 EDT 2010
Hello,
You will create a new MIP on the DMZ interface using an IP in the DMZ address space.
If traffic is destined for the Untrust zone, the server will use the Untrust MIP. If it routes to the DMZ, it will use the DMZ MIP.
Our old mail system used this design for OWA (Untrust) and SMTP relay (DMZ) with the same server in the Trust zone.
Cheers!
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Kamal Dissanayaka
Sent: Monday, June 07, 2010 7:51 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Can we use MIP for outgoing traffic on a different interface
Hi,
I have a MIP (z.z.z.z) configured on an interface X.X in zone Untrust for
server y.y.y.y in zone Trust.
The config is as below:
set interface "ethernet x.x" mip z.z.z.z host "y.y.y.y" netmask 255.255.255.255 vr "trust-vr"
set policy id 102 from "Untrust" to "Trust" "Any" "MIP(z.z.z.z)" "ICMP-ANY" permit log
set policy id 103 from "Trust" to "Untrust" "y.y.y.y" "Any" "ICMP-ANY" permit log
The outgoing traffic from zone Trust to Untrust works fine and the source
address is translated to the MIP (z.z.z.z).
Now I need to use the same MIP (z.z.z.z) for outgoing traffic from the zone Trust
server y.y.y.y to another zone (DMZ). Is this possible? If it is possible,
could you please send me a sample config?
Thanks
Kamal
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp