[j-nsp] Can we use MIP for outgoing traffic on a different interface

Glenn Krutsinger GKrutsinger at us.ci.org
Mon Jun 7 10:11:57 EDT 2010


Hello,

You will create a new MIP on the DMZ interface using an IP in the DMZ address space.

If traffic is destined for the Untrust zone, the server will use the Untrust MIP. If it routes to the DMZ, it will use the DMZ MIP.

Our old mail system used this design for OWA (Untrust) and SMTP relay (DMZ) with the same server in the Trust zone.

Cheers!
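
Added example (not from either post in this thread): a ScreenOS configuration for the design Glenn describes, giving the same Trust server a second MIP on the DMZ interface. The interface name "ethernet x.y", the DMZ MIP d.d.d.d, policy ids 104/105 and the SMTP service are my assumptions; lines starting with "#" are annotations, not CLI input.

```screenos
# Added example, not the original poster's config. Placeholders: ethernet x.y is the
# DMZ interface, d.d.d.d is a free address in the DMZ interface's subnet, y.y.y.y is
# the Trust server and z.z.z.z is the existing Untrust MIP from the original post.
# Strip these "#" lines before pasting into the CLI; ScreenOS has no comment syntax.

# Address object for the server, only if it is not already in the Trust address book.
set address "Trust" "y.y.y.y" y.y.y.y 255.255.255.255

# Second MIP: d.d.d.d on the DMZ interface, mapped 1:1 to the same Trust host.
# ScreenOS creates the address object MIP(d.d.d.d) in the DMZ zone for you.
set interface "ethernet x.y" mip d.d.d.d host "y.y.y.y" netmask 255.255.255.255 vr "trust-vr"

# Outbound Trust -> DMZ (SMTP relay, as in Glenn's old mail design). Because the MIP
# sits on the egress interface, the source y.y.y.y is rewritten to d.d.d.d; traffic
# that routes out via Untrust keeps using z.z.z.z through the existing policy 103.
set policy id 104 from "Trust" to "DMZ" "y.y.y.y" "Any" "SMTP" permit log

# Inbound DMZ -> Trust: only through the DMZ MIP and only the service actually needed.
set policy id 105 from "DMZ" to "Trust" "Any" "MIP(d.d.d.d)" "SMTP" permit log

# Verification: both MIPs should be listed, and a session from the server toward the
# DMZ should show the translated source d.d.d.d rather than z.z.z.z.
get mip
get session src-ip y.y.y.y
```

A MIP is a fixed 1:1 mapping, so the server cannot present z.z.z.z toward the DMZ zone; the second MIP in DMZ address space is what makes the DMZ path work.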

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Kamal Dissanayaka
Sent: Monday, June 07, 2010 7:51 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Can we use MIP for outgoing traffic on a different interface

Hi,
I have a MIP (z.z.z.z) configured on an interface X.X in zone Untrust for
server y.y.y.y in zone Trust.

The config is as below:

set interface "ethernet x.x" mip z.z.z.z host "y.y.y.y" netmask 255.255.255.255 vr "trust-vr"
set policy id 102 from "Untrust" to "Trust" "Any" "MIP(z.z.z.z)" "ICMP-ANY" permit log
set policy id 103 from "Trust" to "Untrust" "y.y.y.y" "Any" "ICMP-ANY" permit log

The outgoing traffic from zone trust to untrust works fine and source
address is translated to MIP (z.z.z.z).

Now I need to use the same MIP (z.z.z.z) for outgoing traffic from the zone Trust
server y.y.y.y to another zone (DMZ). Is this possible? If it is possible,
could you please send me a sample config?

Thanks

Kamal
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp