[j-nsp] Can we use MIP for outgoing traffic on a different interface

Kamal Dissanayaka kamalasiri at gmail.com
Mon Jun 7 10:36:39 EDT 2010


Hi Glenn,

Thanks for the help.

Yes, it is working with a different MIP on the DMZ interface.

My question was: can we use the same MIP used on the Untrust interface on the
DMZ interface as well?

Thanks

Kamal

On Tue, Jun 8, 2010 at 12:11 AM, Glenn Krutsinger <GKrutsinger at us.ci.org> wrote:

> Hello,
>
> You will create a new MIP on the DMZ interface using an IP in the DMZ
> address space.
>
> If traffic is destined for the Untrust zone, the server will use the
> Untrust MIP. If it routes to the DMZ, it will use the DMZ MIP.
>
> Our old mail system used this design for OWA (Untrust) and SMTP relay (DMZ)
> with the same server in the Trust zone.
>
> Cheers!
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:
> juniper-nsp-bounces at puck.nether.net] On Behalf Of Kamal Dissanayaka
> Sent: Monday, June 07, 2010 7:51 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Can we use MIP for outgoing traffic on a different
> interface
>
> Hi,
> I have a MIP (z.z.z.z) configured on an interface X.X on zone Untrust for
> server y.y.y.y on zone Trust.
>
> The config is as below:
>
> set interface "ethernet x.x" mip z.z.z.z host "y.y.y.y" netmask 255.255.255.255 vr "trust-vr"
> set policy id 102 from "Untrust" to "Trust"  "Any" "MIP(z.z.z.z)" "ICMP-ANY" permit log
> set policy id 103 from "Trust" to "Untrust"  "y.y.y.y" "Any" "ICMP-ANY" permit log
>
> The outgoing traffic from zone Trust to Untrust works fine and the source
> address is translated to the MIP (z.z.z.z).
>
> Now I need to use the same MIP (z.z.z.z) for outgoing traffic from zone Trust
> server y.y.y.y to another zone (DMZ). Is this possible? If it is possible,
> could you please send me a sample config?
>
> Thanks
>
> Kamal
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp