[j-nsp] Can we use MIP for outgoing traffic on a different interface

Glenn Krutsinger GKrutsinger at us.ci.org
Mon Jun 7 11:37:24 EDT 2010


I would have to say no, since a MIP is a NAT built from Zone X to Zone Y. Not to mention, the MIP on Untrust is in a different address space than the network on the DMZ interface.

From: Kamal Dissanayaka [mailto:kamalasiri at gmail.com]
Sent: Monday, June 07, 2010 8:37 AM
To: Glenn Krutsinger (GMC-MSV-NETWORK ADMINISTRATOR, WAN)
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Can we use MIP for outgoing traffic on a different interface

Hi Glenn,

Thanks for the help.

Yes it is working with different MIP on DMZ interface.

My question was can we use the same MIP used on untrust interface on DMZ interface as well?

Thanks

Kamal
On Tue, Jun 8, 2010 at 12:11 AM, Glenn Krutsinger <GKrutsinger at us.ci.org> wrote:
Hello,

You will create a new MIP on the DMZ interface using an IP in the DMZ address space.

If traffic is destined for the Untrust zone, the server will use the Untrust MIP. If it routes to the DMZ, it will use the DMZ MIP.

Our old mail system used this design for OWA (Untrust) and SMTP relay (DMZ) with the same server in the Trust zone.

Cheers!

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Kamal Dissanayaka
Sent: Monday, June 07, 2010 7:51 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Can we use MIP for outgoing traffic on a different interface

Hi,
I have a MIP (z.z.z.z) configured on an interface X.X in zone Untrust for
server y.y.y.y in zone Trust.

The config is as below:

set interface "ethernet x.x" mip z.z.z.z host "y.y.y.y" netmask 255.255.255.255 vr "trust-vr"
set policy id 102 from "Untrust" to "Trust" "Any" "MIP(z.z.z.z)" "ICMP-ANY" permit log
set policy id 103 from "Trust" to "Untrust" "y.y.y.y" "Any" "ICMP-ANY" permit log

The outgoing traffic from zone Trust to Untrust works fine and the source
address is translated to the MIP (z.z.z.z).

Now I need to use the same MIP (z.z.z.z) for outgoing traffic from the zone Trust
server y.y.y.y to another zone (DMZ). Is this possible? If it is,
could you please send me a sample config?

Thanks

Kamal
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
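As an added illustration of the two-MIP design Glenn describes (a second MIP on the DMZ interface, drawn from the DMZ address space, with the Untrust MIP left as it is), here is a ScreenOS configuration fragment. It is not configuration posted by either participant. The interface names (ethernet0/0 for Untrust, ethernet0/1 for DMZ), the addresses (203.0.113.10 standing in for z.z.z.z, 10.0.0.5 for y.y.y.y, 192.168.50.0/24 for the DMZ) and the policy IDs 104 and 105 are placeholders chosen for the example; the address-book entry for the Trust host is assumed to exist, since the original policies reference the host by IP.

```screenos
# Added example, not the list poster's configuration. Interface names,
# zone names, addresses and policy IDs are placeholders. These '#' lines
# are annotations only; strip them before pasting into a ScreenOS CLI.

# Address-book entry for the Trust server (assumed present in the original setup)
set address "Trust" "10.0.0.5" 10.0.0.5 255.255.255.255

# Existing Untrust MIP from the original post, unchanged:
# 203.0.113.10 plays the role of z.z.z.z, 10.0.0.5 the role of y.y.y.y
set interface ethernet0/0 mip 203.0.113.10 host 10.0.0.5 netmask 255.255.255.255 vr trust-vr

# DMZ interface, with a second MIP taken from the DMZ subnet.
# Defining the MIP auto-creates the "MIP(192.168.50.10)" address object in zone DMZ.
set interface ethernet0/1 zone "DMZ"
set interface ethernet0/1 ip 192.168.50.1/24
set interface ethernet0/1 mip 192.168.50.10 host 10.0.0.5 netmask 255.255.255.255 vr trust-vr

# Inbound from DMZ: the destination is the MIP object, so DMZ hosts only ever
# see 192.168.50.10, never the real Trust address
set policy id 104 from "DMZ" to "Trust" "Any" "MIP(192.168.50.10)" "ICMP-ANY" permit log

# Outbound to DMZ: the policy matches on the real host address; because the MIP
# is bound to ethernet0/1, sessions leaving that interface are source-translated
# to 192.168.50.10, while sessions leaving ethernet0/0 keep using 203.0.113.10
set policy id 105 from "Trust" to "DMZ" "10.0.0.5" "Any" "ICMP-ANY" permit log
```

After committing, `get mip` lists both mappings with their interfaces, and `get session src-ip 10.0.0.5` shows which translated address each outbound session received, which is the quickest way to confirm that the egress interface, not the zone name, selects the MIP. Policy 104 uses "Any" as the source to mirror policy 102 in the original post; in production, narrow it to the DMZ hosts that actually need to reach the server.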