Juniper Netscreen: Port forwarding for several IP addresses

on 06.11.2006 10:52:38 by mail

Hi there,

I want to configure a Netscreen 5GT for a /28 IP subnet. The Netscreen
should accept all IP addresses of the subnet and should forward different
ports to internal IP addresses. Here is my idea: I configure the untrust
interface with the subnet, e.g. 208.200.1.0/28, the untrust interface of
the Netscreen should use 208.200.1.1. Now the IP addresses 208.200.1.2
till 208.200.1.14 should also be accepted by the Netscreen. Is it possible
to use VIP for forwarding the same port to different internal IP
addresses? What I want to do is: Port 80 of IP 208.200.1.2 should be
forwarded to the internal 192.168.1.2, Port 80 of IP 208.200.1.3 should
be forwarded to the internal IP 192.168.1.3 and so on. Could
anyone tell me if my idea is right and should work the way I want?

Thank you!

Re: Juniper Netscreen: Port forwarding for several IP addresses

on 06.11.2006 11:55:58 by Ingmar Schmidt

Hi,

I believe since you want to create static internal/external
address pairs, and access the same ports on them, VIP won't work.
In this case you have to use MIP.

Greetings

Ingmar

J. Schroeder wrote:
> Hi there,
>
> I want to configure a Netscreen 5GT for a /28 IP subnet. The Netscreen
> should accept all IP addresses of the subnet and should forward different
> ports to internal IP addresses. Here is my idea: I configure the untrust
> interface with the subnet, e.g. 208.200.1.0/28, the untrust interface of
> the Netscreen should use 208.200.1.1. Now the IP addresses 208.200.1.2
> till 208.200.1.14 should also be accepted by the Netscreen. Is it possible
> to use VIP for forwarding the same port to different internal IP
> addresses? What I want to do is: Port 80 of IP 208.200.1.2 should be
> forwarded to the internal 192.168.1.2, Port 80 of IP 208.200.1.3 should
> be forwarded to the internal IP 192.168.1.3 and so on. Could
> anyone tell me if my idea is right and should work the way I want?
>
> Thank you!

Re: Juniper Netscreen: Port forwarding for several IP addresses

on 07.11.2006 14:34:42 by VeeDub

Yes, but when using MIPs you cannot direct different ports to different
internal hosts. A MIP maps an external public IP to an internal IP and
does not inspect Layer 4 to direct different traffic types to internal
hosts. It is a one-to-one mapping.


Ingmar Schmidt wrote:
> Hi,
>
> I believe since you want to create static internal/external
> address pairs, and access the same ports on them, VIP won't work.
> In this case you have to use MIP.
>
> Greetings
>
> Ingmar
>
> J. Schroeder wrote:
> > Hi there,
> >
> > I want to configure a Netscreen 5GT for a /28 IP subnet. The Netscreen
> > should accept all IP addresses of the subnet and should forward different
> > ports to internal IP addresses. Here is my idea: I configure the untrust
> > interface with the subnet, e.g. 208.200.1.0/28, the untrust interface of
> > the Netscreen should use 208.200.1.1. Now the IP addresses 208.200.1.2
> > till 208.200.1.14 should also be accepted by the Netscreen. Is it possible
> > to use VIP for forwarding the same port to different internal IP
> > addresses? What I want to do is: Port 80 of IP 208.200.1.2 should be
> > forwarded to the internal 192.168.1.2, Port 80 of IP 208.200.1.3 should
> > be forwarded to the internal IP 192.168.1.3 and so on. Could
> > anyone tell me if my idea is right and should work the way I want?
> >
> > Thank you!

Re: Juniper Netscreen: Port forwarding for several IP addresses

on 07.11.2006 16:33:18 by mail

Hi,

Thank you. But if MIP does not work for that purpose, how can I redirect
different ports of external IP addresses to internal IP addresses?

Regards, Johnny

VeeDub wrote:
> Yes, but when using MIPs you cannot direct different ports to different
> internal hosts. A MIP maps an external public IP to an internal IP and
> does not inspect Layer 4 to direct different traffic types to internal
> hosts. It is a one-to-one mapping.
>
>
> Ingmar Schmidt wrote:
>> Hi,
>>
>> I believe since you want to create static internal/external
>> address pairs, and access the same ports on them, VIP won't work.
>> In this case you have to use MIP.
>>
>> Greetings
>>
>> Ingmar
>>
>> J. Schroeder wrote:
>>> Hi there,
>>>
>>> I want to configure a Netscreen 5GT for a /28 IP subnet. The Netscreen
>>> should accept all IP addresses of the subnet and should forward different
>>> ports to internal IP addresses. Here is my idea: I configure the untrust
>>> interface with the subnet, e.g. 208.200.1.0/28, the untrust interface of
>>> the Netscreen should use 208.200.1.1. Now the IP addresses 208.200.1.2
>>> till 208.200.1.14 should also be accepted by the Netscreen. Is it possible
>>> to use VIP for forwarding the same port to different internal IP
>>> addresses? What I want to do is: Port 80 of IP 208.200.1.2 should be
>>> forwarded to the internal 192.168.1.2, Port 80 of IP 208.200.1.3 should
>>> be forwarded to the internal IP 192.168.1.3 and so on. Could
>>> anyone tell me if my idea is right and should work the way I want?
>>>
>>> Thank you!
>
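
Added example, not part of the thread: because a MIP translates a whole address and does not look at Layer 4 (VeeDub's point above), the policy that references the MIP is the only thing limiting which ports reach the internal host. This Python script audits a ScreenOS config for that; the sample config is constructed from the thread's addresses, and the `audit_mips` helper, the simplified line forms it parses and the default deny between zones are assumptions of the example.

```python
import re

# Constructed sample config (not from the thread), built from its addresses.
# Assumed line forms: "set interface <if> mip <public> host <internal> ..."
# and "set policy [id N] from <zone> to <zone> <src> mip(<public>) <svc> <action>".
SAMPLE_CONFIG = """\
set interface untrust ip 208.200.1.1/28
set interface untrust mip 208.200.1.2 host 192.168.1.2 netmask 255.255.255.255 vrouter trust-vr
set interface untrust mip 208.200.1.3 host 192.168.1.3 netmask 255.255.255.255 vrouter trust-vr
set interface untrust mip 208.200.1.4 host 192.168.1.4 netmask 255.255.255.255 vrouter trust-vr
set policy from untrust to trust any mip(208.200.1.2) http permit
set policy from untrust to trust any mip(208.200.1.3) any permit
"""

MIP_RE = re.compile(r"^set interface (\S+) mip ([\d.]+) host ([\d.]+)", re.I)
POLICY_RE = re.compile(
    r"^set policy (?:id \d+ )?from (\S+) to (\S+) (\S+) mip\(([\d.]+)\) (\S+) (permit|deny)",
    re.I)

def audit_mips(config):
    """Return {public_ip: (internal_ip, finding)} for every MIP in the config."""
    mips, services = {}, {}
    for line in config.splitlines():
        line = line.strip().replace('"', "")  # saved configs quote zone/service names
        m = MIP_RE.match(line)
        if m:
            mips[m.group(2)] = m.group(3)  # one public address -> one internal address
            continue
        p = POLICY_RE.match(line)
        if p and p.group(6).lower() == "permit":
            services.setdefault(p.group(4), set()).add(p.group(5).lower())
    report = {}
    for pub, priv in mips.items():
        svc = services.get(pub, set())
        if not svc:
            # Assumes the default deny between zones: no policy, no traffic.
            finding = "unreachable: no permit policy references this MIP"
        elif "any" in svc:
            finding = "exposed: every port on the internal host is reachable"
        else:
            finding = "restricted to " + ",".join(sorted(svc))
        report[pub] = (priv, finding)
    return report

if __name__ == "__main__":
    for pub, (priv, finding) in audit_mips(SAMPLE_CONFIG).items():
        print(f"{pub} -> {priv}: {finding}")
```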