So straight to the point, if you someone can help us with small problem we have. It seems we can’t figure it out.Few week ago we bought juniper ssg550m , we connected it works perfectly with trust/untrust etc policies and so on.
this is the diagram we have, that’s how it’s build from our ex system/network administrator “who haven’t actually explain anything and had to figure it out”
So we are under “NAT” piplink “dhcp” is disabled…Cisco cares of that.
We have five public ip’s connected to 580 and lan port which goes to the server rack, Now we are trying to somehow transfer five few of the public ip’s open to “outside” world but alas no success at all. We have tried the ‘VIP’ ‘MIP’ etc. but nothing.
Is there any way how to transfer public ips from piplink balancer to juniper ssg550m and open them to the pubic, does it have to be done from the Piplink or from the Juniper…
Probably the procedure have to be done through the Juniper ssg550m, previous firewall we had "untangle" wasn't blocking the public ip's or ports which were open on Piplink.
Actually from public ip , the only port that it's open by default it's "21" everything else just refuse to be opened.
I've never worked with a piplink loadbalancer and I assume you have that part understood so are asking about how to do port forwarding and destinination nat on the SSG firewall.
It does sound like you have identified the right options.
MIP is for one-to-one mapping of the external to the internal ip address. You use this if the public address is dedicated to a single server AND is also used by that server for ALL of it's outbound traffic. You then need to use this MIP in a security policy to permit the traffic.
VIP is for port forwarding an external ip address with the possibility of hitting multiple internal addresses using different ports on the same public ip address. This is inbound traffic only but the response traffic will use the same rule for the reverse. But not other traffic from the host. You then need to use this VIP object in a policy to permit the traffic.
Destination NAT is a second option for port forwarding that can be configured inside a security policy so with one pass you can do both the port forwarding and the security policy.