Screen OS

 View Only
last person joined: 6 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  How to get MIP and dst-nat working together?

    Posted 01-21-2015 12:40

    It appears that when a MIP is defined for an private IP address, ScreenOS will then ignore dst-nat parameters specified in the policy.


    Is there a work around for this, other than getting rid of the MIP?


  • 2.  RE: How to get MIP and dst-nat working together?
    Best Answer

    Posted 01-21-2015 13:54

    A bit more background on the problem.

    We have a storage monitoring server that requires a bunch of inbound traffic to it coming from public IP space. So there are lots of firewall rules that need to perform dst-nat to it (using a MIP). That server then reaches out to our storage nodes to pull stats. But the software sends along the IP you are trying to connect to, which interfers with NATing - the software complains that you are trying to connect to the public IP that it doesn't show locally defined (since those nodes are using MIPs on the far-end).

    I did find a work-around, by using two MIPs on the firewall local to the storage monitoring server.

    One MIP for the storage monitoring server itself. Defined on the Untrust interface.

    One MIP for each storage node it needs to monitor. Defined on the local interface to the storage monitoring server. This maps private to public.

    Then added a firewall rule from Internal > Untrust with no NATing specificed (since MIP overrides anyway) and it works. Both source and destination NATing working properly.