Tuesday, December 25, 2007

Creating a MIP in a Juniper Netscreen

When an ISP routes a block of IPs to a particular site, one IP will be used for the edge (outside) interface and the rest of the subnet will be available for routing towards hosts at the site.

In this post we are going to look at a Mapped IP address (MIP) on a Juniper Netscreen. We will be mapping an outside Internet-routable IP (186.27.45.2) to a server on our trusted LAN segment (192.168.1.100).

The first thing we have to do is create the MIP mapping. To do this, log into the Netscreen GUI, click Network -> Interfaces, and then click "Edit" on the row that contains your outside (untrust) interface.

On the page you are directed to, you should see a row that says "Properties"; click "MIP" and then click the "New" button.

There will then be four fields which you must fill out. The values are below.

Mapped IP: 186.27.45.2 - the outside address you are mapping to your internal host
Netmask: 255.255.255.255 - a host (/32) mask, reflecting a 1-to-1 mapping
Host IP Address: 192.168.1.100 - the inside address of your host
Host Virtual Router Name: trust-vr - the virtual router your inside host is attached to

After you have your MIP configured, you must then create a policy to allow traffic to flow from the outside to your internal host.

In your Netscreen GUI, click Policies, then select "From: Untrust" and "To: Trust" from the dropdown boxes at the top of the screen. Then click the "New" button.

Configure the policy as follows; if an option is not listed below, leave it at its default setting.

Source Address: Any
Destination Address: MIP(186.27.45.2)
Service: HTTP - (select whatever services you require)
Action: Permit
Logging: Enabled

Click "OK" and everything is now set up.

I like to enable PING and TRACEROUTE as some of the services just for testing purposes. The policy can later be edited to remove the services.
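As an added example (not part of the original post), the script below renders the same MIP and policy as ScreenOS CLI "set" lines and runs the sanity checks a reviewer would want before turning the mapping on: a /32 netmask, a host that actually sits in the trusted subnet, a policy destination that references the MIP, no "ANY" service, logging enabled, and a flag for the test-only PING/TRACEROUTE services so they are not forgotten. The interface name "ethernet3" and the trusted subnet 192.168.1.0/24 are assumptions; the post does not name them.

```python
"""Render the Netscreen MIP/policy steps as ScreenOS CLI and sanity-check them."""
from ipaddress import ip_address, ip_network

# Constructed values mirroring the post. The interface name and the trusted
# subnet are assumptions (the post names neither).
UNTRUST_IFACE = "ethernet3"                  # assumed outside (untrust) interface
TRUST_SUBNET = ip_network("192.168.1.0/24")  # assumed LAN behind trust-vr

MIP = {
    "mapped_ip": "186.27.45.2",
    "netmask": "255.255.255.255",
    "host_ip": "192.168.1.100",
    "vr": "trust-vr",
}

POLICY = {
    "from_zone": "untrust",
    "to_zone": "trust",
    "src": "any",
    "dst": f"mip({MIP['mapped_ip']})",
    "services": ["HTTP", "PING", "TRACEROUTE"],  # PING/TRACEROUTE only for testing
    "action": "permit",
    "log": True,
}

# Services the post enables only to verify reachability; remove once tested.
TEST_ONLY_SERVICES = {"PING", "TRACEROUTE"}


def render_cli(mip=MIP, policy=POLICY, iface=UNTRUST_IFACE):
    """Return ScreenOS 'set' lines equivalent to the GUI clicks in the post.

    One policy line is emitted per service; in practice the services would
    be grouped, but separate single-service policies are also valid.
    """
    lines = [
        f"set interface {iface} mip {mip['mapped_ip']} host {mip['host_ip']} "
        f"netmask {mip['netmask']} vr {mip['vr']}"
    ]
    for svc in policy["services"]:
        line = (f"set policy from {policy['from_zone']} to {policy['to_zone']} "
                f"{policy['src']} {policy['dst']} {svc.lower()} {policy['action']}")
        if policy["log"]:
            line += " log"
        lines.append(line)
    return lines


def audit(mip=MIP, policy=POLICY, trust_subnet=TRUST_SUBNET):
    """Return a list of findings; an empty list means the mapping is ready."""
    findings = []
    if mip["netmask"] != "255.255.255.255":
        findings.append("netmask is not /32: MIP would map a range, not a single host")
    if ip_address(mip["host_ip"]) not in trust_subnet:
        findings.append(f"host {mip['host_ip']} is outside trusted subnet {trust_subnet}")
    if policy["dst"].lower() != f"mip({mip['mapped_ip']})":
        findings.append("policy destination does not reference the MIP")
    if any(s.upper() == "ANY" for s in policy["services"]):
        findings.append("service ANY exposes every port on the host; list only required services")
    if not policy["log"]:
        findings.append("logging disabled: inbound hits on the MIP would not be recorded")
    leftover = TEST_ONLY_SERVICES & {s.upper() for s in policy["services"]}
    if leftover:
        findings.append(f"test-only services still permitted: {sorted(leftover)}")
    return findings


if __name__ == "__main__":
    print("\n".join(render_cli()))
    for finding in audit():
        print("FINDING:", finding)
```

With the post's values the only finding is the leftover PING/TRACEROUTE services; trimming the policy back to HTTP after testing clears it.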

I found the following links useful for testing my MIP setups:
http://www.fifi.org/services/ping
http://www.fifi.org/services/traceroute
