Problem with a secondary IP
gauthier last edited by
I have created a secondary IP on my sub-interface eth0/2.150, located in the Trust zone (in the trust-vr router). This secondary IP is a public IP linked to a domain name.
For the untrust-vr in the Untrust zone, I have a route for this public IP to the trust-vr.
I have a policy to allow traffic towards this public IP from Untrust to Trust, so it's OK for a computer located on the Internet to go to the public IP and to my webserver.
But if I try to go to the domain name linked to my public IP from a computer located in eth0/2.150, it's not possible and I get the message:
****** 2582245.0: <untrust/ethernet0/2.150> packet received ******
ipid = 13718(3596), @5e443114
packet passed sanity check.
ethernet0/2.150:10.0.128.11/48268->a.a.a.a/80,6<Root>no session found
flow_first_sanity_check: in <ethernet0/2.150>, out <N/A> self check, not for us
chose interface ethernet0/2.150 as incoming nat if.
packet dropped: for self but not interested
Which policy do I have to put to allow local users to go to this webserver?
I tried this policy but it didn't change anything:
set policy id 35 from "Trust" to "Trust" "10.0.128.0/24" "a.a.a.a" "ANY" nat dst ip 10.0.128.83 permit log
I know a solution could be to put a local DNS server to tell the local users this domain is linked to a local IP, but that's not the way I want.
Information to understand the situation:
a.a.a.a: the public IP
10.0.128.11: my local user
10.0.128.83: the IP of my webserver
eth0/2.150: sub-interface (VLAN) of 10.0.128.0/24
Just to clarify, here is how I was accessing my server before.
I created a static route in my untrust-vr router which sent traffic for a.a.a.a to interface 0/2.150.
I want to try with a secondary IP because I think it is better and "cleaner".
I didn't know that! Thanks for the info. Still, only to the same dest IP as the MIP, while with NAT-DST or VIP you can move your session around to destinations as you like.
Two remarks on that for who is interested:
1. I've heard (not tested yet) that in 6.0 you can define a VIP on interfaces in other zones than just Untrust, as was the case before 6.0.
2. NAT dst is sometimes hard to understand, I experienced. Still, it's worth the effort; combined with NAT src it gives you almost complete freedom in address translation.
So, to do NAT dst the easy way:
set arp nat-dst (sorry, CLI only!!)
Set a policy from a zone to the same zone and use the NAT DST option, either in the CLI or GUI of course (it won't work in zones with intra-zone block disabled of course, since no policy lookup will occur).
If you want port translation: select the port to listen on in the policy object, and set the port to translate to in the NAT DST option.
As you see, it's not as hard as you might think.
I'm feeling I'm becoming sort of a NAT dst preacher on this forum (:-
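As an added illustration of the NAT dst approach described above (not configuration from the original thread), this is what the hairpin policy looks like with the addresses from gauthier's post. It assumes a.a.a.a is no longer configured as a secondary IP on ethernet0/2.150, so the firewall forwards to it instead of treating it as its own address (the "for self" drop in the debug), and it adds NAT src so the web server's replies return through the firewall rather than directly to the client. Lines starting with # are annotations, not CLI.

```text
# Intra-zone policy lookup must happen; without it Trust->Trust traffic is passed untranslated
set zone Trust block
# Let the firewall answer ARP for addresses it translates with nat dst
set arp nat-dst
# The original destination needs a route in trust-vr so the destination zone resolves to Trust
set vrouter trust-vr route a.a.a.a/32 interface ethernet0/2.150
# Address objects (names are arbitrary)
set address Trust "lan-10.0.128.0" 10.0.128.0 255.255.255.0
set address Trust "web-public" a.a.a.a 255.255.255.255
# Hairpin policy for local users reaching the public name:
#   nat src rewrites the client source to the egress interface IP, so 10.0.128.83 replies to the firewall
#   nat dst rewrites a.a.a.a to the real server 10.0.128.83
set policy id 35 from Trust to Trust "lan-10.0.128.0" "web-public" HTTP nat src dst ip 10.0.128.83 permit log
# With the zone blocked, all other Trust->Trust traffic also needs a permit policy; keep it after the specific one
set policy id 36 from Trust to Trust any any any permit
# Check the result with the same debug the post used; a translated session should appear instead of the drop
clear dbuf
debug flow basic
get dbuf stream
undebug all
```

Port translation (greg1c's point) is the same policy with a custom service object for the listening port and "nat dst ip 10.0.128.83 port <target port>".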
greg1c last edited by
You can port forward using a policy if you want to:
NAT destination translation.
Translate to the same destination IP but change the port number.
Works like a charm.
"Port forwarding" takes a VIP or dst NAT. A MIP does bidirectional translation for all ports.
gauthier last edited by
Yes, I could use a MIP, but if I need to forward a port to another server, with the MIP it's not possible, is it?
MaxPipeline last edited by
Rather than using a secondary IP, you should be using a MIP instead. Basically, if the traffic is showing as destined for the IP of the firewall, then the firewall thinks it is for itself. However, if you have a MIP then the firewall will know to forward traffic for that IP to your internal server. Check out the Address Translation volume in the Concepts & Examples Guide (see my sig for a link to Juniper techpubs) and then look in the chapter for mapped IP (MIP).