Problem with a secondary IP

  • Hi,

    I have created a secondary IP on my sub-interface eth0/2.150 located in the Trust zone (in the trust-vr router). This secondary IP is a public IP linked to a domain name.
    For the untrust-vr in the Untrust zone, I have a route for this public IP to the trust-vr.
    I have a policy to allow traffic towards this public IP from Untrust to Trust, so it’s OK for a computer located on the Internet to go to the public IP and to my webserver.
    But, if I try to go to the domain name linked to my public IP with a computer located in eth0/2.150, it’s not possible and I get the message:

    ****** 2582245.0: <untrust ethernet0/2.150>packet received [60]******
      ipid = 13718(3596), @5e443114
      packet passed sanity check.
      ethernet0/2.150:>a.a.a.a/80,6 <Root>no session found
      flow_first_sanity_check: in <ethernet0/2.150>, out <N/A>self check, not for us
      chose interface ethernet0/2.150 as incoming nat if.
      packet dropped: for self but not interested

    Which policy do I have to put in place to allow local users to reach this webserver?
    I tried this policy but it didn’t change anything:

    set policy id 35 from "Trust" to "Trust" "" "a.a.a.a" "ANY" nat dst ip permit log

    I know a solution could be to put up a local DNS server to tell the local users this domain is linked to a local IP, but that’s not the way I want to do it.

    Information to understand the situation:
    a.a.a.a: the public IP my local user the IP of my webserver
    eth0/2.150: sub-interface (VLAN) of the

    Just to clarify, here is how I was accessing my server before.
    I created a static route in my untrust-vr router which was sending traffic for a.a.a.a to the interface 0/2.150.
    I want to try with a secondary IP because I think it’s better and “cleaner”.


  • Global Moderator

    I didn’t know that! Thanks for the info. Still only to the same dest IP as the MIP, while with NAT-DST or VIP you can move your session around to destinations as you like.

    Two remarks on that for who is interested:

    1 I’ve heard (not tested yet) that in 6.0 you can define a VIP on interfaces in other zones than just untrust, as it was before 6.0.

    2 NAT dst is sometimes hard to understand, I experienced. Still it’s worth the effort; combined with NAT src it gives you almost complete freedom in address translation.

    So: NAT dst made easy:
    set arp nat-dst (sorry, CLI only !!)
    set a policy from a zone to the same zone and use the NAT DST option, either in CLI or GUI of course. (Uh, won’t work in zones with intra-zone-block disabled of course, since no policy look-up will occur.)
    If you want port translation: select the port to listen to in the policy’s service object, and set the port to translate to in the NAT DST option.

    As you see: it’s not as hard as you might think.

    I’m feeling I’m becoming sort of a NAT dst preacher on this forum (:-

  • You can port forward using a policy if you want to,

    NAT Destination translation

    Translate to the same destination IP but change the port number.

    Works like a charm.


  • Global Moderator

    “Port forwarding” takes a VIP or dst NAT. A MIP does bidirectional translation for all ports.

  • Hi,

    Yes, I could use a MIP, but if I need to forward a port to another server, with the MIP it’s not possible, is it?


  • Rather than using a secondary IP, you should be using a MIP instead. Basically, if the traffic is showing as destined for the IP of the firewall, then the firewall thinks it is for self. However, if you have a MIP then the firewall will know to forward traffic for that IP to your internal server. Check out the Address Translation volume in the Concepts & Examples Guide (see my sig for a link to Juniper techpubs) and then look in the chapter for mapped IP (MIP).
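    As an added worked example (not from any poster in this thread), here are the two approaches discussed above as ScreenOS CLI: the moderator's intra-zone NAT-dst steps (`set arp nat-dst`, same-zone policy with the NAT DST option, optional port translation) and the MIP suggested in the last reply. The interface, zone and virtual-router names and the public address a.a.a.a come from the original question; the internal server address 10.0.150.10, the address-object name, the policy IDs, the translated port 8080 and the `<mask>` placeholder are assumptions. Lines starting with `#` are annotations for the reader, not ScreenOS syntax, and must be dropped before pasting. Whichever option is chosen, the secondary IP should be removed first: as the last reply explains, an address the firewall owns is treated as "for self", which is exactly what the debug trace in the question shows.

```screenos
# Step 0 (both options): stop owning a.a.a.a as a secondary address.
# <mask> is the prefix length used when the secondary IP was added (not given in the thread).
unset interface ethernet0/2.150 ip a.a.a.a/<mask> secondary

# Option A: MIP on the sub-interface (last reply).
# One-to-one, bidirectional, all ports; the firewall forwards a.a.a.a to the server
# instead of handling it as its own address. 10.0.150.10 is an assumed server IP.
set interface ethernet0/2.150 mip a.a.a.a host 10.0.150.10 netmask 255.255.255.255 vr trust-vr
# Internet -> server: the untrust-vr still needs its route for a.a.a.a to trust-vr.
set policy id 40 from "Untrust" to "Trust" "Any" "MIP(a.a.a.a)" "HTTP" permit log
# Local users on ethernet0/2.150 resolving the public name: intra-zone traffic only
# hits a policy when the zone blocks intra-zone traffic, so turn that on and permit it.
set zone "Trust" block
set policy id 41 from "Trust" to "Trust" "Any" "MIP(a.a.a.a)" "HTTP" permit log

# Option B: intra-zone NAT-dst (moderator's steps).
# Lets the firewall answer ARP for a.a.a.a without owning it, and allows
# redirecting a port to a different server or port, which a MIP cannot do.
set arp nat-dst
set zone "Trust" block
set address "Trust" "webserver-public" a.a.a.a 255.255.255.255
# Plain destination NAT: public address -> server, same port.
set policy id 42 from "Trust" to "Trust" "Any" "webserver-public" "HTTP" nat dst ip 10.0.150.10 permit log
# Port translation variant: listen on HTTP (the service object), hand to the server on 8080 (assumed).
set policy id 43 from "Trust" to "Trust" "Any" "webserver-public" "HTTP" nat dst ip 10.0.150.10 port 8080 permit log
```

    Only one of the two options is meant to be active at a time; with option B, the Untrust-to-Trust policy for Internet clients keeps using the same NAT-dst form (from "Untrust" to "Trust") rather than the MIP object. Policies 42 and 43 both match HTTP to the same destination, so in practice keep only the one you need, since ScreenOS evaluates policies top-down and the first match wins.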