Michael Dale
Recently the company I work for got another subnet to use, let's call it b.b.b.0/24 (and our current one is a.a.a.0/24).
We want to use this subnet to create more VIPs (Virtual IPs).
So we currently have:
a.a.a.2:80 -> 10.0.0.2:80
We wanted to add:
b.b.b.2:80 -> 10.0.0.3:80
Unfortunately trying to do this via the standard method fails with this error:

With the help of the juniperforum website a way was worked out.
Steps:
1) Make sure the new subnet is routed to your NetScreen (in this case to our Untrust interface)

2) Create a new policy from UNTRUST to UNTRUST (yes, this is not a mistake) with the following details:
Source Address: ANY
Destination Address: The external IP address you want to use, i.e. b.b.b.2
Service: The service you want
Under the advanced settings:
Enable Destination Translation
Translate to IP 10.0.0.3


3) To create more services to the IP address simply add another policy with the "Service" and "Translate to IP" details changed.
Note: This method mostly acts like a normal VIP. The only thing to look out for is that requests from the TRUST zone won't be translated.
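
The same steps from the ScreenOS CLI, as an added example that is not part of the original post. 203.0.113.2 stands in for b.b.b.2, and the address-book name `vip-b-2`, the second service (HTTPS), its target 10.0.0.4 and the `log` keyword are assumptions; lines starting with `#` are annotations, not commands to enter.

```screenos
# Address-book entry for the new external IP, in the Untrust zone
# (203.0.113.2 is a constructed stand-in for b.b.b.2; the name is hypothetical).
set address "Untrust" "vip-b-2" 203.0.113.2/32

# Step 2: Untrust-to-Untrust policy with destination translation to 10.0.0.3.
# "log" is an addition so the translated sessions appear in the traffic log.
set policy from "Untrust" to "Untrust" "Any" "vip-b-2" "HTTP" nat dst ip 10.0.0.3 permit log

# Step 3: another service on the same external IP is one more policy with the
# service and the translated IP changed (HTTPS and 10.0.0.4 are constructed values).
set policy from "Untrust" to "Untrust" "Any" "vip-b-2" "HTTPS" nat dst ip 10.0.0.4 permit log

save
```

Running `get policy` afterwards lists the resulting policies so the source, destination and service of each can be reviewed.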
More details can be found in the forum thread here.