Bluetrait (Program)
                IBM N2200 8363

Mon, 19 Nov 2007 10:15 AM

Creating a VIP in a different subnet

Michael Dale

Recently the company I work for got another subnet to use, let's call it b.b.b.0/24 (and our current one is a.a.a.0/24).

We want to use this subnet to create more VIPs (Virtual IPs).

So we currently have:
a.a.a.2:80 ->

We wanted to add:
b.b.b.2:80 ->

Unfortunately trying to do this via the standard method fails with this error:
VIP error
With the help of the juniperforum website a way was worked out.


1) Make sure the new subnet is routed to your netscreen (in this case to our untrust int)
untrust untrust policy
2) Create a new policy from UNTRUST to UNTRUST (yes this is not a mistake) with the following details:
Source Address: ANY
Destination Address: The external IP address you want to use i.e b.b.b.2
Service: The service you want
Under the advanced settings:
Enable Destination Translation
Translate to IP

untrust untrust policy
3) To create more services to the IP address simply add another policy with the "Service" and "Translate to IP" details changed.

Note: This method mostly acts like a normal VIP. The only thing to look out for is that requests from the TRUST zone won't be translated.

More details can be found in the forum thread here.



HTML allowed: <a href="" title="" rel=""></a> <b></b> <blockquote cite=""></blockquote> <em></em> <i></i> <strike></strike> <strong></strong> <li></li> <ol></ol> <ul></ul>
ie: <b>bold</b>

Your comment may need to be reviewed before it is published.



Email (not shown)

WWW (optional)

Allow contact form email

Remember details