// post · 632
Creating a VIP in a different subnet
Recently the company I work for got another subnet to use, let's call it b.b.b.0/24 (and our current one is a.a.a.0/24).
We want to use this subnet to create more VIPs (Virtual IPs).
So we currently have:
a.a.a.2:80 -> 10.0.0.2:80
We wanted to add:
b.b.b.2:80 -> 10.0.0.3:80
Unfortunately trying to do this via the standard method fails with this error:

With the help of the juniperforum website, a workaround was found.
Steps:
1) Make sure the new subnet is routed to your NetScreen (in this case, to our untrust interface).

2) Create a new policy from UNTRUST to UNTRUST (yes this is not a mistake) with the following details:
Source Address: ANY
Destination Address: The external IP address you want to use, i.e. b.b.b.2
Service: The service you want
Under the advanced settings:
Enable Destination Translation
Translate to IP 10.0.0.3


3) To create more services to the IP address simply add another policy with the "Service" and "Translate to IP" details changed.
Note: This method mostly acts like a normal VIP. The only thing to look out for is that requests from the TRUST zone won't be translated.
More details can be found in the forum thread here.
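The policy from step 2, written as ScreenOS CLI commands instead of WebUI settings. This is an added example, not taken from the original post or the forum thread: the address-book name "vip-b-2" is hypothetical, b.b.b.2 is the post's placeholder address, and the trailing `log` keyword is an addition so that connections to the published service are recorded. Lines starting with `#` are annotations; leave them out when entering the commands.

```screenos
# Address-book entry for the new external address, in the Untrust zone
# ("vip-b-2" is a hypothetical name; b.b.b.2 is the post's placeholder)
set address "Untrust" "vip-b-2" b.b.b.2/32

# Untrust -> Untrust policy with destination translation to the internal host.
# Service is limited to HTTP so only the published port is reachable.
set policy from "Untrust" to "Untrust" "Any" "vip-b-2" "HTTP" nat dst ip 10.0.0.3 permit log

# Review the resulting policy
get policy from "Untrust" to "Untrust"
```

Each additional service from step 3 is one more `set policy` line with its own service name and `nat dst ip` target.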