When configuring Network Address Translation (NAT) on Juniper SRX firewalls, you’ll come across terms like MIP, VIP, and DIP. These are essential NAT concepts, especially in legacy Juniper devices (like ScreenOS), and are crucial in managing IP address translation in a secure and scalable way.
Let’s discuss the three terms in detail and how they differ from each other.

The Juniper ScreenOS platform supports Source NAT as well as Destination NAT, and hence uses the following terminology: MIP, VIP and DIP.
What is MIP
MIP stands for Mapped IP. MIP maps one external IP address to one internal IP address and does not alter the port information. It is used when an internal host needs to be accessible from the outside using a fixed public IP.
How it Works
A single internal IP (e.g., 192.168.1.10) is mapped to a single public IP (e.g., 203.0.113.10). All traffic to/from the internal host uses the public IP.
Public IP: 203.0.113.10
Internal IP: 192.168.1.10
Traffic from the internet to 203.0.113.10 is NAT-ed to 192.168.1.10.
What is VIP
VIP stands for Virtual IP. A VIP maps one external IP address and one external port to one of multiple possible internal IP addresses and ports. It can also translate the external port to the same or a different internal port. It is useful when multiple internal servers offer different services and you only have one public IP.
How it Works
One public IP (e.g., 203.0.113.10) is mapped to different internal servers based on port numbers.
203.0.113.10:80 → 192.168.1.10:80 (Web Server)
203.0.113.10:22 → 192.168.1.20:22 (SSH Server)
What is DIP
DIP stands for Dynamic IP. DIP enables policy-based NAT, including NAT applied before VPN encapsulation for VPN networks in which overlapping private IP addresses exist.
How it Works
Internal IPs are translated to a pool of public IPs dynamically, often using different port numbers.
Internal IP: 192.168.1.50 → Public IP: 203.0.113.10:30456
Note that VIP and DIP are unidirectional, whereas MIP is bidirectional.
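The three lookups described in the "How it Works" sections above, modelled as an added Python example (not Juniper code or ScreenOS configuration). Function and class names are hypothetical, the addresses are the page's examples, and the four-port DIP pool is constructed.

```python
# Added illustration; names are hypothetical, addresses are the page's examples.
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

MIP = {"203.0.113.10": "192.168.1.10"}              # public IP -> internal IP
VIP = {("203.0.113.10", 80): ("192.168.1.10", 80),  # public ip:port -> server
       ("203.0.113.10", 22): ("192.168.1.20", 22)}


def mip_inbound(dst: Endpoint) -> Optional[Endpoint]:
    """Destination NAT: swap the IP, keep whatever port was requested."""
    ip, port = dst
    return (MIP[ip], port) if ip in MIP else None


def mip_outbound(src: Endpoint) -> Optional[Endpoint]:
    """Source NAT: the same one-to-one mapping applied in reverse."""
    reverse = {inside: public for public, inside in MIP.items()}
    ip, port = src
    return (reverse[ip], port) if ip in reverse else None


def vip_inbound(dst: Endpoint) -> Optional[Endpoint]:
    """Destination NAT keyed on IP *and* port; unmapped ports match nothing."""
    return VIP.get(dst)


class DipPool:
    """Source NAT from a pool, with port translation and a session table."""

    def __init__(self, public_ips, first_port=30456):
        self.free = [(ip, p) for ip in public_ips
                     for p in range(first_port, first_port + 4)]
        self.sessions = {}  # translated endpoint -> original internal endpoint

    def outbound(self, src: Endpoint) -> Endpoint:
        for public, inside in self.sessions.items():
            if inside == src:           # reuse the existing session
                return public
        if not self.free:
            raise RuntimeError("DIP pool exhausted")
        public = self.free.pop(0)
        self.sessions[public] = src
        return public

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Only replies to an existing outbound session are translated back."""
        return self.sessions.get(dst)
```

In this model `mip_inbound` translates a request to any port, while `vip_inbound` matches only the mapped ports, so with a MIP the firewall policy alone decides which services on the internal host are reachable.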
Comparison: MIP, VIP and DIP
The comparison table below differentiates the MIP, VIP and DIP terms used in ScreenOS:
PARAMETER | MIP | VIP | DIP |
---|---|---|---|
Philosophy | A one-to-one mapping of one address to another. | A virtual IP (VIP) address maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP protocols | A dynamic IP (DIP) address pool is a range of IP addresses from which the device can dynamically take addresses to use when performing NAT on the source IP address of outgoing or incoming IP packets. |
NAT Type | Destination NAT and Source NAT | Destination NAT | Source NAT |
Usage | Static NAT to/from Servers | Outgoing NAT instead of using egress Interface IP | Port forwarding to Servers |
Port usage | No | Yes | Yes |
Mapping Type | One-to-One | One-to-Many | One-to-Many and Many-to-One |
Flow Direction | Bidirectional. Traffic can be initiated from an inside source or an outside source. | Unidirectional. Traffic can be initiated from inside source only for VIP to take effect. | Unidirectional. Traffic can be initiated from outside source only for DIP to take effect. |
Final Words
Understanding the difference between MIP, VIP, and DIP is crucial for designing secure and efficient network architectures in Juniper environments. Whether you’re exposing internal services to the internet or managing outbound traffic, choosing the right NAT method can make all the difference.
ABOUT THE AUTHOR

You can learn more about her on her LinkedIn profile – Rashmi Bhardwaj