WHAT IS VIP IN JUNOS

What is VIP (Virtual IP Addresses) –

In JUNOS ScreenOS, a VIP maps one external IP address and port to multiple internal IP addresses and ports. It can also translate an external port to a different internal port. VIP addresses map traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment. If you have only one public IP address available and want to host multiple servers, VIP comes into play: it meets the need to reach multiple private IP addresses through one public IP address. VIP is also called port forwarding.


As opposed to VIP, a MIP should be used when we have multiple public IP addresses and want to map a single server to a single public IP.

The scenario below illustrates the concept of VIP and its configuration –

EXAMPLE OF VIP AS PORT FORWARDING.


The customer has a secured setup at the HUB site and wants its mobile users on the Internet to access the Web Server, Mail Server, and FTP Server for business-related work. The NetScreen box at the HUB site uses NAT (VIP) so that requests for HTTP, FTP, or SMTP all land on the same global IP but are translated to a local IP address based on the destination port.

  • An HTTP packet destined for 11.11.11.1:80 (that is, IP address 11.11.11.1 and port 80) will get mapped to a webserver at 12.1.1.12.
  • An FTP packet destined for 11.11.11.1:21 will get mapped to an FTP server at 12.1.1.13.
  • An SMTP packet destined for 11.11.11.1:25 will get mapped to a mail server at 12.1.1.14.
  • The destination IP addresses are the same. The destination port numbers determine the host to which the security device forwards traffic.

    VIRTUAL IP FORWARDING TABLE


Note – The configuration below is performed only for the Web Server mapping 11.11.11.1:80 –> 12.1.1.12. Translations for FTP and SMTP can be created using the Web Server VIP configuration as a reference.

WebUI Configuration on ScreenOS –

1. INTERFACES

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 12.1.1.1/24
Select the following, then click OK
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 11.11.11.11/24         

 

2. VIP

Network > Interfaces > Edit (for ethernet3) > VIP: Enter the following
address, then click Add:
Virtual IP Address: 11.11.11.1
Network > Interfaces > Edit (for ethernet3) > VIP > New VIP Service: Enter
the following, then click OK:
Virtual IP: 11.11.11.1
Virtual Port: 80
Map to Service: HTTP (80)
Map to IP: 12.1.1.12   

 

3. POLICY

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK
Source Address:
Address Book Entry: (select), ANY
Destination Address:
Address Book Entry: (select), VIP(11.11.11.1)
Service: HTTP
Action: Permit     

 

CLI CONFIGURATION ON SCREENOS –

1. INTERFACES

set interface ethernet1 zone trust
set interface ethernet1 ip 12.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 11.11.11.11/24

 

2. VIP

set interface ethernet3 vip 11.11.11.1 80 http 12.1.1.12

 

3. POLICY

set policy from untrust to trust any vip(11.11.11.1) http permit
save   
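
A defender-side check built on the CLI form shown above, as an added example that is not part of the original article or any Juniper tooling: it rebuilds the VIP forwarding table from `set` lines and flags permit policies that are wider than the mapped services, plus mappings that no service-specific policy covers. The sample config is constructed; the `ftp`/`smtp` service names and the `any`-service policy are assumptions.

```python
import re

# Constructed sample in the page's CLI form. The ftp/smtp lines extend the page's
# HTTP example; their service names and the last policy are assumptions.
SAMPLE_CONFIG = """\
set interface ethernet3 vip 11.11.11.1 80 http 12.1.1.12
set interface ethernet3 vip 11.11.11.1 21 ftp 12.1.1.13
set interface ethernet3 vip 11.11.11.1 25 smtp 12.1.1.14
set policy from untrust to trust any vip(11.11.11.1) http permit
set policy from untrust to trust any vip(11.11.11.1) any permit
"""

VIP_RE = re.compile(
    r"^set interface (\S+) vip (\S+) (\d+) (\S+) (\S+)\s*$", re.I)
POLICY_RE = re.compile(
    r"^set policy from (\S+) to (\S+) (\S+) vip\((\S+?)\) (\S+) (permit|deny)\s*$", re.I)

def parse(config):
    """Return (forwarding table, policies) from ScreenOS 'set' lines."""
    table, policies = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := VIP_RE.match(line):
            _, vip, port, svc, host = m.groups()
            table[(vip, int(port))] = (svc.lower(), host)
        elif m := POLICY_RE.match(line):
            _, _, src, vip, svc, action = m.groups()
            policies.append((src.lower(), vip, svc.lower(), action.lower()))
    return table, policies

def audit(config):
    """Flag VIP policies wider than the mapping, and mappings no policy permits."""
    table, policies = parse(config)
    findings = []
    permitted = set()
    for src, vip, svc, action in policies:
        if action != "permit":
            continue
        mapped = {s for (v, _), (s, _) in table.items() if v == vip}
        if svc in mapped:
            permitted.add((vip, svc))
        else:
            findings.append(f"policy permits '{svc}' to vip({vip}); mapped services: {sorted(mapped)}")
    for (vip, port), (svc, host) in sorted(table.items()):
        if (vip, svc) not in permitted:
            findings.append(f"{vip}:{port} -> {host} ({svc}) has no service-specific permit policy")
    return findings
```

Running `audit()` on the article's own two lines (the HTTP VIP and its HTTP policy) returns an empty list, since the policy service matches the mapped service exactly.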
