Thursday, June 17, 2010

Juniper Firewall MIP-Definition, configuration of MIP

MIP – Definition: A MIP (Mapped IP) is a one-to-one mapping of a public IP address to an IP address on the internal side of the Juniper firewall.

Configuring a MIP to access a single device on the private network:

Consider the following setup:
Internal host IP is 192.168.1.100.
Public interface (e0/0) IP is 1.1.1.250.
Another public IP - 1.1.1.100 is available for use.

Here is how you can configure a MIP to a single IP, and how to configure a policy to permit ANY host from the Untrust zone to access the internal host:
CLI:
set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip 1.1.1.250/24
set interface bgroup0 ip 192.168.1.1/24
set interface "ethernet0/0" mip 1.1.1.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"
set policy from "Untrust" to "Trust"  "Any" "MIP(1.1.1.100)" "ANY" permit

WebUI:
  1. Click on Interfaces
  2. Select the e0/0 Interface
  3. Click on MIP
    You will be at the Network > Interfaces > Edit > MIP > Configuration for interface e0/0
    Enter the following:
    Mapped IP: 1.1.1.100
    Host IP: 192.168.1.100
    Netmask: 255.255.255.255
    Host Virtual Router Name: trust-vr 
  4. Create an incoming policy by going to
    Policy > Policies (From Untrust To Trust)
    Source: Any
    Destination: MIP(1.1.1.100)
    Service: ANY 
    Action: Permit
It is a good idea to start by permitting any service, to confirm that the MIP itself is working, and then restrict the policy to the source networks and services you actually need.


Configuring a MIP to a subnet or multiple internal hosts:
The netmask determines how the mapping is done. With a netmask of 255.255.255.255 the mapping is one-to-one; with any other netmask, a whole range of public addresses is mapped onto the corresponding range of internal addresses.
Example:
To map the public addresses 1.1.1.1--1.1.1.30 to the internal addresses 192.168.1.1--192.168.1.30:
CLI:
set interface "ethernet0/1" mip 1.1.1.0 host 192.168.1.0 netmask 255.255.255.224 vr "trust-vr"
set policy from "Untrust" to "Trust"  "Any" "MIP(1.1.1.0/27)" "ANY" permit

This will result in:
1.1.1.1 maps to 192.168.1.1
1.1.1.2 maps to 192.168.1.2
       ...
       ...
1.1.1.30 maps to 192.168.1.30

Change a MIP

If you have a MIP created and want to change the addresses used in the MIP, it may report that the MIP is 'in use'.  Therefore, perform the following steps to free up the MIP from being 'in use', and make the changes:
  1. Either remove the policy that has the MIP or remove the MIP from the policy (by temporarily changing the MIP address book entry in the policy to another address).
  2. Configure the MIP and make the changes.
  3. Re-add the policy or change the policy back to the MIP.

Key Points:  

Here are some important configuration pointers regarding creating a MIP. If a MIP overlaps with other IP addresses on your network, those hosts may become unreachable.
  • If only one address is needed for a MIP, use a netmask of 255.255.255.255. Example: defining 1.1.1.65/255.255.255.255 as a MIP maps one public address to one host address. Do not set the netmask equal to the subnet mask of the Untrust interface IP address: the Juniper firewall answers ARP requests for every address in the subnet the MIP covers. If the Untrust IP address is 1.1.1.66/255.255.255.248 and the gateway is 1.1.1.67 in the above example, both of those addresses fall inside that netmask, and the MIP will break normal traffic.
  • Make sure the combination of the MIP address and netmask does not include the Untrust interface IP address, the default gateway address, or the address of any other device on that subnet. Example: if the Untrust IP address is 1.1.1.250/255.255.255.0 and the gateway is 1.1.1.251, then a MIP configured as 1.1.1.5 netmask 255.255.255.248 is an acceptable configuration, because it does not include or overlap the Untrust IP or the gateway IP address.
  • In ScreenOS 6.0 and below, a MIP supports a public address in a different network than that of the ingress interface only if the ingress interface is in the Untrust zone. In all other zones, MIPs must be in the same network as the IP address of the interface on which they live. In ScreenOS 6.1 and above, a MIP supports a public address in a different network than that of the ingress interface in any zone.
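The two rules above (a subnet MIP maps public and private ranges address-for-address, and the MIP block must not swallow the Untrust interface IP or the gateway) are easy to get wrong by hand. The following Python script is an added example, not part of the original post and not Juniper code: it expands a MIP address/netmask pair into the individual mappings the firewall will perform, checks the block against the Untrust interface and gateway addresses, and renders the MIP(...) address-book name the policy refers to. All addresses are the constructed ones from the post's own examples; the function names and the helper `_mip_network` are this example's own.

```python
import ipaddress

# Constructed values taken from the post's examples (not a live network).
UNTRUST_IP = "1.1.1.250"
GATEWAY_IP = "1.1.1.251"


def _mip_network(address, netmask):
    """Block covered by a MIP address + netmask, e.g. 1.1.1.0/255.255.255.224 -> 1.1.1.0/27."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def mip_mappings(mip_address, host_address, netmask):
    """Expand a MIP into (public, private) address pairs.

    A 255.255.255.255 netmask yields exactly one pair. For a wider netmask the
    public block and the private block are walked in lock-step, skipping the
    network and broadcast addresses, which matches the 1.1.1.1 .. 1.1.1.30
    range the post lists for a /27 MIP.
    """
    public = _mip_network(mip_address, netmask)
    private = _mip_network(host_address, netmask)
    if public.prefixlen >= 31:  # /31 and /32 have no network/broadcast address to skip
        pub_iter, priv_iter = iter(public), iter(private)
    else:
        pub_iter, priv_iter = public.hosts(), private.hosts()
    return [(str(p), str(h)) for p, h in zip(pub_iter, priv_iter)]


def mip_conflicts(mip_address, netmask, untrust_ip, gateway_ip, other_hosts=()):
    """Addresses on the Untrust subnet that the MIP block would claim.

    The firewall answers ARP for every address inside the MIP block, so the
    block must not contain the Untrust interface IP, the default gateway, or
    any other host on that subnet. Returns an empty list when the MIP is safe.
    """
    block = _mip_network(mip_address, netmask)
    candidates = [("untrust interface", untrust_ip), ("default gateway", gateway_ip)]
    candidates += [("other host", ip) for ip in other_hosts]
    return [f"{label} {ip}" for label, ip in candidates
            if ipaddress.ip_address(ip) in block]


def policy_destination(mip_address, netmask):
    """Address-book name used in the policy: MIP(a.b.c.d) for a single host,
    MIP(a.b.c.d/len) for a block, following the two forms shown in the post."""
    block = _mip_network(mip_address, netmask)
    if block.prefixlen == 32:
        return f"MIP({mip_address})"
    return f"MIP({block.with_prefixlen})"


if __name__ == "__main__":
    # Single-host MIP from the first example in the post.
    for pub, priv in mip_mappings("1.1.1.100", "192.168.1.100", "255.255.255.255"):
        print(f"{pub} maps to {priv}")
    print("policy destination:", policy_destination("1.1.1.100", "255.255.255.255"))

    # Subnet MIP from the second example in the post.
    pairs = mip_mappings("1.1.1.0", "192.168.1.0", "255.255.255.224")
    print(f"{len(pairs)} mappings, first {pairs[0]}, last {pairs[-1]}")
    print("policy destination:", policy_destination("1.1.1.0", "255.255.255.224"))

    # The bad and good configurations from the Key Points.
    print("bad :", mip_conflicts("1.1.1.65", "255.255.255.248", "1.1.1.66", "1.1.1.67"))
    print("good:", mip_conflicts("1.1.1.5", "255.255.255.248", UNTRUST_IP, GATEWAY_IP))
```

Run it before committing a subnet MIP: if `mip_conflicts` returns anything, the netmask is too wide for the public block you have, and the firewall would start answering ARP for your own gateway.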

Troubleshooting TIPS - Unable to pass traffic to a MIP:

When configuring a MIP, the virtual router that the MIP host resides in plays an important role. If the wrong virtual router (VR) is specified, traffic may not pass correctly. For example, if the MIP private host resides in the DMZ zone, which is in the untrust-vr, be sure to specify untrust-vr in the configuration of the MIP.
  • If a MIP is unreachable from the Internet, the next-hop gateway router from the Juniper firewall may have no ARP entry for the MIP address, or may still have the MIP address cached against a different (stale) MAC address. Two methods can be employed to correct this:
    1. If you have management access to the next-hop router from the Juniper firewall, clear the ARP cache on the router. Then attempt to ping the MIP address again to get the ARP table entry updated on the router.

      OR
    2. Swap the MIP and Untrust interface IP address temporarily, and ping the gateway address from the Juniper Untrust interface until the router answers back. This is simply a creative way to update the ARP table on the next-hop gateway router without logging into it.

      Save the current configuration and then do the following steps to swap the MIP and Untrust IP temporarily:
      a) Remove the incoming MIP policy.
      b) Delete the MIP.
      c) Change the Untrust IP address to the MIP address.
      d) Ping the Untrust interface's default gateway IP address from any device on the Trust LAN until the pings are answered. Again, steps a) to d) are a work-around for getting the next-hop gateway router's ARP table updated.
      e) When the next-hop gateway router can reach the MIP address, switch the configuration back to the original configuration (before step a).
  • If you do not explicitly permit ping on the private host, you will not be able to ping the MIP. The Juniper firewall does not answer pings to the MIP address itself; they are passed on to the server, and the replies are passed back.
