MIP DIP VIP. I am sometimes confused by the NAT names of the Juniper ScreenOS devices. Therefore, I drew a small figure with a few basic examples for these NAT types.
Note that this figure does not cover all possible scenarios, but only the most common ones. E.g., I have never used the destination NAT inside a security policy, therefore it is not shown here.
Or download it as PDF:
Links
- Fir3net: Juniper Netscreen – NAT Explained
- Juniper: [ScreenOS] Resolution Guide – ScreenOS – Configure NAT
Great article. I’m sometimes confused myself. I use mip and vip. Never used dip before. In what situation would dip be used?
DIP is used when you have multiple untrust IP addresses and want to use them all for outgoing connections. E.g., when your single interface IP address does not fit due to too many connections.
Thanks for the hint. I updated the figure slightly.
I want to know, please, what's the equivalent of the MIP in the FortiGate technologies.
You need VIP (for incoming) & IP Pool (for outgoing) for this.
@Johannes, thank you for your reply. Can you please convert this configuration from Juniper NetScreen to FortiGate?
*/ set interface "ethernet2/2.300" tag 300 zone "X"
set interface ethernet2/2.300 ip 10.212.32.1/24
*/ set interface "ethernet2/1.150" tag 150 zone "INTERNET"
set interface ethernet2/1.150 ip 212.198.4.106/29
set interface "ethernet2/2.300" mip 10.212.32.140 host 193.164.150.171 netmask 255.255.255.255 vr "internet-vr"
set policy id 1 from "X" to "INTERNET" "G_X" "MIP(10.212.32.140)" "HTTP" nat src permit log
set policy id 1
set service "HTTP_8180"
set service "ICMP-ANY"
exit
MIP(10.212.32.140) to VIP FortiGate.
External IP address/range : 193.164.150.171
Map to IPv4 address/range : 10.212.32.140
Is it right? Is it OK?
Hey MIDO90. I challenge you to try it by yourself. ;) Please make a drawing of it and try to understand the old concept of ScreenOS and transition it from there to FortiGates.
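As an added example that is not part of the original post or its comments: in a ScreenOS `set interface ... mip A host B` line, A is the address traffic is sent to and B is the real host it is translated to, and a FortiOS VIP expresses the same pair as `extip` and `mappedip`. The sketch below parses MIP lines like the one quoted above and renders that mapping. The VIP name and the `port1` interface are placeholders (assumptions), and only /32 MIPs are handled.

```python
import ipaddress
import re

# ScreenOS: set interface <if> mip <mip-ip> host <host-ip> netmask <mask> [vr <vr>]
MIP_RE = re.compile(
    r'^\s*set interface\s+"?(?P<iface>[^"\s]+)"?\s+mip\s+(?P<mip>\S+)'
    r'\s+host\s+(?P<host>\S+)\s+netmask\s+(?P<mask>\S+)'
    r'(?:\s+vr\s+"?(?P<vr>[^"\s]+)"?)?\s*$'
)

def parse_mips(config):
    """Return one dict per MIP definition found in a ScreenOS config."""
    mips = []
    for line in config.splitlines():
        # Web pages often turn straight quotes into curly ones; undo that.
        line = line.replace("\u201c", '"').replace("\u201d", '"')
        m = MIP_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        ipaddress.ip_address(entry["mip"])   # raises ValueError if malformed
        ipaddress.ip_address(entry["host"])
        mips.append(entry)
    return mips

def to_fortios_vip(mip, extintf="port1"):
    """Render a one-to-one MIP as a FortiOS VIP (extintf is a placeholder)."""
    if mip["mask"] != "255.255.255.255":
        raise ValueError("only /32 MIPs are handled in this example")
    return "\n".join([
        "config firewall vip",
        f'    edit "MIP_{mip["mip"]}"',
        f'        set extintf "{extintf}"',
        f'        set extip {mip["mip"]}',         # address the clients connect to
        f'        set mappedip "{mip["host"]}"',   # real host behind the NAT
        "    next",
        "end",
    ])

# Sample input: lines taken from the configuration quoted in the comments.
SAMPLE = '''
set interface ethernet2/2.300 ip 10.212.32.1/24
set interface "ethernet2/2.300" mip 10.212.32.140 host 193.164.150.171 netmask 255.255.255.255 vr "internet-vr"
'''

if __name__ == "__main__":
    for entry in parse_mips(SAMPLE):
        print(to_fortios_vip(entry))
```
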