Juniper ScreenOS NAT Overview: MIP DIP VIP

MIP DIP VIP. I am sometimes confused with the NAT names of the Juniper ScreenOS devices. Therefore, I drew a small figure with a few basic examples for these NAT types.

Note that this figure does not cover all possible scenarios, but only the most common ones. E.g., I have never used the destination NAT inside a security policy, thereby it is now shown here.

Juniper ScreenOS MIP DIP VIP

Or download it as PDF:



Featured image “Monreal” by onnola is licensed under CC BY-SA 2.0.

6 thoughts on “Juniper ScreenOS NAT Overview: MIP DIP VIP

  1. Great article. I’m sometimes confused myself. I use mip and vip. Never used dip before. In what situation would dip be used?

    1. DIP is used when you have multiple untrust IP address and want to use them all for outgoing connections. E.g., when your single interface IP address does not fit due to too many connections.
      Thanks for the hint. I updated the figure slightly.

  2. I want to know please what’s the equivalent of the MIP in the Fortigate technologies .

  3. @Johannes , thank you for your replay, can you please convert this configuration from juniper netscreen to fortigate .
    */ set interface “ethernet2/2.300” tag 300 zone “X”
    set interface ethernet2/2.300 ip

    */ set interface “ethernet2/1.150” tag 150 zone “INTERNET”
    set interface ethernet2/1.150 ip

    set interface “ethernet2/2.300” mip host netmask vr “internet-vr”

    set policy id 1 from “X” to “INTERNET” “G_X” “MIP(” “HTTP” nat src permit log
    set policy id 1
    set service “HTTP_8180”
    set service “ICMP-ANY”
    MIP( to VIP fortigate .
    External IP address/range :
    Map to IPv4 address/range :
    it’s right, it’s OK ?

Leave a Reply

Your email address will not be published. Required fields are marked *