Juniper Firewall Port Mapping (MIP, VIP)

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1. Juniper Firewall MIP

MIP is a one-to-one, two-way address translation. The usual situation is this: you have several public IP addresses and a number of servers that provide network services on private IP addresses. To let Internet users reach these servers, you create a one-to-one mapping (MIP) between a public IP address and each server's private IP address on the firewall at the Internet exit, and then control access to the services the server provides through policies.

Configure MIP under web:

1) Log in to the firewall and deploy it in Layer 3 mode (NAT or route mode)

2) define MIP: Network => Interface => ethernet2 => MIP, and configure the address mapping that implements the MIP. Mapped IP: the public IP address; Host IP: the private IP address of the server

3) define policies: under POLICY, configure an access control policy from outside to inside that allows the external network to reach the internal server's applications.

Configure MIP on the command line:

1) configure interface parameters

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 zone untrust
set interface ethernet2 ip 1.1.1.1/24

2) define MIP (one command; the virtual router name belongs on the same line)

set interface ethernet2 mip 1.1.1.5 host 10.1.1.5 netmask 255.255.255.255 vrouter trust-vr

3) define policies

set policy from untrust to trust any mip(1.1.1.5) http permit
save

2. Juniper Firewall VIP configuration

MIP maps one public IP address to one private IP address, a one-to-one relationship. VIP instead maps different ports of a single public IP address (protocol ports such as 21, 25, 110, and so on) to different service ports on multiple internal private IP addresses. It is typically used where only a few public IP addresses are available but there are many private IP addresses whose servers need to provide a variety of services.

Configure VIP using a web browser:

1) Log in to the firewall and configure it in Layer 3 deployment mode

2) add VIP: Network => Interface => ethernet2 => VIP

If you have multiple public addresses, click Virtual IP Address 192.168.1.1 Add to add the VIP public address, then click New VIP Service to configure the mapping.

Virtual IP: specify the public network IP address

Virtual Port: the port that is reached from the public network. If you specify a custom port such as 6899, you must also allow that port in the policy.

Map to Service: the private network port, which can be a service you define yourself; it must also be permitted in the policy.

Map to IP: the private network address

Server Auto Detection: automatically checks the server. Generally it does not need to be enabled.

3) add an access control policy related to the VIP public network address.

Under Action, select permit and click OK to complete the configuration.

Configure VIP using the command line:

1) configure interface parameters

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2) define VIP (public address, public port, service that names the private port, private host)

set interface ethernet3 vip 1.1.1.10 80 http 10.1.1.10

3) define policies

set policy from untrust to trust any vip(1.1.1.10) http permit
save

3. Why this post was written

Today a server on the private network had to be mapped to the public network for testing. After mapping ports 80 and 8080, a client on the Internet could open the page, but a mobile phone on the 4G network could not. After some investigation it turned out that the telecom operator blocks ports 80 and 8080 on the 4G network, and those ports cannot be opened until a filing record has been completed. There was no way around that, and since this was only a test, the plan became to change the ports: map private port 80 to public port 88 and private port 8080 to public port 8099. After configuring the policy, telnet to the new ports still failed.

After a long search the configuration turned out to still be wrong, and after much trouble the cause was finally found: to map port 80 of the internal network to port 88 of the external network, you first need to create a new port 88 service under Policy > Policy Elements > Services > Custom, then change the external port to 88 (Virtual Port: 88) in the VIP configuration and select http (80) for the internal port. The last step is very important: in the policy, click Multiple to modify the Service, add the custom port 88 service you created, click OK, and you're done. Adding port 8080 works on the same principle, except that the Juniper firewall has no default service for port 8080, so you need to create both the internal port 8080 and the external port you chose as custom services, and then add both to the policy service. It's a small pit, and I hope it helps comrades who run into the same problem later.
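As an added example (not code from the original post or from Juniper), the following Python script generates the ScreenOS-style custom-service, VIP and policy commands from sections 2 and 3 for a list of port mappings, and then checks that every VIP's public port is actually permitted by a policy, which is the step that was missed above. The `set service ... protocol tcp src-port 0-65535 dst-port N-N` syntax, the list of predefined services and the lowercase service names are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed subset of ScreenOS predefined TCP services (port -> object name).
PREDEFINED = {80: "http", 21: "ftp", 25: "smtp", 110: "pop3"}

@dataclass(frozen=True)
class Mapping:
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int

def service_name(port):
    """Predefined object if one exists, else a custom object named tcp<port>."""
    return PREDEFINED.get(port, f"tcp{port}")

def render_vip(maps, iface="ethernet3", zones=("untrust", "trust")):
    """CLI lines for VIP mappings: custom services first (section 3), then each
    VIP and the policy that permits the service of its *public* port."""
    lines, defined = [], set()
    for m in maps:
        for port in (m.public_port, m.private_port):
            if port not in PREDEFINED and port not in defined:
                defined.add(port)  # one custom object per non-default port
                lines.append(f'set service "{service_name(port)}" protocol tcp '
                             f'src-port 0-65535 dst-port {port}-{port}')  # assumed syntax
    for m in maps:
        lines.append(f'set interface {iface} vip {m.public_ip} {m.public_port} '
                     f'"{service_name(m.private_port)}" {m.private_ip}')
        lines.append(f'set policy from {zones[0]} to {zones[1]} any '
                     f'vip({m.public_ip}) "{service_name(m.public_port)}" permit')
    return lines + ["save"]

VIP_RE = re.compile(r'^set interface \S+ vip (\S+) (\d+) "?([^" ]+)"? (\S+)$')
POL_RE = re.compile(r'^set policy from \S+ to \S+ \S+ vip\s?\((\S+)\) "?([^" ]+)"? permit$')

def unpermitted_vips(lines):
    """Return (public_ip, public_port) pairs that have a VIP but no policy
    permitting the service object for that public port (the 'small pit')."""
    permitted = {POL_RE.match(l).groups() for l in lines if POL_RE.match(l)}
    missing = []
    for l in lines:
        m = VIP_RE.match(l)
        if m and (m.group(1), service_name(int(m.group(2)))) not in permitted:
            missing.append((m.group(1), int(m.group(2))))
    return missing

# Constructed mappings from section 3: 88 -> 80 and 8099 -> 8080 behind 1.1.1.10.
EXAMPLE = [Mapping("1.1.1.10", 88, "10.1.1.10", 80),
           Mapping("1.1.1.10", 8099, "10.1.1.10", 8080)]

if __name__ == "__main__":
    print("\n".join(render_vip(EXAMPLE)))
```

Running `unpermitted_vips` over a config that permits `http` instead of the custom port 88 service reports the VIP on port 88 as unreachable, which is exactly the symptom the telnet test showed.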
