A Juniper firewall acts as a network checkpoint: besides controlling intranet users' access to outside networks, it can also control access from outside into the internal network. If intranet servers need to publish services to the external network, the Juniper firewall's address-mapping function is required. The two most commonly used methods, MIP and VIP, are described below.
Juniper Firewall MIP Configuration
MIP (Mapped IP) is a one-to-one, two-way address translation.
Typically, you have several public IP addresses and several servers that provide network services externally. To let Internet users reach these servers, a one-to-one mapping (MIP) between a public IP address and a server's private IP address can be established on the firewall at the Internet exit, and access to the services the servers provide is controlled through policy.
Under Network => Interface, select the Untrust interface, click Edit, then click MIP on the edit page
Select "New" in the upper-right corner
Mapped IP: Public network IP Address
Host IP: Intranet server IP Address
In Policy, configure an inbound access control policy that allows access from the external network to the application on the internal server.
For the Untrust side, select Any as the source address
For the Trust side, select the MIP just created as the destination address
For Action, select Permit
That completes a simple MIP: when the MIP's public IP is accessed, the firewall automatically maps the traffic to the intranet server IP designated in the MIP.
Juniper Firewall VIP Configuration
A MIP maps one public IP address to one private IP address, a one-to-one relationship. A VIP maps different ports of one public IP address (protocol ports such as 23, 80, 110) to different service ports on multiple internal private IP addresses. It is typically used when there are few public IP addresses but multiple servers with private IP addresses that must provide a variety of services externally.
Under Network => Interface, select the Untrust interface, click Edit, then click VIP on the edit page
Same as the interface IP address: if you have only one public IP address, this is the only option you can choose. Note that ports 80, 23 and 443 on this IP go to the firewall itself by default; to map these ports to an intranet server, you must change the firewall's management ports to free them up.
In addition, some older firewalls, such as the NetScreen NS-204 and above, do not have this option.
Virtual IP Address: if your company has more budget and many public IPs, you can enter one of them here.
Click "New VIP Services" to create a VIP map
Virtual Port is the port accessed from the external network; any value can be used as long as it does not conflict with another one
Map to Service is the port number of the intranet service and can be customized
Leaving Server Auto Detection unchecked is recommended; otherwise errors are more likely.
Finally, create a policy that allows the external network to access the server behind the VIP
The source address on the Untrust side is Any
The destination address on the Trust side is the newly created VIP
Action is Permit
That completes a simple VIP: when the VIP's public IP and port number are accessed, the firewall automatically maps the traffic to the intranet server IP designated in the VIP.
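Both walkthroughs end with a permit policy whose source is Any, so it is worth checking an exported configuration for what those policies actually expose. The script below is an added example, not part of the original article: it lists MIP/VIP mappings and flags inbound policies that permit any service or are not logged, plus VIPs on the default management ports 23, 80 and 443. The configuration lines are constructed and their syntax is an assumption modelled on ScreenOS saved-config output; audit() is a hypothetical helper name.

```python
import shlex

# Constructed sample, modelled on ScreenOS saved-config lines (assumed syntax);
# addresses come from documentation ranges.
SAMPLE_CONFIG = """\
set interface "ethernet0/0" mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" vip 203.0.113.20 8080 "HTTP" 192.168.1.20
set interface "ethernet0/0" vip 203.0.113.20 443 "HTTPS" 192.168.1.21
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "Any" "VIP(203.0.113.20)" "HTTP" permit log
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
"""

MGMT_PORTS = {23, 80, 443}  # ports the article says go to the firewall itself by default


def audit(config_text):
    """Return (mappings, findings) for MIP/VIP entries and the policies exposing them."""
    mappings, findings = [], []
    for line in config_text.splitlines():
        tok = shlex.split(line)  # strips the quotes placed around names
        if tok[:2] == ["set", "interface"] and len(tok) >= 7 and tok[3] == "mip":
            # set interface <if> mip <public> host <private> ...
            mappings.append(("MIP", tok[4], None, tok[6]))
        elif tok[:2] == ["set", "interface"] and len(tok) >= 8 and tok[3] == "vip":
            # set interface <if> vip <public> <virtual-port> <service> <private>
            port = int(tok[5])
            mappings.append(("VIP", tok[4], port, tok[7]))
            if port in MGMT_PORTS:
                findings.append(f"VIP {tok[4]}:{port} is a default management port; "
                                "move firewall management first if this is the interface IP")
        elif tok[:3] == ["set", "policy", "id"] and len(tok) >= 12 and tok[11] == "permit":
            # set policy id <n> from <zone> to <zone> <src> <dst> <service> permit
            src, dst, svc = tok[8:11]
            if dst.startswith(("MIP(", "VIP(")) and src.lower() == "any":
                if svc.lower() == "any":
                    findings.append(f"policy {tok[3]}: any source, any service to {dst}")
                if "log" not in tok[12:]:
                    findings.append(f"policy {tok[3]}: permit to {dst} is not logged")
    return mappings, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print(finding)
```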
This article is from the "Operation and maintenance work Struggle" blog; please be sure to retain this source: http://yanghuawu.blog.51cto.com/2638960/662452