Hoss | 7 Sep 2007 15:57

DIP vs MIP


Hello all,
I am new to Netscreen firewalls. I would like to know: if I have a server
behind the firewall with 10.1.1.10 and would like to NAT it to a single public IP
address, what do I need to do?
If I have a network of 10.1.1.0 and would like to NAT the whole network to a
single public IP address, what do I need to do?
In Checkpoint we do static NAT for the servers and hide NAT for the whole
network; what is the case for Netscreen?
Thanks,
Sam

pkc_mls | 7 Sep 2007 16:35

Re: DIP vs MIP

Hoss wrote:
> Hello all,
>   
Hello,
> I am new to Netscreen firewalls, I would like to know If I have a server
> behind fw with 10.1.1.10 and would like to do NAT to a single Public IP
> address, what do I need to do?
>   
It depends whether the server only needs to receive connections from the
Internet or needs to send and receive.
You can use a VIP or nat-dst in the first case, and a MIP in the second case.
> If I have a network of 10.1.1.0 and would like to NAT the whole network to a
> single Public IP address what I need to do?
>   
If the public interface is in the untrust zone (or "Untrust" on a small device),
you can set the internal interface in NAT mode and every communication that
goes out will be automatically NATed.
This is the default mode for the trust interface on a small device, or eth1.
> in Checkpoint we do static NAT for the servers and hid NAT for the whole
> network, what is the case for Netscreen?
>   
The names aren't the same, but the functionalities are also available
on Netscreen.
> thanks,
> Sam
>   

Groshong, Christopher | 7 Sep 2007 16:30

Re: DIP vs MIP

Use a MIP for 1-to-1 mapping.

For outbound translation you can go to the Advanced tab of the policy and select
'Source Translation' and use the default (None - use egress interface IP)
to go out as the interface IP, or you can put in a DIP address depending
on your specific needs (add DIPs and MIPs on the Interfaces tab under
Network settings). Make sure the interfaces are in Route mode.

Documentation links, very good with examples.
ScreenOS 6.0
http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/index.html

ScreenOS 5.4
http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/index.html


Pavel Lunin | 7 Sep 2007 16:37

Re: DIP vs MIP

Hi!

Hoss wrote:
> Hello all,
> I am new to Netscreen firewalls, I would like to know If I have a server
> behind fw with 10.1.1.10 and would like to do NAT to a single Public IP
> address, what do I need to do?
>   
First, you gotta read this :)))
http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/index.html
> If I have a network of 10.1.1.0 and would like to NAT the whole network to a
> single Public IP address what I need to do?
> in Checkpoint we do static NAT for the servers and hid NAT for the whole
> network, what is the case for Netscreen?
MIP for static NAT
VIP for static PAT

Policy based NAT for whatever NAT may be needed in the world :)
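To make the three answers above concrete, here is an added ScreenOS CLI example (not from any poster in this thread) covering both of Sam's cases: a MIP for the single server, a VIP as the inbound-only alternative, and interface NAT mode or a one-address DIP for the whole subnet. It assumes ethernet1/ethernet3 as the trust/untrust interfaces and uses 203.0.113.0/24 documentation addresses as placeholders for the real public IPs; the `#` lines are annotations only, since the ScreenOS CLI has no comment syntax, and must be dropped before pasting.

```screenos
# Added example. ethernet1 = trust (inside), ethernet3 = untrust (outside).
# 203.0.113.x addresses are documentation-range placeholders for the public IPs.
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.1/24
set address trust "lan-10.1.1.0" 10.1.1.0 255.255.255.0

# Case 1: server 10.1.1.10 must accept inbound sessions AND open its own
# outbound ones -> MIP, a bidirectional 1:1 static mapping (Checkpoint "static NAT").
set interface ethernet3 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any MIP(203.0.113.10) HTTP permit
set policy from untrust to trust any MIP(203.0.113.10) HTTPS permit

# Case 1 alternative: inbound only, one service -> VIP (static PAT).
# Bind it to its own address; the form that reuses the untrust interface IP
# (set interface ethernet3 vip interface-ip 80 HTTP 10.1.1.10) is the one
# the thread reports as broken for ports 80/443 on 6.0r2.
set interface ethernet3 vip 203.0.113.11 80 HTTP 10.1.1.10
set policy from untrust to trust any VIP(203.0.113.11) HTTP permit

# Case 2: hide all of 10.1.1.0/24 behind one public address (Checkpoint "hide NAT").
# Option A: NAT mode on the inside interface; everything towards untrust is
# translated to the egress interface IP with no per-policy NAT setting.
set interface ethernet1 nat
set policy from trust to untrust "lan-10.1.1.0" any any permit

# Option B (mutually exclusive with A): inside interface in route mode and
# policy-based source NAT to a DIP pool that holds exactly one address.
set interface ethernet1 route
set interface ethernet3 dip 4 203.0.113.20 203.0.113.20
set policy from trust to untrust "lan-10.1.1.0" any any nat src dip-id 4 permit

# Verify the translations are installed and that sessions use them.
get mip
get vip
get dip
get session src-ip 10.1.1.10
```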

Troy Coulombe | 7 Sep 2007 18:42

ISG & 6.x code

Just doing a little _extra_ bit of r&d:::

Anyone out there using 6.x code on an ISG 1000 [or 2000]?? Any issues? Any gotchas in the upgrade, etc? [going from 5.3 --> 6.0.r2]

Many Thanks,

--

TroyC

 

The information contained in this message may be privileged and/or confidential. If you are not the intended recipient, or responsible for delivering this message to the intended recipient, any review, forwarding, dissemination, distribution or copying of this communication or any attachment(s) is strictly prohibited. If you have received this message in error, please so notify the sender immediately, and delete it and all attachments from your computer and network.

Troy Coulombe | 10 Sep 2007 18:24

Re: [SPAM] - ISG & 6.x code - Email found in subject

Many thanks for the 411... Luckily we don't use the "untrust" IF; every
interface gets its own unique zone -- this has its own gotchas [such as
how MIPs/VIPs work in general].

--
TroyC
!!NEW!!  c: 206.963.8108
d: 206.792.2356
-----Original Message-----
From: Jason Brown [mailto:jason <at> browns.id.au] 
Sent: Sunday, September 09, 2007 3:23 AM
To: Troy Coulombe
Subject: RE: [SPAM] - [nn] ISG & 6.x code - Email found in subject

Little gotcha in 6.0r2.

There is a bug: if you try to forward ports 80 and/or 443 using a
VIP on the untrust IF, it will not work. Even changing to the management
ports will not fix it. We have found this on many SSG/ISG so far. 6.0r1
does not have this issue. We have logged it with JTAC, but as yet there is no fix.
Our local Juniper SE has also found the same issue.

This is not applicable to MIPs etc., just a VIP using the untrust IF IP
address.



Dale Shaw | 11 Sep 2007 07:26

NetScreen 5000 Integrated IPS

Hi all,

I'm looking for "real" info on the functionality and performance of
the "Integrated IPS (Deep Inspection)" feature available as an option
on the NetScreen 5000 platform.

The data sheet says: "Prevents application level attacks from flooding
the network using a combination of stateful signatures and protocol
anomaly detection mechanisms. IPS is annually licensed."

To remove any doubt, I'm talking about the NS-DI-5400 and NS-DI-5400-R
parts (annual subscription).

I suppose I'm after the cold hard reality of this feature. What impact
does it have on forwarding performance? How "rich" is the feature set
enabled by this license over and above what the device can do without
it? How does it compare to, say, the IDP1100 device?

How are the signatures updated? (HTTP? is use of a proxy supported?
use of a proxy that requires authentication?)

I'm just trying to figure out if it's worth it. I need to deploy a
high-throughput firewall solution and, ideally, line-rate intrusion
prevention (I'm looking at feeding the NS-5400s with 10-gig interfaces,
and Juniper don't currently have an IDP box that does 10-gig).

cheers,
Dale
dan | 11 Sep 2007 07:29

Re: [SPAM] - ISG & 6.x code - Email found in subject

Hi,

Had the same issue and logged a case with Juniper. I was supplied ScreenOS
patch 6.0.0h2.0, which has resolved the problem.

Dale Shaw | 11 Sep 2007 08:47

Re: NetScreen 5000 Integrated IPS

G'day Joris,

I've received conflicting information regarding the ISG 2000 and the
ability to stack up IDP cards.

One person from Juniper told me you can add three and get up to 6Gbps
throughput. Another person told me you get 2Gbps max irrespective of
the number of cards, and that multiple units is the only way to get
more throughput.

I was also told that the ISG2000 has a 4Gbps box/ASIC limit.

In the end, given all the conflicting advice and lack of good info
available online, I decided the NS5000 was a better firewall platform
for me now, and that I'd leave IDS/IPS as an option.

I acknowledge that the DI feature is software-based. I hoped there was
some good anecdotal information out there about its impact on
performance.

cheers,
Dale

On 9/11/07, Van Deuren, Joris <joris.van_deuren <at> nsn.com> wrote:
> Hi Dale,
>
> I think you better take an ISG 2000 with 3 security modules (IDP cards).
>
> Using the ISG 2000, Juniper states that you'll have 2Gig throughput.
> I think the DI feature in the 5400 is just a software feature.
> I believe it will degrade your firewall performance by 50% or more
> depending on what you activate.
>
>
> Greetings
> Joris
>
