It has been a few years since I looked at a Juniper box. But, I think by VIP you mean that you would like to add an additional IP address to your Firewall (probably on the external/public side, I'm guessing) so that you can then allow inbound services to use this address.
On MFE, these are added to the interface. Go to Network -> Interfaces. Double-click on the interface you'd like to modify and in the resulting pop-up configuration screen look in the lower left-hand corner. Here you will see where the primary IP address has been configured. There is a small toolbar directly above. Click on the green "+" button and a blank "alias" address entry will appear below the primary address.
Replace the x.x.x.x with the alias IP address you'd like to add to the box along with the correct subnet mask.
Click OK and apply the changes. Your Firewall will now have this new IP address assigned to the selected interface.
So that you can use this IP address in an access rule, you will also need to create an "IP Address" network object. But once you have done that you will then be able to create access rules to use this new address.
Hope that helps.
It means: from outside of the firewall, make a connection to the Firewall IP, then the firewall redirects the user to an internal host. I try to make a rule for it, but it won't work!
That is exactly what it is for.
The main difference between MIPs & VIPs on Juniper and the method used by MFE is that Juniper uses the MIP or VIP definition to establish the relationship between the public/external IP address and the IP address of the internal host you want people to access. In MFE this is done in the access rule (using the Redirect Host value).
Step 1 - Create the alias IP address on the external interface (as explained in my previous post)
Step 2 - Go to the Network Objects screen and create IP address objects for the external alias address and the host on the internal side.
Step 3 - Create the access control rule.
For inbound rules, where the connection is going to cross a NAT boundary, the source and destination burb (or zone, if you are using v8) values must both be set to your "external" burb/zone. You then select the network object for the external alias as the destination endpoint value and select the network object for the internal host in the "Redirect Host" field just below it. Of course, the rule is configured to use the service or service group which represents the ports/protocols you wish to allow through.
The only other decision you need to make concerns the NAT value. If you set the NAT value to 'localhost', when the traffic reaches the destination host it will appear to have come directly from the Firewall. Change this value to 'none' and the original source IP address will be preserved.
That should work just fine.
If you are still having problems maybe you can send over some screenshots.