Example: Configuring DIP Groups (NSM Procedure)

Use a DIP group to combine two DIP pools for two security devices that are in an active/active NSRP configuration. When specifying the NAT settings in the rule options for a Security Policy rule, you can select a DIP group instead of a single DIP pool.

Selecting a DIP group in the policy enables NAT using the DIP pool that exists on either device in the HA configuration. Typically, two security devices in an active/active configuration share the same configuration, and both devices process traffic simultaneously. When you define a policy to perform NAT using a DIP pool located on one VSI, that VSI is active only on the device acting as the primary device of the VSD group to which the VSI is bound; any traffic sent to the other device—the one acting as the backup of that VSD group—cannot use that DIP pool and is dropped. To solve this problem, you can create two DIP pools—one on the Untrust zone VSI for each VSD group—and combine the two DIP pools into one DIP group, which you reference in the policy. Each VSI uses its own DIP pool even though the policy specifies the DIP group.

If you do not use a DIP group, the security device that acts as the backup of a VSD group cannot use a DIP pool located on the VSI of the primary of that VSD group. For more details about DIP groups on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.

In this example, you configure a DIP group that includes the DIP pools of two security devices in an active/active NSRP configuration. By combining the DIP pools located on both Untrust zone VSIs (for VSD groups 0 and 1) into one DIP group, Devices A and B can both process traffic matching policy “out-nat,” which references not an interface-specific DIP pool but the shared DIP group.

To configure a DIP group:

  1. Create the cluster.

    In the navigation tree, select Device Manager > Devices. Click the Add icon and select Cluster. Configure the cluster as follows:

    • Add the following two cluster members to the cluster: NS-208 A, NS-208 B. Choose Model when adding each device.
  2. Configure the untrust interface for VSD group 0:
    • In the cluster navigation tree, select Network > Interface.
    • Double-click ethernet3 (untrust interface on the NS-208 A). The General Properties screen appears.
    • Configure the IP address as 1.1.1.1 and the Netmask as 24. Leave all other settings as default.
  3. Select NAT > DIP to display the Dynamic IP dialog box, then configure the following options and click OK:
  4. Enter the DIP ID.
  5. Add multiple DIP ranges for a particular DIP ID:
    • Select the Multiple DIP Range check box.
    • Click the Add icon to display the New MultiRange of DIP dialog box.
    • Enter the identification range for Range ID.
    • For Lower IP, enter the same IP address as the subnet interface IP address.
    • For Upper IP, enter the same IP address as the subnet interface IP address.
  6. For Start, enter 1.1.1.20.
  7. For End, enter 1.1.1.29.
  8. For Shift From, enter 1.1.1.30.
  9. Select the Fixed Port check box.

    Note: Fixed Port is enabled by default when adding multiple DIP ranges for a DIP ID.

  10. For Extended IP, enter 211.10.1.10.
  11. For Netmask, enter 24.
  12. Select Incoming NAT.
  13. Configure the trust interface for VSD group 0:
    • In the cluster navigation tree, select Network > Interface.
    • Double-click ethernet1 (trust interface on the NS-208 A). The General Properties screen appears.
    • Configure the IP address as 10.1.1.1 and the Netmask as 24. Leave all other settings as default.
  14. Click OK to save your changes.
  15. Configure the untrust interface for VSD group 1:
    • In the cluster navigation tree, select Network > Interface.
    • Right-click ethernet3 and select New > VSI.
    • Configure the IP address as 1.1.1.2 and the Netmask as 24. Leave all other settings as default.
  16. Select NAT > DIP to display the Dynamic IP dialog box, then configure the following options and click OK:
  17. Enter the DIP ID.
  18. Add multiple DIP ranges for a particular DIP ID:
    • Select the Multiple DIP Range check box.
    • Click the Add icon to display the New MultiRange of DIP dialog box.
    • Enter the identification range for Range ID.
    • For Lower IP, enter the same IP address as the subnet interface IP address.
    • For Upper IP, enter the same IP address as the subnet interface IP address.
  19. For Start, enter 1.1.1.30.
  20. For End, enter 1.1.1.39.
  21. For Shift From, enter 1.1.1.20.
  22. Select the Fixed Port check box.

    Note: Fixed Port is enabled by default when adding multiple DIP ranges for a DIP ID.

  23. For Extended IP, enter 211.10.1.10.
  24. For Netmask, enter 24.
  25. Select Incoming NAT.
  26. Click OK to save your changes.
  27. Configure the trust interface for VSD group 1:
    • In the cluster navigation tree, select Network > Interface.
    • Right-click ethernet1 and select New > VSI.
    • Configure the IP address as 10.1.1.2 and the Netmask as 24. Leave all other settings as default.
  28. Click OK to save your changes.
  29. Create the DIP group:
    • In the cluster navigation tree, select Network > DIP Group.
    • Click the Add icon in the DIP Group configuration screen. The Dynamic IP dialog box appears.
    • Configure the DIP Group Name as 7, and select DIP members 5 and 6.
    • Click OK to close the Dynamic IP dialog box, and then click OK to save your changes.
  30. Enable DIP Translation Stickiness so that the device assigns the same IP address from a DIP pool to a host for multiple concurrent sessions:
    • In the cluster navigation tree, select Network > Advanced > DIP.
    • Select DIP Translation Stickiness.
    • Click OK to save your changes.
  31. Create a Global DIP to reference the DIP group for the cluster. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the DIP pool or DIP group of an individual device or cluster, so one object (the Global DIP object) can represent multiple DIP pools or DIP groups in a single rule.
    • In the navigation tree, select Object Manager > NAT Objects > DIP.
    • Click the Add icon to display the New Global DIP dialog box.
    • Configure the Global DIP.
    • Click OK to save your changes.
  32. Configure a firewall rule to use the Global DIP object for NAT translation.
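The behaviour the DIP group buys you in this procedure (a policy that references the group resolves to whichever member pool is active on the local device, while a single pool is unusable on the backup of its VSD group) and the effect of DIP Translation Stickiness, as a small model added here; it is not NSM or ScreenOS code. Pool IDs 5 and 6, group 7 and the address ranges are the procedure's values; the device names, the `primary_for` state and the helper functions are assumptions of the model.

```python
# Added model of DIP pool/group resolution on an active/active NSRP pair.
# Not NSM or ScreenOS code: the Device state and helper functions are assumed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address

@dataclass
class DipPool:
    dip_id: int
    vsd_group: int            # VSD group whose Untrust-zone VSI holds this pool
    start: IPv4Address
    end: IPv4Address

@dataclass
class Device:
    name: str
    primary_for: set          # VSD groups this device is currently primary for
    sticky: dict = field(default_factory=dict)  # pool id -> {host: translated IP}

# Values from the procedure: pools 5 and 6 are the members of DIP group 7.
POOLS = {
    5: DipPool(5, 0, IPv4Address("1.1.1.20"), IPv4Address("1.1.1.29")),
    6: DipPool(6, 1, IPv4Address("1.1.1.30"), IPv4Address("1.1.1.39")),
}
GROUPS = {7: [5, 6]}

def resolve_pool(device, dip_ref):
    """Pool usable on `device` for a policy's DIP reference, or None."""
    members = GROUPS.get(dip_ref, [dip_ref])   # a bare pool id is a 1-member list
    for dip_id in members:
        pool = POOLS[dip_id]
        if pool.vsd_group in device.primary_for:   # VSI is active here
            return pool
    return None               # VSI is backup on this device: session is dropped

def translate(device, dip_ref, host):
    """Translated source address for `host`, or None if NAT cannot be applied."""
    pool = resolve_pool(device, dip_ref)
    if pool is None:
        return None
    table = device.sticky.setdefault(pool.dip_id, {})
    if host in table:         # stickiness: concurrent sessions reuse the address
        return table[host]
    in_use = set(table.values())
    for n in range(int(pool.start), int(pool.end) + 1):
        ip = IPv4Address(n)
        if ip not in in_use:
            table[host] = ip
            return ip
    return None               # pool exhausted
```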
