Example: Configuring VIPs (NSM Procedure)

In this example, you create a VIP to handle inbound traffic to your Web server. After configuring the VIP, you create a Global VIP to represent the VIP you created for the device, and then use the Global VIP object in a Security Policy rule that permits HTTP traffic on port 80 from any address in the Untrust zone to the VIP, and through it to the host in the Trust zone with the address and port to which the VIP points. All security zones are in the trust-vr routing domain.

Because the VIP is in the same subnet as the Untrust zone interface, you do not need to define a route for traffic from the Untrust zone to reach it. (To route HTTP traffic from a security zone other than the Untrust zone to the VIP, you must set a route for 1.1.1.10 on the router in the other zone to point to an interface bound to that zone.)

  1. Add a NetScreen-204 security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x.
  2. Configure the Trust interface for ethernet1:
  3. In the device navigation tree, select Network > Interface.
  4. Double-click ethernet1 (trust interface). The General Properties screen appears.
  5. Configure the IP address as 10.1.1.1 and the netmask as 24. Leave all other settings as default.
  6. Click OK to save your changes.
  7. Configure the Untrust interface for ethernet3:
  8. In the device navigation tree, select Network > Interface.
  9. Double-click ethernet3 (untrust interface). The General Properties screen appears.
  10. Configure the IP address as 1.1.1.1 and the netmask as 24. Leave all other settings as default.
  11. Click OK to save your changes.
  12. Configure the VIP for ethernet3:
    • Double-click ethernet3. The General Properties screen appears.
    • In the interface navigation tree, select NAT > VIP to display the VIP screen.
    • Click the Add icon to display the Virtual IP dialog box. Enter the Virtual IP as 1.1.1.10.
  13. Click the Add icon to display the VIP mapping dialog box. Configure the following options:
    • For Virtual Port, enter 80.
    • For Mapped IP, enter 10.1.1.10.
    • For Mapped Service, enter HTTP.
    • Click OK to save the VIP mapping, and then click OK to save the VIP.
    • Click OK to save your changes to the interface, and then click OK to save your changes to the device.
  14. In the navigation tree, select Object Manager > NAT Objects > VIP.
  15. Click the Add icon to display the new Global VIP dialog box.
  16. Configure the Global VIP.
  17. Configure a firewall rule to route inbound HTTP traffic on port 80 to the VIP address.
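The following is an added example, not part of the NSM documentation: it models the plan built by steps 1 through 17 as data, checks the points the text relies on (the VIP lies in the Untrust interface subnet, the mapped host lies in the Trust subnet, and the rule opens only the mapped service to the VIP object), and renders the equivalent ScreenOS CLI lines. The CLI syntax is written from memory of ScreenOS 5.x and is an assumption to verify against the ScreenOS CLI reference.

```python
# Added example, not from the NSM documentation. Values are the constructed
# ones used in the procedure above; ScreenOS CLI syntax is assumed.
from ipaddress import ip_interface, ip_address

TRUST_IF = {"name": "ethernet1", "zone": "trust", "ip": "10.1.1.1/24"}
UNTRUST_IF = {"name": "ethernet3", "zone": "untrust", "ip": "1.1.1.1/24"}
VIP = {"interface": "ethernet3", "address": "1.1.1.10",
       "mappings": [{"port": 80, "service": "HTTP", "mapped_ip": "10.1.1.10"}]}
POLICY = {"from": "untrust", "to": "trust", "src": "any",
          "dst": "VIP(ethernet3)", "service": "HTTP", "action": "permit"}


def vip_findings(untrust_if, trust_if, vip, policy):
    """Return a list of problems; an empty list means the plan matches the example."""
    findings = []
    untrust_net = ip_interface(untrust_if["ip"]).network
    trust_net = ip_interface(trust_if["ip"]).network
    # A VIP outside the Untrust interface subnet needs an explicit route from the
    # other zone's router (the caveat stated in the text above).
    if ip_address(vip["address"]) not in untrust_net:
        findings.append(f"VIP {vip['address']} is outside {untrust_net}: route required")
    for m in vip["mappings"]:
        if ip_address(m["mapped_ip"]) not in trust_net:
            findings.append(f"mapped host {m['mapped_ip']} is outside {trust_net}")
    # Least privilege: the rule should permit only the mapped service to the VIP object.
    if policy["dst"] != f"VIP({vip['interface']})":
        findings.append("policy destination should be the VIP object, not " + policy["dst"])
    allowed = {m["service"] for m in vip["mappings"]}
    if policy["service"] not in allowed:
        findings.append(f"policy service {policy['service']} is not a VIP mapping")
    if (policy["from"], policy["to"]) != (untrust_if["zone"], trust_if["zone"]):
        findings.append("policy must go from the Untrust zone to the Trust zone")
    return findings


def screenos_cli(untrust_if, trust_if, vip, policy):
    """Render the GUI steps as ScreenOS CLI lines (assumed syntax, see top comment)."""
    lines = []
    for iface in (trust_if, untrust_if):
        lines.append(f"set interface {iface['name']} zone {iface['zone']}")
        lines.append(f"set interface {iface['name']} ip {iface['ip']}")
    for m in vip["mappings"]:
        lines.append(f"set interface {vip['interface']} vip {vip['address']} "
                     f"{m['port']} {m['service']} {m['mapped_ip']}")
    lines.append(f"set policy from {policy['from']} to {policy['to']} {policy['src']} "
                 f"{policy['dst']} {policy['service']} {policy['action']}")
    return lines
```

Run `vip_findings` on a plan before it is pushed from NSM; any non-empty result points at a step above that was skipped or filled in differently.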