Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Interface Network Address Translation Using MIPs


A mapped IP (MIP) is a direct one-to-one mapping of one IP address to another. The security device forwards incoming traffic destined for a MIP to the host with the address to which the MIP points. A MIP is a static destination address translation that maps the destination IP address in an IP packet header to another static IP address, enabling inbound traffic to reach private addresses in a zone whose interface is in NAT mode. When a MIP host initiates outbound traffic, the security device translates the source IP address of the host to that of the MIP address. You can map an address-to-address or subnet-to-subnet relationship (the netmask applies to both the mapped IP subnet and the original IP subnet).

You can also use a MIP to handle overlapping address spaces at two sites connected by a VPN tunnel (an overlapping address space is when the IP address range in two networks are partially or completely the same).

However, devices running ScreenOS 6.1 or later remove the overlap restriction between the MIP and the VIP.

The zone you configure the MIP in determines the subnet of IP address that you can assign the MIP:

  • When defining a MIP in a tunnel zone or security zone other than untrust, you must use the same subnet as a tunnel interface with an IP address and netmask, or in the same subnet as the IP address and netmask of an interface bound to a Layer 3 (L3) security zone.

  • When defining a MIP in an interface in the Untrust zone, you can use a different subnet than the Untrust zone interface IP address. However, you must add a route on the external router pointing to an Untrust zone interface so that incoming traffic can reach the MIP. You must also define a static route that associates the MIP with the interface that hosts it.

  • With devices running ScreenOS 6.1 or later, you can assign a MIP the same address as an interface on any platform. However, you cannot use that MIP address in a DIP pool.

You can use a MIP as the destination addresses in rules between any two zones or in a Global rule. For the destination zone, use either the Global zone or the zone with the address to which the MIP points.