
Interface Network Address Translation Using VIPs


A virtual IP (VIP) address maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header. The destination IP addresses are the same, and the destination port numbers determine the host that receives the traffic. The security device forwards incoming traffic destined for a VIP to the host with the address to which the VIP points. When a VIP host initiates outbound traffic, the security device translates the source IP address of the host to that of the VIP address.

You can set a VIP only on an interface in the Untrust zone, and you must assign the VIP an IP address that is in the same subnet as an interface in the Untrust zone. However, in devices running ScreenOS 6.1 or later, you can set a VIP on an interface in any Layer 3 security zone, removing the restriction to Untrust zone interfaces. Some security devices also support:

  • Assigning the VIP the exact same address as the interface. However, in devices running ScreenOS 6.1 or later, you can assign a VIP the interface's own IP address on any platform, removing the restriction that only some devices support this.

  • Assigning the VIP to a dynamic IP address. When using a VIP with an interface in the Untrust zone that receives its IP address dynamically through DHCP or PPPoE, select Same as the untrusted interface IP address when setting up the VIP.

Additionally, the host to which the security device maps VIP traffic must be reachable from the trust-vr. If the host is in a routing domain other than that of the trust-vr, you must define a route to reach it.

You can use a VIP as the destination address in rules between any two zones or in a Global rule. For the destination zone, use either the Global zone or the zone with the address to which the VIP points.
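To make the port-based forwarding and source translation concrete, here is an added Python model of a VIP table; it is illustrative code, not ScreenOS or the vendor's implementation, and all addresses, class and function names in it are constructed for the example. It also enforces the same-subnet rule described above.

```python
"""Model of VIP forwarding and source translation (added illustration)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class VipTable:
    # Untrust interface address in CIDR form, e.g. "203.0.113.1/24" (constructed)
    untrust_iface_ip: str
    # (vip, proto, dport) -> internal host that receives the traffic
    entries: dict = field(default_factory=dict)

    def add(self, vip: str, proto: str, dport: int, host: str) -> None:
        # The VIP must lie in the same subnet as the Untrust interface;
        # a VIP equal to the interface address itself passes this check.
        net = ipaddress.ip_interface(self.untrust_iface_ip).network
        if ipaddress.ip_address(vip) not in net:
            raise ValueError(f"VIP {vip} is not in Untrust subnet {net}")
        self.entries[(vip, proto, dport)] = host

    def inbound(self, pkt: Packet):
        """Forward traffic sent to a VIP: same IP, destination port picks the host."""
        host = self.entries.get((pkt.dst, pkt.proto, pkt.dport))
        if host is None:
            return None   # no mapping for this VIP/port: nothing is forwarded
        return Packet(pkt.src, host, pkt.proto, pkt.dport)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a VIP host's outbound traffic to the VIP address."""
        for (vip, _proto, _port), host in self.entries.items():
            if host == pkt.src:
                return Packet(vip, pkt.dst, pkt.proto, pkt.dport)
        return pkt   # hosts without a VIP are passed through unchanged


if __name__ == "__main__":
    table = VipTable("203.0.113.1/24")
    table.add("203.0.113.10", "tcp", 80, "10.1.1.5")   # web server
    table.add("203.0.113.10", "tcp", 25, "10.1.1.6")   # mail server
    print(table.inbound(Packet("198.51.100.7", "203.0.113.10", "tcp", 25)))
    print(table.outbound(Packet("10.1.1.5", "198.51.100.7", "tcp", 40000)))
```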