Hi

I have never used Netscreen before and have to migrate a netscreen firewall to a Cisco ASA. Can someone explain what VIP::1 is? In the policy rules there are a lot of entries statically mapped to VIP::1, and under advanced is the option to look in the address book for the destination. Where would that be then? I am looking everywhere and can see no address book, not any group, user or destination linked to VIP::1

Hi,

I would recommend taking a look at the config in a text editor.  You can download this from the WebUI or connect via the console/ssh.  Once you see the config, everything should fall into place.  The ScreenOS is not much different from Cisco IOS.

Regarding the VIP, it means "Virtual IP".  In ScreenOS it's used for many to one NAT.

Rgds,

John

Hi Packet7. The config file is all set commands. It's made more difficult as i've never 'seen' the network it is going in to and it was installed by a third party who are not around to assist.

From what you wrote I guess it is an alias for a group of addresses. If that's the case i'm happy with that. Thanks for the explanation.

Hi,

Actually, it's a Virtual IP used to map a single IP to several other machines using specific ports.  If you like, you can post some of the config and I will take a look.  Please xxx out anything that is sensitive.  I hope this helps.

Rgds,

John

I don't have it with me and i'm going to site Tuesday. What you've explained already is enough I reckon. A VIP is used for static nat translations as I understand it.

The bit that i'm stuck on is where under the menu the mapping is configured. I have taken the time to go through every menu, submenu item and can't find anywhere where the VIP is tied to an address or port. That is where i'm concerned I am misunderstanding it.

Hi,

I'm hoping this helps (see below).  Let me know.

ScreenOS WebUI:

1.  Select Network, Interfaces
2.  Click on the interface you want to apply to VIP to (e.g. Untrust or E3) and click Edit
3.  The default view is "Basic".  At the top of the page click "VIP".
4.  From this screen, you can setup the VIP, port and service.  
5.  Upon completion, you need to create a Policy (e.g. Untrust to Trust).  Click Policies, Untrust to Trust and click New.
6.  Select your source, destination (VIP), service, and action (permit).  Make sure the service used in the policy matches the service specified in the VIP.

Once this is done, you should be all set.  One thing to note is that a VIP is unidirectional and a MIP is bidirectional.  The inbound VIP traffic will translate accordingly.  However, the outbound traffic from the VIP server will use the NAT associated with the interface (e.g. Interface NAT).

I hope this helps.

Rgds,

John