You can accomplish this using a MIP. VIPs are only used if you want to use the same address on the public side and map unique ports to a unique destination address and destination port combination on the private side. The downside of the MIP however is that all traffic to a designated public address will be mapped to a designated private address, regardless of port. If you just want to constrain it to Port 80 traffic, you'll want to use NAT-Dst in a policy. Policy based NAT-Dst is more flexible than using MIPs or VIPs.
Cheers, Stefan Fouant On 2/7/08, Vincent De Keyzer <[EMAIL PROTECTED]> wrote: > > Hi, > > I'm quite new to Netscreens, so I hope this is a very easy question. > > Say A.B.C.0/24 is some public IP range. > > I'm trying to set up the following (SSG-550): > > * A.B.C.0/27 on the Untrust sub-interface > * 10.0.0.0/24 on a DMZ sub-interface (where servers do support NAT) > * A.B.C.32/27 on another DMZ sub-interface (where servers do not > support NAT) > > I would like to map (incoming web traffic): > > * port 80 of A.B.C.1 => port 80 of 10.0.0.101. > > * port 80 of A.B.C.2 => port 80 of 10.0.0.102. > > Is this possible? For some reason I don't have the possibility to create > a VIP on the Untrust interface at the moment (and I'm not even sure you > can have VIPs with different IP addresses on the same interface...) > > Vincent > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp