No responses, so I'm guessing it's not feasible or no ScreenOS ninjas around?
From this I see you can configure a one to one MIP that isn't in the interface IP subnet, but I want to NAT "any" source address on a particular flow to a single IP that isn't in the egress interface subnet.

"Before ScreenOS 6.1, MIPs could be in a different network from the interface’s IP only on an interface in the Untrust zone. (This is an important caveat, but it is the only caveat regarding MIPs.) You can configure a MIP that is in the same network with its interface on any interface in any zone. MIPs are most often used on the Untrust zone. If you need to perform destination translation to an IP that is not in the same network as the ingress interface, use a policy NAT-DST translation KB11910 - [Inbound direction] How to configure Destination Network Address Translation (NAT-Dst) in combination with a DIP if the reverse connection is desired as well: KB11901 - [Outbound direction] How to configure Source Network Address Translation (NAT-src) and source Port Address Translation (PAT)."

http://kb.juniper.net/KB12835

On Fri, Nov 13, 2009 at 4:38 PM, Ivan c <ivann...@gmail.com> wrote:
> Hey,
>
> I have a query on NAT interaction for VoIP protocols. I'll attempt
> some ascii art....
>
>    10.0.0.0/8                     192.168.1.0/30
>  Internal subnet
> Internal LAN<--------->Netscreen<--------->Cisco<--------->Partner LAN
>      |                                                          |
>      |                                                          |
> SIP & Phones                                               SIP & Phones
>
> Now the inter-agency subnet of 192.168.1.0.30 is used for link
> addressing and there is agreement to use other private addressing for
> services, such as VoIP... For example the subnet 192.168.100.0/24 is
> used by the Netscreen and 192.168.200.0/24 for the Cisco. So on the
> Cisco side they hide the SIP and RTP VoIP traffic behind a single
> address of 192.168.200.100 and I need to do the same on the Netscreen
> and hide the traffic behind a single IP 192.168.100.100.
>
> I can do a MIP for the SIP proxy, as it is a one to one correlation,
> but how do I hide multiple IPs behind a single IP that isn't in the
> Netscreen interface subnet?
>
> Is there a way to do an ANY to a single IP that is not in the egress
> interface range?
>
>
> thanks
> Ivan
> _______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp