This article provides information on how to configure a virtual IP for port forwarding.
The configuration of a virtual IP for port forwarding enables an
external host to access network services, which are behind the firewall,
by mapping the NAT address of the internal host or service to an
external address.
To configure a Virtual IP, perform the following steps:
Note: To configure a Virtual IP (VIP), you will need to have the Trust and Untrust Zones previously configured to an interface. For more information on how to bind an interface to a zone, go to Binding an Interface to a Zone.

For this example, we are configuring a VIP address for a web server, and we are using ethernet1 for the Trust zone and ethernet3 for the Untrust zone.
Step one: Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Device Using the WebUI.
Step two: From the ScreenOS options menu, click **Network**, and then click **Interfaces**.
![Image of step two](http://kb.juniper.net/kb/images/public/ns2029/ns2029_02.gif)
Step three: From the **ethernet3** interface, click **Edit**.
![Image of step three](http://kb.juniper.net/kb/images/public/ns2029/ns2029_03.gif)
Step four: From the **Edit** screen, click to select **VIP**.
![Image of step four](http://kb.juniper.net/kb/images/public/ns2029/ns2029_04.gif)
Step five: From **Virtual IP Address**, enter the IP address of the web server.

Note: For this example, we have entered 210.1.1.10.
![Image of step five and six](http://kb.juniper.net/kb/images/public/ns2029/ns2029_056.gif)
Step six: Click **Add**.
Step seven: Click **New VIP Service**.
![Image of step seven](http://kb.juniper.net/kb/images/public/ns2029/ns2029_07.gif)
Step eight: From the **Virtual IP** drop-down menu, select the Virtual IP address. In the **Virtual Port** text box, enter a port number. From the **Map to Service** drop-down menu, select a service. In the **Map to IP** text box, enter the internal IP address of the web server.

Note: For this example, we used a **Virtual IP** of 210.1.1.10, a **Virtual Port** of 80, a **Map to Service** of HTTP (80), and a **Map to IP** of 192.168.1.10.
![Image of step eight and nine](http://kb.juniper.net/kb/images/public/ns2029/ns2029_089.gif)
Step nine: Click **OK**.

Note: The Virtual IP will listen to the Virtual Port. If you have a Virtual Port of 80, and a policy with the ANY service, all traffic going through port 80 will be passed.
Step ten: From the ScreenOS options menu, click **Policies**.
![Image of step ten](http://kb.juniper.net/kb/images/public/ns2029/ns2029_10.gif)
Step eleven: From the **From** drop-down menu, click to select **Untrust**. From the **To** drop-down menu, click to select **Trust**.
![Image of step eleven and twelve](http://kb.juniper.net/kb/images/public/ns2029/ns2029_1112.gif)
Step twelve: Click **New**.
Step thirteen: Under **Source Address**, click to select **Address Book**. From the **Address Book** drop-down menu, click to select **Any**.
![Image of step thirteen and fourteen](http://kb.juniper.net/kb/images/public/ns2029/ns2029_1314.gif)
Step fourteen: Under **Destination Address**, click to select **Address Book**. From the **Address Book** drop-down menu, click to select **VIP (210.1.1.10)**.
Step fifteen: From the **Service** drop-down menu, click to select **HTTP**. From the **Action** drop-down menu, click to select **Permit**.
![Image of step fifteen and sixteen](http://kb.juniper.net/kb/images/public/ns2029/ns2029_1516.gif)
Step sixteen: Click **OK**.
Via the CLI:
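You can configure the same via the CLI. Note that these commands use ethernet1/4, whereas the WebUI example above uses ethernet3; use the interface on which you are configuring the VIP.

```
set interface ethernet1/4 vip 210.1.1.10
set interface ethernet1/4 vip 210.1.1.10 + 80 "HTTP" 192.168.1.10
set policy from "Untrust" to "Trust" "Any" "VIP(210.1.1.10)" "HTTP" permit
```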
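The note after step nine warns that a policy with the ANY service passes all traffic to the virtual port. The following added example (not part of the original article or Juniper's tooling) checks saved CLI lines of the form shown above for permit policies to a VIP whose service is ANY or is not mapped on that VIP. The function names, the fourth sample line, and the handling of an optional `id N` policy prefix are assumptions made for illustration.

```python
import re
import shlex
# Constructed sample: the page's three CLI lines plus one deliberately loose policy.
SAMPLE_CONFIG = """
set interface ethernet1/4 vip 210.1.1.10
set interface ethernet1/4 vip 210.1.1.10 + 80 "HTTP" 192.168.1.10
set policy from "Untrust" to "Trust" "Any" "VIP(210.1.1.10)" "HTTP" permit
set policy from "Untrust" to "Trust" "Any" "VIP(210.1.1.10)" "ANY" permit
"""

def parse_vips(config):
    """Return {vip_address: [(virtual_port, service, mapped_ip), ...]}."""
    vips = {}
    for line in config.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 5 and tok[:2] == ["set", "interface"] and tok[3] == "vip":
            services = vips.setdefault(tok[4], [])
            rest = [t for t in tok[5:] if t != "+"]  # "+" precedes an added service
            if len(rest) >= 3 and rest[0].isdigit():
                services.append((int(rest[0]), rest[1].upper(), rest[2]))
    return vips

def audit_vip_policies(config):
    """Return (vip, service, reason) for permit policies wider than the VIP mapping."""
    vips = parse_vips(config)
    findings = []
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "policy"] or "from" not in tok:
            continue
        # Start at "from" so an optional "id N" prefix (assumed possible) is skipped.
        fields = tok[tok.index("from"):]
        if len(fields) < 8:
            continue
        dst, service, action = fields[5], fields[6].upper(), fields[7].lower()
        match = re.fullmatch(r"VIP\((.+)\)", dst)
        if not match or action != "permit":
            continue
        vip = match.group(1)
        mapped = {svc for _, svc, _ in vips.get(vip, [])}
        if service == "ANY":
            findings.append((vip, service, "policy does not restrict the service"))
        elif service not in mapped:
            findings.append((vip, service, "service has no mapping on this VIP"))
    return findings

if __name__ == "__main__":
    for finding in audit_vip_policies(SAMPLE_CONFIG):
        print(finding)
```

The policy from the article (service HTTP, matching the VIP mapping) produces no finding; only the constructed ANY policy is reported.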