March 03, 2005

A trick for using DIP on a NetScreen firewall

When a host initiates several sessions that match a policy with network address translation (NAT) enabled and is assigned an address from a dynamic IP (DIP) pool, the NetScreen device assigns a different source IP address for each session. Such random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session.
I analyzed it with Ethereal and I know it uses a round-robin algorithm to assign the source IP address. For example, when you ping a host, the source addresses of the ICMP requests are different, and it uses a round-robin algorithm.
This behavior causes problems for some services (some web-based email, AOL Instant Messenger and so on).
To use the same IP address from the DIP pool for a host's multiple concurrent sessions, you should set the following command:
set dip sticky
P.S.: You can't set this feature from the web-based interface.
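The difference between the two behaviours, as an added example that is not part of the original post and is not ScreenOS code: a small model of a DIP pool in round-robin and sticky mode, plus a check that flags inside hosts whose sessions left with more than one translated address. The class and function names, the pool addresses and the session list are constructed for illustration, and the sticky binding is simplified to never expire.

```python
from collections import defaultdict
from itertools import cycle


class DipPool:
    """Toy model of a DIP pool (hypothetical, not the firewall's implementation)."""

    def __init__(self, addresses, sticky=False):
        self._next = cycle(addresses)  # round-robin order, as observed in the post
        self.sticky = sticky
        self._bound = {}               # inside host -> translated address (sticky only)

    def translate(self, inside_host):
        """Return the translated source address for one new session."""
        if self.sticky and inside_host in self._bound:
            return self._bound[inside_host]
        addr = next(self._next)
        if self.sticky:
            self._bound[inside_host] = addr
        return addr


def hosts_with_split_sessions(sessions):
    """Map each inside host seen with more than one translated address to those addresses."""
    seen = defaultdict(set)
    for inside_host, translated in sessions:
        seen[inside_host].add(translated)
    return {h: sorted(a) for h, a in seen.items() if len(a) > 1}


def simulate(sticky):
    """Run a constructed sequence of new sessions through the pool."""
    # Constructed sample data: three documentation-range pool addresses, two inside hosts.
    pool = DipPool(["203.0.113.10", "203.0.113.11", "203.0.113.12"], sticky=sticky)
    new_sessions = ["10.1.1.5", "10.1.1.9", "10.1.1.5", "10.1.1.5", "10.1.1.9"]
    return [(host, pool.translate(host)) for host in new_sessions]


if __name__ == "__main__":
    for sticky in (False, True):
        label = "sticky" if sticky else "round-robin"
        print(label, hosts_with_split_sessions(simulate(sticky)))
```

The same check can be run over (inside host, translated address) pairs taken from the firewall's own session records to confirm that the sticky setting has taken effect.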

Posted by Mehrdad at March 3, 2005 01:10 AM