Monday, May 27, 2013

Creating a VIP in ScreenOS

Port-forwarding in the Juniper world is done by creating MIPs, VIPs and DIPs. A virtual IP (VIP) address maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header. A mapped IP (MIP) is a direct one-to-one mapping of one IP address to another (public IP to private IP), which hides a resource such as a server from the public. A dynamic IP (DIP) address pool is a range of IP addresses from which the device can dynamically take addresses to use when performing NAT on the source IP address of outgoing or incoming IP packets.

You can link three types of interfaces to Dynamic IP (DIP) pools: physical interfaces and sub-interfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.

The most common use for a VIP is to map several DMZ intranet servers to a single public IP address on very small firewalls.

Setup

NOTE: a VIP must be created in the same network as the interface. If you want to forward from another subnet, you need to use NAT-DST.

You can create a VIP under two conditions:
1. Your client's Public IP address is on the same network as the Firewall's Untrust interface IP address
2. Your client's Public IP address is the same IP address as the Firewall's Untrust interface IP address

You can assign the IP for the VIP in three ways.
1. Interface IP
2. Zone IP (Untrust)
3. Statically assign it

The address you assign your VIP must be on the same subnet as your Untrust interface (or be the same address entirely); this only comes into play when using option 3.

interface-ip is your best bet for a dynamic address but will only work on version 6.1 and up.
untrust-ip is your next best alternative for use with a dynamic address, but if you have multiple interfaces in the Untrust zone, it will choose the default (usually e0/0).
static is for when you have the privilege of having a static IP address on the interface.

For every port you wish to forward, you have to create a unique VIP.
For example, if you want IMAP and SMTP traffic forwarded to your server at 192.168.1.101, you'll need to set up two VIPs on your outside interface:
set int e0/0 vip interface-ip 143 "IMAP" 192.168.1.101
set int e0/0 vip interface-ip 25 "SMTP" 192.168.1.101

Switcharoo

Sometimes you will need to forward unconventional ports; usually it's either to hide which ports you have open, or simply to accommodate software.
To do this you will need to explicitly define the service.

Say I want to use port 15011 for my BitTorrent traffic because the standard 69xx ports are being blocked. Juniper doesn't know what operates on port 15011 because it's a non-standard port, so I'll have to define it. Because I know BitTorrent operates on 6881-6999, I can narrow down what traffic is forwarded.
set service "BitTorrent_15011" protocol tcp src-port 6881-6999 dst-port 15011-15011

Execution

Now we'll be able to apply this service to a policy (the equivalent of an ACL on Cisco appliances):
set policy id 100 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTP" permit log
set policy id 100
set service "BitTorrent_15011"
This will allow inbound traffic matching the BitTorrent_15011 service (ports 6881-6999) to be forwarded to my 192.168.1.101 client on port 15011.

Mind you, whatever your destination client is, it has to be configured to listen on the port the traffic is being forwarded to; in this case 15011.
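The whole procedure above (pick a VIP address that is valid for the Untrust interface, one VIP entry per forwarded port, a custom service for a non-standard port, and the inbound policy that references the VIP object) can be checked and generated mechanically. The script below is an added example, not code from the original post or from Juniper: it validates the VIP address against the Untrust subnet, refuses duplicate port entries, and emits the ScreenOS commands in the same form the post uses. The interface name, the 203.0.113.10/29 Untrust address, the policy id and the "exit" that leaves policy context are assumptions made for this example; it also adds the VIP entry for port 15011 that the custom service needs, following the post's own one-VIP-per-port rule.

```python
"""Added example, not from the original post: build and sanity-check the
ScreenOS commands for a set of VIP port forwards.

Interface name, addresses and policy id are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Forward:
    port: int       # destination port the VIP answers on; one VIP entry per port
    service: str    # ScreenOS service name used in the VIP entry
    host: str       # private server the traffic is forwarded to


def resolve_vip_target(untrust_ip: str, vip: str) -> str:
    """Return the address token for 'set interface <if> vip <token> ...'.

    'interface-ip' and 'untrust-ip' pass through (the dynamic-address options).
    A literal address is valid only if it is the Untrust interface address
    itself or another address on the Untrust subnet (untrust_ip is CIDR);
    anything else needs NAT-DST rather than a VIP.
    """
    if vip in ("interface-ip", "untrust-ip"):
        return vip
    iface = ipaddress.ip_interface(untrust_ip)
    addr = ipaddress.ip_address(vip)
    if addr == iface.ip:
        return "interface-ip"  # same address as the interface: the keyword is enough
    if addr not in iface.network:
        raise ValueError(f"{vip} is not on the Untrust subnet {iface.network}; use NAT-DST")
    return str(addr)


def vip_allowed(untrust_ip: str, vip: str) -> bool:
    """True if the address can be used as a VIP on that Untrust interface."""
    try:
        resolve_vip_target(untrust_ip, vip)
        return True
    except ValueError:
        return False


def vip_object(interface: str, target: str) -> str:
    """Address-book name a policy uses: VIP(<interface>) for the interface or
    untrust address, VIP(<address>) for a statically assigned VIP."""
    if target in ("interface-ip", "untrust-ip"):
        return f"VIP({interface})"
    return f"VIP({target})"


def vip_commands(interface: str, untrust_ip: str, vip: str, forwards: List[Forward]) -> List[str]:
    """One 'set interface <if> vip ...' line per forwarded port."""
    target = resolve_vip_target(untrust_ip, vip)
    seen, cmds = set(), []
    for f in forwards:
        if not 1 <= f.port <= 65535:
            raise ValueError(f"bad port {f.port}")
        if f.port in seen:
            raise ValueError(f"port {f.port} already has a VIP entry; each port needs its own")
        seen.add(f.port)
        ipaddress.ip_address(f.host)  # rejects a malformed internal address early
        cmds.append(f'set interface {interface} vip {target} {f.port} "{f.service}" {f.host}')
    return cmds


def custom_service(name: str, proto: str, src: Tuple[int, int], dst: Tuple[int, int]) -> str:
    """Custom service for a non-standard port, shaped like the post's BitTorrent example."""
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto}")
    for lo, hi in (src, dst):
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {lo}-{hi}")
    return f'set service "{name}" protocol {proto} src-port {src[0]}-{src[1]} dst-port {dst[0]}-{dst[1]}'


def policy_commands(policy_id: int, vip_obj: str, services: List[str], log: bool = True) -> List[str]:
    """Inbound Untrust->Trust policy to the VIP object. The first service goes on
    the 'set policy' line; further services are added from policy context, and
    'exit' returns to the top level (assumed standard ScreenOS CLI behaviour)."""
    if not services:
        raise ValueError("a policy needs at least one service")
    head = f'set policy id {policy_id} from "Untrust" to "Trust" "Any" "{vip_obj}" "{services[0]}" permit'
    cmds = [head + " log" if log else head]
    if len(services) > 1:
        cmds.append(f"set policy id {policy_id}")
        cmds.extend(f'set service "{s}"' for s in services[1:])
        cmds.append("exit")
    return cmds


def build_config(interface, untrust_ip, vip, forwards, extra_services, policy_id) -> List[str]:
    """Custom services first, then VIP entries, then the policy that uses them."""
    target = resolve_vip_target(untrust_ip, vip)
    services = list(dict.fromkeys(f.service for f in forwards))  # unique, order kept
    return (list(extra_services)
            + vip_commands(interface, untrust_ip, vip, forwards)
            + policy_commands(policy_id, vip_object(interface, target), services))


if __name__ == "__main__":
    # Constructed input: the post's IMAP/SMTP forwards plus the custom BitTorrent port.
    forwards = [Forward(143, "IMAP", "192.168.1.101"),
                Forward(25, "SMTP", "192.168.1.101"),
                Forward(15011, "BitTorrent_15011", "192.168.1.101")]
    svc = custom_service("BitTorrent_15011", "tcp", (6881, 6999), (15011, 15011))
    for line in build_config("ethernet0/0", "203.0.113.10/29", "interface-ip", forwards, [svc], 100):
        print(line)
```

Run it as-is to print the full command set; the useful part is the failure cases, which are the mistakes the post warns about: an address off the Untrust subnet is rejected with a pointer to NAT-DST, and a second entry for the same port is refused instead of silently producing a VIP that overwrites the first.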
