I will try the debug dump. I had changed it to "any" since I had in there only HTTP and HTTPS and it was not allowing those through, so I said fine, just open it up and get it working, then I can lock it down.
I am having an issue with a new build of the Juniper OS: it has dumped some of my standard configs and it is not allowing me to access two web servers behind the unit.
I have two web servers running behind the Juniper; one is using the egress IP, the other is using a VIP address. I am not able to access these machines through the firewall. Nothing is even showing up in the logs for policies.
Please see attached code.
I see no traffic being collected for .119 at all.
I see some traffic for .118; however, this is being dropped:
****** 166587.0: <Untrust/ethernet0/2> packet received [48]******
ipid = 63244(f70c), @1d5ce114
packet passed sanity check.
ethernet0/2:209.***.***.14
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
self check, not for us
chose interface ethernet0/2 as incoming nat if.
packet dropped: for self but not interested
first pak no session
POLL_DROP_PAK: vlist 0x191a664, 0x191a664
All 3 packets that came in were dropped with the error of:
packet dropped: for self but not interested
This is the NAT configured as DST-NAT.
Can I ask why you are using two different types of NAT to achieve the same thing? You use DST-NAT for one and VIP for the other. Did you know that you can create two VIPs on the untrust interface and then have their own port bindings, as per the one for 119?
It might be better to configure both web servers the same way and then work on it, as at the moment we are trying to debug two different technologies, and even then we only see traffic going to the one web server.
Can you confirm that the 119 address was being connected to?
Yes, I can ARP from my Cisco router, which is in front of the Juniper, for the 119, and it shows the correct MAC address, i.e. the VIP MAC address.
The setup for this Juniper is as follows.
The ingress is 118, which it is using to NAT the computers behind it. It should then allow port 80 and 443 traffic inbound on 118 to be forwarded to 10.10.1.14.
Set up the VIP as 119, with allowed inbound traffic on ports 80 and 443 to be directed to 10.10.1.9.
These should be the only traffic, other than stateful packets, allowed in.
After the unit is working just fine I am adding VPN connections to it. But the base config is two public IP addresses forwarding in, with standard NAT behind the unit.
Sorry bud, but I still don't understand why you use NAT dst for 118 and VIP for 119, especially when you test only for 118.
Can you create another VIP for 118 (which will then create the upstream ARP) and then add the policies as per the 119 VIP?
Re-run the trace and test both VIPs please. Show us the trace and we will be able to help more.
Try the CLI of:
set interface ethernet0/0 vip interface-ip 80 "HTTP" 10.10.1.14
set interface ethernet0/0 vip interface-ip + 443 "HTTPS" 10.10.1.14
I don't have web access to my firewall, but I do have SSH.
And using "set interface ethernet0/0 vip interface-ip" allowed me to use the actual interface IP.
I have cleared out the VIP settings and the policies that go to them. See the commands and error below:
FW2-> set interface ethernet0/2 vip **.**.***.118 80 "HTTP" 10.10.1.14
Service (port=80) not supported for this vip 209.60.224.118.
Failed command - set interface ethernet0/2 vip **.**.***.118 80 "HTTP" 10.10.1.14
FW2-> set interface ethernet0/2 vip **.**.***.119 80 "HTTP" 10.10.1.9
###VIP on untrusted interface already defined.
Failed command - set interface ethernet0/2 vip **.**.***.119 80 "HTTP" 10.10.1.9
You will need to change the default parameters for the web management access on the box.
Change the default web port to something other than port 80, e.g. 8080, and change the default SSL port for the WebUI to something like 4433.
Once this is done, you will then be able to add the VIP to the external interface.
I have changed over the ports and it's not letting me in via the web interface.
Also, the info on the unit is below. I have asked for a refresh of the OS so that it can be up to date.
FW2-> get system
Product Name: SSG-140
Serial Number: **************, Control Number: ffffffff
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r1a.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Thu Aug 31 17:35:57 PDT 2006
Base Mac: 0017.cb48.6d80
File Name: ssg140.5.4.0r1a.0, Checksum: b0590f86, Total Memory: 512MB
Date 08/27/2002 03:22:25, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 116 hours 29 minutes 20 seconds Since 22Aug2002:06:53:05
Total Device Resets: 0
System in NAT/route mode.
Use interface IP, Config Port: 8080
User Name: admin
I have the HTTP and HTTPS management moved over to 8080 and 4433.
It will not let me set the VIP on the main interface at the same time as adding another public IP to the unit.
FW2-> set interface ethernet0/2 vip ***.***.***.119 + 80 "HTTP" 10.10.1.9
###VIP on untrusted interface already defined.
Failed command - set interface ethernet0/2 vip ***.***.***.119 + 80 "HTTP" 10.10.1.9
I have tried accessing the site from the outside that 118 goes to, and it does not forward through, so I dumped another debug log.
OK, let's take this back to basics here.
1. Delete the address object you have for the external address (used on the NAT dst),
i.e. unset address "Trust" "***.***.***.118/32" ***.***.***.118 255.255.255.255
2. Use the WebUI to access the firewall. Make sure that you use the following syntax:
http://<ip address of firewall>:8080
or
https://<ip address of firewall>:4433
3. Go to the untrust interface, e0/2, and click on VIP.
4. At the top you will have the option of adding a new VIP entry (you should already see one for the main interface IP of 118).
5. Click on "add new VIP using a Virtual IP" and enter the 119 address.
6. Ensure you have all the VIP services configured as they should be and bound to the correct VIP.
7. Delete the current policies you have for the VIPs.
8. Re-add the policies, ensuring you are selecting both HTTP and HTTPS for each VIP as the destination.
9. Re-test.
From the trace you sent, all the traffic for the 118 server appeared to be allowed through, as it pertained to a previously known session; however, your rules were a bit odd. Policy 8 allows HTTPS, not HTTP, to the VIP you created, and the trace was for HTTP.
Policy 7 simply allowed HTTP through the firewall; no NAT was taking place.
We are almost there bud, keep at it, and make sure that you are testing something that you have actually set up, otherwise the test itself will be meaningless.
That seems fine, bud.
You can combine policies 11 and 12, and 9 and 10, to use both HTTP and HTTPS in the services field, but given that you don't have that many policies there in the first place, it should be all good.
If you notice anything else that's not quite right with the workings of the config, let us know and we can review again, but this seems fine to me.
Thanks for the help. I am going to stress it out for the remaining 24 hours; if there are no issues I will close it out. Thank you for all of the help.
FYI, the upgrade of the OS helped a lot, since part of the problem was that I was used to the JOS of version 6, so the old one was giving me issues and just causing layered problems.
by: deimark, posted on 2009-08-06 at 01:35:35, ID: 25031120
Let's go through your code here, bud.
set interface ethernet0/2 vip ***.***.***.119 80 "HTTP" 10.10.1.9
set interface ethernet0/2 vip ***.***.***.119 + 443 "HTTPS" 10.10.1.9
This says that traffic coming into the external address of ***.***.***.119 on port 80 or 443 should go to the web server at 10.10.1.9.
set address "Trust" "Office" 10.10.1.9 255.255.255.0
This defines the web server as "Office".
The only reference to this object in a rule is:
set policy id 3 name "Office" from "Untrust" to "Trust" "Any" "VIP(***.***.***.119)" "ANY" permit log count
This says that inbound traffic to the Office object should be allowed through using the VIP on any service (although the VIP will only forward the 80 and 443 traffic).
The other web server is using the NAT DST method:
set policy id 6 from "Untrust" to "Trust" "Any" "***.***.***.118/32" "HTTP" nat src dst ip 10.10.1.14 port 80 permit log count
So this should work also.
One caveat I have at the moment is that the rules you have for the above and the VIP have "any" service listed. I would keep this down to the minimum needed here, bud, i.e. for the VIP keep it at HTTP and HTTPS, and for the NAT DST keep it at HTTP. This may also be confusing the system, as it is trying to take in all traffic and forward it to the destination on port 80.
Best to run a debug flow basic to see what is going on with the traffic.
Run the following:
Set the flow filters
set ff dst-port 80
set ff dst-port 443
Start the debug
debug flow basic
Clear the buffer
cl db
< run test, ie try to connect to web servers from outside >
Stop trace
undebug all
Copy the contents of the debug buffer to a TFTP server for easier reading and retrieval
get db stream > tftp <ip address of tftp host> trace.txt
Send us this debug stream with details of the server you tried to connect to and from where; we can then review the trace to see where the packet was dropped/lost.
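The triage step that follows the debug flow procedure above (and that was done by hand on the trace quoted earlier in the thread, where every packet to .118 ended in "packet dropped: for self but not interested" and .119 never appeared at all) can be automated. The script below is an added example and is not part of the original thread or of ScreenOS: it reads the buffer that `get db stream` copies out, splits it into one record per "packet received" header, extracts the 5-tuple line, classifies each packet as dropped (with the reason), permitted by a policy, or matched to an existing session, and reports which expected public addresses never showed up. The sample trace is constructed and modeled on the one posted; the addresses (documentation range), ports, session id, policy number, and the exact text of the "Permitted by policy" and "existing session found" lines are assumptions.

```python
"""Triage helper for a ScreenOS `debug flow basic` buffer (added example).

Splits the dump into per-packet records, pulls out the 5-tuple, records
whether each packet was dropped (and why), permitted by a policy, or matched
an existing session, and reports expected public addresses that never show up.
"""
import re
from collections import Counter

# Constructed sample trace, modeled on the one posted in the thread.  The
# addresses, ports, session id, policy number and the "Permitted by policy" /
# "existing session found" message texts are assumptions, not captured output.
SAMPLE_TRACE = """\
****** 166587.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 63244(f70c), @1d5ce114
  packet passed sanity check.
  ethernet0/2:203.0.113.14/51234->203.0.113.118/80,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  self check, not for us
  chose interface ethernet0/2 as incoming nat if.
  packet dropped: for self but not interested
****** 166588.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 63245(f70d), @1d5ce3a0
  packet passed sanity check.
  ethernet0/2:203.0.113.14/51235->203.0.113.119/443,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  chose interface ethernet0/2 as incoming nat if.
  Permitted by policy 3
****** 166589.0: <Untrust/ethernet0/2> packet received [52]******
  ipid = 63246(f70e), @1d5ce620
  packet passed sanity check.
  ethernet0/2:203.0.113.14/51235->203.0.113.119/443,6<Root>
  existing session found. sess_id 1987
"""

HEADER = re.compile(r"^\*+ (?P<ts>[\d.]+): <(?P<zone>[^/>]+)/(?P<ifname>[^>]+)> packet received")
TUPLE = re.compile(r"^(?P<ifname>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
DROP = re.compile(r"packet dropped[:,]\s*(?P<reason>.+?)\s*$")
PERMIT = re.compile(r"[Pp]ermitted by policy (?P<id>\d+)")
SESSION = re.compile(r"existing session found")

# Drop reasons that point at a configuration cause rather than a policy deny.
# "for self but not interested" is the one from the thread: the destination is
# the firewall's own interface address and nothing on the box (a VIP or a
# management service) is bound to that port, so no policy is ever consulted.
DROP_HINTS = {
    "for self but not interested": "destination is the interface IP itself; bind a VIP "
    "to interface-ip (or move management off that port) so the box claims the port",
}


def split_packets(text):
    """Group the dump into one record per 'packet received' header."""
    packets = []
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"ts": m["ts"], "zone": m["zone"], "ifname": m["ifname"], "lines": []}
            packets.append(current)
        elif current is not None:
            current["lines"].append(raw.strip())
    return packets


def classify(pkt):
    """Return the 5-tuple and the verdict ScreenOS reached for one packet."""
    out = {"ts": pkt["ts"], "in_if": pkt["ifname"], "src": None, "dst": None,
           "dport": None, "proto": None, "verdict": "unknown", "detail": ""}
    for line in pkt["lines"]:
        m = TUPLE.match(line)
        if m:
            out.update(src=m["src"], dst=m["dst"], dport=int(m["dport"]), proto=int(m["proto"]))
            continue
        m = DROP.search(line)
        if m:
            out.update(verdict="dropped", detail=m["reason"])
            break
        m = PERMIT.search(line)
        if m:
            out.update(verdict="permitted", detail="policy " + m["id"])
            break
        if SESSION.search(line):
            out.update(verdict="existing-session", detail=line)
            break
    return out


def summarize(text):
    """Count verdicts and drop reasons across the whole buffer."""
    verdicts = [classify(p) for p in split_packets(text)]
    by_verdict = Counter(v["verdict"] for v in verdicts)
    reasons = Counter(v["detail"] for v in verdicts if v["verdict"] == "dropped")
    return {"packets": len(verdicts), "dropped": by_verdict["dropped"],
            "permitted": by_verdict["permitted"],
            "existing-session": by_verdict["existing-session"],
            "unknown": by_verdict["unknown"], "drop_reasons": dict(reasons)}


def unseen_destinations(text, expected):
    """Expected public addresses that never appear as a destination.

    This is the '.119 not collected at all' case: the packet never reached the
    flow engine, so check the flow filter and the upstream ARP before policies.
    """
    seen = {classify(p)["dst"] for p in split_packets(text)}
    return sorted(set(expected) - seen)


if __name__ == "__main__":
    for v in (classify(p) for p in split_packets(SAMPLE_TRACE)):
        hint = DROP_HINTS.get(v["detail"], "")
        print(f"{v['ts']:>10} {v['src']}->{v['dst']}:{v['dport']} {v['verdict']} {v['detail']}"
              + (f"  [{hint}]" if hint else ""))
    print(summarize(SAMPLE_TRACE))
    print("never seen:", unseen_destinations(SAMPLE_TRACE, ["203.0.113.118", "203.0.113.119"]))
```

Feed it the `trace.txt` retrieved over TFTP, with the two public addresses you expect as `expected`. A packet that is "dropped: for self but not interested" failed before any policy lookup, so adjusting policies will not change it; an address in the "never seen" list is a reachability or filter problem upstream of the firewall, which is why the thread asked to confirm the ARP entry for .119 before going further.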