	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.0

juniper SSG140 - Inbound Static Nat to Web Servers

Asked by cyexx in Enterprise Firewalls, Network Routers, Networking Hardware

Tags: Juniper, firewall, web servers, hosting

I am having an issue with a new build of the juniper OS and it has dumped some of my standard configs and it is not allowing me to access 2 web servers behind the unit.

I have 2 web servers running behind the juniper one is using the egress Ip the other is using a VIP address. I am not able to access these machines threw the firewall. Nothing is even showing up in the logs for policies.

Please see attached code.

Get your answer NOW

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:

           
           
             set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 10.10.1.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip ***.***.***.118/26
set interface ethernet0/2 route
set interface ethernet0/2 gateway ***.***.***.65
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/2 ip manageable
set interface ethernet0/0 manage mtrace
set interface vlan1 manage mtrace
set interface ethernet0/2 vip ***.***.***.119 80 "HTTP" 10.10.1.9
set interface ethernet0/2 vip ***.***.***.119 + 443 "HTTPS" 10.10.1.9
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain ****.com
set hostname FW2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 208.67.222.222 src-interface ethernet0/2
set dns host dns2 208.67.220.220 src-interface ethernet0/2
set dns host dns3 0.0.0.0
set address "Trust" "10.10.1.14/32" 10.10.1.14 255.255.255.255
set address "Trust" "***.***.***.118/32" ***.***.***.118 255.255.255.255
set address "Trust" "Office" 10.10.1.9 255.255.255.0
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 6 from "Untrust" to "Trust"  "Any" "***.***.***.118/32" "HTTP" nat src dst ip 10.10.1.14 port 80 permit log count 
set policy id 6
exit
set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.119)" "HTTPS" permit log count 
set policy id 5
exit
set policy id 4 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.119)" "HTTP" permit log count 
set policy id 4
exit
set policy id 3 name "Office" from "Untrust" to "Trust"  "Any" "VIP(***.***.***.119)" "ANY" permit log count 
set policy id 3
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log count 
set policy id 2
exit
set monitor cpu 100
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

           
         

20091111-EE-VQP-89 - Hierarchy / EE_QW_3_20080625

Hall of Fame

1. keith_ala...82,100
2. deimark54,265
3. JFrederic...43,500
4. dpk_wal41,050
5. lrmoore34,450
6. ccomley33,960
7. grimkin22,976
8. MikeKane22,400
9. PeteLong19,164
10. 3nerds15,000
11. sangamc12,800
12. rsivanandan12,650
13. ikalmar11,249
14. bignewf11,164
15. nodisco11,100
16. uetian170710,134
17. kenboonejr9,425
18. VisionVoice9,000
19. decoleur8,550
20. stsonline7,500
21. pwindell6,900
22. jodylemoine6,500
23. Bembi6,000
24. harbor2355,500
24. asavener5,500
24. Jay_Gridley5,500

1. lrmoore1,600,373
2. keith_ala...605,928
3. calvinetter244,408
4. rsivanandan242,988
5. tim_holman196,866
6. nodisco185,714
7. batry_boy159,024
8. grblades127,009
9. Voltz-dk111,609
10. PeteLong102,309
11. dpk_wal97,550
12. JFrederic...83,100
13. carribeant...80,185
14. Cyclops3...78,576
15. stressedo...71,924
16. harbor23568,605
17. srikrishnak60,096
18. MikeKane56,928
19. deimark55,615
20. pruecons...55,203
21. ccomley54,304
22. jjoseph_x48,002
23. billwharton44,427
24. td_miles43,372
25. RobWill42,673

juniper SSG140 - Inbound Static Nat to Web Servers

Asked by cyexx in Enterprise Firewalls, Network Routers, Networking Hardware

Tags: Juniper, firewall, web servers, hosting

About this solution