Solved

Netscreen WebUI remote admin access fails

Posted on 2007-03-20
6
1,426 Views
Last Modified: 2012-08-13
Netscreen won't allow WebUI read-write admin to make changes yet same user can do them using telnet
0
Comment
Question by:murphymail
6 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18763986
1. What model of the firewall?

2. Can you post the configuration here ? (After removing passwords and first octect of your public ip)

Cheers,
Rajesh
0
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18804425
My Netscreen has one "read-only" IP address and one "admin" address.  My admin address is one higher than the read-only address (ie - read-only is 192.168.1.1 and admin is 192.168.1.2).  Try adding one to the current way of accessing this.  I believe this is the way it is set up out of the box, but I also believe that these can be changed.  Did you set it up or did someone else?
0
 

Author Comment

by:murphymail
ID: 18804510
The problem is via www the SSG 140 for some reason doesn't show all the links (ie, where there should be a link to change "edit" interface it come sup with dashes). I also get doesn't have the privilege message yet i'm using admin signon
Config below---
set clock timezone -4
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin user "mike" password "nEZRCmrUEQmMcLrDAstG77Nt5OFHKn" privilege "all"
set admin auth timeout 10
set admin auth server "Local"
set admin auth remote primary
set admin auth remote root
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/7" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip x.x.26.81/24
set interface ethernet0/0 nat unset interface vlan1 ip
set interface ethernet0/7 ip x.x.198.150/27
set interface ethernet0/7 route
set interface tunnel.1 ip unnumbered interface ethernet0/7
set interface ethernet0/7 gateway x.x.198.129
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/7 manage-ip x.x.198.151
set interface ethernet0/0 ip manageable
unset interface ethernet0/7 ip manageable
set interface ethernet0/7 manage ping
set interface ethernet0/7 manage telnet
set interface ethernet0/7 manage web unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set vpn "VPN for Any" monitor
set url protocol websense
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "0.0.0.0/0" "ANY" permit set policy id 1 disable set policy id 1 exit set policy id 2 name "VPNphones" from "Untrust" to "Trust"  "Dial-Up VPN" "Any"
"ANY" tunnel vpn "VPN for Any" id 2 pair-policy 3 log set policy id 2 exit set policy id 3 name "VPNphones" from "Trust" to "Untrust"  "Any" "Dial-Up VPN"
"ANY" tunnel vpn "VPN for Any" id 2 pair-policy 2 log set policy id 3 exit set monitor cpu 100 set firewall log-self set nsmgmt bulkcli reboot-timeout 60 set ssh version v2 set config lock timeout 5 set snmp port listen 161 set snmp port trap 162 set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway x.x.198.129 set route x.x.198.0/24 gateway x.x.198.129 set route 10.0.0.0/8 gateway x.x.26.1 set route 172.90.90.0/24 vrouter "untrust-vr" preference 20 metric 1 exit set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 32

Expert Comment

by:rsivanandan
ID: 18805603
I'll look into it later today, by the way can you also post what version of SOS is running on this one?

Cheers,
Rajesh
0
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18805634
Yes, you're using the admin signon, but not the admin IP.  See http://kb.juniper.net/KB3907.
Or the IP management is turned off (http://kb.juniper.net/KB6422).  
Or the management is restricted to a specific IP on your subnet.  
You can use this page (http://kb.juniper.net/KB3918) to determine what IP is allowed to manage the device.  
Set management IP address - http://kb.juniper.net/KB4035.

You can find more of these by searching the Netscreen KB (http://kb.juniper.net/) for "management IP" (no quotes).
0
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 500 total points
ID: 20276731
Change the following

set admin privilege read-write
to

set admin privilege "all"
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question