Solved

Netscreen WebUI remote admin access fails

Posted on 2007-03-20
Medium Priority
1,435 Views
Last Modified: 2012-08-13
Netscreen won't allow WebUI read-write admin to make changes yet same user can do them using telnet
6 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18763986
1. What model of the firewall?

2. Can you post the configuration here? (After removing passwords and the first octet of your public IP.)

Cheers,
Rajesh
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18804425
My Netscreen has one "read-only" IP address and one "admin" address.  My admin address is one higher than the read-only address (ie - read-only is 192.168.1.1 and admin is 192.168.1.2).  Try adding one to the current way of accessing this.  I believe this is the way it is set up out of the box, but I also believe that these can be changed.  Did you set it up or did someone else?
 

Author Comment

by:murphymail
ID: 18804510
The problem is via www the SSG 140 for some reason doesn't show all the links (ie, where there should be a link to change "edit" interface it comes up with dashes). I also get a "doesn't have the privilege" message yet I'm using the admin signon.
Config below---
set clock timezone -4
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin user "mike" password "nEZRCmrUEQmMcLrDAstG77Nt5OFHKn" privilege "all"
set admin auth timeout 10
set admin auth server "Local"
set admin auth remote primary
set admin auth remote root
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/7" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip x.x.26.81/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/7 ip x.x.198.150/27
set interface ethernet0/7 route
set interface tunnel.1 ip unnumbered interface ethernet0/7
set interface ethernet0/7 gateway x.x.198.129
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/7 manage-ip x.x.198.151
set interface ethernet0/0 ip manageable
unset interface ethernet0/7 ip manageable
set interface ethernet0/7 manage ping
set interface ethernet0/7 manage telnet
set interface ethernet0/7 manage web
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set vpn "VPN for Any" monitor
set url protocol websense
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "0.0.0.0/0" "ANY" permit
set policy id 1 disable
set policy id 1
exit
set policy id 2 name "VPNphones" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "VPN for Any" id 2 pair-policy 3 log
set policy id 2
exit
set policy id 3 name "VPNphones" from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "VPN for Any" id 2 pair-policy 2 log
set policy id 3
exit
set monitor cpu 100
set firewall log-self
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway x.x.198.129
set route x.x.198.0/24 gateway x.x.198.129
set route 10.0.0.0/8 gateway x.x.26.1
set route 172.90.90.0/24 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18805603
I'll look into it later today, by the way can you also post what version of SOS is running on this one?

Cheers,
Rajesh
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18805634
Yes, you're using the admin signon, but not the admin IP.  See http://kb.juniper.net/KB3907.
Or the IP management is turned off (http://kb.juniper.net/KB6422).  
Or the management is restricted to a specific IP on your subnet.  
You can use this page (http://kb.juniper.net/KB3918) to determine what IP is allowed to manage the device.  
Set management IP address - http://kb.juniper.net/KB4035.

You can find more of these by searching the Netscreen KB (http://kb.juniper.net/) for "management IP" (no quotes).
 
LVL 5

Accepted Solution

by:ccreamer_22 (earned 1500 total points)
ID: 20276731
Change the following

set admin privilege read-write
to

set admin privilege "all"
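An added example, not from the thread or from Juniper: a small Python audit that pulls out of a ScreenOS config dump the settings the replies above hinge on, the default privilege line the accepted solution changes, the locally defined admin users, and (dpmcmull's point about the admin address) which addresses actually accept WebUI on each interface. The sample config is a trimmed, constructed copy of the one posted above.

```python
import re

# Constructed sample: the management-related lines from the config posted in
# this thread (password hash replaced by a placeholder, public IPs masked).
SAMPLE_CONFIG = """\
set admin user "mike" password "REDACTED" privilege "all"
set admin auth remote primary
set admin privilege read-write
set interface ethernet0/0 ip x.x.26.81/24
set interface ethernet0/7 ip x.x.198.150/27
set interface ethernet0/7 manage-ip x.x.198.151
set interface ethernet0/0 ip manageable
unset interface ethernet0/7 ip manageable
set interface ethernet0/7 manage ping
set interface ethernet0/7 manage telnet
set interface ethernet0/7 manage web
"""

def parse_management(config_text):
    """Record explicit admin-privilege and per-interface management statements."""
    users, ifaces, default_priv = {}, {}, None
    ifc = lambda name: ifaces.setdefault(name, {"services": set()})
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r'set admin user "([^"]+)" password "[^"]*" privilege "([^"]+)"', line):
            users[m[1]] = m[2]                       # locally defined admin
        elif m := re.match(r'set admin privilege "?([\w-]+)"?$', line):
            default_priv = m[1]                      # the line the accepted solution changes
        elif m := re.match(r'set interface (\S+) ip (\S+/\d+)$', line):
            ifc(m[1])["ip"] = m[2]
        elif m := re.match(r'set interface (\S+) manage-ip (\S+)$', line):
            ifc(m[1])["manage_ip"] = m[2]            # the dedicated "admin address"
        elif m := re.match(r'(set|unset) interface (\S+) ip manageable$', line):
            ifc(m[2])["ip_manageable"] = m[1] == "set"
        elif m := re.match(r'(set|unset) interface (\S+) manage (\w+)$', line):
            svc = ifc(m[2])["services"]
            (svc.add if m[1] == "set" else svc.discard)(m[3])
    return {"default_remote_privilege": default_priv, "users": users, "interfaces": ifaces}

def webui_endpoints(parsed):
    """Interfaces with WebUI enabled, mapped to the addresses a browser must use:
    the manage-ip if set, plus the interface IP only if explicitly manageable."""
    out = {}
    for name, i in parsed["interfaces"].items():
        if "web" not in i["services"]:
            continue
        addrs = [i["manage_ip"]] if "manage_ip" in i else []
        if i.get("ip_manageable") and "ip" in i:
            addrs.append(i["ip"].split("/")[0])
        out[name] = sorted(addrs)
    return out
```

For the posted config this reports that WebUI on ethernet0/7 answers only at the manage-ip x.x.198.151, not at the interface address x.x.198.150, and that the default privilege for admins not defined locally is read-write while user "mike" is "all".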