Port forwarding on Juniper Netscreen 5GT

We have a Netscreen 5GT (ADSL) model.

We are trialling an Asterisk IP PBX and I was told to forward the ports UDP 5060-5061 and 10,000 to 20,000 to the PBX.

We have one static external IP, lets call it A.B.C.D.

Our PBX is at 192.168.1.175

Following instructions in this forum and elsewhere, I've gone to the admin GUI and created a new service.

Next I went to network > interfaces > and then edit adsl1
then VIP > press "new VIP service"

This was where I hit trouble: I understand that the virtual IP field has my outside IP that is assigned automatically by my ISP, and this should be filled in automatically. It wasn't; instead 0.0.0.0 was there.

When I typed my external IP in and tried to Add, I got a message saying:
"The virtual IP is the same as the address of the interface. Please set a different IP or select the <Same as the untrusted interface IP address> instead"

So I selected the <Same as the untrusted interface IP address> button and tried to Add, but I got:
"Error: cannot add Untrust-IP VIP (A.B.C.D)"
..where A.B.C.D is our external IP

..so we can't proceed to create the new VIP service.

What am I doing wrong here, or is there some way round this?

PS I am not particularly techie, and would prefer to do this via the GUI, if given the choice between GUI and scripting config files...

Many thanks
zorba111Asked:

HalindarCommented:
Hello Zorba,

First off I would like to clarify some points in your question.
You have a PBX device on the internal side of your Juniper on IP 192.168.1.175 which you want to access from the outside interface. Am I correct in assuming that traffic will always be initiated from outside your firewall directed inside? Or is the PBX also going to initiate traffic on its own?

If I read your problem correctly I would not use a VIP address in this case. A VIP address is used when you have different servers on the inside, each providing a service you want to access from the outside, but you want to have it appear to be a single server (IP address) on the outside serving all the different services.

In your case I would use a policy based NAT-destination to make the PBX accessible from the outside.
To define such a policy based NAT-destination rule you need to perform three steps:
1. Create an address book entry in the private/internal zone for your public A.B.C.D address
2. Add the public A.B.C.D address as a secondary address in the private/internal zone
3. Create a policy rule to allow traffic to flow from the outside interface to the PBX

Using CLI commands you can accomplish this using the following commands:
set address trust PBX a.b.c.d/32
set service PBXsvc1 protocol UDP src-port 0-65535 dst-port 5060-5061
set service PBXsvc2 protocol UDP src-port 0-65535 dst-port 10000-20000
set policy from untrust to trust any PBX PBXsvc1 nat dst ip 192.168.1.175 permit
set policy from untrust to trust any PBX PBXsvc2 nat dst ip 192.168.1.175 permit

I hope the above helps you with your problem.
zorba111Author Commented:
Halindar,

Hello Zorba,

First off I would like to clarify some points in your question.
You have a PBX device on the internal side of your Juniper on IP 192.168.1.175 which you want to access from the outside interface.
>> YES
Am I correct in assuming that traffic will always be initiated from outside your firewall directed inside? Or is the PBX also going to initiate traffic on its own?
>> NO, THE PBX WILL BE MAKING SIP CALLS OUT, SO I GUESS IT WILL BE INITIATING OUTGOING TRAFFIC TOO (?)
HalindarCommented:
Hello Zorba,

In that case you need to also create a policy rule that will allow outbound traffic from the PBX:

set policy from trust to untrust 192.168.1.175 any any permit

If you want to specify a specific port or port-range to allow outbound traffic (more secure) then you need to replace the second 'any' with the port or port-range to allow.

With the above CLI (command line interface) command and the commands from the previous post you should be able to make the PBX work over the Netscreen 5GT.
zorba111Author Commented:
Halindar,

Following your instructions from the GUI, we created the following:
the address "PBX"
the custom service "Asterisk PBX VoIP" (which included BOTH address ranges)

Then I went through the "Policy Wizard" and this is the CLI equivalent it created:
set policy top from "Untrust" to "Trust" "Any" "PBX" "Asterisk PBX VoIP" nat src dip-id 2 dst ip 192.168.1.175 Permit

Is this correct (as it has a few more components than your CLI version)?
zorba111Author Commented:
Similarly, for your last comment,

set policy from trust to untrust 192.168.1.175 any any permit

we created using the Wizard:

set policy top from "Trust" to "Untrust" "PBX" "Any" "Asterisk PBX VoIP" Permit

Does this look OK?
HalindarCommented:
Hello Zorba,

I see you created a rule which combines NAT-src and NAT-dst.
Thus not only is the destination address (A.B.C.D) translated to the internal address (192.168.1.175), but it also translates the source address.

It might work, but the source address translation part should not be needed.
I don't know which steps you went through in the "Policy Wizard" and which choices you made.
Maybe one of these choices had to do with source address translation and you can skip that.

I don't have a box with the GUI tools so I can't 'walk you through' the wizard.

HalindarCommented:
Zorba,

set policy from trust to untrust 192.168.1.175 any any permit

and

set policy top from "Trust" to "Untrust" "PBX" "Any" "Asterisk PBX VoIP" Permit

are for all intents and purposes the same: you specify that the PBX can connect to the outside only on the service ports you also defined for the inbound traffic. Probably this is enough for the PBX to function, so I'd give it a test run.

zorba111Author Commented:
Halindar wrote:

I see you created a rule which combines NAT-src and NAT-dst.
Thus not only is the destination address (A.B.C.D) translated to the internal address (192.168.1.175), but it also translates the source address.

It might work, but the source address translation part should not be needed.
I don't know which steps you went through in the "Policy Wizard" and which choices you made.
Maybe one of these choices had to do with source address translation and you can skip that.

I WAS ABLE TO GO INTO "POLICIES" IN THE GUI AND REMOVE THE NAT-SRC ENTRY

I don't have a box with the GUI tools so I can't 'walk you through' the wizard.

WE GET GUI BY TYPING 192.168.1.2 (I.E. ROUTER LAN ADDRESS) INTO A BROWSER - ARE YOU SURE YOU CAN'T ACCESS IT LIKE THIS ?
zorba111Author Commented:
How do I access the router's CLI?

And is there a way to list out the current configuration in the CLI?

(That way we can compare like with like.)
zorba111Author Commented:
Aha, I can get into the router with CMD> telnet 192.168.1.2

and then logging in

> get policy all

shows the policy table, but I can't work out how to pipe this to a file, as

> get policy all > c:\temp\policy.txt

gives a syntax error!
Any ideas?
Then I can get the router config spat out and we can compare notes...

zorba111Author Commented:
Also, is there any way to test that port forwarding has been set up correctly?
HalindarCommented:
Zorba,

You could use a telnet tool with logging capability, or you could possibly cut and paste the text from the window to a text file.

Did you check with the new policy setting if the PBX can be accessed from the outside of your Netscreen 5GT?

I can't access any Juniper device at the moment; I have an SSG520 box but I can't access it at the moment. So I'm working from memory here :)
HalindarCommented:
Zorba,

To test the port forwarding you would need to initiate traffic on the outside interface directed at the PBX.
Once you can send traffic you could use the CLI debug commands to check if the packets flow correctly.

Debugging through the CLI is, however, advanced stuff, so the best test would be to simply see if the intended traffic is flowing to the PBX. In other words, if you can reach the PBX the way you wanted to.
zorba111Author Commented:
On Tuesday pm we tested port forwarding by setting a service for SSH and linking it to the Linux box via a policy - in theory easy to establish if working (by getting a remote SSH session into the Linux box) - it didn't work.

Looks like ANY attempt at port forwarding is doomed.

Today (Friday) I got a quick 10 mins with the Juniper guy at the company who installed our router. He says the problem is that we have only one static IP address, which has been exclusively associated with our SBS server (another box, at 192.168.1.253). My Asterisk consultant says this is bulls*t, as he has set up many networks with only one static IP address, but multiple boxes inside the firewall that are all accessible from the outside world.

I'm thinking that maybe this (let's call it) "one server, one static IP" philosophy is a Juniper concept, sort of a simplicity via redundancy idea, and maybe something they teach their engineers?

Or is it a general good practice in enterprise networks, quite apart from the Juniper domain?

What are the pros and cons of it?

Also, how is it implemented in the Juniper GUI, and is it easy to de-implement it, so we can use our static IP for other boxes, not just the SBS server?
zorba111Author Commented:
Halindar,

As my question is basically a new one, I've decided to create a new one (see ID: 23205403), and will award you the points for this one as you helped me in beginning to understand Juniper!

Please have a look at my new question and see if you can help.

thank you
z
HalindarCommented:
Thanks for the points, I have posted on your new question.