Opening a port in Juniper SSG

I'm trying to open a port on my firewall so that users from outside the network can use the service of one particular server (say 50.0.0.103, port 60000).

How would I go about doing this?

I've set up a custom service in policy elements and also added a VIP entry on the interface page. My entry in the services looks like this:
TCP Source 0-65535 Destination 60000-60000
UDP Source 0-65535 Destination 60000-60000
Which doesn't work, and anyhow doesn't make any sense. Why do I need to set Source as 0-65535 (this was recommended by my network guy) instead of just 60000-60000?

Additionally, I've also tried:
TCP Source 60000-60000 Destination 60000-60000
Which I think is more secure, because I don't understand why we need to open all ports when we only need 1 port. But this also didn't work.

I don't understand why I need to open both TCP and UDP. (On that note, how do I know which one to open? The software only asks to open port 60000; it didn't say TCP or UDP.)

And how would I go about opening this port?
2 Solutions
 
hugetoon Commented:
1) You need to authorize source 0-65535 because, in the general case, when a TCP connection is established the source port is random. Actually you may try to use 1024-65535 as source ports, since ports under 1023 are considered privileged on Unix systems.

2) If you only need TCP, there is no reason to authorize UDP. These two protocols are independent unless the application really uses both.

3) On Juniper you should pay attention to 2 things:
  a) select the correct source and destination interfaces when you create the rule
  b) use "route" instead of the default "nat" setting in interface properties unless you really need NAT.

4) Of course you should make sure that the routing configuration is correct:
 - try pinging both hosts from the firewall.

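As an added example (not posted in this thread and not taken from Juniper documentation), here is how the four points above map onto the ScreenOS CLI of an SSG: a custom service that accepts ephemeral source ports and only the protocol the application really uses, a VIP on the untrust interface that forwards destination port 60000 to 50.0.0.103, the trust interface in route mode, and the policy that actually permits the traffic. The interface names ethernet0/0 (Untrust) and ethernet0/1 (Trust), the service name svc-60000 and the VIP address object name are assumptions; the server address and port come from the question.

```text
# Added example, not from the thread. Assumed: ethernet0/0 is the Untrust
# interface, ethernet0/1 is the Trust interface, service name "svc-60000".

# 1) Custom service: clients pick a random (ephemeral) source port, so the
#    source range must be wide; only the destination port is fixed.
#    Add the UDP line only if the application really uses UDP.
set service "svc-60000" protocol tcp src-port 1024-65535 dst-port 60000-60000
# set service "svc-60000" + udp src-port 1024-65535 dst-port 60000-60000

# 2) VIP on the interface IP: inbound traffic to dst port 60000 is forwarded
#    to the internal host. The firewall selects the target by destination
#    port, so a second VIP entry for port 50000 on the same host is no conflict.
set vip multi-port
set interface ethernet0/0 vip interface-ip 60000 "svc-60000" 50.0.0.103

# 3) Trust interface in route mode unless NAT is really needed
set interface ethernet0/1 route

# 4) Policy from Untrust to Trust; the VIP alone does nothing without it.
#    "VIP(ethernet0/0)" is the address object ScreenOS uses for an
#    interface-IP VIP (assumed name, check with "get vip").
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "svc-60000" permit log
save
```

After committing, "get vip" and "get policy" show whether the VIP entry and the policy were accepted, and pinging 50.0.0.103 from the firewall (point 4 above) confirms the trust-side route before you blame the policy. Keeping the policy logged and the service restricted to the one protocol in use limits what an attacker on the outside can reach to the single service that was meant to be published.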
 
SW111 (Author) Commented:
Hugetoon, thanks for the reply. I've tried using source 0-65335 for BOTH TCP and UDP, and destination 60000 for both. It still doesn't work.

Is it possible that this is the problem: I have also opened port 50000 on the same computer (50.0.0.103), which works without a problem.

I guess I don't understand how it would work if we specify source port "0-65335" to destination port 60000 AND 50000 on the same computer. How would Juniper know whether to pass traffic to port 60000 or 50000?
 
Sanga Collins (Systems Admin) Commented:
From the command line in the Juniper (this cannot be done from the WebUI):

# set vip multi-port
# save

This will allow you to specify additional ports for your VIP.
 
SW111 (Author) Commented:
Ah, turns out that the problem is I have to also set a policy in addition to the route, as described by hugetoon. It worked once I set the route.
