  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3193

NetScreen 25 UDP Ports Not Forwarding

I've recently installed a Netscreen 25 and have created a VIP to forward ports to an internal IP on our LAN.  Because I run an OS X Server, I have enabled port forwarding on TCP ports 8800 and 8443 for iCal and Address Book Sharing along with some other TCP ports.  These work correctly.  

What doesn't work correctly are the UDP ports I am trying to forward.  I would like to use the server as a VPN as well, so I forwarded UDP ports 1701, 500, and 4500 -- but they don't work.  I've also tried to use the Netscreen's predefined services for those ports, but still no luck.  The ports are still closed.  Is there a difference between how the Netscreen treats UDP vs. TCP ports, or does the Netscreen make it difficult to enable those ports because they're VPN ports?

Thanks,
Morgan
Asked by: Runging

3 Solutions
deimark commented:
I've not tried to forward VPN ports before, so there may be some form of issue with doing that.

I would try to create the VPN on the NS25 itself and then forward the decrypted packets to the OS X server if you can.

However, to make sure that the packets make sense to the NetScreen, run a debug flow basic on it.

Here are a couple of links with some info on this, but the basics are as follows:

    1)   get ffilter
    2)   set ffilter
    3)   debug flow basic
    4)   clear db
    5)   test using ping, telnet, etc.
    6)   undebug all
    7)   get db str

Debug and flow filter info
http://etherealmind.com/debug-screenos-netscreen-flow-filter-show-packet-flow/

More troubleshooting tips
http://forums.juniper.net/t5/Firewalls/Troubleshooting-Tips-Debug-commands/td-p/6203

Basically, set the flow filter to match the required traffic, run the debug flow basic and test.  When you have the traffic captured, stop the debug and review the info in the debug buffer.

I often find it useful to set up a TFTP server on my network and then TFTP the info to the server which will allow me to download and then review in a decent text editor.

To move the debug info off the NetScreen, run the following command:

get db stream > tftp <ip address of server> <filename>
 
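The debug-flow procedure above leaves you with a buffer to read by hand. The following is an added example, not part of deimark's post: a small parser that groups a `debug flow basic` buffer by destination port and tells you whether packets for each port arrived on the Untrust interface at all (so the ISP is not dropping them) and what the firewall then did with them (permitted by which policy, denied, matched an existing session, or handled by the box itself). The buffer embedded below is constructed to resemble ScreenOS output, with 198.51.100.5 standing in for the poster's "External IP"; the exact wording of the verdict lines varies between ScreenOS releases, so the OUTCOMES table is meant to be adjusted to your own capture.

```python
"""Summarise a ScreenOS 'debug flow basic' buffer per destination port.

Added example, not part of deimark's post. It answers the two questions the
procedure above is for: did the packet reach the Untrust interface at all (so
the ISP is not dropping it), and what did the firewall do with it. DEBUG_BUFFER
is constructed to resemble debug flow output; wording differs between ScreenOS
releases, so adjust OUTCOMES to match your own capture.
"""
import re
from collections import Counter, defaultdict

PKT_RE = re.compile(r'^\*+ \S+: <(?P<zone>[^/]+)/(?P<iface>[^>]+)> packet received \[(?P<len>\d+)\]')
TUPLE_RE = re.compile(r'^\s*(?P<iface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)<')
XLATE_RE = re.compile(r'dst xlated to (?P<ip>[\d.]+)/(?P<port>\d+)')
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
OUTCOMES = [  # first match wins; "denied" must come before the generic "dropped"
    ("permitted", re.compile(r"Permitted by policy (\d+)")),
    ("denied", re.compile(r"packet dropped, denied by policy")),
    ("session", re.compile(r"existing session found")),
    ("self", re.compile(r"packet is for self")),
    ("dropped", re.compile(r"packet dropped")),
]


def parse_debug_flow(text):
    """One dict per 'packet received' block: 5-tuple, verdict, policy id, VIP/MIP translation."""
    packets, cur = [], None
    for line in text.splitlines():
        if (m := PKT_RE.match(line)):
            cur = {"iface": m["iface"], "length": int(m["len"]), "outcome": "unknown", "policy": None, "xlated": None}
            packets.append(cur)
        elif cur is None:
            continue
        elif (m := TUPLE_RE.match(line)):
            cur.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
                       proto=PROTO.get(int(m["proto"]), m["proto"]))
        elif (m := XLATE_RE.search(line)):
            cur["xlated"] = (m["ip"], int(m["port"]))
        elif cur["outcome"] == "unknown":
            for name, rx in OUTCOMES:
                if (m := rx.search(line)):
                    cur["outcome"], cur["policy"] = name, (int(m.group(1)) if name == "permitted" else None)
                    break
    return packets


def summarize(packets):
    """{(proto, dport): {verdict: count}}: per port, what the box did with what arrived."""
    per_port = defaultdict(Counter)
    for p in packets:
        if "dport" in p:
            per_port[(p["proto"], p["dport"])][p["outcome"]] += 1
    return {k: dict(v) for k, v in per_port.items()}


def arrived_but_not_forwarded(packets):
    """Ports whose packets reached the interface but never earned a permit or a session."""
    return sorted(port for port, counts in summarize(packets).items()
                  if not {"permitted", "session"}.intersection(counts))


# Constructed sample: 198.51.100.5 stands in for the poster's "External IP", 203.0.113.10 is the client.
DEBUG_BUFFER = """\
****** 1001.0: <Untrust/ethernet3> packet received [60]******
  ipid = 4100(1004), @0341a8b0
  ethernet3:203.0.113.10/4521->198.51.100.5/500,17<Root>
  no session found
  policy search from zone 2-> zone 1
  packet dropped, denied by policy
****** 1001.1: <Untrust/ethernet3> packet received [52]******
  ipid = 4101(1005), @0341a9c0
  ethernet3:203.0.113.10/50112->198.51.100.5/8443,6<Root>
  no session found
  policy search from zone 2-> zone 1
  Permitted by policy 6
  dst xlated to 10.10.10.6/8443 (actual VIP mapping)
  session created
****** 1001.2: <Untrust/ethernet3> packet received [52]******
  ipid = 4102(1006), @0341aad0
  ethernet3:203.0.113.10/50112->198.51.100.5/8443,6<Root>
  existing session found. sess_id 2031
****** 1001.3: <Untrust/ethernet3> packet received [60]******
  ipid = 4103(1007), @0341abe0
  ethernet3:203.0.113.10/4522->198.51.100.5/4500,17<Root>
  no session found
  packet is for self, but no interface is specified
"""

if __name__ == "__main__":
    pk = parse_debug_flow(DEBUG_BUFFER)
    for (proto, port), counts in sorted(summarize(pk).items()):
        print(f"{proto}/{port:<5} {counts}")
    print("arrived but not forwarded:", arrived_but_not_forwarded(pk))
```

Run it against a buffer pulled off the box with `get db str` (or the TFTP export above). A port that never shows up in `summarize` at all did not reach the interface, which points at the ISP or the upstream path rather than the NetScreen; a port that shows up as "denied" or "self" reached the box and the fix is in the VIP/MIP and policy configuration.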
bsohn417 commented:
Can you please post your config?
 
Runging (Author) commented:
Well this is probably the ugliest config you've ever seen, since I've been fiddling with every possible thing to get it to work, including the above comment to start the VPN and shoot it through to the OS X Server.  I've also replaced my IP with "External IP".  I hope this is OK.  Here it is:

set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "Address Book" protocol tcp src-port 0-65535 dst-port 8800-8800
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "TCP_10000" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "TCP_139" protocol tcp src-port 0-65535 dst-port 139-139
set service "TCP_445" protocol tcp src-port 0-65535 dst-port 445-445
set service "TCP_548" protocol tcp src-port 0-65535 dst-port 548-548
set service "TCP_8008" protocol tcp src-port 0-65535 dst-port 8008-8008
set service "TCP_8443" protocol tcp src-port 0-65535 dst-port 8443-8443
set service "UDP_1701" protocol udp src-port 0-65535 dst-port 1701-1701
set service "UDP_4500" protocol udp src-port 0-65535 dst-port 4500-4500
set service "UDP_500" protocol udp src-port 0-65535 dst-port 500-500
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "Administrator"
set admin password "password"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.10.10.1/24
set interface ethernet1 nat
set interface ethernet3 ip External IP/29
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet3 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 vip untrust 8008 "TCP_8008" 10.10.10.6
set interface ethernet3 vip untrust 8800 "Address Book" 10.10.10.6
set interface ethernet3 vip untrust 8080 "TCP_10000" 10.10.10.5
set interface ethernet3 vip untrust 3389 "RDP" 10.10.10.2
set interface ethernet3 vip untrust 4500 "UDP_4500" 10.10.10.6
set interface ethernet3 vip untrust 548 "TCP_548" 10.10.10.6
set interface ethernet3 vip untrust 139 "TCP_139" 10.10.10.6
set interface ethernet3 vip untrust 445 "TCP_445" 10.10.10.6
set interface ethernet3 vip untrust 8443 "TCP_8443" 10.10.10.6
set domain iwm.local
set hostname firewall
set dns host dns1 10.10.10.2
set dns host dns2 10.10.10.2
set address "Trust" "10.10.10.0/24" 10.10.10.0 255.255.255.0
set address "Trust" "10.10.10.1/255.255.255.0" 10.10.10.1 255.255.255.0
set address "Trust" "10.10.10.6/255.255.255.0" 10.10.10.6 255.255.255.0
set address "Trust" "10.10.10.6/32" 10.10.10.6 255.255.255.255
set address "Untrust" "10.10.10.0/255.255.255.0" 10.10.10.0 255.255.255.0
set address "Untrust" "10.10.10.1/255.255.255.0" 10.10.10.1 255.255.255.0
set address "Untrust" "10.10.10.6/255.255.255.0" 10.10.10.6 255.255.255.0
set address "Global" "*.*.*.*" *.*.*.*
set address "Global" "10.10.10.*" 10.10.10.*
set ippool "Apple VPN" External IP Range
set user "vpnuser" uid 1
set user "vpnuser" type  l2tp
set user "vpnuser" password "12345678"
unset user "vpnuser" type auth
set user "vpnuser" "enable"
set ike gateway "Apple VPN" address ExternalIP Main outgoing-interface "ethernet3" preshare "6QF16mXZN1Mv0qswnAC2xs1F4OnK00ueBQ==" sec-level standard
set ike gateway "Apple VPN" cert peer-ca all
set ike respond-bad-spi 1
set xauth default ippool "Apple VPN"
set xauth default dns1 4.2.2.2
set vpn "Apple VPN IKE" gateway "Apple VPN" no-replay tunnel idletime 0 sec-level standard
set l2tp default dns1 4.2.2.2
set l2tp default ippool "Apple VPN"
set l2tp "PSS VPN" id 1 outgoing-interface ethernet3 keepalive 60
set l2tp "PSS VPN" remote-setting ippool "Apple VPN"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log count
set policy id 4 name "VPN Tunnel" from "Trust" to "Untrust"  "Any" "10.10.10.6/255.255.255.0" "ANY" tunnel vpn "Apple VPN IKE" id 2 log
set policy id 6 name "Apple VPN" from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "ANY" permit log
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface ethernet3 gateway external IP
exit

Runging (Author) commented:
I have also just tried this:
http://kb.juniper.net/index?page=content&id=KB9976&actp=search&searchid=1262292409203

I enabled the L2TP services, and also Ping just to make sure it was working.  I could ping the IP, but couldn't open the L2TP ports.  It seems like it only applies to UDP ports?
 
deimark commented:
I may have missed something here, but you have the following service configured:

set service "UDP_1701" protocol udp src-port 0-65535 dst-port 1701-1701

But no associated VIP for this.

Also, for the article above that you tried, can you please post the config extract for that? As the article says, it should work when you use a MIP and not a VIP.
 
Sanga Collins (Systems Admin) commented:
If you use a VIP, the VPN software will have to take NAT into consideration when creating the tunnels. It is not impossible to do it this way, but there are many pitfalls that can make it bothersome.

If you however use a MIP to your Mac server, you should be successful in setting up your VPN. In my experience setting up both a Windows VPN server and a Linux open source VPN server, I had much better results using a MIP.
 
Runging (Author) commented:
I have tried setting up a MIP as well.  I'm going to call my ISP this morning to see if they block these ports or something; I'm not too sure what's going on.  Here's my current config trying to use a MIP for the VPN ports.  This is driving me crazy!

set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "Address Book" protocol tcp src-port 0-65535 dst-port 8800-8800
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "TCP_10000" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "TCP_139" protocol tcp src-port 0-65535 dst-port 139-139
set service "TCP_445" protocol tcp src-port 0-65535 dst-port 445-445
set service "TCP_548" protocol tcp src-port 0-65535 dst-port 548-548
set service "TCP_8008" protocol tcp src-port 0-65535 dst-port 8008-8008
set service "TCP_8443" protocol tcp src-port 0-65535 dst-port 8443-8443
set service "UDP_1701" protocol udp src-port 0-65535 dst-port 1701-1701
set service "UDP_4500" protocol udp src-port 0-65535 dst-port 4500-4500
set service "UDP_500" protocol udp src-port 0-65535 dst-port 500-500
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "Administrator"
set admin password "Password"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.10.10.1/24
set interface ethernet1 nat
set interface ethernet3 ip ExternalIP/29
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet3 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 vip untrust 8008 "TCP_8008" 10.10.10.6
set interface ethernet3 vip untrust 8800 "Address Book" 10.10.10.6
set interface ethernet3 vip untrust 8080 "TCP_10000" 10.10.10.5
set interface ethernet3 vip untrust 3389 "RDP" 10.10.10.2
set interface ethernet3 vip untrust 548 "TCP_548" 10.10.10.6
set interface ethernet3 vip untrust 139 "TCP_139" 10.10.10.6
set interface ethernet3 vip untrust 445 "TCP_445" 10.10.10.6
set interface ethernet3 vip untrust 8443 "TCP_8443" 10.10.10.6
set interface "ethernet3" mip ExternalIP host 10.10.10.6 netmask 255.255.255.255 vrouter "trust-vr"
set domain iwm.local
set hostname firewall
set dns host dns1 10.10.10.2
set dns host dns2 10.10.10.2
set address "Trust" "10.10.10.0/24" 10.10.10.0 255.255.255.0
set address "Trust" "10.10.10.1/255.255.255.0" 10.10.10.1 255.255.255.0
set address "Trust" "10.10.10.6/255.255.255.0" 10.10.10.6 255.255.255.0
set address "Trust" "10.10.10.6/32" 10.10.10.6 255.255.255.255
set address "Untrust" "10.10.10.0/255.255.255.0" 10.10.10.0 255.255.255.0
set address "Untrust" "10.10.10.1/255.255.255.0" 10.10.10.1 255.255.255.0
set address "Untrust" "10.10.10.6/255.255.255.0" 10.10.10.6 255.255.255.0
set address "Global" "*.*.*.*" *.*.*.*
set address "Global" "10.10.10.*" 10.10.10.*
set ippool "Apple VPN" ExternalIP Range
set user "vpnuser" uid 1
set user "vpnuser" type  l2tp
set user "vpnuser" password "12345678"
unset user "vpnuser" type auth
set user "vpnuser" "enable"
set ike gateway "Apple VPN" address 64.190.253.66 Main outgoing-interface "ethernet3" preshare "6QF16mXZN1Mv0qswnAC2xs1F4OnK00ueBQ==" sec-level standard
set ike gateway "Apple VPN" cert peer-ca all
set ike respond-bad-spi 1
set xauth default ippool "Apple VPN"
set xauth default dns1 4.2.2.2
set vpn "Apple VPN IKE" gateway "Apple VPN" no-replay tunnel idletime 0 sec-level standard
set l2tp default dns1 4.2.2.2
set l2tp default ippool "Apple VPN"
set l2tp "PSS VPN" id 1 outgoing-interface ethernet3 keepalive 60
set l2tp "PSS VPN" remote-setting ippool "Apple VPN"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log count
set policy id 4 name "VPN Tunnel" from "Trust" to "Untrust"  "Any" "10.10.10.6/255.255.255.0" "ANY" tunnel vpn "Apple VPN IKE" id 2 log
set policy id 6 name "Apple VPN" from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "ANY" permit log
set policy id 7 name "Apple VPN" from "Untrust" to "Trust"  "Any" "MIP(ExternalIP)" "IKE" permit log
set policy id 7
set service "L2TP"
set service "PING"
set service "UDP_1701"
set service "UDP_4500"
set service "UDP_500"
exit
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface ethernet3 gateway ExternalIP
exit
 
bsohn417 commented:
You create a MIP if you have a static IP; if you have DHCP from your ISP, use a VIP. Once your ports/VIP are created, you will need to create a policy to allow traffic in from Untrust to your zone (whatever your zone is) with the created ports.

For example:

Xbox Live 1 -
UDP src port: 0 - 65535 dst port 3074-3074
TCP src port: 0 - 65535 dst port 3074-3074
TCP src port: 0 - 65535 dst port 88-88
Timeout Never
Xbox Live 2 -
UDP src port: 0 - 65535 dst port 3074-3074
TCP src port: 0 - 65535 dst port 3074-3074
Timeout 30
Xbox Live 3 -
TCP src port: 0 - 65535 dst port 88-88
Timeout 30

Instructions:
Web Management Interface -> Objects -> Services -> Custom -> Click New
Fill in the service name and information as I have described above and click OK.

On the Untrust interface I added a VIP service for Xbox Live 2 and Xbox Live 3 pointing to my Xbox's statically assigned IP address.
Instructions:
Web Management page -> Network -> Interfaces -> Click Edit on the Untrust Interface -> Click VIP on the Properties up top -> Click New VIP service
 
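Both deimark's observation above (a `set service "UDP_1701"` line with no VIP bound to it) and bsohn417's service -> VIP -> policy procedure describe the same chain, and it is easy to lose track of it in a config as long as the ones posted here. The following is an added example, not code from the thread or from Juniper: a script that parses the `set service`, `set interface ... vip`/`mip` and `set policy` lines of a pasted ScreenOS config and reports, for each custom service, how (or whether) traffic from Untrust can reach it. It also flags UDP 500/4500/1701 forwarded on an interface where the firewall's own `set ike gateway ... outgoing-interface` or `set l2tp ... outgoing-interface` is bound, since the box answers those ports itself there; whether the local IKE stack or the VIP/MIP wins for a given packet is something to confirm with debug flow, not something this script decides. The two samples are trimmed from the configs posted above (the IKE preshare value is left out), with "ExternalIP" kept as the poster's placeholder.

```python
"""Audit a ScreenOS config extract for port-forwarding gaps.

Added example, not code from the thread: parses the 'set service', 'set interface
... vip/mip' and 'set policy' lines of a pasted config and reports how (or whether)
Untrust traffic can reach each custom service. Samples are trimmed from the configs
posted above; "ExternalIP" is the poster's placeholder.
"""
import re

SERVICE_RE = re.compile(r'^set service "([^"]+)" protocol (tcp|udp) src-port \S+ dst-port (\d+)-(\d+)')
VIP_RE = re.compile(r'^set interface "?(\w+)"? vip (\S+) (\d+) "([^"]+)" (\S+)')
MIP_RE = re.compile(r'^set interface "?(\w+)"? mip (\S+) host (\S+)')
POLICY_RE = re.compile(r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"\s+'
                       r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject|tunnel)')
POLICY_CTX_RE = re.compile(r'^set policy id (\d+)$')      # bare line opens the policy's sub-context
CTX_SERVICE_RE = re.compile(r'^set service "([^"]+)"$')   # inside it, adds a service to that policy
LOCAL_VPN_RE = re.compile(r'^set (?:ike gateway|l2tp) "[^"]+" .*outgoing-interface "?(\w+)"?')
VPN_PORTS = {500, 4500, 1701}   # IKE, NAT-T, L2TP: the firewall's own VPN stack answers these


def parse_config(text):
    cfg = {"services": {}, "vips": [], "mips": [], "policies": {}, "local_vpn_ifaces": set()}
    ctx = None  # policy id whose 'set service' sub-lines we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line == "exit":
            ctx = None
        elif (m := POLICY_CTX_RE.match(line)):
            ctx = m.group(1)
        elif ctx is not None:
            if (m := CTX_SERVICE_RE.match(line)):
                cfg["policies"][ctx]["services"].add(m.group(1))
        elif (m := SERVICE_RE.match(line)):
            cfg["services"][m.group(1)] = (m.group(2), int(m.group(3)), int(m.group(4)))
        elif (m := VIP_RE.match(line)):
            cfg["vips"].append({"iface": m.group(1), "port": int(m.group(3)), "service": m.group(4), "host": m.group(5)})
        elif (m := MIP_RE.match(line)):
            cfg["mips"].append({"iface": m.group(1), "mip": m.group(2), "host": m.group(3)})
        elif (m := POLICY_RE.match(line)):
            pid, src_zone, _dst_zone, _src, dst, svc, action = m.groups()
            cfg["policies"][pid] = {"id": pid, "from": src_zone, "dst": dst, "services": {svc}, "action": action}
        elif (m := LOCAL_VPN_RE.match(line)):
            cfg["local_vpn_ifaces"].add(m.group(1))
    return cfg


def allows(policy, svc):
    return "ANY" in policy["services"] or svc in policy["services"]


def reachability(cfg):
    """Map each custom service to the paths by which Untrust traffic reaches it."""
    permits = [p for p in cfg["policies"].values() if p["action"] == "permit" and p["from"] == "Untrust"]
    ways = {name: [] for name in cfg["services"]}
    for v in cfg["vips"]:  # a VIP is only live if some Untrust->VIP(iface) policy permits its service
        pols = [p["id"] for p in permits if p["dst"] == f'VIP({v["iface"]})' and allows(p, v["service"])]
        if v["service"] in ways and pols:
            ways[v["service"]].append(f'VIP {v["iface"]}:{v["port"]} -> {v["host"]} (policy {",".join(pols)})')
    for p in permits:  # a MIP has no per-service binding; the policy's service list decides
        if p["dst"].startswith("MIP("):
            for svc in ways:
                if allows(p, svc):
                    ways[svc].append(f'{p["dst"]} (policy {p["id"]})')
    return ways


def unreachable_services(cfg):
    """Custom services the config defines but no Untrust path can deliver to a host."""
    return sorted(svc for svc, paths in reachability(cfg).items() if not paths)


def local_vpn_conflicts(cfg):
    """(iface, port) pairs where UDP 500/4500/1701 is forwarded on an interface that the
    firewall's own IKE gateway or L2TP tunnel is also bound to; confirm with debug flow."""
    port_of = {s: lo for s, (proto, lo, _) in cfg["services"].items() if proto == "udp" and lo in VPN_PORTS}
    hits = {(v["iface"], port_of[v["service"]]) for v in cfg["vips"]
            if v["service"] in port_of and v["iface"] in cfg["local_vpn_ifaces"]}
    for m in cfg["mips"]:
        if m["iface"] in cfg["local_vpn_ifaces"]:
            for p in cfg["policies"].values():
                if p["dst"] == f'MIP({m["mip"]})' and p["action"] == "permit":
                    hits.update((m["iface"], port_of[s]) for s in p["services"] if s in port_of)
    return sorted(hits)


# Trimmed from the two configs posted above (IKE preshare omitted).
COMMON = """\
set service "UDP_1701" protocol udp src-port 0-65535 dst-port 1701-1701
set service "UDP_4500" protocol udp src-port 0-65535 dst-port 4500-4500
set service "UDP_500" protocol udp src-port 0-65535 dst-port 500-500
set ike gateway "Apple VPN" address ExternalIP Main outgoing-interface "ethernet3" sec-level standard
set policy id 6 name "Apple VPN" from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "ANY" permit log
"""
VIP_CONFIG = COMMON + 'set interface ethernet3 vip untrust 4500 "UDP_4500" 10.10.10.6\n'
MIP_CONFIG = COMMON + """\
set interface "ethernet3" mip ExternalIP host 10.10.10.6 netmask 255.255.255.255 vrouter "trust-vr"
set policy id 7 name "Apple VPN" from "Untrust" to "Trust"  "Any" "MIP(ExternalIP)" "IKE" permit log
set policy id 7
set service "UDP_1701"
set service "UDP_4500"
set service "UDP_500"
exit
"""

if __name__ == "__main__":
    for label, text in (("VIP config", VIP_CONFIG), ("MIP config", MIP_CONFIG)):
        cfg = parse_config(text)
        print(label, "unreachable:", unreachable_services(cfg), "VPN-port overlap:", local_vpn_conflicts(cfg))
```

On the first posted config the script reports UDP_1701 and UDP_500 as unreachable (defined, but with no VIP bound and no MIP policy), which is the gap deimark points out; on the second it reports all three UDP services reachable through policy 7's MIP, but flags all three ports as overlapping with the IKE gateway and L2TP tunnel the box itself has on ethernet3. Paste a full `get config` into `parse_config` to run it against a real device.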
Runging (Author) commented:
None of this has worked.  I'll just forward AFP/iCal/AB ports instead.

Thanks for your help.
 
Runging (Author) commented:
It wasn't fully answered, none of these worked and I resorted to forwarding other ports rather than establishing a VPN.