Solved

port forwarding on juniper ssg20

Posted on 2011-03-20
2,909 Views
Last Modified: 2012-05-11
I've used the WebGUI to set up a VIP/port forward:
external/untrust port 6660 => 192.168.1.73 in the trust zone...

and a policy to allow untrust to trust...

But it is not working. I can see an error in the log that says it 'can't reach the server at 192.168.1.73'.

Surely I've missed something in the VIP setup, or something more basic than that? The internal machines are having no problem accessing the internet, and the Juniper, too.
Question by:jimwarrenus
22 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 35176298
Please show VIP and policy:
get config | incl vip

I assume your internal port is not 6660 - did you use the correct internal port in your VIP definition?
0
 

Author Comment

by:jimwarrenus
ID: 35176330
I'll get CLI access set up; haven't done that yet.

Yes, the internal port is 6660. Is that a problem?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35176391
No, I just thought you want to map that port to another one internally. Could you tell which log entry you refer to regarding the "can't reach" part?
0
 

Author Comment

by:jimwarrenus
ID: 35176655
Listed as 'most recent alarms'; see screenshot.

Total alarms: 1 (Emergencies: 0; Alerts: 0; Critical: 1)

Date/Time            Level     Description
2011-03-19 18:58:25  critical  VIP server 192.168.1.73 cannot be contacted.
 

ScreenShot490.jpg
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35176707
That is the "Server Auto Detection" part of your VIP service definition. Don't use it. I don't know if it matters at all, but for internal services it is completely unnecessary.
Anyway, since you enabled that setting, if the SSG cannot reach the server, it will not forward.
I don't know why the SSG is telling you it cannot reach the server, though. Is there a routing issue? Is that server on a different subnet from the SSG?
0
 

Author Comment

by:jimwarrenus
ID: 35176833
Here's the get config output:

cullman-> get config | incl vip
set interface ethernet0/0 vip interface-ip 6660 "BigAnt" 192.168.1.73
set policy id 3 name "BigAnt" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "BigAnt" permit
cullman->

As a side note, at this point the WebUI isn't allowing any access anymore. Actually, it looks like the login succeeds, but it is only displaying a blank page.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35177123
I don't know of any reason why the WebUI should display blank pages only, sorry. The menu is DHTML, and might not work (it doesn't with IE9), but the page itself is HTML code and should always be displayed.

You have restricted your policy to the "BigAnt" service. I suppose that is defined as dst-port 6660 and the correct protocol (UDP or TCP). You don't need the service restriction on that policy - only VIP traffic can pass, and so only services defined as VIP. But it does no harm, as long as you do not use more than this service. It's just a common pitfall.

We still need to know if 192.168.1.73 is reachable from the SSG. Can you perform a
    trace-route 192.168.1.73 from eth0/0
and the same with your Trust interface?
Is policy 3 the first of your Untrust policies? If not, is it at least above any "deny" policy?
0
 

Author Comment

by:jimwarrenus
ID: 35177227
This command does fail:
trace-route 192.168.1.73 from eth0/0

BTW, I do need to port forward additional ports (6660, 6661, and 2229) from the external interface to 192.168.1.73. Do I need to do something different than VIP?

And for policies:
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 name "BigAnt" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "BigAnt" permit
set policy id 3
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35177308
So policy 3 seems to be the only Untrust policy. For test, always activate session logging (at session begin) in policies. As soon as you are sure the policies work, you can switch it off to reduce logging.

What do you mean with "this command does fail"? Syntax error or no response?

For defining more than one VIP port, at least if managed via a single entry, you need to issue
   set vip multi-port
   reset safe-config no-prompt
but careful, that will reboot the device (because of the last command). Without rebooting the setting does not apply.
After having set multi-port (and performed the reboot), you can use a single VIP entry having defined more than one service port, or several different VIP entries. The former is ok if those ports need to be forwarded to the same IP (as they do here), and you do not want to "dynamically" add and remove available ports.
But before we consider working on multi-port, that single one should work, shouldn't it?
0
 

Author Comment

by:jimwarrenus
ID: 35177337
But before we consider working on multi-port, that single one should work, shouldn't it?
That was my thought with starting with just the one. Until I can see that work I can't see any reason to go further.

The command works; the trace is unsuccessful:
cullman-> trace-route 192.168.1.73 from ethernet0/0
Type escape sequence to escape

Send ICMP echos to 192.168.1.73, timeout is 2 seconds,  maximum hops are 32,  trace from ethernet0/0
1       *       *       *
2       *


0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35177354
Now try the same replacing eth0/0 by your LAN (Trust) port. Though I assume that will not work either ...
Maybe you should show me your full config, or at least the output of get interface.
0
 

Author Comment

by:jimwarrenus
ID: 35177379
trace-route from the Trust port is successful:

cullman-> trace-route 192.168.1.73 from bgroup0
Type escape sequence to escape

Send ICMP echos to 192.168.1.73, timeout is 2 seconds,  maximum hops are 32,  trace from bgroup0
1       2ms     2ms     2ms     192.168.1.73
Trace complete
cullman->

And get config:
cullman-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address           Zone      MAC             VLAN  State  VSD
serial0/0      0.0.0.0/0            Null      N/A             -     D      -
eth0/0         12.196.138.242/21    Untrust   b0c6.9a33.4440  -     U      -
eth0/1         0.0.0.0/0            DMZ       b0c6.9a33.4445  -     D      -
wireless0/0    192.168.2.1/24       Trust     b0c6.9a33.444d  -     D      -
wireless0/1    0.0.0.0/0            Null      b0c6.9a33.444e  -     D      -
wireless0/2    0.0.0.0/0            Null      b0c6.9a33.4455  -     D      -
wireless0/3    0.0.0.0/0            Null      b0c6.9a33.4456  -     D      -
bgroup0        192.168.1.254/24     Trust     b0c6.9a33.4449  -     U      -
  eth0/2       N/A                  N/A       N/A             -     D      -
  eth0/4       N/A                  N/A       N/A             -     U      -
bgroup1        10.10.10.2/24        Untrust   b0c6.9a33.444a  -     U      -
  eth0/3       N/A                  N/A       N/A             -     U      -
bgroup2        0.0.0.0/0            Null      b0c6.9a33.444b  -     D      -
bgroup3        0.0.0.0/0            Null      b0c6.9a33.444c  -     D      -
vlan1          0.0.0.0/0            VLAN      b0c6.9a33.444f  1     D      -
null           0.0.0.0/0            Null      N/A             -     U      0
cullman->

0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35177482
That's the correct behaviour. You have no policy from Untrust to Trust for 192.168.1.73, which is correct - you do not need such. And that IP is reachable from Trust, so the VIP should work.

Switch off the "Server Auto Detection" as stated in http:#a35176707, switch on session logging (http:#a35177308), and try to access the VIP. Make sure you test from outside, with a different IP not in your /21 network.
If you test from inside, you need to allow traffic Trust - Untrust for your virtual port(s) first by defining an additional policy.
0
 

Author Comment

by:jimwarrenus
ID: 35177591
I got auto detection turned off, and logging turned on. The forwarding is still not working, but I don't see any logging results from the attempt?
This is from Reports - System Log - Event:
(Screenshot of Untrust to Trust policy attached.)

2011-03-20 19:52:14 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:443 by admin.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:50:14 warn Admin user "admin" logged in for Web(https) management (port 443) from 192.168.1.70:3436
2011-03-20 19:49:47 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3391
2011-03-20 19:49:29 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3387
2011-03-20 19:43:04 notif VIP server 192.168.1.73 is now in manual mode.
2011-03-20 19:43:01 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:80 by admin.
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) New by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) Remove by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:41:45 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3024

ScreenShot491.jpg
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35178975
Logging is done in the policy. On both the policy table and the Reports > Policies table you should have a grid symbol. Clicking there retrieves the corresponding policy log.
0
 

Author Comment

by:jimwarrenus
ID: 35179076
Hmm, still no entry.

Traffic log for policy:
ID  Source        Destination               Service  Action
3   Untrust/Any   Global/VIP(ethernet0/0)   BigAnt   Permit

Date/Time  Source Address/Port  Destination Address/Port  Translated Source Address/Port  Translated Destination Address/Port  Service  Duration  Bytes Sent  Bytes Received  Close Reason
No entry available
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35179159
It seems as if "BigAnt" is not the port or protocol or both actually used. Check the service entry. Maybe you have set source port instead of destination port.
Without seeing the complete config, I can only guess. Would you consider posting the config, sanitized (only public IPs, usernames and company names need to be masked)?
And you did not tell where you are testing from - is it from outside your LAN?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35189813
Might seem off the wall, but did you try to disable 'server autodetect'?

When I port forward for my Xbox and online gaming, I disable server autodetect and my VIPs then begin to work. :)
0
 

Author Comment

by:jimwarrenus
ID: 35190237
Yep, server autodetect is disabled.

Qlemo: config attached. And yes, all testing is being done from outside the LAN.
juniper-config.txt
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 35191701
I suppose these lines are not correct:
   set service "BigAnt" protocol tcp src-port 6660-6660 dst-port 6660-6660
   set service "BigAntDocs" protocol tcp src-port 6661-6661 dst-port 6661-6661
   set service "SFTP" protocol tcp src-port 2229-2229 dst-port 2229-2229
It is unlikely that source and destination port will both be fixed. IMO those lines should read
   set service "BigAnt" protocol tcp dst-port 6660-6660
   set service "BigAntDocs" protocol tcp dst-port 6661-6661
   set service "SFTP" protocol tcp dst-port 2229-2229
which will allow any source port.
0
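A small audit script for the problem the accepted answer diagnoses, added here as an example and not code from the thread or from Juniper: it parses ScreenOS set service lines, flags any whose source port is pinned to a fixed range, and prints the dst-port-only rewrite. The sample config is constructed from the three service lines quoted above; the assumption that an omitted src-port means 0-65535 is mine.

```python
# Added example (not from the thread or from Juniper): audit ScreenOS "set service"
# lines for a pinned source port, the bug found in the accepted answer, and emit a fix.
import re

SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>tcp|udp)'
    r'(?: src-port (?P<slo>\d+)-(?P<shi>\d+))?'
    r' dst-port (?P<dlo>\d+)-(?P<dhi>\d+)$'
)
ANY_PORT = (0, 65535)  # assumed default when src-port is omitted

def parse_service(line):
    """Parse one 'set service' line into a dict, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    src = (int(g["slo"]), int(g["shi"])) if g["slo"] else ANY_PORT
    return {"name": g["name"], "proto": g["proto"], "src": src,
            "dst": (int(g["dlo"]), int(g["dhi"]))}

def check_service(svc):
    """Findings for a parsed service. A fixed source port never matches real
    clients, which pick an ephemeral source port for each connection."""
    findings = []
    if svc["src"] != ANY_PORT:
        findings.append("src-port %d-%d is pinned; drop src-port" % svc["src"])
    return findings

def suggested_fix(svc):
    """Same service restricted by destination port only."""
    return 'set service "%s" protocol %s dst-port %d-%d' % (
        svc["name"], svc["proto"], svc["dst"][0], svc["dst"][1])

def audit(config_text):
    """Map each service name to (findings, corrected line)."""
    report = {}
    for line in config_text.splitlines():
        svc = parse_service(line)
        if svc:
            report[svc["name"]] = (check_service(svc), suggested_fix(svc))
    return report

# Constructed sample: the three lines quoted above plus one already-correct line.
SAMPLE_CONFIG = """\
set service "BigAnt" protocol tcp src-port 6660-6660 dst-port 6660-6660
set service "BigAntDocs" protocol tcp src-port 6661-6661 dst-port 6661-6661
set service "SFTP" protocol tcp src-port 2229-2229 dst-port 2229-2229
set service "Fixed" protocol tcp dst-port 2229-2229
"""
```

Running audit(SAMPLE_CONFIG) reports the three pinned services with their dst-port-only replacement lines and leaves "Fixed" with no findings.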
 

Author Comment

by:jimwarrenus
ID: 35192073
Definitely worth a try. I'll be able to test it later today.
Thanks
0
 

Author Closing Comment

by:jimwarrenus
ID: 35207417
Thanks, that did it!
0
