Solved

port forwarding on juniper ssg20

Posted on 2011-03-20
Last Modified: 2012-05-11
I've used the WebGUI to set up a VIP/port forward:
external/untrust port 6660  =>  192.168.1.73 in the trust zone

and a policy to allow untrust to trust.

But it is not working. I can see an error in the log that says it 'can't reach the server at 192.168.1.73'.

Surely I've missed something in the VIP setup, or something more basic than that? The internal machines are having no problem accessing the internet, and the Juniper, too.
Question by:jimwarrenus
22 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 35176298
Please show VIP and policy:
get config | incl vip

I assume your internal port is not 6660 - did you use the correct internal port in your VIP definition?
0
 

Author Comment

by:jimwarrenus
ID: 35176330
I'll get CLI access set up; haven't done that yet.

Yes, the internal port is 6660. Is that a problem?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35176391
No, I just thought you want to map that port to another one internally. Could you tell which log entry you refer to regarding the "can't reach" part?
0
 

Author Comment

by:jimwarrenus
ID: 35176655
Listed as 'most recent alarms'; see screenshot.

Total alarms: 1    (Emergencies: 0; Alerts: 0; Critical: 1)  More...

Date/Time            Level     Description
2011-03-19 18:58:25  critical  VIP server 192.168.1.73 cannot be contacted.

ScreenShot490.jpg
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35176707
That is the "Server Auto Detection" part of your VIP service definition. Don't use it. I don't know if it matters at all, but for internal services it is completely unnecessary.
Anyway, since you enabled that setting, if the SSG cannot reach the server, it will not forward.
I don't know why the SSG is telling you it cannot reach the server, though. Is there a routing issue? Is that server on a different subnet from the SSG?
0
 

Author Comment

by:jimwarrenus
ID: 35176833
Here's the get config output:

cullman-> get config | incl vip
set interface ethernet0/0 vip interface-ip 6660 "BigAnt" 192.168.1.73
set policy id 3 name "BigAnt" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "BigAnt" permit
cullman->

As a side note, at this point the WebUI isn't allowing any access anymore. Actually it looks like the login succeeds, but it is only displaying a blank page.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35177123
I don't know of any reason why the WebUI should display blank pages only, sorry. The menu is DHTML, and might not work (it doesn't with IE9), but the page itself is HTML code and should always be displayed.

You have restricted your policy to the "BigAnt" service. I suppose that is defined as dst-port 6660 and the correct protocol (UDP or TCP). You don't need the service restriction on that policy - only VIP traffic can pass, and so only services defined as VIP. But it does not harm, as long as you do not use more than this service. It's just a common pitfall.

We still need to know if 192.168.1.73 is reachable from the SSG. Can you perform a
    trace-route 192.168.1.73 from eth0/0
and the same with your Trust interface?
Is policy 3 the first of your Untrust policies? If not, is it at least above any "deny" policy?
0
 

Author Comment

by:jimwarrenus
ID: 35177227
This command does fail:
trace-route 192.168.1.73 from eth0/0

BTW, I do need to port forward additional ports (6660, 6661, and 2229) from the external
interface to 192.168.1.73. Do I need to do something different than VIP?

And for policies:
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 name "BigAnt" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "BigAnt" permit
set policy id 3
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35177308
So policy 3 seems to be the only Untrust policy. For test, always activate session logging (at session begin) in policies. As soon as you are sure the policies work, you can switch it off to reduce logging.

What do you mean by "this command does fail"? Syntax error or no response?

For defining more than one VIP port, at least if managed via a single entry, you need to issue
   set vip multi-port
   reset safe-config no-prompt
but careful, that will reboot the device (because of the last command). Without rebooting the setting does not apply.
After having set multi-port (and performed the reboot), you can use a single VIP entry having defined more than one service port, or several different VIP entries. The former is ok if those ports need to be forwarded to the same IP (as they do here), and you do not want to "dynamically" add and remove available ports.
But before we consider working on multi-port, that single one should work, shouldn't it?
0
 

Author Comment

by:jimwarrenus
ID: 35177337
"But before we consider working on multi-port, that single one should work, shouldn't it?"
That was my thought with starting with just the one. Until I can see that work I can't see any reason to go further.

The command works; the trace is unsuccessful.
cullman-> trace-route 192.168.1.73 from ethernet0/0
Type escape sequence to escape

Send ICMP echos to 192.168.1.73, timeout is 2 seconds,  maximum hops are 32,  trace from ethernet0/0
1       *       *       *
2       *


0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35177354
Now try the same replacing eth0/0 by your LAN (Trust) port. Though I assume that will not work either ...
Maybe you should show me your full config, or at least the output of    get interface.
0
 

Author Comment

by:jimwarrenus
ID: 35177379
trace-route from the Trust port is successful:

cullman-> trace-route 192.168.1.73 from bgroup0
Type escape sequence to escape

Send ICMP echos to 192.168.1.73, timeout is 2 seconds,  maximum hops are 32,  trace from bgroup0
1       2ms     2ms     2ms     192.168.1.73
Trace complete
cullman->

and get config
cullman-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address           Zone      MAC             VLAN  State  VSD
serial0/0      0.0.0.0/0            Null      N/A             -     D      -
eth0/0         12.196.138.242/21    Untrust   b0c6.9a33.4440  -     U      -
eth0/1         0.0.0.0/0            DMZ       b0c6.9a33.4445  -     D      -
wireless0/0    192.168.2.1/24       Trust     b0c6.9a33.444d  -     D      -
wireless0/1    0.0.0.0/0            Null      b0c6.9a33.444e  -     D      -
wireless0/2    0.0.0.0/0            Null      b0c6.9a33.4455  -     D      -
wireless0/3    0.0.0.0/0            Null      b0c6.9a33.4456  -     D      -
bgroup0        192.168.1.254/24     Trust     b0c6.9a33.4449  -     U      -
  eth0/2       N/A                  N/A       N/A             -     D      -
  eth0/4       N/A                  N/A       N/A             -     U      -
bgroup1        10.10.10.2/24        Untrust   b0c6.9a33.444a  -     U      -
  eth0/3       N/A                  N/A       N/A             -     U      -
bgroup2        0.0.0.0/0            Null      b0c6.9a33.444b  -     D      -
bgroup3        0.0.0.0/0            Null      b0c6.9a33.444c  -     D      -
vlan1          0.0.0.0/0            VLAN      b0c6.9a33.444f  1     D      -
null           0.0.0.0/0            Null      N/A             -     U      0
cullman->

0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35177482
That's the correct behaviour. You have no policy from Untrust to trust for 192.168.1.73, which is correct - you do not need such. And that IP is reachable from Trust, so the VIP should work.

Switch off the "Server Auto Detection" as stated in http:#a35176707, switch on session logging (http:#a35177308), and try to access the VIP. Make sure you test from outside, with a different IP not in your /21 network.
If you test from inside, you need to allow traffic Trust - Untrust for your virtual port(s) first by defining an additional policy.
0
 

Author Comment

by:jimwarrenus
ID: 35177591
I got auto detection turned off, and logging turned on. The forwarding is still not working,
but I don't see any logging results from the attempt?
This is from Reports - System Log - Event.
(Screenshot of untrust to trust policy attached.)

2011-03-20 19:52:14 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:443 by admin.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:50:14 warn Admin user "admin" logged in for Web(https) management (port 443) from 192.168.1.70:3436
2011-03-20 19:49:47 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3391
2011-03-20 19:49:29 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3387
2011-03-20 19:43:04 notif VIP server 192.168.1.73 is now in manual mode.
2011-03-20 19:43:01 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:80 by admin.
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) New by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) Remove by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:41:45 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3024

ScreenShot491.jpg
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35178975
Logging is done in the policy. On both the policy table and the Reports > Policies table you should have a grid symbol. Clicking there retrieves the corresponding policy log.
0
 

Author Comment

by:jimwarrenus
ID: 35179076
Hmm, still no entry.

Traffic log for policy:
ID  Source        Destination              Service  Action
3   Untrust/Any   Global/VIP(ethernet0/0)  BigAnt   Permit

Date/Time  Source Address/Port  Destination Address/Port  Translated Source Address/Port  Translated Destination Address/Port  Service  Duration  Bytes Sent  Bytes Received  Close Reason
No entry available
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35179159
It seems as if "BigAnt" is not the port or protocol (or both) actually used. Check the service entry. Maybe you have set source port instead of destination port.
Without seeing the complete config, I can only guess. Would you consider posting the config, sanitized (only public IPs, usernames and company names need to be masked)?
And you did not tell where you are testing from - is it from outside your LAN?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35189813
Might seem off the wall, but did you try to disable 'server autodetect'?

When I port forward for my Xbox and online gaming, I disable server autodetect and my VIPs then begin to work. :)
0
 

Author Comment

by:jimwarrenus
ID: 35190237
Yep, server autodetect is disabled.

Qlemo, config attached. And yes, all testing is being done from outside the LAN. juniper-config.txt
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 35191701
I suppose these lines are not correct:
   set service "BigAnt" protocol tcp src-port 6660-6660 dst-port 6660-6660
   set service "BigAntDocs" protocol tcp src-port 6661-6661 dst-port 6661-6661
   set service "SFTP" protocol tcp src-port 2229-2229 dst-port 2229-2229
It is unlikely that source and destination port will both be fixed. IMO those lines should read
   set service "BigAnt" protocol tcp dst-port 6660-6660
   set service "BigAntDocs" protocol tcp dst-port 6661-6661
   set service "SFTP" protocol tcp dst-port 2229-2229
which will allow any source port.
0
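Added example (not from the thread or from Juniper): a small matcher that parses `set service` lines in the ScreenOS syntax above and checks constructed client flows against them the way the policy lookup does, to show why the fixed-src-port definition silently drops every real connection. The flow tuples, the ephemeral port range and the assumption that an omitted `src-port` means any source port are mine.

```python
# Added example, not from the thread: parse ScreenOS 'set service' lines in
# the syntax posted above and match constructed TCP flows against them the
# way the SSG policy lookup does (protocol, src-port range and dst-port range
# must all match). Shows why a fixed src-port never matches real clients.
import random
import re
from typing import Dict, List, Tuple

Flow = Tuple[str, int, int]  # (protocol, source port, destination port)

SERVICE_RE = re.compile(
    r'set service "(?P<name>[^"]+)" protocol (?P<proto>\w+)'
    r'(?: src-port (?P<s1>\d+)-(?P<s2>\d+))? dst-port (?P<d1>\d+)-(?P<d2>\d+)'
)

def parse_services(config: str) -> Dict[str, dict]:
    """Return {name: {proto, src: (lo, hi), dst: (lo, hi)}} per service line."""
    services = {}
    for line in config.splitlines():
        m = SERVICE_RE.search(line.strip())
        if m:
            # Assumption: an omitted src-port means "any source port" (0-65535).
            src = (int(m["s1"]), int(m["s2"])) if m["s1"] else (0, 65535)
            services[m["name"]] = {"proto": m["proto"], "src": src,
                                   "dst": (int(m["d1"]), int(m["d2"]))}
    return services

def matches(service: dict, flow: Flow) -> bool:
    proto, sport, dport = flow
    return (proto == service["proto"]
            and service["src"][0] <= sport <= service["src"][1]
            and service["dst"][0] <= dport <= service["dst"][1])

# The service line as posted in the thread (broken) and as corrected.
BROKEN = 'set service "BigAnt" protocol tcp src-port 6660-6660 dst-port 6660-6660'
FIXED = 'set service "BigAnt" protocol tcp dst-port 6660-6660'

def client_flows(n: int = 20, seed: int = 1) -> List[Flow]:
    """Constructed client connections: the OS picks an ephemeral source port."""
    rng = random.Random(seed)
    return [("tcp", rng.randint(49152, 65535), 6660) for _ in range(n)]

def hit_rate(config: str, flows: List[Flow]) -> float:
    """Fraction of flows the BigAnt service definition in config would match."""
    svc = parse_services(config)["BigAnt"]
    return sum(matches(svc, f) for f in flows) / len(flows)

if __name__ == "__main__":
    print("broken:", hit_rate(BROKEN, client_flows()))  # 0.0
    print("fixed: ", hit_rate(FIXED, client_flows()))   # 1.0
```

With the posted definition no session is ever created, which is exactly why the policy traffic log stayed at "No entry available".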
 

Author Comment

by:jimwarrenus
ID: 35192073
Definitely worth a try; I'll be able to test it later today.
Thanks
0
 

Author Closing Comment

by:jimwarrenus
ID: 35207417
Thanks, that did it!
0
