jimwarrenus
asked on
port forwarding on juniper ssg20
i've used the webgui to setup a vip/port forward:
external/untrust port 6660 => 192.168.1.73 in the trust zone......
and a policy to allow untrust to trust.......
but, it is not working --- i can see an error in the log that says it 'cant reach the server at 192.168.1.73'
surely i've missed something in the vip setup -- or something more basic than that? the internal machines are having no problem accessing the internet, and the juniper, too....
external/untrust port 6660 => 192.168.1.73 in the trust zone......
and a policy to allow untrust to trust.......
but, it is not working --- i can see an error in the log that says it 'cant reach the server at 192.168.1.73'
surely i've missed something in the vip setup -- or something more basic than that? the internal machines are having no problem accessing the internet, and the juniper, too....
ASKER
i'll get cli access setup --- havent done that yet
yes, the internal port is 6660--- is that a problem?
yes, the internal port is 6660--- is that a problem?
No, I just thought you want to map that port to another one internally. Could you tell which log entry you refer to regarding the "can't reach" part?
ASKER
listed as 'most recent alarms' ----see screenshot
Total alarms: 1 (Emergencies: 0; Alerts: 0; Critical: 1) More...
Date/Time Level Description
2011-03-19 18:58:25 critical VIP server 192.168.1.73 cannot be contacted.
ScreenShot490.jpg
Total alarms: 1 (Emergencies: 0; Alerts: 0; Critical: 1) More...
Date/Time Level Description
2011-03-19 18:58:25 critical VIP server 192.168.1.73 cannot be contacted.
ScreenShot490.jpg
That is the "Server Auto Detection" part of your VIP service definition. Don't use it. I don't know if it matters at all, but for internal services it is completely unnecessary.
Anyway, since you enabled that setting, if the SSG cannot reach the server, it will not forward.
I don't know why the SSG is telling you it cannot reach the server, though. Is there a routing issue? Is that server on a different subnet from the SSG?
Anyway, since you enabled that setting, if the SSG cannot reach the server, it will not forward.
I don't know why the SSG is telling you it cannot reach the server, though. Is there a routing issue? Is that server on a different subnet from the SSG?
ASKER
here's the get config output....
cullman-> get config | incl vip
set interface ethernet0/0 vip interface-ip 6660 "BigAnt" 192.168.1.73
set policy id 3 name "BigAnt" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)
" "BigAnt" permit
cullman->
as a sidenote, at this point the webui isnt allowing any access anymore..... actually it looks like the login succeeds, but it is only displaying a blank page......
cullman-> get config | incl vip
set interface ethernet0/0 vip interface-ip 6660 "BigAnt" 192.168.1.73
set policy id 3 name "BigAnt" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)
" "BigAnt" permit
cullman->
as a sidenote, at this point the webui isnt allowing any access anymore..... actually it looks like the login succeeds, but it is only displaying a blank page......
I don't know of any reason why the WebUI should display blank pages only, sorry. The menu is DHTML, and might not work (it doesn't with IE9), but the page itself is HTML code and should always be displayed.
You have restricted your policy to "BigAnt" service. I suppose that is defined as dst-port 6660 and the correct protocol (UDP or TCP). You don't need the service restriction on that policy - only VIP traffic can pass, and so only services defined as VIP. But it does not harm, as long as you do not use more than this service. It just a common pitfall.
We still need to know if 192.168.1.73 is reachable from the SSG. Can you perform a
trace-route 192.168.1.73 from eth0/0
and the same with your Trust interface?
Is policy 3 the first of your Untrust policies? If not, is it at least above any "deny" policy?
You have restricted your policy to "BigAnt" service. I suppose that is defined as dst-port 6660 and the correct protocol (UDP or TCP). You don't need the service restriction on that policy - only VIP traffic can pass, and so only services defined as VIP. But it does not harm, as long as you do not use more than this service. It just a common pitfall.
We still need to know if 192.168.1.73 is reachable from the SSG. Can you perform a
trace-route 192.168.1.73 from eth0/0
and the same with your Trust interface?
Is policy 3 the first of your Untrust policies? If not, is it at least above any "deny" policy?
ASKER
this command does fail
trace-route 192.168.1.73 from eth0/0
btw, i do need to port forward additional ports (6660, 6661, and 2229) from the external
interface to 192.168.1.73..... do i need to do something different that vip?
and for policies
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 name "BigAnt" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)
" "BigAnt" permit
set policy id 3
trace-route 192.168.1.73 from eth0/0
btw, i do need to port forward additional ports (6660, 6661, and 2229) from the external
interface to 192.168.1.73..... do i need to do something different that vip?
and for policies
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 name "BigAnt" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)
" "BigAnt" permit
set policy id 3
So policy 3 seems to be the only Untrust policy. For test, always activate session logging (at session begin) in policies. As soon as you are sure the policies work, you can switch it off to reduce logging.
What do you mean with "this command does fail"? Syntax error or no response?
For defining more than one VIP port, at least if managed via a single entry, you need to issue
set vip multi-port
reset safe-config no-prompt
but careful, that will reboot the device (because of the last command). Without rebooting the setting does not apply.
After having set multi-port (and performed the reboot), you can use a single VIP entry having defined more than one service port, or several different VIP entries. The former is ok if those ports need to be forwarded to the same IP (as they do here), and you do not want to "dynamically" add and remove available ports.
But before we consider working on multi-port, that single one should work, shouldn't it?
What do you mean with "this command does fail"? Syntax error or no response?
For defining more than one VIP port, at least if managed via a single entry, you need to issue
set vip multi-port
reset safe-config no-prompt
but careful, that will reboot the device (because of the last command). Without rebooting the setting does not apply.
After having set multi-port (and performed the reboot), you can use a single VIP entry having defined more than one service port, or several different VIP entries. The former is ok if those ports need to be forwarded to the same IP (as they do here), and you do not want to "dynamically" add and remove available ports.
But before we consider working on multi-port, that single one should work, shouldn't it?
ASKER
But before we consider working on multi-port, that single one should work, shouldn't it?
that was my thought with starting with just the one...... until i can see that work i cant see any reason to go further....
the command works.... the trace is unsuccessful....
cullman-> trace-route 192.168.1.73 from ethernet0/0
Type escape sequence to escape
Send ICMP echos to 192.168.1.73, timeout is 2 seconds, maximum hops are 32, tr
ace from ethernet0/0
1 * * *
2 *
that was my thought with starting with just the one...... until i can see that work i cant see any reason to go further....
the command works.... the trace is unsuccessful....
cullman-> trace-route 192.168.1.73 from ethernet0/0
Type escape sequence to escape
Send ICMP echos to 192.168.1.73, timeout is 2 seconds, maximum hops are 32, tr
ace from ethernet0/0
1 * * *
2 *
Now try the same replacing eth0/0 by your LAN (Trust) port. Though I assume that will not work either ...
Maybe you should show me your full config, or at least the output of get interface.
Maybe you should show me your full config, or at least the output of get interface.
ASKER
trace-route from the trust port is successful.....
cullman-> trace-route 192.168.1.73 from bgroup0
Type escape sequence to escape
Send ICMP echos to 192.168.1.73, timeout is 2 seconds, maximum hops are 32, tr
ace from bgroup0
1 2ms 2ms 2ms 192.168.1.73
Trace complete
cullman->
and get config
cullman-> get int
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN
State VSD
serial0/0 0.0.0.0/0 Null N/A -
D -
eth0/0 12.196.138.242/21 Untrust b0c6.9a33.4440 -
U -
eth0/1 0.0.0.0/0 DMZ b0c6.9a33.4445 -
D -
wireless0/0 192.168.2.1/24 Trust b0c6.9a33.444d -
D -
wireless0/1 0.0.0.0/0 Null b0c6.9a33.444e -
D -
wireless0/2 0.0.0.0/0 Null b0c6.9a33.4455 -
D -
wireless0/3 0.0.0.0/0 Null b0c6.9a33.4456 -
D -
bgroup0 192.168.1.254/24 Trust b0c6.9a33.4449 -
U -
eth0/2 N/A N/A N/A -
D -
eth0/4 N/A N/A N/A -
U -
bgroup1 10.10.10.2/24 Untrust b0c6.9a33.444a -
U -
eth0/3 N/A N/A N/A -
U -
bgroup2 0.0.0.0/0 Null b0c6.9a33.444b -
D -
bgroup3 0.0.0.0/0 Null b0c6.9a33.444c -
D -
vlan1 0.0.0.0/0 VLAN b0c6.9a33.444f 1
D -
null 0.0.0.0/0 Null N/A -
U 0
cullman->
cullman-> trace-route 192.168.1.73 from bgroup0
Type escape sequence to escape
Send ICMP echos to 192.168.1.73, timeout is 2 seconds, maximum hops are 32, tr
ace from bgroup0
1 2ms 2ms 2ms 192.168.1.73
Trace complete
cullman->
and get config
cullman-> get int
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN
State VSD
serial0/0 0.0.0.0/0 Null N/A -
D -
eth0/0 12.196.138.242/21 Untrust b0c6.9a33.4440 -
U -
eth0/1 0.0.0.0/0 DMZ b0c6.9a33.4445 -
D -
wireless0/0 192.168.2.1/24 Trust b0c6.9a33.444d -
D -
wireless0/1 0.0.0.0/0 Null b0c6.9a33.444e -
D -
wireless0/2 0.0.0.0/0 Null b0c6.9a33.4455 -
D -
wireless0/3 0.0.0.0/0 Null b0c6.9a33.4456 -
D -
bgroup0 192.168.1.254/24 Trust b0c6.9a33.4449 -
U -
eth0/2 N/A N/A N/A -
D -
eth0/4 N/A N/A N/A -
U -
bgroup1 10.10.10.2/24 Untrust b0c6.9a33.444a -
U -
eth0/3 N/A N/A N/A -
U -
bgroup2 0.0.0.0/0 Null b0c6.9a33.444b -
D -
bgroup3 0.0.0.0/0 Null b0c6.9a33.444c -
D -
vlan1 0.0.0.0/0 VLAN b0c6.9a33.444f 1
D -
null 0.0.0.0/0 Null N/A -
U 0
cullman->
That's the correct behaviour. You have no policy from Untrust to trust for 192.168.1.73, which is correct - you do not need such. And that IP is reachable from Trust, so the VIP should work.
Switch off the "Server Auto Detection" as stated in http:#a35176707, switch on session logging (http:#a35177308), and try to access the VIP. Make sure you test from outside, with a different IP not in your /21 network.
If you test from inside, you need to allow traffic Trust - Untrust for your virtual port(s) first by defining an additional policy.
Switch off the "Server Auto Detection" as stated in http:#a35176707, switch on session logging (http:#a35177308), and try to access the VIP. Make sure you test from outside, with a different IP not in your /21 network.
If you test from inside, you need to allow traffic Trust - Untrust for your virtual port(s) first by defining an additional policy.
ASKER
i got auto detection turned off, and logging turned on..... the forwarding is still not working
but i dont see any logging results from the attempt?
this is from reports - system log - event.....
(screenshoot of untrust to trust policy attached....)
2011-03-20 19:52:14 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:443 by admin.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:50:14 warn Admin user "admin" logged in for Web(https) management (port 443) from 192.168.1.70:3436
2011-03-20 19:49:47 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3391
2011-03-20 19:49:29 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3387
2011-03-20 19:43:04 notif VIP server 192.168.1.73 is now in manual mode.
2011-03-20 19:43:01 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:80 by admin.
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) New by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) Remove by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:41:45 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3024
ScreenShot491.jpg
but i dont see any logging results from the attempt?
this is from reports - system log - event.....
(screenshoot of untrust to trust policy attached....)
2011-03-20 19:52:14 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:443 by admin.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigA
2011-03-20 19:50:14 warn Admin user "admin" logged in for Web(https) management (port 443) from 192.168.1.70:3436
2011-03-20 19:49:47 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3391
2011-03-20 19:49:29 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3387
2011-03-20 19:43:04 notif VIP server 192.168.1.73 is now in manual mode.
2011-03-20 19:43:01 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:80 by admin.
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) New by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) Remove by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:41:45 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3024
ScreenShot491.jpg
Logging is done in the policy. On both the policy table and the Reports > Policies table you should have a grid symbol. Clicking there retrieves the corresponding policy log.
ASKER
hmm, still no entry....
Traffic log for policy : ID Source Destination Service Action
3 Untrust/Any Global/VIP(ethernet0/0) BigAnt Permit
Date/Time Source Address/Port Destination Address/Port Translated Source Address/Port Translated Destination Address/Port Service Duration Bytes Sent Bytes Received Close Reason
No entry available
Traffic log for policy : ID Source Destination Service Action
3 Untrust/Any Global/VIP(ethernet0/0) BigAnt Permit
Date/Time Source Address/Port Destination Address/Port Translated Source Address/Port Translated Destination Address/Port Service Duration Bytes Sent Bytes Received Close Reason
No entry available
It seems as "BigAnt" is not the port or protocol or both used actually. Check the service entry. Maybe you have set source port instead of destination port.
Without seeing the complete config, I can only guess. Would you consider to post the config, sanitized (only public IPsm, usernames and company names need to be masked)?
And you did not tell where you are testing from - is it from outside your LAN?
Without seeing the complete config, I can only guess. Would you consider to post the config, sanitized (only public IPsm, usernames and company names need to be masked)?
And you did not tell where you are testing from - is it from outside your LAN?
might seem off the wall, but did you try to disable 'server autodetect' ?
when i port forward for my xbox and online gaming, i disable server autodetect and my VIPs then begin to work. :)
when i port forward for my xbox and online gaming, i disable server autodetect and my VIPs then begin to work. :)
ASKER
yep, server autodetect is disabled.....
Qlemo --- config attached....... and yes, all testing is being done from outside the LAN juniper-config.txt
Qlemo --- config attached....... and yes, all testing is being done from outside the LAN juniper-config.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
definitely worth a try --- i'll be able to test it later today.....
thanks
thanks
ASKER
Thanks, that did it!
get config | incl vip
I assume your internal port is not 6660 - did you use the correct internal port in your VIP definition?