[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3003
  • Last Modified:

port forwarding on juniper ssg20

i've used the webgui to setup a vip/port forward:
external/untrust port 6660  =>  192.168.1.73 in the trust zone......

and a policy to allow untrust to trust.......

but, it is not working   ---  i can see an error in the log that says it 'cant reach the server at 192.168.1.73'

surely i've missed something in the vip setup -- or something more basic than that? the internal machines are having no problem accessing the internet, and the juniper, too....
0
jimwarrenus
Asked:
jimwarrenus
  • 11
  • 10
1 Solution
 
QlemoC++ DeveloperCommented:
Please show VIP and policy:
get config | incl vip

I assume your internal port is not 6660 - did you use the correct internal port in your VIP definition?
0
 
jimwarrenusAuthor Commented:
i'll get cli access setup --- havent done that yet

yes, the internal port is 6660--- is that a problem?
0
 
QlemoC++ DeveloperCommented:
No, I just thought you want to map that port to another one internally. Could you tell which log entry you refer to regarding the "can't reach" part?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
jimwarrenusAuthor Commented:
listed as 'most recent alarms' ----see screenshot

Total alarms: 1    (Emergencies: 0; Alerts: 0; Critical: 1)  More...              
 
Date/Time  Level  Description
2011-03-19 18:58:25  critical VIP server 192.168.1.73 cannot be contacted.
 

ScreenShot490.jpg
0
 
QlemoC++ DeveloperCommented:
That is the "Server Auto Detection" part of your VIP service definition. Don't use it. I don't know if it matters at all, but for internal services it is completely unnecessary.
Anyway, since you enabled that setting, if the SSG cannot reach the server, it will not forward.
I don't know why the SSG is telling you it cannot reach the server, though. Is there a routing issue? Is that server on a different subnet from the SSG?
0
 
jimwarrenusAuthor Commented:
here's the get config output....

cullman-> get config | incl vip
set interface ethernet0/0 vip interface-ip 6660 "BigAnt" 192.168.1.73
set policy id 3 name "BigAnt" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)
" "BigAnt" permit
cullman->

as a sidenote, at this point the webui isnt allowing any access anymore..... actually it looks like the login succeeds, but it is only displaying a blank page......  
0
 
QlemoC++ DeveloperCommented:
I don't know of any reason why the WebUI should display blank pages only, sorry. The menu is DHTML, and might not work (it doesn't with IE9), but the page itself is HTML code and should always be displayed.

You have restricted your policy to "BigAnt" service. I suppose that is defined as dst-port 6660 and the correct protocol (UDP or TCP). You don't need the service restriction on that policy - only VIP traffic can pass, and so only services defined as VIP. But it does not harm, as long as you do not use more than this service. It just a common pitfall.

We still need to know if 192.168.1.73 is reachable from the SSG. Can you perform a
    trace-route 192.168.1.73 from eth0/0
and the same with your Trust interface?
Is policy 3 the first of your Untrust policies? If not, is it at least above any "deny" policy?
0
 
jimwarrenusAuthor Commented:
this command does fail
trace-route 192.168.1.73 from eth0/0


btw, i do need to port forward additional ports (6660, 6661, and 2229) from the external
interface to 192.168.1.73.....   do i need to do something different that vip?

and for policies
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 name "BigAnt" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)
" "BigAnt" permit
set policy id 3
0
 
QlemoC++ DeveloperCommented:
So policy 3 seems to be the only Untrust policy. For test, always activate session logging (at session begin) in policies. As soon as you are sure the policies work, you can switch it off to reduce logging.

What do you mean with "this command does fail"? Syntax error or no response?

For defining more than one VIP port, at least if managed via a single entry, you need to issue
   set vip multi-port
   reset safe-config no-prompt
but careful, that will reboot the device (because of the last command). Without rebooting the setting does not apply.
After having set multi-port (and performed the reboot), you can use a single VIP entry having defined more than one service port, or several different VIP entries. The former is ok if those ports need to be forwarded to the same IP (as they do here), and you do not want to "dynamically" add and remove available ports.
But before we consider working on multi-port, that single one should work, shouldn't it?
0
 
jimwarrenusAuthor Commented:
But before we consider working on multi-port, that single one should work, shouldn't it?
that was my thought with starting with just the one......   until i can see that work i cant see any reason to go further....

the command works.... the trace is unsuccessful....
cullman-> trace-route 192.168.1.73 from ethernet0/0
Type escape sequence to escape

Send ICMP echos to 192.168.1.73, timeout is 2 seconds,  maximum hops are 32,  tr
ace from ethernet0/0
1       *       *       *
2       *


0
 
QlemoC++ DeveloperCommented:
Now try the same replacing eth0/0 by your LAN (Trust) port. Though I assume that will not work either ...
Maybe you should show me your full config, or at least the output of    get interface.
0
 
jimwarrenusAuthor Commented:
trace-route from the trust port is successful.....

cullman-> trace-route 192.168.1.73 from bgroup0
Type escape sequence to escape

Send ICMP echos to 192.168.1.73, timeout is 2 seconds,  maximum hops are 32,  tr
ace from bgroup0
1       2ms     2ms     2ms     192.168.1.73
Trace complete
cullman->

and get config
cullman-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN
 State VSD
serial0/0      0.0.0.0/0                         Null        N/A               -
   D   -
eth0/0         12.196.138.242/21                 Untrust     b0c6.9a33.4440    -
   U   -
eth0/1         0.0.0.0/0                         DMZ         b0c6.9a33.4445    -
   D   -
wireless0/0    192.168.2.1/24                    Trust       b0c6.9a33.444d    -
   D   -
wireless0/1    0.0.0.0/0                         Null        b0c6.9a33.444e    -
   D   -
wireless0/2    0.0.0.0/0                         Null        b0c6.9a33.4455    -
   D   -
wireless0/3    0.0.0.0/0                         Null        b0c6.9a33.4456    -
   D   -
bgroup0        192.168.1.254/24                  Trust       b0c6.9a33.4449    -
   U   -
  eth0/2       N/A                               N/A         N/A               -
   D   -
  eth0/4       N/A                               N/A         N/A               -
   U   -
bgroup1        10.10.10.2/24                     Untrust     b0c6.9a33.444a    -
   U   -
  eth0/3       N/A                               N/A         N/A               -
   U   -
bgroup2        0.0.0.0/0                         Null        b0c6.9a33.444b    -
   D   -
bgroup3        0.0.0.0/0                         Null        b0c6.9a33.444c    -
   D   -
vlan1          0.0.0.0/0                         VLAN        b0c6.9a33.444f    1
   D   -
null           0.0.0.0/0                         Null        N/A               -
   U   0
cullman->

0
 
QlemoC++ DeveloperCommented:
That's the correct behaviour. You have no policy from Untrust to trust for 192.168.1.73, which is correct - you do not need such. And that IP is reachable from Trust, so the VIP should work.

Switch off the "Server Auto Detection" as stated in http:#a35176707, switch on session logging (http:#a35177308), and try to access the VIP. Make sure you test from outside, with a different IP not in your /21 network.
If you test from inside, you need to allow traffic Trust - Untrust for your virtual port(s) first by defining an additional policy.
0
 
jimwarrenusAuthor Commented:
i got auto detection turned off, and logging turned on.....    the forwarding is still not working
but i dont see any logging results from the attempt?
this is from reports - system log - event.....
(screenshoot of untrust to trust policy attached....)

2011-03-20 19:52:14 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:443 by admin.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:52:14 notif Policy (3, Untrust->Trust, Any->VIP(ethernet0/0),BigAnt, Permit) was modified by admin via web from host 192.168.1.70 to 192.168.1.254:443.
2011-03-20 19:50:14 warn Admin user "admin" logged in for Web(https) management (port 443) from 192.168.1.70:3436
2011-03-20 19:49:47 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3391
2011-03-20 19:49:29 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3387
2011-03-20 19:43:04 notif VIP server 192.168.1.73 is now in manual mode.
2011-03-20 19:43:01 info System configuration saved by admin via web from host 192.168.1.70 to 192.168.1.254:80 by admin.
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) New by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:43:01 notif VIP (12.196.138.242:6660 BigAnt 192.168.1.73) Remove by admin via web from host 192.168.1.70 to 192.168.1.254:80
2011-03-20 19:41:45 warn Admin user "admin" logged in for Web(http) management (port 80) from 192.168.1.70:3024

ScreenShot491.jpg
0
 
QlemoC++ DeveloperCommented:
Logging is done in the policy. On both the policy table and the Reports > Policies table you should have a grid symbol. Clicking there retrieves the corresponding policy log.
0
 
jimwarrenusAuthor Commented:
hmm, still no entry....

Traffic log for policy : ID Source Destination Service Action
3 Untrust/Any Global/VIP(ethernet0/0) BigAnt Permit
 

Date/Time Source Address/Port Destination Address/Port Translated Source Address/Port Translated Destination Address/Port Service Duration Bytes Sent Bytes Received Close Reason
No entry available
0
 
QlemoC++ DeveloperCommented:
It seems as "BigAnt" is not the port or protocol or both used actually. Check the service entry. Maybe you have set source port instead of destination port.
Without seeing the complete config, I can only guess. Would you consider to post the config, sanitized (only public IPsm, usernames and company names need to be masked)?
And you did not tell where you are testing from - is it from outside your LAN?
0
 
Sanga CollinsSystems AdminCommented:
might seem off the wall, but did you try to disable 'server autodetect' ?

when i port forward for my xbox and online gaming, i disable server autodetect and my VIPs then begin to work. :)
0
 
jimwarrenusAuthor Commented:
yep, server autodetect is disabled.....

Qlemo ---  config attached.......  and yes, all testing is being done from outside the LAN juniper-config.txt
0
 
QlemoC++ DeveloperCommented:
I suppose this lines are not correct:
   set service "BigAnt" protocol tcp src-port 6660-6660 dst-port 6660-6660
   set service "BigAntDocs" protocol tcp src-port 6661-6661 dst-port 6661-6661
   set service "SFTP" protocol tcp src-port 2229-2229 dst-port 2229-2229
It is unlikely that source and destination port will both be fixed. IMO those lines should sound
   set service "BigAnt" protocol tcp dst-port 6660-6660
   set service "BigAntDocs" protocol tcp dst-port 6661-6661
   set service "SFTP" protocol tcp dst-port 2229-2229
which will allow any source port.
0
 
jimwarrenusAuthor Commented:
definitely worth a try --- i'll be able to test it later today.....
thanks
0
 
jimwarrenusAuthor Commented:
Thanks, that did it!
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 11
  • 10
Tackle projects and never again get stuck behind a technical roadblock.
Join Now