Status: Solved

Port Forwarding on Juniper SSG 140 Firewall

I am trying to add a new virtual port on my Juniper SSG 140. I have configured a New VIP Service pointing Virtual Port 8015 as an HTTP port pointing to a server on my network. The status of the VIP in the Juniper is showing as OK, but when I do an online port scan it is telling me that my public IP is not responding on that port. Other VIPs I have configured are working. I'm not sure where to start troubleshooting this issue.
Asked by: PDIS
2 Solutions
 
arnold commented:
Check where you placed the port forward to make sure it is not below a deny rule. Also make sure the server/IP to which you pointed is listening on the port.

Move the rule closer to the top.... or within the same grouping as your other port forward policies.

Do you have an explicit deny rule? If so, make sure this policy is not below it.
PDIS (Author) commented:
Thank you so much for your response.

I do not have any explicit deny rules.

I am trying to open port 8020 for HTTP and 554 for RTSP.

Internally, if I go to the server from a web browser using http://192.168.1.250:8020 I can access the page I need, so I believe the port is working properly on the server.

In my Juniper SSG 140 I have created a VIP on our external port with virtual port 8020, service HTTP, pointing to internal server 192.168.1.250.

Also under Policies, Untrust to Trust, I created an entry: Source Any, Destination 192.168.1.250, Service HTTP, Allow.

I rebooted the firewall just in case, but when I go to use an online port scanner and look for 8020 on our public IP, I get an error that the public IP isn't responding on port 8020.
arnold commented:
In which section did you add the policy, trust/untrust?

It is hard to provide answers to questions where we cannot see what you have.
Double-check that you placed the rule in the correct section; the untrust zone deals with your incoming rules. Make sure, if you have multiple public IPs, that you attach the rule to the public/external IP you want.
Make sure that the internal IP to which you are pointing this forwarding rule actually is listening on the port you want and is actually responsive when connected from outside and not being restricted by other means/IP access, etc.
Can you internally browse the site at http://192.168.1.250? Does the server have multiple sites (hostname based)?

When you are scanning, are you scanning from outside your network or from the LAN?

Can you redact/masquerade and post the text output of your
show policy untrust.

If you have IDS/IPS, make sure that is not what is blocking your 8020-to-web forward...
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
"Service HTTP" means internal port 80, so you'll have to change the service in the VIP table.
For the VIP policies it is much easier and not less secure to keep a single one for all VIP services - that is no specific target IP and service. Using a VIPped interface address as source already allows only those services you have set up VIP for.
PDIS (Author) commented:
- Yes, I can internally browse the site using http://192.168.1.250:8015
- I am scanning from outside the network using t1shopper.com
- I have two attachments. The first shows the Policies; the destination is listed as nDVR, which is 192.168.1.250 (attachment: Juniper Policies Untrust to Trust). The second attachment is the VIP screen for our public IP. You will see Virtual Port 8015 pointing as a Service Port, pointing to 192.168.1.250 (attachment: VIP for Public IP on Juniper).
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
As said, you are mapping public port 8015 to private port 80 (HTTP) that way.
The target of policy 53 needs to be "VIP(ethernet...)", not the internal address.
I would also change policy 53 to (Any, VIP, Any service) unless you want to specifically switch allowance of single ports, e.g. by time schedule, on demand or whatever.
arnold commented:
You are browsing to LAN IP port 8015 but you
Untrusted to trust
Interface IP (public IP) port 8015 => 192.168.1.250 port 80

Are you able to view http://192.168.1.250?
If your site is configured on port 8015, your port forward needs to go
Untrust, trust
Any port 8020 => 192.168.1.250 port 8015

Your request and your seeming setup do not correspond.
I
PDIS (Author) commented:
I am not able to view http://192.168.1.250 without adding the port on the end. I do not see a way to add a new policy from untrust to trust specifying ports.

(attachment: CreatePolicy.PNG)
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The ports (source and destination) are derived from the service you provide in the policy. E.g. HTTP means destination port 80.
Create a new service with destination port 8015, and use that in the policy.
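The fix Qlemo describes, written out as ScreenOS CLI in an added example (constructed here for illustration, not configuration from the thread or from Juniper). The interface name ethernet0/0, the service name HTTP-8015 and the address-book name nDVR are assumptions taken from or invented around the thread, and the command syntax is quoted from memory of ScreenOS, so check it against the release on the box:

```text
# Setup as described in the thread (constructed): the VIP maps public
# port 8015 to the predefined service HTTP, which means the host is
# reached on port 80 where nothing is listening, and the policy names
# the internal host instead of the VIP address.
set interface ethernet0/0 vip interface-ip 8015 "HTTP" 192.168.1.250
set policy from untrust to trust any "nDVR" "HTTP" permit

# Corrected: a custom service whose destination port is the one the
# application actually listens on, used both in the VIP and the policy,
# with the policy targeting VIP(ethernet0/0) rather than the host.
set service "HTTP-8015" protocol tcp src-port 0-65535 dst-port 8015-8015
set interface ethernet0/0 vip interface-ip 8015 "HTTP-8015" 192.168.1.250
set policy from untrust to trust any "VIP(ethernet0/0)" "HTTP-8015" permit
save

# Optional looser variant Qlemo mentions: one policy for every VIP entry.
# Only ports that have a VIP mapping are reachable through it anyway.
# set policy from untrust to trust any "VIP(ethernet0/0)" ANY permit

# Check that the permit sits above any deny for the same zone pair.
get policy from untrust to trust
```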
arnold commented:
What app is listening on port 8015 on 192.168.1.250?
One option is, as Qlemo pointed out, to define a new service using port 8015.
The other option is to configure the app to listen on port 80, whereby your existing policy will start working.

In the service, do you have a custom/new option?
PDIS (Author) commented:
I did need to create a custom service for 8015 and use that in my policy. Thank you so much.
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
In future you should give the "correct" answer more points than any workaround (changing the application port might not be feasible or desired, and there is no need to do so here).
Question has a verified solution.