Solved

Port Forwarding on Juniper SSG 140 Firewall

Posted on 2016-08-25
Last Modified: 2016-11-23
I am trying to add a new virtual port on my Juniper SSG 140. I have configured a new VIP service pointing Virtual Port 8015 as an HTTP port to a server on my network. The status of the VIP in the Juniper is showing as OK, but when I do an online port scan it tells me that my public IP is not responding on that port. Other VIPs I have configured are working. I'm not sure where to start troubleshooting this issue.
Question by:PDIS
13 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 41771532
Check where you placed the port forward to make sure it is not below a deny rule. Also make sure the server/IP to which you pointed is listening on the port.

Move the rule closer to the top, or within the same grouping as your other port forward policies.

Do you have an explicit deny rule? If so, make sure this policy is not below it.

Author Comment

by:PDIS
ID: 41776188
Thank you so much for your response.

I do not have any explicit deny rules.

I am trying to open port 8020 for HTTP and 554 for RTSP.

Internally, if I go to the server from a web browser using http://192.168.1.250:8020 I can access the page I need, so I believe the port is working properly on the server.

In my Juniper SSG 140 I have created a VIP on our external port with virtual port 8020, service HTTP, pointing to internal server 192.168.1.250.

Also under Policies, Untrust to Trust, I created an entry: Source Any, Destination 192.168.1.250, Service HTTP, Allow.

I rebooted the firewall just in case, but when I use an online port scanner and look for 8020 on our public IP, I get an error that the public IP isn't responding on port 8020.
LVL 76

Expert Comment

by:arnold
ID: 41776829
In which section did you add the policy, trust/untrust?

It is hard to provide answers to a question where we cannot see what you have.
Double check that you placed the rule in the correct section; the untrust zone deals with your incoming rules. If you have multiple public IPs, make sure that you attach the rule to the public/external IP you want.
Make sure that the internal IP to which you are pointing this forwarding rule is actually listening on the port you want and is actually responsive when connected from outside, and not being restricted by other means (IP access, etc.).
Can you internally browse the site at http://192.168.1.250? Does the server have multiple sites (hostname based)?

When you are scanning, are you scanning from outside your network or from the LAN?

Can you redact/masquerade and post the text output of your
show policy untrust

If you have IDS/IPS, make sure that is not what is blocking your 8020-to-web forward.
LVL 68

Expert Comment

by:Qlemo
ID: 41776850
"Service HTTP" means internal port 80, so you'll have to change the service in the VIP table.
For the VIP policies it is much easier and not less secure to keep a single one for all VIP services - that is no specific target IP and service. Using a VIPped interface address as source already allows only those services you have set up VIP for.

Author Comment

by:PDIS
ID: 41777888
- Yes, I can internally browse the site using http://192.168.1.250:8015
- I am scanning from outside the network using t1shopper.com
- I have two attachments. The first shows the Policies; the destination is listed as nDVR, which is 192.168.1.250.
Juniper Policies Untrust to Trust
- The second attachment is the VIP screen for our public IP. You will see Virtual Port 8015 pointing as a Service Port, pointing to 192.168.1.250.
VIP for Public IP on Juniper
LVL 68

Expert Comment

by:Qlemo
ID: 41777942
As said, you are mapping public port 8015 to private port 80 (HTTP) that way.
The target of policy 53 needs to be "VIP(ethernet...)", not the internal address.
I would also change policy 53 to (Any, VIP, Any service) unless you want to specifically switch allowance of single ports, e.g. by time schedule, on demand or whatever.
LVL 76

Expert Comment

by:arnold
ID: 41778113
You are browsing to LAN IP port 8015, but your Untrust to Trust rule is:
Interface IP (public IP) port 8015 => 192.168.1.250 port 80

Are you able to view http://192.168.1.250?
If your site is configured on port 8015, your port forward needs to be:
Untrust to Trust
Any port 8020 => 192.168.1.250 port 8015

Your request and your seeming setup do not correspond.

Author Comment

by:PDIS
ID: 41778283
I am not able to view http://192.168.1.250 without adding the port on the end. I do not see a way to add a new policy from untrust to trust specifying ports.

CreatePolicy.PNG
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 41778572
The ports (source and destination) are derived from the service you provide in the policy. E.g. HTTP means destination port 80.
Create a new service with destination port 8015, and use that in the policy.
LVL 76

Accepted Solution

by:arnold
arnold earned 250 total points
ID: 41779242
What app is listening on port 8015 on 192.168.1.250?
One option is, as Qlemo pointed out, to define a new service using port 8015.
The other option is to configure the app to listen on port 80, whereby your existing policy will start working.

In the service, do you have a custom/new option?
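The service-name rule Qlemo explains above (the service named in the VIP fixes the port on the internal host, so "HTTP" means port 80) and the two options in the accepted answer, as an added worked example that is not Juniper's code and not from the thread: a small Python model of how a ScreenOS VIP entry and an Untrust-to-Trust policy together decide whether an inbound connection on a public port reaches the internal server. The built-in service ports, the 192.168.1.250 address and the 8015/554 ports come from the thread; the interface name ethernet0/0, the custom service name custom-8015, the listening table and the matching rule that the policy destination must be the VIP object (per Qlemo's comment) are assumptions. It runs the setup as originally posted, the setup with only the policy fixed, and the fully fixed setup, and reports which stage drops the connection.

```python
"""Model of the two ScreenOS checks this thread turns on.

Added example written for this page, not Juniper's code.  The interface
name ethernet0/0, the service name custom-8015, the listening table and
the policy-matching rule are assumptions; the addresses and ports are
the ones the thread discusses.
"""
from dataclasses import dataclass

# Built-in services map a name to a destination port.  "HTTP" in a VIP
# means the internal host is reached on port 80, whatever the public
# virtual port is.  (Constructed subset of the service table.)
BUILTIN_SERVICES = {"HTTP": 80, "RTSP": 554}


@dataclass(frozen=True)
class Vip:
    interface: str     # interface the VIP lives on, e.g. "ethernet0/0" (assumed)
    virtual_port: int  # public-facing port
    service: str       # service name; its port is the port on the internal host
    map_to: str        # internal host the VIP forwards to


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str       # "Any" or an address
    dst: str       # "Any", "VIP(<interface>)" or an address
    service: str   # "Any" or a service name
    action: str    # "permit" or "deny"


def resolve(public_port, vips, policies, services, listening):
    """Trace a packet arriving on the public IP at public_port.

    Returns (delivered, reason); reason is a short code naming the stage
    that dropped the connection, or "ok:<host>:<port>" on success."""
    vip = next((v for v in vips if v.virtual_port == public_port), None)
    if vip is None:
        return False, "no-vip"
    if vip.service not in services:
        return False, "unknown-service"
    internal_port = services[vip.service]

    # Policy lookup is top-down, first match wins.  Assumption from the
    # thread: VIP traffic matches a destination of VIP(<interface>) or
    # Any, not the internal address.
    for p in policies:
        if (p.from_zone, p.to_zone) != ("Untrust", "Trust"):
            continue
        dst_ok = p.dst in ("Any", f"VIP({vip.interface})")
        svc_ok = p.service in ("Any", vip.service)
        if dst_ok and svc_ok:
            if p.action != "permit":
                return False, "denied-by-policy"
            break
    else:
        return False, "no-policy"

    # Finally the translated port has to be open on the internal host.
    if (vip.map_to, internal_port) not in listening:
        return False, f"not-listening:{vip.map_to}:{internal_port}"
    return True, f"ok:{vip.map_to}:{internal_port}"


SERVER = "192.168.1.250"
# Constructed: the app listens on 8015 and RTSP on 554, nothing on 80.
LISTENING = {(SERVER, 8015), (SERVER, 554)}


def as_posted():
    """VIP uses service HTTP and the policy names the internal IP."""
    vips = [Vip("ethernet0/0", 8015, "HTTP", SERVER)]
    policies = [Policy("Untrust", "Trust", "Any", SERVER, "HTTP", "permit")]
    return resolve(8015, vips, policies, BUILTIN_SERVICES, LISTENING)


def policy_fixed_only():
    """Policy targets the VIP, but the VIP still says HTTP, i.e. port 80."""
    vips = [Vip("ethernet0/0", 8015, "HTTP", SERVER)]
    policies = [Policy("Untrust", "Trust", "Any", "VIP(ethernet0/0)", "HTTP", "permit")]
    return resolve(8015, vips, policies, BUILTIN_SERVICES, LISTENING)


def fixed():
    """Custom service for 8015, VIP uses it, one (Any, VIP, Any) policy."""
    services = {**BUILTIN_SERVICES, "custom-8015": 8015}
    vips = [Vip("ethernet0/0", 8015, "custom-8015", SERVER),
            Vip("ethernet0/0", 554, "RTSP", SERVER)]
    policies = [Policy("Untrust", "Trust", "Any", "VIP(ethernet0/0)", "Any", "permit")]
    # 8020 has no VIP, so the Any-service policy still does not expose it.
    return tuple(resolve(p, vips, policies, services, LISTENING)
                 for p in (8015, 554, 8020))


if __name__ == "__main__":
    print("as posted:        ", as_posted())
    print("policy fixed only:", policy_fixed_only())
    print("fixed:            ", fixed())
```

The last scenario also shows why Qlemo's single (Any, VIP, Any service) policy is not looser than per-service policies: a port with no VIP entry (8020 here) is dropped before the policy is consulted, so only ports you have explicitly mapped are reachable.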

Author Comment

by:PDIS
ID: 41798491
I did need to create a custom service for 8015 and use that in my policy. Thank you so much.
LVL 68

Expert Comment

by:Qlemo
ID: 41899653
In future you should give the "correct" answer more points than any workaround (changing the application port might not be feasible or desired, and there is no need to do so here).