PDIS asked:
Port Forwarding on Juniper SSG 140 Firewall

I am trying to add a new virtual port on my Juniper SSG 140.  I have configured a New VIP Service pointing Virtual Port 8015 as a HTTP port pointing to a server on my network.  The status of the VIP in the Juniper is showing as OK but when I do an online port scan it is telling me that my public IP is not responding on that port.  Other VIPs I have configured are working.  I'm not sure where to start troubleshooting this issue.
arnold:
Check where you placed the port forward to make sure it is not below a deny rule. Also make sure the server/ip to which you pointed is listening on the port

Move the rule closer to the top, or within the same grouping as your other port forward policies.

Do you have an explicit deny rule? If so, make sure this policy is not below it.
PDIS (asker):
Thank you so much for your response.

I do not have any explicit deny rules.

I am trying to open port 8020 for HTTP and 554 for RTSP.

Internally if I go to the server from a web browser using http://192.168.1.250:8020 I can access the page I need so I believe the port is working properly on the server.

In my Juniper SSG 140 I have created a VIP on our external port with virtual port 8020, service HTTP pointing to internal server 192.168.1.250

Also under Policies, Untrust to Trust I created an entry.  Source Any, Destination 192.168.1.250, Service HTTP, Allow

I rebooted the firewall just in case but when I go use an online port scanner and look for 8020 on our public IP, I get an error that the Public IP isn't responding on port 8020.
In which section did you add the policy, trust/untrust?

It is hard to provide answers to questions where we cannot see what you have.
Double-check that you placed the rule in the correct section; the untrust zone deals with your incoming rules. Make sure, if you have multiple public IPs, that you attach the rule to the public/external IP you want.
Make sure that the internal IP to which you are pointing this forwarding rule actually is listening on the port you want and is actually responsive when connected from outside, and not being restricted by other means/IP access, etc.
Can you internally browse the site at http://192.168.1.250? Does the server have multiple sites (hostname based)?

When you are scanning, are you scanning from outside your network or from the LAN?

Can you redact/masquerade and post the text output of your
show policy untrust.

If you have IDS/IPS, make sure that is not what is blocking your 8020 to web forward...
"Service HTTP" means internal port 80, so you'll have to change the service in the VIP table.
For the VIP policies it is much easier and not less secure to keep a single one for all VIP services - that is no specific target IP and service. Using a VIPped interface address as source already allows only those services you have set up VIP for.
PDIS (asker):
-Yes, I can internally browse the site using http://192.168.1.250:8015
-I am scanning from outside the network using t1shopper.com
-I have two attachments, the first shows the Policies, The destination is listed as nDVR which is 192.168.1.250
[screenshot]
-The second attachment is the VIP screen for our public IP. You will see Virtual Port 8015 pointing as a Service Port, pointing to 192.168.1.250
[screenshot]
As said, you are mapping public port 8015 to private port 80 (HTTP) that way.
The target of policy 53 needs to be "VIP(ethernet...)", not the internal address.
I would also change policy 53 to (Any, VIP, Any service) unless you want to specifically switch allowance of single ports, e.g. by time schedule, on demand or whatever.
You are browsing to lan ip port 8015 but you
Untrusted to trust
Interface ip (public ip) port 8015 => 192.168.1.250 port 80

Are you able to view http://192.168.1.250
If your site is configured on port 8015, your port forward needs to go
Untrust, trust
Any port 8020 => 192.168.1.250 port 8015

Your request and your seeming setup do not correspond.
I
PDIS (asker):
I am not able to view http://192.168.1.250 without adding the port on the end. I do not see a way to add a new policy from untrust to trust specifying ports.

[screenshot]
SOLUTION (Qlemo): [members-only content not shown]

ASKER CERTIFIED SOLUTION: [members-only content not shown]
PDIS (asker):
I did need to create a custom service for 8015 and use that in my policy. Thank you so much.
In future you should give the "correct" answer more points than any workaround (changing the application port might not be feasible or desired, and there is no need to do so here).
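The misconfiguration Qlemo diagnosed (predefined "HTTP" service on the VIP forwards to internal port 80, and policy 53 targets the internal host rather than the VIP) and the fix the asker confirmed, written out as ScreenOS CLI. This is an added example, not configuration posted in the thread; the interface name ethernet0/0 and the service name TCP-8015 are assumptions, and the command syntax is from ScreenOS 6 and should be checked against `get config` on your own release.

```text
# --- Configuration as described in the thread (does not work) ---
# "HTTP" is the predefined service, so public 8015 is forwarded to 192.168.1.250:80,
# where nothing answers. The policy also points at the host, not the VIP.
set address "Trust" "nDVR" 192.168.1.250 255.255.255.255
set interface ethernet0/0 vip interface-ip 8015 "HTTP" 192.168.1.250
set policy id 53 from "Untrust" to "Trust" "Any" "nDVR" "HTTP" permit

# --- Corrected configuration ---
# 1. Custom service, so the VIP forwards to the port the application listens on.
set service "TCP-8015" protocol tcp src-port 0-65535 dst-port 8015-8015

# 2. Re-create the VIP entry with that service (assumed interface name ethernet0/0).
unset interface ethernet0/0 vip interface-ip 8015
set interface ethernet0/0 vip interface-ip 8015 "TCP-8015" 192.168.1.250

# 3. Policy destination must be the VIP object, not the internal address.
#    Keep the service narrow and log it so hits from the outside scanner are visible.
unset policy id 53
set policy id 53 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "TCP-8015" permit log

# Alternative Qlemo suggests: one policy covering every service that has a VIP entry.
# Only ports with a VIP mapping are reachable through it, so "ANY" here is not a wildcard open.
# set policy from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "ANY" permit log

# --- Verification ---
get interface ethernet0/0 vip          # mapping shows 8015 -> TCP-8015 -> 192.168.1.250
get policy id 53                       # destination reads VIP(ethernet0/0), service TCP-8015
get session dst-port 8015              # live sessions appear while the external scan runs
```

If the VIP status is OK but `get session dst-port 8015` stays empty during an external scan, the traffic is being dropped before the policy (wrong zone, wrong interface IP, or an upstream filter), not by the server.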