11-18-2011 09:09 PM - edited 11-18-2011 10:06 PM
Hi All,
I have a similar issue; it has been fixed for accessing J-Web from the LAN.
## Last changed: 2011-11-19 21:06:36 EST
/* SRX210 dual-ISP configuration as posted (Junos 10.4R7.5). The public   */
/* addresses (1.1.1.0/24, 2.2.2.0/24) and the root password look like      */
/* sanitised placeholders. Reviewer remarks are marked NOTE(review).       */
version 10.4R7.5;
system {
    host-name SRX210HXMel;
    domain-name apesma.local;
    time-zone Australia/Melbourne;
    root-authentication {
        /* "StrongPassword" is a placeholder in the post, not a real hash. */
        encrypted-password "StrongPassword"; ## SECRET-DATA
    }
    /* Resolvers sit on the two ISP subnets (see fe-0/0/6 and fe-0/0/7). */
    name-server {
        1.1.1.254;
        2.2.2.254;
    }
    services {
        ssh;
        /* NOTE(review): telnet and xnm-clear-text carry logins and XML-RPC   */
        /* sessions unencrypted; ssh (and xnm-ssl for the XML API) give the    */
        /* same access over an encrypted channel. Which interfaces actually   */
        /* accept any of these services is decided by host-inbound-traffic    */
        /* under security zones, not here.                                    */
        telnet;
        xnm-clear-text;
        web-management {
            /* J-Web listens on non-default ports (89 and 10443), so a client  */
            /* must name the port explicitly; a request to 80/443 never       */
            /* reaches it.                                                    */
            http {
                port 89;
            }
            https {
                port 10443;
                /* Self-signed certificate: browsers warn, and clients cannot */
                /* verify the device identity from it.                        */
                system-generated-certificate;
            }
        }
    }
    /* NOTE(review): logs are kept only in local files; no remote syslog host */
    /* appears in this listing, so the logs are lost with the device.         */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 49;
    max-configuration-rollbacks 49;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Every internal interface applies the input filter filter-based-forwarding */
/* (defined under firewall below), which steers traffic into an ISP          */
/* routing-instance. The two ISP-facing interfaces (fe-0/0/6, fe-0/0/7)     */
/* carry no filter.                                                          */
interfaces {
    ge-0/0/0 {
        unit 0 {
            description Port4Trust;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.20.3.254/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description Port4DMZ1;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.1/26;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            description Port4DMZ2;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.65/26;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            description Port4DMZ3;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.129/26;
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            description Port4DMZ4;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.193/26;
                /* Secondary subnet; the VoIP source 172.16.3.242 matched in */
                /* the firewall filter lies in it.                            */
                address 172.16.3.12/24;
            }
        }
    }
    /* ISP-1 (AAPT) uplink. Member of zone untrust, where it inherits only */
    /* ping, so J-Web on 1.1.1.2 is not reachable from outside (see zones). */
    fe-0/0/6 {
        unit 0 {
            description Port4AAPTMel;
            family inet {
                address 1.1.1.2/24;
            }
        }
    }
    /* ISP-2 (Optus) uplink. The inet.0 default route and the DNAT/proxy-arp */
    /* for 2.2.2.115 both use this interface.                                */
    fe-0/0/7 {
        unit 0 {
            description Port4OptusMel;
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
}
routing-options {
    /* Copy the directly-connected routes into inet.0 and all four ISP      */
    /* instances, so each forwarding instance can reach the local subnets. */
    interface-routes {
        rib-group inet isp-instances;
    }
    /* Default path for traffic the filter does not steer elsewhere: ISP-2. */
    static {
        route 0.0.0.0/0 next-hop 2.2.2.1;
    }
    rib-groups {
        isp-instances {
            import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ISP-3.inet.0 ISP-4.inet.0 ];
        }
    }
}
protocols {
    stp;
}
security {
    alg {
        sccp disable;
        sip disable;
    }
    /* NOTE(review): this ids-option is defined, but no security-zone in this */
    /* listing attaches it (no "screen untrust-screen;" under zone untrust),  */
    /* so none of these checks are active on the ISP interfaces.             */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Every internal zone is source-NATed to the address of whichever   */
        /* ISP interface the packet leaves on (1.1.1.2 or 2.2.2.2), as       */
        /* chosen by the filter-based-forwarding routing-instance.           */
        source {
            rule-set OUTGOING {
                from zone [ dmz1 dmz2 dmz3 dmz4 trust ];
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* The pool fixes the destination port to 443 for every matched   */
            /* flow, so junos-http (80) permitted by policy ISP2-http-incoming */
            /* also arrives at the server on 443 -- confirm that is intended.  */
            pool vDBServer {
                address 192.168.3.66/32 port 443;
            }
            /* Published on the ISP-2 interface only; 2.2.2.115 is answered */
            /* for by proxy-arp below.                                       */
            rule-set DNATTest {
                from interface fe-0/0/7.0;
                rule vDBServer {
                    match {
                        destination-address 2.2.2.115/32;
                    }
                    then {
                        destination-nat pool vDBServer;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/7.0 {
                address {
                    2.2.2.115/32;
                }
            }
        }
    }
    /* Policies are evaluated first-match within each zone pair. Explicit  */
    /* pairs here: dmz2/trust/dmz4 -> untrust (allow all) and untrust ->   */
    /* dmz2 (web only). Every other pair falls through to default-policy.  */
    policies {
        from-zone dmz2 to-zone untrust {
            policy dmz2-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz4 to-zone untrust {
            policy dmz4-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Only inbound exposure that is explicitly limited: the DNATed web  */
        /* server on ports 80/443 (web-server is defined in zone dmz2).       */
        from-zone untrust to-zone dmz2 {
            policy ISP2-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application [ junos-https junos-http ];
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): with permit-all, every zone pair without an explicit  */
        /* policy is allowed -- untrust -> trust/dmz1/dmz3/dmz4, and all      */
        /* DMZ -> trust and DMZ -> DMZ traffic, e.g. from the Internet-facing  */
        /* web-server in dmz2 into the trust network. The restricted policy   */
        /* above is therefore not what bounds exposure; a deny-all default    */
        /* with explicit permits is the defensive choice.                     */
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone dmz2 {
            address-book {
                address web-server 192.168.3.66/32;
            }
            interfaces {
                /* all/all: this interface accepts every system service       */
                /* (including telnet and J-Web) and every routing protocol.   */
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            tcp-rst;
            address-book {
                address mail-server 10.20.3.5/32;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            /* Zone-level host-inbound: an untrust interface without its own */
            /* host-inbound-traffic block accepts only ping.                 */
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                /* fe-0/0/6.0 (1.1.1.2) has no override, so only ping is      */
                /* accepted here; J-Web requests to 1.1.1.2 are dropped at   */
                /* the zone, which matches the symptom described in the post. */
                fe-0/0/6.0;
                /* fe-0/0/7.0 (2.2.2.2) additionally accepts http/https, i.e.   */
                /* J-Web on 2.2.2.2:89 and 2.2.2.2:10443 from any source.        */
                /* NOTE(review): management UI reachable from the whole         */
                /* Internet is a standing risk; if it must be reachable, limit  */
                /* the allowed sources (e.g. with a filter on lo0) and keep     */
                /* https only.                                                  */
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone dmz1 {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz4 {
            interfaces {
                fe-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz3 {
            interfaces {
                fe-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        /* Applied inbound on every internal interface; terms are evaluated */
        /* in order and the first match wins.                               */
        filter filter-based-forwarding {
            /* Traffic addressed to the SRX's own interface addresses stays   */
            /* in inet.0 instead of being pushed into an ISP instance --      */
            /* presumably the fix for J-Web from the LAN mentioned in the     */
            /* post. 2.2.2.2/32 is not listed; the rib-group under            */
            /* routing-options appears to cover it -- confirm.                */
            term jweb {
                from {
                    destination-address {
                        10.20.3.254/32;
                        192.168.3.1/32;
                        192.168.3.65/32;
                        192.168.3.129/32;
                        192.168.3.193/32;
                        1.1.1.2/32;
                    }
                }
                then accept;
            }
            /* Single VoIP host (on the 172.16.3.0/24 subnet of fe-0/0/4) */
            /* is pinned to ISP-1.                                         */
            term VoIP {
                from {
                    source-address {
                        172.16.3.242/32;
                    }
                }
                then {
                    routing-instance ISP-1;
                }
            }
            /* Trust LAN goes out via ISP-1. */
            term Subnet-10.20.3.0-ISP-1 {
                from {
                    source-address {
                        10.20.3.0/24;
                    }
                }
                then {
                    routing-instance ISP-1;
                }
            }
            /* dmz2 (the web-server subnet) goes out via ISP-2, the same */
            /* side its DNAT is published on.                            */
            term DMZ2-ISP-2 {
                from {
                    source-address {
                        192.168.3.64/26;
                    }
                }
                then {
                    routing-instance ISP-2;
                }
            }
            /* Everything else (dmz1, dmz3, dmz4) follows inet.0, i.e. the */
            /* default route via 2.2.2.1.                                  */
            term default {
                then accept;
            }
        }
    }
}
/* One forwarding instance per ISP, each holding only a default route;   */
/* connected routes arrive through the isp-instances rib-group.         */
routing-instances {
    ISP-1 {
        description AAPTMel;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.1;
            }
        }
    }
    ISP-2 {
        description OptusMel;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 2.2.2.1;
            }
        }
    }
    /* NOTE(review): no interface in this listing carries a 3.3.3.0/24 or   */
    /* 4.4.4.0/24 address, so the next-hops of ISP-3 and ISP-4 do not       */
    /* resolve from what is shown; presumably placeholders for future links. */
    ISP-3 {
        description MyISP3;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 3.3.3.1;
            }
        }
    }
    ISP-4 {
        description MyISP4;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 4.4.4.1;
            }
        }
    }
}
applications {
    /* NOTE(review): overrides the predefined junos-ssh application so that  */
    /* SSH flows through the firewall never age out of the session table on  */
    /* idle; a finite timeout bounds stale-session buildup.                  */
    application junos-ssh inactivity-timeout never;
}
But I can't access J-Web from the Internet:
Could you please shed some light on the issue?
thanks and regards,
Bob
11-20-2011 10:06 AM
Hi
As far as I can see, 1.1.1.2 is on interface fe-0/0/6; however, in the security-zone
settings only ping is enabled on that interface. Can you try enabling
http/https for host-inbound-traffic as well? If that does not help, please try
a) enabling host-inbound-traffic any-service on the interface;
b) accessing http/https via the 2.2.2.2 address on the fe-0/0/7 interface
and tell me whether it works.
11-20-2011 04:21 PM