SRX Services Gateway
Contributor
APESMA
Posts: 33
Registered: 07-21-2011
Accepted Solution

From the internet, unable to access J-Web based on KB17223 FBF

Hi All,

I have a similar issue, and it has been fixed when accessing J-Web from the LAN.

## Last changed: 2011-11-19 21:06:36 EST
version 10.4R7.5;
system {
    host-name SRX210HXMel;
    domain-name apesma.local;
    time-zone Australia/Melbourne;
    root-authentication {
        encrypted-password "StrongPassword"; ## SECRET-DATA
    }
    name-server {
        1.1.1.254;
        2.2.2.254;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                port 89;
            }
            https {
                port 10443;
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 49;
    max-configuration-rollbacks 49;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description Port4Trust;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 10.20.3.254/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description Port4DMZ1;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.1/26;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            description Port4DMZ2;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.65/26;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            description Port4DMZ3;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.129/26;
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            description Port4DMZ4;
            family inet {
                filter {
                    input filter-based-forwarding;
                }
                address 192.168.3.193/26;
                address 172.16.3.12/24;
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            description Port4AAPTMel;
            family inet {
                address 1.1.1.2/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            description Port4OptusMel;
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet isp-instances;
    }
    static {
        route 0.0.0.0/0 next-hop 2.2.2.1;
    }
    rib-groups {
        isp-instances {
            import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ISP-3.inet.0 ISP-4.inet.0 ];
        }
    }
}
protocols {
    stp;
}
security {
    alg {
        sccp disable;
        sip disable;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set OUTGOING {
                from zone [ dmz1 dmz2 dmz3 dmz4 trust ];
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool vDBServer {
                address 192.168.3.66/32 port 443;
            }
            rule-set DNATTest {
                from interface fe-0/0/7.0;
                rule vDBServer {
                    match {
                        destination-address 2.2.2.115/32;
                    }
                    then {
                        destination-nat pool vDBServer;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/7.0 {
                address {
                    2.2.2.115/32;
                }
            }
        }
    }
    policies {
        from-zone dmz2 to-zone untrust {
            policy dmz2-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz4 to-zone untrust {
            policy dmz4-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone dmz2 {
            policy ISP2-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application [ junos-https junos-http ];
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone dmz2 {
            address-book {
                address web-server 192.168.3.66/32;
            }
            interfaces {
                fe-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            tcp-rst;
            address-book {
                address mail-server 10.20.3.5/32;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                fe-0/0/6.0;
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone dmz1 {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz4 {
            interfaces {
                fe-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz3 {
            interfaces {
                fe-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter filter-based-forwarding {
            term jweb {
                from {
                    destination-address {
                        10.20.3.254/32;
                        192.168.3.1/32;
                        192.168.3.65/32;
                        192.168.3.129/32;
                        192.168.3.193/32;
                        1.1.1.2/32;
                    }
                }
                then accept;
            }
            term VoIP {
                from {
                    source-address {
                        172.16.3.242/32;
                    }
                }
                then {
                    routing-instance ISP-1;
                }
            }
            term Subnet-10.20.3.0-ISP-1 {
                from {
                    source-address {
                        10.20.3.0/24;
                    }
                }
                then {
                    routing-instance ISP-1;
                }
            }
            term DMZ2-ISP-2 {
                from {
                    source-address {
                        192.168.3.64/26;
                    }
                }
                then {
                    routing-instance ISP-2;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
routing-instances {
    ISP-1 {
        description AAPTMel;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.1;
            }
        }
    }
    ISP-2 {
        description OptusMel;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 2.2.2.1;
            }
        }
    }
    ISP-3 {
        description MyISP3;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 3.3.3.1;
            }
        }
    }
    ISP-4 {
        description MyISP4;
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 4.4.4.1;
            }
        }
    }
}
applications {
    application junos-ssh inactivity-timeout never;
}

But I can't access J-Web from the internet:

http://1.1.1.2:89

https://1.1.1.2:10443

Could you please shed some light on the issue?

Thanks and regards,

Bob

Distinguished Expert
pk
Posts: 793
Registered: 10-09-2008

Re: From the internet, unable to access J-Web based on KB17223 FBF

Hi

As I can see, 1.1.1.2 is on interface fe-0/0/6; however, from the security-zone settings, only ping is enabled on that interface. Can you try to enable http/https for host-inbound also? If it does not help, please try

a) enable host-inbound-traffic any-service on the interface;

b) access http/https via the 2.2.2.2 address on the fe-0/0/7 interface

and tell me if it works.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
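The rule Petr applies above (zone-level host-inbound-traffic is the default for every interface in the zone, and an interface-level block replaces it for that interface) is easy to get wrong by eye in a long config. Below is an added audit script, written for this page and not taken from the thread or from Juniper: it parses a Junos-style brace configuration, computes the effective system-services per interface, and lists which interfaces accept management services. The config string is constructed to mirror the untrust and trust zone section of Bob's post; the names parse_junos, effective_host_inbound, reaches_service, management_exposure and MANAGEMENT_SERVICES are chosen here.

```python
# Added audit example (not from the thread or Juniper); see the lead-in for assumptions.
from typing import Any

# Constructed sample, modeled on the untrust/trust zone section of the posted config.
SAMPLE_CONFIG = """
security {
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                fe-0/0/6.0;
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
"""

# System-services that give management access to the device itself.
MANAGEMENT_SERVICES = {"http", "https", "ssh", "telnet", "xnm-clear-text", "netconf"}


def parse_junos(text: str) -> dict[str, Any]:
    """Parse Junos brace config: `name {` -> nested dict, `stmt;` -> key with None."""
    root: dict[str, Any] = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop ## annotations such as SECRET-DATA
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def effective_host_inbound(zones: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Return {interface: {"zone": name, "services": set}} using the Junos rule:
    zone-level host-inbound-traffic is the default; an interface-level block replaces it."""
    result: dict[str, dict[str, Any]] = {}
    for key, zone in zones.items():
        if not key.startswith("security-zone "):
            continue
        zone_name = key.split(None, 1)[1]
        zone_hit = zone.get("host-inbound-traffic") or {}
        zone_default = set(zone_hit.get("system-services") or {})
        for ifname, ifcfg in (zone.get("interfaces") or {}).items():
            if ifcfg and "host-inbound-traffic" in ifcfg:
                services = set(ifcfg["host-inbound-traffic"].get("system-services") or {})
            else:
                services = set(zone_default)
            result[ifname] = {"zone": zone_name, "services": services}
    return result


def reaches_service(services: set[str], wanted: str) -> bool:
    """True if `wanted` is accepted directly or via the all / any-service wildcards."""
    return wanted in services or "all" in services or "any-service" in services


def management_exposure(effective: dict[str, dict[str, Any]]) -> dict[str, set[str]]:
    """Management services accepted per interface, with wildcards expanded."""
    exposed: dict[str, set[str]] = {}
    for ifname, info in effective.items():
        hits = {s for s in MANAGEMENT_SERVICES if reaches_service(info["services"], s)}
        if hits:
            exposed[ifname] = hits
    return exposed


EFFECTIVE = effective_host_inbound(parse_junos(SAMPLE_CONFIG)["security"]["zones"])

if __name__ == "__main__":
    for ifname, info in sorted(EFFECTIVE.items()):
        print(f"{ifname:12} zone={info['zone']:8} services={sorted(info['services'])}")
    print("management reachable on:", management_exposure(EFFECTIVE))
```

On the sample this reports fe-0/0/6.0 with only ping (the zone default) and fe-0/0/7.0 with http and https, which is exactly why 1.1.1.2 does not answer J-Web while 2.2.2.2 does. If option a) above (any-service on fe-0/0/6.0) is applied, the report lists every management service on that internet-facing interface; for a defender the smaller change is to list just http and https (or https alone) under fe-0/0/6.0 and keep the other services off the untrust side.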
Contributor
APESMA
Posts: 33
Registered: 07-21-2011

Re: From the internet, unable to access J-Web based on KB17223 FBF

Thank you very much for your help, PK. The solution provided works; I was confused with the IPs between fe-0/0/6 and fe-0/0/7. Once again, thanks for taking the time to check the config file for me. Bob