SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to make server accessible from the internet with a public IP

    Posted 10-16-2013 18:34

    I have been sitting here for a long while and can't find a solution to the problem described below. The server has its old configuration. I set a default route and NAT on the SRX for Internet access from the LAN.

     

    The server is accessible by its public IP from the LAN side, but not from the Internet. Can someone give me a hint on how to allow access to the server from the Internet? Trusted zone? Proxy ARP? DMZ? I have to finish this by morning. Please help.



  • 2.  RE: How to make server accessible from the internet with a public IP

    Posted 10-16-2013 19:14

    Just guessing, because you don't give many details. 

     

    You have a server which used to be used behind your Internet router, and it has a public IP address. Now there's an SRX in between. 

     

    Did the SRX replace your previous Internet router? Or, was it put between your Internet router and the server?

     

    Basically, what devices are between the Internet and the server, and are any of them doing NAT or firewall?

     

    It would also be helpful if you posted your SRX config (either attach a text file, or paste it in using the HTML tab with <pre> before and </pre> after), and say what subnet the server is on.



  • 3.  RE: How to make server accessible from the internet with a public IP

    Posted 10-16-2013 19:22

    Thanks for the response. The SRX replaced another router from a different vendor.

     

    The situation is like this: Internet - SRX - Server. The server has two NICs, one with the public IP and the other with a LAN IP. The SRX has a very simple configuration:

     

    system {
        host-name sz-pipe;
        root-authentication {
            encrypted-password "$1$vu1xm1Br$mtQ9y9J.xShyVTmHE7JuV1"; ## SECRET-DATA
        }
        services {
            ssh;
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family inet;
            }
        }
        fe-0/0/6 {
            unit 0 {
                family inet;
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 83.238.xx.38/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 83.238.xx.37;
        }
    }
    security {
        nat {
            source {
                rule-set interface-nat {
                    from zone trust;
                    to zone untrust;
                    rule rule1 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;
                                dhcp;
                            }
                        }
                    }
                    lo0.0;
                    fe-0/0/6.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/7.0;
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
        }
    }

     

    Before, I had IP addresses assigned on fe6 and fe5: a LAN IP and a public IP from the same subnet as the server's public IP. It did not work. I don't need any security, just Internet for the LAN via NAT and a transparent public IP on the server. The server's public IP is from a different subnet than the upstream router.



  • 4.  RE: How to make server accessible from the internet with a public IP

    Posted 10-16-2013 19:44

    I now have the problem that I want to switch the first 5 ports and want to have access to the web interface and CLI from all of them.

     

    Of course, after removing the IP from ge0 and assigning it to the vlan I have no access to the router any more. Very good documentation.
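The lock-out described in this post is the usual one on a branch SRX: the address moves to the routed VLAN interface, but that interface is not yet in a security zone, and the SRX only accepts management traffic on an interface that belongs to a zone which allows the service under host-inbound-traffic. The following set commands are an added example, not the poster's configuration: the port names ge-0/0/0, ge-0/0/1 and fe-0/0/2 to fe-0/0/4 are assumed from the ge-0/0/0 and fe-0/0/5 to fe-0/0/7 names in the config above (an SRX210 layout), the VLAN name vlan-trust and VLAN ID 3 are choices made here, and the vlan/vlan.0 syntax is the branch-SRX form of that Junos era (newer releases use irb instead of vlan).

```junos
## Assumed: SRX210-style port names; LAN gateway 192.168.1.1/24 moves from ge-0/0/0 to vlan.0.
## A unit cannot carry both family inet and family ethernet-switching, so drop inet first.
delete interfaces ge-0/0/0 unit 0 family inet

## One access VLAN across the first five front ports (assumed names).
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust

## The step that causes the lock-out when it is missed: the interface that now owns the
## address must be in a zone, and that zone (or the interface) must allow the services.
## ge-0/0/0.0 is no longer an inet interface, so it leaves the zone and vlan.0 takes its place.
delete security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp

## Commit with an automatic rollback: if management access is lost, the box reverts after
## 5 minutes; if you can still reach it, confirm with a plain "commit".
commit confirmed 5
```

The trust zone in the config above already has `system-services all` at zone level, so vlan.0 would inherit full management access the moment it joins the zone; the interface-level list here is the narrower choice, which is worth making on a LAN-facing interface even when "no security" is the stated goal. `commit confirmed` is the habit that turns a lock-out into a five-minute wait instead of a console visit.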



  • 5.  RE: How to make server accessible from the internet with a public IP

    Posted 10-16-2013 21:40
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit; <- hehe
                    }


  • 6.  RE: How to make server accessible from the internet with a public IP

    Posted 10-17-2013 03:16

    "I had before ip adresses assigned on fe6 and 5 with LAN IP and public IP from the same subnet as the serverspublic IP."

     

    That's what you want, but fe5 and fe6 are in the trust zone, which is why you couldn't reach the server from the outside - there's no rule to allow it. Also, your untrust to trust rule makes everything going out NATted - that would include the server's public IP.

     

    Put fe5 and fe6 in the untrust zone, or create a DMZ zone, and then add a permit rule:

            from-zone untrust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }

     

     

     

     



  • 7.  RE: How to make server accessible from the internet with a public IP
    Best Answer

    Posted 10-17-2013 15:09
            from-zone untrust to-zone server {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone server {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }

    I did it like this. But the server's web pages are not accessible from the LAN side.
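Pulling replies 6 and 7 together, here is an added example in set-command form of the zone, policy and NAT layout they describe. It is not the poster's configuration: the server's public subnet 203.0.113.0/29, the SRX address 203.0.113.1 on fe-0/0/5 and the server address 203.0.113.2 are assumed (the thread only says the server's public IP is in a different subnet than the upstream link), and the inbound policy is narrowed to the server's address and the web ports instead of the any/any permit shown in the replies above.

```junos
## Assumed addressing: the ISP routes 203.0.113.0/29 to the SRX's untrust address
## 83.238.xx.38; the SRX owns 203.0.113.1/29 on fe-0/0/5 and the server's public NIC
## is 203.0.113.2. The LAN stays 192.168.1.0/24 on ge-0/0/0 in zone trust.
set interfaces fe-0/0/5 unit 0 family inet address 203.0.113.1/29

## Dedicated zone for the public-facing NIC (reply 7 calls it "server").
set security zones security-zone server interfaces fe-0/0/5.0
set security zones security-zone server host-inbound-traffic system-services ping
set security zones security-zone server address-book address web-server 203.0.113.2/32

## Inbound from the Internet: only this host, only the web ports, logged.
## Anything else from untrust to the server zone has no policy and is dropped.
set security policies from-zone untrust to-zone server policy allow-web match source-address any
set security policies from-zone untrust to-zone server policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone server policy allow-web match application junos-http
set security policies from-zone untrust to-zone server policy allow-web match application junos-https
set security policies from-zone untrust to-zone server policy allow-web then permit
set security policies from-zone untrust to-zone server policy allow-web then log session-close

## Outbound from the server with its own public address (updates, DNS, replies are
## covered by the session, this is for connections the server initiates).
set security policies from-zone server to-zone untrust policy server-out match source-address web-server
set security policies from-zone server to-zone untrust policy server-out match destination-address any
set security policies from-zone server to-zone untrust policy server-out match application any
set security policies from-zone server to-zone untrust policy server-out then permit

## LAN clients reaching the server by its public address through the SRX.
set security policies from-zone trust to-zone server policy lan-to-server match source-address any
set security policies from-zone trust to-zone server policy lan-to-server match destination-address web-server
set security policies from-zone trust to-zone server policy lan-to-server match application any
set security policies from-zone trust to-zone server policy lan-to-server then permit

## NAT: nothing to add. The existing rule-set "interface-nat" is "from zone trust to zone
## untrust", so sessions leaving zone server are never translated and keep 203.0.113.2 as
## their source. Had the server stayed in zone trust, rule1 would have rewritten its public
## address to the untrust interface address on every outbound packet, which is the
## "transparent public IP" breakage reply 6 points at.
commit confirmed 5
```

To check the result from the SRX: `show route 203.0.113.0/29` should point at fe-0/0/5.0, `show security zones` should list fe-0/0/5.0 under server, `show security policies from-zone untrust to-zone server` should show allow-web, and while a client connects, `show security flow session destination-prefix 203.0.113.2` should show a session with both wings. One caveat with a dual-homed host like this one: if the server answers a LAN client through its LAN NIC instead of back through fe-0/0/5, the SRX sees only one direction of the TCP handshake and the session never completes, which looks much like a blocked policy from the client's side; the flow session output distinguishes the two. The host's own firewall, as reply 8 found, is the other place to look.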



  • 8.  RE: How to make server accessible from the internet with a public IP

    Posted 10-18-2013 14:48

    The problem was a firewall rule on the web server.