W60

How to manage (SSH/HTTPS) SRX on an internal IP remotely?

All, I believe I did see a post at some point regarding this, but I have failed to turn it up - apologies. I am coming from a ScreenOS background and finding the leap to JunOS on the SRX "hard". I realise the idea of the manage-ip is not in JunOS, but I want to set up something similar so I can manage the SRX via SSH/HTTPS on one of its internal interfaces, where the management traffic from the client (i.e. me) is first routed in over a site-to-site VPN that terminates on the SRX. Is this possible? I have read that, as the traffic is being routed back out of a different interface, it will fail. Any tips or links to similar posts are gratefully received.
MMcD

Hi there,

Do you specifically want to manage the SRX on one of its internal interfaces? You could just enable HTTPS/SSH on the specific zone terminating the VPN and also on the st (secure tunnel) interface, and lock it down with a filter to your specific requirements.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21006

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
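
One way to express MMcD's suggestion as Junos `set` commands. This is an added example, not configuration from the thread or from the linked KB; the zone name `VPN`, the unit `st0.0`, the filter name `MGMT-LOCKDOWN`, the source prefix `192.0.2.0/24` and the choice of a stateless filter on `lo0` are assumptions to adapt to your own setup.

```junos
# Added example: names and addresses below are placeholders (assumptions).

# 1. Make sure the management services themselves are enabled.
set system services ssh
set system services web-management https system-generated-certificate

# 2. Allow SSH and HTTPS as host-inbound traffic on the secure tunnel
#    interface, inside the zone that terminates the VPN.
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ssh
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services https

# 3. Lock management down with a stateless filter: only the remote
#    admin prefix may reach TCP/22 and TCP/443 on the device itself.
set firewall family inet filter MGMT-LOCKDOWN term ALLOW-ADMIN from source-address 192.0.2.0/24
set firewall family inet filter MGMT-LOCKDOWN term ALLOW-ADMIN from protocol tcp
set firewall family inet filter MGMT-LOCKDOWN term ALLOW-ADMIN from destination-port [ ssh https ]
set firewall family inet filter MGMT-LOCKDOWN term ALLOW-ADMIN then accept

# Every other source is dropped for SSH/HTTPS to the device.
set firewall family inet filter MGMT-LOCKDOWN term DENY-MGMT from protocol tcp
set firewall family inet filter MGMT-LOCKDOWN term DENY-MGMT from destination-port [ ssh https ]
set firewall family inet filter MGMT-LOCKDOWN term DENY-MGMT then discard

# Final term keeps all other traffic to the device (IKE, routing
# protocols, ping) working; without it the implicit default is discard.
set firewall family inet filter MGMT-LOCKDOWN term ALLOW-REST then accept

# 4. Apply the filter to the loopback so it covers traffic addressed
#    to the device on any of its interfaces.
set interfaces lo0 unit 0 family inet filter input MGMT-LOCKDOWN
```

When applying a filter like this over a remote session, `commit confirmed 5` rolls the change back automatically if it cuts off your own access.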
hvk

Hi,

I've got a similar problem.

I have DynVPN to SRX and I have access to all resources in the remote LAN. I can ping the internal (trusted) interface of the SRX via the VPN tunnel, but I cannot SSH to it. I have found [KB21489], but it explains only a problem with overlapping networks - I am using a different network for the DynVPN pool.

Any help or links to similar posts are gratefully received.

JunOS_Fan

Hi,

If you are using a different network for Dynamic VPN, it should work normally. Could you please attach the flow trace, if possible?

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
hvk

Hi,

I do not have access to the SRX at the moment, but what exactly do you need?

I have checked the session flow and traffic is permitted; it comes from the WAN interface. Ping and SSH are allowed in host-inbound on that interface. I am using the newest Junos 12.1R1.9. It looks like the traffic just vanishes.

Thanks.

hvk

Hi,

I checked the configuration and tried to disable features which I thought may be causing the problem, but still no luck. Traffic via the SRX works fine from the DynVPN client to the remote LAN and I can ping the SRX, but any attempt to establish TCP connectivity to it fails (HTTPS, SSH). It looks like packets are vanishing. I could not find anything in the policy logs which would direct me in any way. As this is a test box I have downgraded it back to R11.4, but it is still the same situation.

Another thing I have noticed is that if I want to send all traffic via the VPN tunnel (no split tunneling) and use the SRX as the gateway to the Internet for the DynVPN client, it also does not work. Maybe there is some config issue for that part, but I cannot see anything in the firewall filters or traffic flow (sh sec flow session...) or syslog messages - e.g. I am trying to ping 4.2.2.2 from the DynVPN client.

Any ideas would be more than welcome.
