SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX650 JWeb - Forbidden 403 Error

    Posted 10-29-2014 11:16

    Hi all,

     

    I am trying to connect to my SRX650 via web management, but I got the error message "Forbidden 403 Error".

     

    Can anyone suggest something?

     

    Thanks

     

    web-management {
                http {
                    interface ge-6/0/2.0;
                }
                https {
                    system-generated-certificate;
                    interface ge-0/0/2.0;

     



  • 2.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-29-2014 20:00

    Hi VinhNG,

     

    Check this KB article:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB24817

     

     

    Verify whether there are any filters configured on the interface that block J-web access.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-29-2014 21:27

    rparthi,

     

    Thanks for your kind advice.

    Could you please let us know how to check the filter information, and please show me how to add the other port to http web-management, as in your link above?

     

    Thanks,



  • 4.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-29-2014 22:39

    Hi VinhNG,

     

    Are you able to access J-web over http using the ge-6/0/2 interface?

     

    Are you connecting from a PC which is on the same subnet as ge-6/0/2?

     

    Regards,

    rparthi

     

     



  • 5.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-30-2014 00:04

    Hi rparthi,

     

    In response to your questions:

     

    1. No

    2. Yes

     

    Please help us.

    Vinh Ng



  • 6.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-30-2014 00:11

    Hi VinhNg,

     

    Share the following information:

    1. System services configuration
    2. IP address of the PC from which you are trying to access J-web
    3. Interface IP address that you are using to access J-web
    4. show route for the PC IP address
    5. show security zone details for the interface that you are using to access J-web
    6. From the SRX, are you able to ping the PC IP address?
    7. show interface terse output


    Regards
    rparthi
     




  • 7.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-30-2014 01:20

    Hi rparthi,

     

    Please see my answers below:

     

    Share the following information;

    1. System services configuration
    2. IP address of PC from where you are trying to access J-web

    IPv4 Address. . . . . . . . . . . : 10.0.20.22
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.0.20.1

    3. Interface Ip address that you are using to access the J-web

    Ge-0/0/2.0

     

    4. show route for the PC ip address

    Please show me which command I can use for this.

     


    5. show security zone details for the interface that you are trying to J-web

    Please show me which command I can use for this.

     


    6. From SRX , are you able to Ping PC ip address.

    admin@SRX650# run ping 10.0.20.22
    PING 10.0.20.22 (10.0.20.22): 56 data bytes
    64 bytes from 10.0.20.22: icmp_seq=0 ttl=128 time=2.395 ms
    64 bytes from 10.0.20.22: icmp_seq=1 ttl=128 time=7.219 ms
    64 bytes from 10.0.20.22: icmp_seq=2 ttl=128 time=1.575 ms
    64 bytes from 10.0.20.22: icmp_seq=3 ttl=128 time=3.047 ms
    64 bytes from 10.0.20.22: icmp_seq=4 ttl=128 time=2.405 ms
    64 bytes from 10.0.20.22: icmp_seq=5 ttl=128 time=1.746 ms
    64 bytes from 10.0.20.22: icmp_seq=6 ttl=128 time=1.615 ms
    ^C
    --- 10.0.20.22 ping statistics ---
    7 packets transmitted, 7 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.575/2.857/7.219/1.848 ms

     


    7. show interface terse output

    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0                up    up
    ge-0/0/0.0              up    up   inet     172.16.64.195/27
    gr-0/0/0                up    up
    ip-0/0/0                up    up
    lsq-0/0/0               up    up
    lt-0/0/0                up    up
    mt-0/0/0                up    up
    sp-0/0/0                up    up
    sp-0/0/0.0              up    up   inet
    sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                                10.0.0.6            --> 0/0
                                                128.0.0.1           --> 128.0.1.16
                                                128.0.0.6           --> 0/0
    ge-0/0/1                up    down
    ge-0/0/1.0              up    down inet     192.168.8.1/24
    ge-0/0/2                up    up
    ge-0/0/2.0              up    up   inet     125.234.236.142/30
    ge-0/0/3                up    down
    ge-0/0/3.0              up    down inet     192.168.1.252/24
    ge-6/0/0                up    down
    ge-6/0/0.0              up    down inet     3.3.3.3/27
    ge-6/0/1                up    up
    ge-6/0/1.0              up    up   eth-switch
    ge-6/0/2                up    up
    ge-6/0/2.0              up    up   eth-switch
    ge-6/0/3                up    down
    ge-6/0/3.0              up    down inet     192.168.255.254/24
    ge-6/0/4                up    up
    ge-6/0/4.0              up    up   eth-switch
    ge-6/0/5                up    down
    ge-6/0/5.0              up    down eth-switch
    ge-6/0/6                up    up
    ge-6/0/6.0              up    up   eth-switch
    ge-6/0/7                up    down
    ge-6/0/7.0              up    down eth-switch
    ge-6/0/8                up    down
    ge-6/0/8.0              up    down eth-switch
    ge-6/0/9                up    down
    ge-6/0/9.0              up    down eth-switch
    ge-6/0/10               up    up
    ge-6/0/10.0             up    up   eth-switch
    ge-6/0/11               up    up
    ge-6/0/11.0             up    up   eth-switch
    ge-6/0/12               up    up
    ge-6/0/12.0             up    up   eth-switch
    ge-6/0/13               up    down
    ge-6/0/13.0             up    down eth-switch
    ge-6/0/14               up    up
    ge-6/0/14.0             up    up   eth-switch
    ge-6/0/15               up    down
    ge-6/0/15.0             up    down eth-switch
    ge-6/0/16               up    up
    ge-6/0/16.0             up    up   eth-switch
    ge-6/0/17               up    up
    ge-6/0/17.0             up    up   eth-switch
    ge-6/0/18               up    down
    ge-6/0/18.0             up    down eth-switch
    ge-6/0/19               up    up
    ge-6/0/19.0             up    up   eth-switch
    ge-6/0/20               up    down
    ge-6/0/20.0             up    down eth-switch
    ge-6/0/21               up    up
    ge-6/0/21.0             up    up   eth-switch
    ge-6/0/22               up    down
    ge-6/0/22.0             up    down eth-switch
    ge-6/0/23               up    down
    ge-6/0/23.0             up    down eth-switch
    fxp2                    up    up
    gre                     up    up
    ipip                    up    up
    lo0                     up    up
    lo0.0                   up    up   inet     127.0.0.1           --> 0/0
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                                10.0.0.16           --> 0/0
                                                128.0.0.1           --> 0/0
                                                128.0.1.16          --> 0/0
    lo0.32768               up    up
    lsi                     up    up
    mtun                    up    up
    pimd                    up    up
    pime                    up    up
    pp0                     up    up
    ppd0                    up    up
    ppe0                    up    up
    st0                     up    up
    tap                     up    up
    vlan                    up    up
    vlan.0                  up    down inet
    vlan.1                  up    up   inet     10.0.1.1/24
    vlan.10                 up    up   inet     10.0.10.1/24
    vlan.20                 up    up   inet     10.0.20.1/24
    vlan.30                 up    up   inet     10.0.30.1/24
    vlan.40                 up    up   inet     10.0.40.1/24
    vlan.50                 up    up   inet     10.0.50.1/24
    vlan.60                 up    up   inet     10.0.160.1/22
    vlan.70                 up    up   inet     10.0.70.1/24
    vlan.80                 up    up   inet     10.0.80.1/24
    vlan.90                 up    up   inet     10.0.90.1/24
    vlan.100                up    up   inet     192.168.2.1/24
    vlan.110                up    up   inet     10.0.110.1/24
    vlan.120                up    up   inet     10.0.120.1/24
    vlan.130                up    up   inet     10.0.130.1/24
    vlan.140                up    up   inet     10.0.140.1/24
    vlan.150                up    up   inet     10.0.150.1/24
    vlan.201                up    up   inet     10.0.201.1/24
    vlan.202                up    up   inet     10.0.202.1/24
    vlan.203                up    up   inet     10.0.203.1/24
    vlan.204                up    up   inet     10.0.204.1/24
    vlan.205                up    up   inet     10.0.205.1/24
    vlan.206                up    up   inet     10.0.206.1/24
    vlan.207                up    up   inet     10.0.207.1/24
    vlan.208                up    up   inet     10.0.208.1/24
    vlan.209                up    up   inet     10.0.209.1/24
    vlan.210                up    up   inet     10.0.210.1/24
    vlan.211                up    up   inet     10.0.211.1/24
    vlan.212                up    up   inet     10.0.212.1/24
    vlan.213                up    up   inet     10.0.213.1/24
    vlan.214                up    up   inet     10.0.214.1/24
    vlan.215                up    up   inet     10.0.215.1/24
    vlan.216                up    up   inet     10.0.216.1/24
    vlan.217                up    up   inet     10.0.217.1/24
    vlan.218                up    up   inet     10.0.218.1/24
    vlan.219                up    up   inet     10.0.219.1/24
    vlan.220                up    up   inet     10.0.220.1/24
    vlan.221                up    up   inet     10.0.221.1/24
    vlan.222                up    up   inet     10.0.222.1/24
    vlan.223                up    up   inet     10.0.223.1/24
    vlan.224                up    up   inet     10.0.224.1/24
    vlan.225                up    up   inet     10.0.225.1/24
    vlan.226                up    up   inet     10.0.226.1/24
    vlan.227                up    up   inet     10.0.227.1/24
    vlan.300                up    up   inet     192.168.3.1/24
    vlan.400                up    up   inet     192.168.4.1/24

     



  • 8.  RE: SRX650 JWeb - Forbidden 403 Error
    Best Answer

    Posted 10-30-2014 04:14

    Hi VinhNg,

     

    From the update, I think you are trying to manage J-web using an https connection to the ge-0/0/2 interface IP address from your local 10.0.20.x/24 network.

     

    It will not work.

     

    Your configuration states that you can access J-web using https://125.234.236.142 from the Internet only and not from the inside network.

     

    To access it from the inside 10.0.20.x network, you need to add the vlan.20 interface to the web-management list.

     

    set system services web-management https interface vlan.20

     

    ++++++++++++++++++++++

     

    https needs to be enabled on the security zones.

     

    set security zones security-zone XXXXX interfaces vlan.20 host-inbound-traffic system-services https

     

    ++++++++++++++++++++++++++++++++

     

    With the current configuration, you can manage your device through J-web using the ge-0/0/2 interface IP address.

    This will work only from the Internet and not from 10.0.20.x or other networks internal to the firewall.

     

    +++++++++++++++++++++++++++++++

     

    To manage J-web from the 10.0.20.X PC, do the following:

     

    1. Add the vlan.20 interface to system services web-management https interface vlan.20

    2. Ensure the security zone for the vlan.20 interface has https enabled.

    3. Use https://10.0.20.1 from PC 10.0.20.22 and check if it is working or not.

     

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
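
The check described in the answer above, as an added example that is not part of the thread or of any Juniper tooling: it works out which SRX interface a directly connected client lands on, then tests whether J-Web HTTPS is bound to that interface and allowed as host-inbound traffic, and it also lists web-management bindings on publicly addressed interfaces. The interface addresses come from the thread's `show interface terse` output; the zone name `trust`, the set-format config lines and the function names are assumptions, and only interface-level `host-inbound-traffic` statements are considered.

```python
import ipaddress
import re

# Constructed sample: addresses are from the thread's "show interface terse"
# output; the zone name "trust" is an assumption (the thread only says XXXXX).
INTERFACES = {"ge-0/0/2.0": "125.234.236.142/30", "vlan.20": "10.0.20.1/24"}
CONFIG_BEFORE = """\
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/2.0
"""
CONFIG_AFTER = CONFIG_BEFORE + """\
set system services web-management https interface vlan.20
set security zones security-zone trust interfaces vlan.20 host-inbound-traffic system-services https
"""

def ingress_interface(client_ip, interfaces=INTERFACES):
    """Return the interface whose connected subnet contains client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None

def jweb_https_check(config, client_ip, interfaces=INTERFACES):
    """Evaluate J-Web HTTPS reachability for a directly connected client."""
    # Interfaces the web-management HTTPS listener is restricted to.
    bound = set(re.findall(
        r"^set system services web-management https interface (\S+)$", config, re.M))
    # Interfaces whose zone entry permits HTTPS to the device itself.
    zone_ok = set(re.findall(
        r"^set security zones security-zone \S+ interfaces (\S+) "
        r"host-inbound-traffic system-services (?:https|all)$", config, re.M))
    ifname = ingress_interface(client_ip, interfaces)
    # Management bindings on globally routable addresses deserve review.
    public = sorted(i for i in bound if i in interfaces
                    and ipaddress.ip_interface(interfaces[i]).ip.is_global)
    return {
        "ingress": ifname,
        "bound": ifname in bound,
        "zone_allows_https": ifname in zone_ok,
        "reachable": ifname in bound and ifname in zone_ok,
        "public_bound": public,
    }

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, jweb_https_check(cfg, "10.0.20.22"))
```

With the original configuration the 10.0.20.22 client arrives on `vlan.20`, which is not in the web-management list, while the only bound interface is the publicly addressed `ge-0/0/2.0`.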

     



  • 9.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-30-2014 08:47

    Hi rparthi,

     

    Sure, I want to manage J-web from my local network.

    Let us try to test it following your guidance!

     

    I can connect to my router via J-web using https://125.234.236.142, but why can I not log in with the same "admin+password" account that I currently use on the console?

    Please help us.

     

    Vinh Ng.

     

     



  • 10.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 10-30-2014 22:38

    Hi VinhNg,

     

    You should be able to use the same user account to access all the management sessions.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10083

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16647

     

     

    Telnet will not work for root login account.

     

    Regards
    rparthi
     


     



  • 11.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 11-01-2014 04:10

    Hi rparthi,

     

    I am not sure, but it seems the telnet user can already log in to J-web management with the current configuration?

    Can you help us check this user?

     

    Vinh Ng



  • 12.  RE: SRX650 JWeb - Forbidden 403 Error

    Posted 11-02-2014 18:34

    Hi rparthi,

     

    Could you please give us your expert advice?

     

    Thanks,

    Vinh Ng