SRX Services Gateway
Visitor
bruno71
Posts: 2
Registered: 03-20-2011
0

Trying to Redirect Port 80 Public IP from fe-0/0/7 to 192.168.1.107 and having issues

version 10.4R2.7;
system {
    host-name home;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                exclude-address {
                    192.168.1.107;
                }
            }
            propagate-settings fe-0/0/7.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/0;
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool server-web {
                address 192.168.1.107/32 port 80;
            }
            rule-set home-servers {
                from interface fe-0/0/7.0;
                rule forward-web {
                    match {
                        destination-address {Public_IP};
                        destination-port 80;
                    }
                    then {
                        destination-nat pool server-web;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web_server 192.168.1.107/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            http;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address web_server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Recognized Expert
rasmus
Posts: 379
Registered: 02-28-2010
0

Re: Trying to Redirect Port 80 Public IP from fe-0/0/7 to 192.168.1.107 and having issues

Can you explain what issue you are getting?

Destination rule home-servers is generally OK.

regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Distinguished Expert
dfex
Posts: 734
Registered: 04-17-2008
0

Re: Trying to Redirect Port 80 Public IP from fe-0/0/7 to 192.168.1.107 and having issues

Try:

delete security zones security-zone untrust host-inbound-traffic system-services http

and commit.

The "host-inbound-traffic" statement is only used for services that terminate directly on the SRX, such as, in this case, J-Web. Since I see you are using HTTPS for web-management, this line is not required, but I believe it is taking priority over the NAT configuration, so your inbound connections are probably being directed to J-Web, which isn't running on port 80.

You may be able to see this with "show security flow session", which will show the inbound traffic hitting "self-traffic-policy" instead of "untrust-to-trust".

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Visitor
bruno71
Posts: 2
Registered: 03-20-2011
0

Re: Trying to Redirect Port 80 Public IP from fe-0/0/7 to 192.168.1.107 and having issues

To answer the first person's question, I am trying to access a web server that has an IP address of 192.168.1.107 from both inside and outside of the firewall. Every time I get "The connection has timed out".

I tried running the delete statement below, but I believe the interface was missing. I tried that too with no luck.

delete security zones security-zone untrust host-inbound-traffic system-services http

I tried to get to the page from outside the firewall and from inside the firewall.

From inside the firewall, trying to access 65.229.114.137:

Session ID: 39553, Policy name: trust-to-untrust/4, Timeout: 18, Valid
  In: 192.168.1.9/49430 --> 65.229.114.137/80;tcp, If: vlan.0, Pkts: 3, Bytes: 192
  Out: 192.168.1.107/80 --> 65.229.114.137/39204;tcp, If: vlan.0, Pkts: 0, Bytes: 0

From outside the firewall, trying to access 65.229.114.137:

Session ID: 40078, Policy name: untrust-to-trust/5, Timeout: 16, Valid
  In: 75.212.104.138/50757 --> 65.229.114.137/80;tcp, If: fe-0/0/7.0, Pkts: 2, Bytes: 96
  Out: 192.168.1.107/80 --> 75.212.104.138/50757;tcp, If: vlan.0, Pkts: 0, Bytes: 0

Thank you

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007
0

Re: Trying to Redirect Port 80 Public IP from fe-0/0/7 to 192.168.1.107 and having issues

Run flow traceoptions to get an understanding of how the SRX is handling traffic and see why untrust to trust isn't working. But based on the session, it looks like we don't see a reply from 192.168.1.107 to the untrust client. Is the web service running on 192.168.1.107? Can 192.168.1.9 reach HTTP directly on 192.168.1.107? Is the server perhaps running a Windows Firewall or similar which is blocking the request from an unknown source IP?

From within the trust zone this won't work, because your host is on the same subnet as your web server. The reason is that when the client sends the HTTP SYN packet from 192.168.1.9 --> 65.229.114.137, the web server sees it as from 192.168.1.9 --> 192.168.1.107. Hence the SYN/ACK will go directly from 192.168.1.107 --> 192.168.1.9 and never go back to the SRX. It will instead ARP for 192.168.1.9 and send directly. But the client will not see this as a proper SYN/ACK, since the original request was to a different server IP. The only way this would work is if you also did a source-nat interface NAT rule, so that web requests come into the server with the source IP as the SRX itself. Only this way can the web server properly send the SYN/ACK back to the SRX to get the dest-nat reversed on the return to the client. Alternatively, you could also put the web server on a different subnet from your clients.

-Richard
Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009
0

Re: Trying to Redirect Port 80 Public IP from fe-0/0/7 to 192.168.1.107 and having issues

It looks like your internal clients are making a trip through the untrust zone to get back into the trust zone for the web server because you're hitting the NAT IP of the server.

For something like this, I'd either do as Richard suggested and move your server(s) into a different zone (DMZ or Servers or whatever) and keep it separate from where your clients live, or you could do some stuff with DNS views and/or the DNS ALG to send your internal clients directly to the internal server, and external clients would hit the translated IP.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
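Following Richard's explanation of the hairpin case and Keith's alternatives, here is an added configuration example (not from the thread, and not Juniper's own text) that keeps the server on the LAN: it adds vlan.0 to the existing destination NAT rule-set so trust-originated requests to the public IP are translated, source-NATs those requests to the SRX's own vlan.0 address so the server's SYN/ACK comes back through the SRX, and adds the intra-zone policy the hairpinned flow needs. The names trust-hairpin, hairpin-web and trust-hairpin-web are assumed; the pool, address-book entry and interfaces are the ones from the posted config, and because destination-port matching in source NAT rules is not assumed available on 10.4, the source NAT rule matches on the server address only.

```junos
security {
    nat {
        destination {
            rule-set home-servers {
                /* Added vlan.0 so requests from the LAN to the public IP are also translated */
                from interface [ fe-0/0/7.0 vlan.0 ];
            }
        }
        source {
            /* Hairpin: rewrite the LAN client's source to the SRX vlan.0 address (192.168.1.1)
               so the server's SYN/ACK returns through the SRX and the destination NAT is reversed */
            rule-set trust-hairpin {
                from zone trust;
                to zone trust;
                rule hairpin-web {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 192.168.1.107/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Intra-zone traffic is not permitted by default; allow only HTTP to the web server */
        from-zone trust to-zone trust {
            policy trust-hairpin-web {
                match {
                    source-address any;
                    destination-address web_server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Apply it with `load merge` so the existing forward-web rule under home-servers is kept. The trade-off Richard's approach implies is that, for hairpinned requests, the server's logs will show 192.168.1.1 as the client rather than the real LAN address.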
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.