SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Unable to HTTPS to the webgui thru a VPN st0

    Posted 02-18-2016 13:19

    SRX-100 at our remote site.

    When I try to HTTPS://192.168.203.1, I get the following error:

    Access Error: 401 -- Unauthorized

    Interface is not authorized for HTTP access

    I am at the corporate office. We have the st0 up, and I can ssh.


    set version 12.1X44-D35.5
    set system host-name vpnloaner03
    set system domain-name mass.com
    set system time-zone EST
    set system root-authentication encrypted-password ""
    set system name-server 10.10.10.10
    set system name-server 10.20.10.10
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-resolution no-resolve-on-input
    set system login user admin full-name Administrator
    set system login user admin uid 2000
    set system login user admin class super-user
    set system login user admin authentication encrypted-password ""
    set system services ssh max-sessions-per-connection 32
    set system services telnet
    set system services netconf ssh
    set system services web-management http interface vlan.1
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.1
    set system services web-management https interface fe-0/0/0.0
    set system services web-management session idle-timeout 60
    set system services dhcp option 161 string wyse.mass.com
    set system services dhcp option 186 string wyse.mass.com
    set system services dhcp pool 192.168.203.0/24 address-range low 192.168.203.50
    set system services dhcp pool 192.168.203.0/24 address-range high 192.168.203.249
    set system services dhcp pool 192.168.203.0/24 router 192.168.203.1
    set system services dhcp propagate-settings fe-0/0/0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system syslog file default-log-messages any info
    set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
    set system syslog file default-log-messages structured-data
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set interfaces fe-0/0/0 unit 0 family inet dhcp
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan1
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan1
    set interfaces st0 unit 0 family inet address 192.168.200.203/24
    set interfaces vlan unit 1 family inet address 192.168.203.1/24
    set snmp trap-group space targets 10.10.9.6
    set routing-options static route 192.168.200.0/24 next-hop st0.0
    set routing-options static route 10.0.0.0/8 next-hop st0.0
    set routing-options static route 10.10.13.30/32 next-hop st0.0
    set protocols stp
    set security ike policy ike_pol_vpnloaner03 mode aggressive
    set security ike policy ike_pol_vpnloaner03 proposal-set standard
    set security ike policy ike_pol_vpnloaner03 pre-shared-key ascii-text "$9$5QnCtpBESe0BclKWdVqmPfFn/Ct1Ec"
    set security ike gateway gw_vpnloaner03 ike-policy ike_pol_vpnloaner03
    set security ike gateway gw_vpnloaner03 address 75.112.50.226
    set security ike gateway gw_vpnloaner03 local-identity hostname vpnloaner03
    set security ike gateway gw_vpnloaner03 external-interface fe-0/0/0.0
    set security ipsec policy ipsec_pol_vpnloaner03 perfect-forward-secrecy keys group1
    set security ipsec policy ipsec_pol_vpnloaner03 proposal-set standard
    set security ipsec vpn vpnloaner03 bind-interface st0.0
    set security ipsec vpn vpnloaner03 ike gateway gw_vpnloaner03
    set security ipsec vpn vpnloaner03 ike ipsec-policy ipsec_pol_vpnloaner03
    set security ipsec vpn vpnloaner03 establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set nsw_srcnat from zone Internal
    set security nat source rule-set nsw_srcnat to zone Internet
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match source-address any
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match destination-address any
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match application any
    set security policies from-zone Internal to-zone Internet policy All_Internal_Internet then permit
    set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner03 match source-address addr_192_168_203_0_24
    set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner03 match destination-address addr_192_168_200_0_24
    set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner03 match application any
    set security policies from-zone Internal to-zone Internet policy policy_out_vpnloaner03 then permit
    set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner03 match source-address addr_10_0_0_0_8
    set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner03 match source-address addr_192_168_0_0_16
    set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner03 match destination-address addr_192_168_203_0_24
    set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner03 match application any
    set security policies from-zone Internet to-zone Internal policy policy_in_vpnloaner03 then permit
    set security zones security-zone Internal address-book address addr_192_168_203_0_24 192.168.203.0/24
    set security zones security-zone Internal host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services ping
    set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services dhcp
    set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services http
    set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services https
    set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services ssh
    set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services telnet
    set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services snmp
    set security zones security-zone Internet address-book address addr_192_168_0_0_16 192.168.0.0/16
    set security zones security-zone Internet address-book address addr_10_0_0_0_8 10.0.0.0/8
    set security zones security-zone Internet address-book address addr_192_168_200_0_24 192.168.200.0/24
    set security zones security-zone Internet host-inbound-traffic system-services ike
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services snmp
    set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services https
    set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ping
    set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ike
    set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ssh
    set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services snmp
    set vlans vlan1 vlan-id 3
    set vlans vlan1 l3-interface vlan.1



  • 2.  RE: Unable to HTTPS to the webgui thru a VPN st0

    Posted 02-18-2016 13:40

    Hi,

    This is because you've restricted access to HTTP / HTTPS traffic to vlan.1 and fe-0/0/0.0:

    set system services web-management http interface vlan.1
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.1
    set system services web-management https interface fe-0/0/0.0

    Removing those commands should give you access to the web UI through the st0 interface.



  • 3.  RE: Unable to HTTPS to the webgui thru a VPN st0

    Posted 02-19-2016 05:19

    Abed AL-R.

     

    I was able to delete just the http line and get in that way, but would rather go thru https:

     

    When I try to delete, I get this;

     


    [edit system services web-management]
    'https'
    Missing mandatory statement: 'local-certificate' or 'pki-local-certificate' or 'system-generated-certificate'
    error: configuration check-out failed: (missing statements)
     

    thanks



  • 4.  RE: Unable to HTTPS to the webgui thru a VPN st0
    Best Answer

    Posted 02-19-2016 11:04

    Hi,

    Sorry for misleading you; this line should not be deleted, since it is not one of the restricting lines:

    set system services web-management https system-generated-certificate

    Just do not restrict HTTP/HTTPS traffic to the vlan.1 and fe-0/0/0 interfaces.
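    The replies above (posts 2 and 4) are correct about the cause: on an SRX a management connection has to pass two independent gates, the zone's host-inbound-traffic for the ingress interface and the web-management daemon's own interface list. st0.0 passes the first (it has https under host-inbound-traffic) and fails the second, which is exactly the 401 "Interface is not authorized for HTTP access". Something the thread does not point out: the posted config lists the Internet-facing fe-0/0/0.0 at both gates, so J-Web over HTTPS already answers on the WAN side, and deleting the restriction lines as accepted keeps that. The script below is an added example, not code from the thread or from Juniper: it parses a "display set" style config (a constructed excerpt of the posted one, embedded inline), evaluates both gates per interface, and shows what each fix exposes. The precedence model (an interface-level host-inbound-traffic list replacing the zone-level list for that interface) is an assumption matching Junos's documented behaviour, and the "least privilege" variant is my alternative, not the thread's answer.

```python
"""Audit which SRX interfaces can reach J-Web over HTTPS from a 'display set' config.

Two independent gates must both pass before the SRX answers a management
HTTPS request arriving on an interface:
  1. the security zone: 'host-inbound-traffic system-services https' (or 'all')
     for that interface; an interface-level list, when present, is assumed to
     replace the zone-level list for that interface (Junos's documented precedence);
  2. the daemon: 'system services web-management https interface ...' must be
     absent (no restriction) or name that interface.
The thread's 401 'Interface is not authorized for HTTP access' is gate 2 failing
after gate 1 passed.
"""

# Constructed sample: the relevant lines of the SRX-100 config posted in the thread.
AS_POSTED = """\
set system services web-management http interface vlan.1
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.1
set system services web-management https interface fe-0/0/0.0
set security zones security-zone Internal host-inbound-traffic system-services all
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services https
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services ssh
set security zones security-zone Internet host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services https
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ssh
"""


def parse_set_config(text):
    """Split 'set ...' lines into token lists; any other line is ignored."""
    return [ln.split() for ln in text.splitlines() if ln.strip().startswith("set ")]


def web_mgmt_interfaces(stmts, proto):
    """Interfaces named under web-management <proto>; an empty set means unrestricted."""
    return {s[6] for s in stmts
            if s[1:6] == ["system", "services", "web-management", proto, "interface"]
            and len(s) > 6}


def zone_tables(stmts):
    """Build iface->zone, zone->services and iface->services from zone statements."""
    iface_zone, zone_svc, iface_svc = {}, {}, {}
    for s in stmts:
        if s[1:4] != ["security", "zones", "security-zone"]:
            continue
        zone, rest = s[4], s[5:]
        if rest[:1] == ["interfaces"]:
            iface_zone[rest[1]] = zone
            if rest[2:4] == ["host-inbound-traffic", "system-services"]:
                iface_svc.setdefault(rest[1], set()).add(rest[4])
        elif rest[:2] == ["host-inbound-traffic", "system-services"]:
            zone_svc.setdefault(zone, set()).add(rest[2])
    return iface_zone, zone_svc, iface_svc


def zone_allows(iface, service, tables):
    """Gate 1: interface-level list if configured, otherwise the zone-level list."""
    iface_zone, zone_svc, iface_svc = tables
    if iface not in iface_zone:
        return False
    allowed = iface_svc.get(iface, zone_svc.get(iface_zone[iface], set()))
    return "all" in allowed or service in allowed


def https_mgmt_reachable(config_text, iface):
    """True only when both gates pass for HTTPS management on iface."""
    stmts = parse_set_config(config_text)
    restricted = web_mgmt_interfaces(stmts, "https")
    daemon_ok = not restricted or iface in restricted   # gate 2
    return daemon_ok and zone_allows(iface, "https", zone_tables(stmts))


def https_exposed_interfaces(config_text):
    """Every interface on which J-Web HTTPS would answer: the audit view."""
    ifaces = zone_tables(parse_set_config(config_text))[0]
    return sorted(i for i in ifaces if https_mgmt_reachable(config_text, i))


def edit_config(config_text, delete=(), add=()):
    """Model a 'delete ...' / 'set ...' commit as line removal and addition."""
    kept = [ln for ln in config_text.splitlines() if ln not in delete]
    return "\n".join(kept + list(add)) + "\n"


# Fix as accepted in the thread: drop the interface restriction entirely.
FIX_THREAD = edit_config(AS_POSTED, delete=[
    "set system services web-management https interface vlan.1",
    "set system services web-management https interface fe-0/0/0.0",
])

# Narrower alternative (assumed, not from the thread): allow st0.0 explicitly and
# stop answering on the Internet-facing fe-0/0/0.0 at both gates.
FIX_LEAST_PRIV = edit_config(AS_POSTED, delete=[
    "set system services web-management https interface fe-0/0/0.0",
    "set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services https",
], add=["set system services web-management https interface st0.0"])

if __name__ == "__main__":
    for name, cfg in ("as posted", AS_POSTED), ("thread fix", FIX_THREAD), ("least privilege", FIX_LEAST_PRIV):
        print(f"{name:16} st0.0 reachable={https_mgmt_reachable(cfg, 'st0.0')} "
              f"HTTPS answers on={https_exposed_interfaces(cfg)}")
```

    Run as posted, the audit reports st0.0 unreachable and fe-0/0/0.0 plus vlan.1 answering; the thread's fix makes st0.0 reachable but leaves fe-0/0/0.0 exposed; the least-privilege variant ends with only st0.0 and vlan.1. Whatever variant you commit, check the result on the box itself with `show configuration system services web-management` and `show configuration security zones`, and then from the corporate side confirm that the WAN address no longer answers on 443 if that is what you intended.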