
Webserver not working


Hello,

 

I am trying to set up a webserver.

I need the following:

 

187.72.138.193 > 10.196.24.31 on port 80

 

What am I doing wrong?

When I try to access it from outside, it keeps loading forever and then an error appears (timed out).

 

I am using SRX220H2 with JUNOS Software Release [12.1X44-D15.5]

 

I tried the following:

 

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24

set applications application HTTP protocol tcp

set applications application HTTP destination-port 80

set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80

set security nat destination rule-set DEST-NAT from zone untrust

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match source-address any

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match destination-address WebServer

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match application HTTP

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ then permit

set security nat source rule-set DMZ-TO-INTERNET from zone DMZ-trust

set security nat source rule-set DMZ-TO-INTERNET to zone untrust

set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match source-address 10.196.24.31/24
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match destination-address 0.0.0.0/0
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET then source-nat interface

You can check my config file below:

 

## Last changed: 2017-05-19 21:30:15 UTC
/* Junos release this listing was taken from (12.1X44 train). */
version 12.1X44.5;
/* Management plane: hostname, local accounts, services the device itself listens on, DHCP server and logging. */
system {
    host-name rotem_brazil_aqa;
    authentication-order password;
    root-authentication {
        /* NOTE(review): this $1$ (MD5-crypt) hash was posted on a public forum; treat the root password as compromised and rotate it. */
        encrypted-password "$1$n8cjdRxy$egOP32tYsiL.x4qMR71050";
    }
    name-server {
        /* Resolvers used by the device itself. */
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                /* NOTE(review): same as root -- this hash is public now; rotate the password. */
                encrypted-password "$1$vo1HUMSt$GYLlMi6geHv9zTEg0OFAG.";
            }
        }
    }
    services {
        ssh;
        /* NOTE(review): telnet and xnm-clear-text carry credentials in cleartext, and the untrust zone below allows system-services all, so both are reachable from the internet. Keep ssh (and xnm-ssl if the API is needed) only. */
        telnet;
        xnm-clear-text;
        web-management {
            /* J-Web on TCP/80 -- the same port the destination-NAT rule forwards. DNAT should be evaluated before the host-inbound check, so untrust traffic to the public address reaches the server instead, but J-Web stays exposed on every other interface address. */
            http {
                port 80;
            }
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            /* DHCP clients are pointed at the web-server host (10.196.24.31) as their DNS server. */
            name-server {
                10.196.24.31;
            }
            router {
                10.196.24.1;
            }
            pool 10.196.24.0/24 {
                address-range low 10.196.24.51 high 10.196.24.210;
                exclude-address {
                    10.196.24.177;
                    10.196.24.178;
                    10.196.24.74;
                }
            }
            /* Settings the DHCP client learns on the uplink are propagated to this pool. */
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        /* Local files only, no remote collector. Security-policy session events are not logged unless the policies carry log actions. */
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Physical layout: ge-0/0/0 = internet uplink (public /28), ge-0/0/1 = second routed LAN, ge-0/0/2..7 = switch ports in vlan-trust, ge-1/0/0 = routed "backbone" LAN 10.196.24.0/24, st0 = VPN tunnel, vlan = L3 interface of vlan-trust. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Public address used by the destination-NAT rule and as IKE external interface; the default route points at 187.72.138.206 in this /28. */
                address 187.72.138.193/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* NOTE(review): ge-0/0/1.0 is not a member of any security zone in this listing, so the SRX will not forward traffic on it. */
                address 10.196.25.1/24;
            }
        }
    }
    ge-0/0/2 {
        /* ge-0/0/2 through ge-0/0/7: identical access ports in vlan-trust (VLAN 3), routed through vlan.0. */
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-1/0/0 {
        description "##Backbone##";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "##Backbone##";
            family inet {
                /* Gateway of the 10.196.24.0/24 LAN that holds the web server (10.196.24.31) and the DHCP pool; this interface is in zone trust. */
                address 10.196.24.1/24 {
                    primary;
                }
            }
        }
    }
    st0 {
        /* Tunnel interface bound to VPN "Rotem"; the static routes for 10.0.0.0/8 and the 58.87.44.x hosts point here. */
        unit 0 {
            family inet;
            family inet6;
        }
    }
    vlan {
        /* vlan.0 is the L3 interface of vlan-trust (zone trust). */
        unit 0;
    }
}
/* Default route to the ISP gateway; 10.0.0.0/8 and four 58.87.44.x hosts are steered into the VPN tunnel (the directly connected 10.196.24.0/24 and 10.196.25.0/24 are more specific and still win). */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 187.72.138.206;
        route 10.0.0.0/8 next-hop st0.0;
        route 58.87.44.105/32 next-hop st0.0;
        route 58.87.44.106/32 next-hop st0.0;
        route 58.87.44.107/32 next-hop st0.0;
        route 58.87.44.93/32 next-hop st0.0;
    }
}
/* Spanning tree enabled for the switching ports. */
protocols {
    stp;
}
/* Security plane: site-to-site VPN "Rotem" (IKE/IPsec over st0.0), UTM profile, screens, NAT, zone policies and zones. */
security {
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            /* NOTE(review): group2 (1024-bit DH), SHA-1 and 3DES are legacy choices; move to group14 or higher, sha-256 and aes-cbc when the peer can match (both ends must agree). */
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy Rotem {
            /* NOTE(review): aggressive mode sends identities and the PSK-derived hash unprotected; it is normally only needed when one peer has a dynamic address. The peer below is static (58.87.57.67), so main mode is worth confirming with the far end. */
            mode aggressive;
            proposals pre-g2-3des-sha;
            /* NOTE(review): $9$ strings are reversible obfuscation, not hashes -- this key has been posted publicly and should be changed on both peers. */
            pre-shared-key ascii-text "$9$kmQnhclWX-tueW8LbwjHqmz6ApB";
        }
        gateway Rotem {
            ike-policy Rotem;
            address 58.87.57.67;
            /* IKE identity sent to the peer; it differs from the system host-name (rotem_brazil_aqa) -- presumably what the peer is configured for, confirm. */
            local-identity hostname rotem_brazil_newararaquara;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            /* Same legacy-algorithm remark as for the IKE proposal. */
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Rotem {
            proposals esp-3des-sha;
        }
        vpn Rotem {
            /* Route-based VPN: traffic enters the tunnel via the static routes pointing at st0.0. */
            bind-interface st0.0;
            ike {
                gateway Rotem;
                /* NOTE(review): disabling anti-replay removes ESP sequence-number checking; keep this only if a known reordering/interop problem requires it. */
                no-anti-replay;
                ipsec-policy Rotem;
            }
            establish-tunnels immediately;
        }
    }
    utm {
        feature-profile {
            web-filtering {
                /* Profile is defined but no policy in this listing applies a UTM policy, so it is inactive. */
                type surf-control-integrated;
                surf-control-integrated {
                    server;
                }
            }
        }
    }
    screen {
        /* Basic screens; attached to the untrust zone below. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Everything leaving trust for untrust is hidden behind the ge-0/0/0 address. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DMZ-TO-INTERNET {
                /* NOTE(review): zone DMZ-trust has no interfaces assigned (see zones), so no packet ever arrives from it and this rule-set is dead; the web server's outbound traffic is already covered by trust-to-untrust. */
                from zone DMZ-trust;
                to zone untrust;
                rule DMZ-TO-INTERNET {
                    match {
                        /* Written as /24 this covers the whole subnet, not only the server; use /32 if one host is meant. */
                        source-address 10.196.24.31/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat_10_196_24_31m24 {
                /* NOTE(review): port translation needs a single-host pool; the /24 here is what commit rejects (see the thread) -- use 10.196.24.31/32. */
                address 10.196.24.31/24 port 80;
            }
            rule-set DEST-NAT {
                from zone untrust;
                /* TCP/80 arriving on the public ge-0/0/0 address is translated to the web server. */
                rule WEB-SERVER-TCP-80 {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dnat_10_196_24_31m24;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Unrestricted outbound from the LAN. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy catia-alc-license {
                /* NOTE(review): ordered after the permit-any policy, so it is never reached; in addition "trust" is a /32 of the network address (see zones). Move it first if the deny is meant to work. */
                description catia-alc-license;
                match {
                    source-address trust;
                    destination-address [ catia catia2 catia3 ];
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* NOTE(review): this is the context inbound web traffic actually lands in -- after destination NAT to 10.196.24.31 the route lookup selects ge-1/0/0.0, which is in zone trust, not DMZ-trust. The only policy here admits source 10.0.0.0/8, so internet clients fall to the default deny; that matches the browser time-out described in the thread. Either put the server's interface in DMZ-trust, or add an untrust->trust permit for WebServer/HTTP with the address defined in trust's address-book (zone address-books are not shared). */
            policy RotemVPN {
                match {
                    /* "10.0.0.0/8" is the untrust address-book entry of that name. */
                    source-address 10.0.0.0/8;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone DMZ-trust {
            /* NOTE(review): never consulted while DMZ-trust holds no interface. When it does take effect, add log { session-init; session-close; } -- an internet-facing permit without logging leaves nothing for detection. */
            policy INTERNET-TO-DMZ {
                match {
                    source-address any;
                    destination-address WebServer;
                    application HTTP;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* NOTE(review): /32 of the network address matches only 10.196.24.0 itself; /24 looks intended -- confirm. */
                address trust 10.196.24.0/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                /* 10.196.24.0/24 -- including the web server -- is reached through this interface, so the server is in zone trust. */
                ge-1/0/0.0;
            }
        }
        security-zone untrust {
            address-book {
                /* Entry literally named "10.0.0.0/8" (referenced by policy RotemVPN). */
                address 10.0.0.0/8 10.0.0.0/8;
                address catia 10.196.34.46/32;
                address catia2 10.196.34.47/32;
                address catia3 10.196.34.48/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                /* NOTE(review): "all" on the internet-facing zone makes every enabled management service (ssh, telnet, J-Web, xnm-clear-text) reachable on 187.72.138.193. Limit this to ike (plus dhcp if the uplink needs it) and manage the box over the VPN or from trust. */
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            /* "all" makes the three entries above redundant and re-opens everything at interface level. */
                            all;
                        }
                    }
                }
                st0.0;
            }
        }
        security-zone DMZ-trust {
            /* NOTE(review): no interfaces stanza -- the zone is empty, so nothing is ever classified into it and policies/NAT rule-sets referencing it cannot match. */
            address-book {
                /* A /24 prefix must use the network address (10.196.24.0/24); the single host is 10.196.24.31/32 -- this is the line commit rejects. */
                address WebServer 10.196.24.31/24;
            }
        }
    }
}
/* Custom application for TCP destination port 80 (the predefined junos-http would serve the same purpose). */
applications {
    application HTTP {
        protocol tcp;
        destination-port 80;
    }
}
/* vlan-trust (VLAN 3) groups ports ge-0/0/2..7 and is routed through vlan.0, which sits in zone trust. */
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

 

Kind regards.

 

 

EDIT: I noticed, by running "commit" after every single command, that the first one doesn't work if I leave the /24 mask. Do you know why? It only accepts /32 at the end. My internal network is /24, so what can I do? I am talking about the:

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24

 

 


Re: Webserver not working

Hi,

 

The IP 10.196.24.31 is a host address inside the subnet 10.196.24.0/24 (a /24 prefix must end in .0). Hence you will be unable to give the address entry as 10.196.24.31/24.

 

Moreover, you cannot perform a destination NAT of a single IP (the interface IP) and port 80 to a whole internal subnet.

 

Hence, you will have to use a /32 to make it work.

 

Regards,

Sahil Sharma

Please mark my response as Solution if it Helps, Kudos are Appreciated as well.


Re: Webserver not working

hi.

 

could you PLEASEEEEEEEEEEEEEEE edit my commands in order to make it work?

I'm new to SRX configuration ... I need it working ASAP for my company website; I will study SRX once I get it solved.

 

 

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24

set applications application HTTP protocol tcp

set applications application HTTP destination-port 80

set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80

set security nat destination rule-set DEST-NAT from zone untrust

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match source-address any

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match destination-address WebServer

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match application HTTP

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ then permit

set security nat source rule-set DMZ-TO-INTERNET from zone DMZ-trust

set security nat source rule-set DMZ-TO-INTERNET to zone untrust

set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match source-address 10.196.24.31/24
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match destination-address 0.0.0.0/0
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET then source-nat interface

THANKS


Re: Webserver not working

Hi,

Please change the subnet mask in the following 2 commands to /32, as shown below:

 

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/32
set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/32 port 80

 

This should work.

 

HTH !

 

Regards,

Sahil Sharma

Please mark my response as Solution if it Helps, Kudos are Appreciated as well.


Re: Webserver not working

What about the line:

 

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32

Should I use /32 after IP?

 

Kind regards.


Re: Webserver not working

Hi,

 

Yes, but even if you don't explicitly state a /32 after the IP, it will be taken as a single /32 address.

 

Regards,

Sahil Sharma

Please mark my response as Solution if it Helps, Kudos are Appreciated as well.

 

 


Re: Webserver not working

Not working. It keeps loading and then it gives an error.

 

Try it yourself: access the IP 187.72.138.193 from your browser.

 

Find below my config.

 

    /* Resolvers used by the device itself. */
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    /* Local super-user account. */
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                /* NOTE(review): this $1$ (MD5-crypt) hash was posted on a public forum twice; rotate the password. */
                encrypted-password "$1$vo1HUMSt$GYLlMi6geHv9zTEg0OFAG.";
            }
        }
    }
    /* Services the device itself listens on, plus the DHCP server for the trust LAN. */
    services {
        ssh;
        /* NOTE(review): telnet and xnm-clear-text carry credentials in cleartext, and the untrust zone allows system-services all, so both are reachable from the internet. Keep ssh (and xnm-ssl if the API is needed) only. */
        telnet;
        xnm-clear-text;
        web-management {
            /* J-Web on TCP/80 -- the same port the destination-NAT rule forwards. DNAT should be evaluated before the host-inbound check, so untrust traffic to the public address reaches the server instead, but J-Web stays exposed on every other interface address. */
            http {
                port 80;
            }
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            maximum-lease-time 28800;
            default-lease-time 300;
            /* DHCP clients are pointed at the web-server host (10.196.24.31) as their DNS server. */
            name-server {
                10.196.24.31;
            }
            router {
                10.196.24.1;
            }
            pool 10.196.24.0/24 {
                address-range low 10.196.24.51 high 10.196.24.210;
                exclude-address {
                    10.196.24.177;
                    10.196.24.178;
                    10.196.24.74;
                }
            }
            /* Settings the DHCP client learns on the uplink are propagated to this pool. */
            propagate-settings ge-0/0/0.0;
        }
    }
    /* Local files only, no remote collector. Security-policy session events are not logged unless the policies carry log actions. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    /* Keep five committed configurations on flash and five rollback copies. */
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    /* Automatic license retrieval from Juniper over HTTPS. */
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* Single NTP source; consistent time is needed for log correlation and certificate validity. */
    ntp {
        server 200.160.7.186 prefer;
    }
}
/* Physical layout: ge-0/0/0 = internet uplink (public /28), ge-0/0/1 = second routed LAN, ge-0/0/2..7 = switch ports in vlan-trust, ge-1/0/0 = routed "backbone" LAN 10.196.24.0/24, st0 = VPN tunnel, vlan = L3 interface of vlan-trust. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Public address used by the destination-NAT rule and as IKE external interface; the default route points at 187.72.138.206 in this /28. */
                address 187.72.138.193/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* NOTE(review): ge-0/0/1.0 is not a member of any security zone in this listing, so the SRX will not forward traffic on it. */
                address 10.196.25.1/24;
            }
        }
    }
    ge-0/0/2 {
        /* ge-0/0/2 through ge-0/0/7: identical access ports in vlan-trust (VLAN 3), routed through vlan.0. */
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-1/0/0 {
        description "##Backbone##";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "##Backbone##";
            family inet {
                /* Gateway of the 10.196.24.0/24 LAN that holds the web server (10.196.24.31) and the DHCP pool; this interface is in zone trust. */
                address 10.196.24.1/24 {
                    primary;
                }
            }
        }
    }
    st0 {
        /* Tunnel interface bound to VPN "Rotem"; the static routes for 10.0.0.0/8 and the 58.87.44.x hosts point here. */
        unit 0 {
            family inet;
            family inet6;
        }
    }
    vlan {
        /* vlan.0 is the L3 interface of vlan-trust (zone trust). */
        unit 0;
    }
}
/* Default route to the ISP gateway; 10.0.0.0/8 and four 58.87.44.x hosts are steered into the VPN tunnel (the directly connected 10.196.24.0/24 and 10.196.25.0/24 are more specific and still win). */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 187.72.138.206;
        route 10.0.0.0/8 next-hop st0.0;
        route 58.87.44.105/32 next-hop st0.0;
        route 58.87.44.106/32 next-hop st0.0;
        route 58.87.44.107/32 next-hop st0.0;
        route 58.87.44.93/32 next-hop st0.0;
    }
}
/* Spanning tree enabled for the switching ports. */
protocols {
    stp;
}
/* Security plane: site-to-site VPN "Rotem" (IKE/IPsec over st0.0), UTM profile, screens, NAT, zone policies and zones. This is the listing after the /32 corrections from the thread. */
security {
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            /* NOTE(review): group2 (1024-bit DH), SHA-1 and 3DES are legacy choices; move to group14 or higher, sha-256 and aes-cbc when the peer can match (both ends must agree). */
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy Rotem {
            /* NOTE(review): aggressive mode sends identities and the PSK-derived hash unprotected; it is normally only needed when one peer has a dynamic address. The peer below is static (58.87.57.67), so main mode is worth confirming with the far end. */
            mode aggressive;
            proposals pre-g2-3des-sha;
            /* NOTE(review): $9$ strings are reversible obfuscation, not hashes -- this key has been posted publicly and should be changed on both peers. */
            pre-shared-key ascii-text "$9$kmQnhclWX-tueW8LbwjHqmz6ApB";
        }
        gateway Rotem {
            ike-policy Rotem;
            address 58.87.57.67;
            /* IKE identity sent to the peer; presumably what the far end is configured for -- confirm. */
            local-identity hostname rotem_brazil_newararaquara;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            /* Same legacy-algorithm remark as for the IKE proposal. */
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Rotem {
            proposals esp-3des-sha;
        }
        vpn Rotem {
            /* Route-based VPN: traffic enters the tunnel via the static routes pointing at st0.0. */
            bind-interface st0.0;
            ike {
                gateway Rotem;
                /* NOTE(review): disabling anti-replay removes ESP sequence-number checking; keep this only if a known reordering/interop problem requires it. */
                no-anti-replay;
                ipsec-policy Rotem;
            }
            establish-tunnels immediately;
        }
    }
    utm {
        feature-profile {
            web-filtering {
                /* Profile is defined but no policy in this listing applies a UTM policy, so it is inactive. */
                type surf-control-integrated;
                surf-control-integrated {
                    server;
                }
            }
        }
    }
    screen {
        /* Basic screens; attached to the untrust zone below. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Everything leaving trust for untrust is hidden behind the ge-0/0/0 address. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DMZ-TO-INTERNET {
                /* NOTE(review): zone DMZ-trust has no interfaces assigned (see zones), so no packet ever arrives from it and this rule-set is dead; the web server's outbound traffic is already covered by trust-to-untrust. */
                from zone DMZ-trust;
                to zone untrust;
                rule DMZ-TO-INTERNET {
                    match {
                        /* Still /24 here although the pool and address-book were changed to /32; this covers the whole subnet, not only the server. */
                        source-address 10.196.24.31/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat_10_196_24_31m24 {
                /* Single-host pool with port translation, corrected to /32 as suggested in the thread. */
                address 10.196.24.31/32 port 80;
            }
            rule-set DEST-NAT {
                from zone untrust;
                /* TCP/80 arriving on the public ge-0/0/0 address is translated to the web server. */
                rule WEB-SERVER-TCP-80 {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dnat_10_196_24_31m24;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Unrestricted outbound from the LAN. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy catia-alc-license {
                /* NOTE(review): ordered after the permit-any policy, so it is never reached; in addition "trust" is a /32 of the network address (see zones). Move it first if the deny is meant to work. */
                description catia-alc-license;
                match {
                    source-address trust;
                    destination-address [ catia catia2 catia3 ];
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* NOTE(review): the /32 fix did not change this: after destination NAT to 10.196.24.31 the route lookup selects ge-1/0/0.0, which is in zone trust, so policy lookup happens here. The only policy admits source 10.0.0.0/8 and internet clients fall to the default deny -- consistent with the time-out still reported in the thread. Either put the server's interface in DMZ-trust, or add an untrust->trust permit for WebServer/HTTP with the address defined in trust's address-book (zone address-books are not shared). */
            policy RotemVPN {
                match {
                    /* "10.0.0.0/8" is the untrust address-book entry of that name. */
                    source-address 10.0.0.0/8;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone DMZ-trust {
            /* NOTE(review): never consulted while DMZ-trust holds no interface. When it does take effect, add log { session-init; session-close; } -- an internet-facing permit without logging leaves nothing for detection. */
            policy INTERNET-TO-DMZ {
                match {
                    source-address any;
                    destination-address WebServer;
                    application HTTP;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* NOTE(review): /32 of the network address matches only 10.196.24.0 itself; /24 looks intended -- confirm. */
                address trust 10.196.24.0/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                /* 10.196.24.0/24 -- including the web server -- is reached through this interface, so the server is in zone trust. */
                ge-1/0/0.0;
            }
        }
        security-zone untrust {
            address-book {
                /* Entry literally named "10.0.0.0/8" (referenced by policy RotemVPN). */
                address 10.0.0.0/8 10.0.0.0/8;
                address catia 10.196.34.46/32;
                address catia2 10.196.34.47/32;
                address catia3 10.196.34.48/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                /* NOTE(review): "all" on the internet-facing zone makes every enabled management service (ssh, telnet, J-Web, xnm-clear-text) reachable on 187.72.138.193. Limit this to ike (plus dhcp if the uplink needs it) and manage the box over the VPN or from trust. */
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            /* "all" makes the three entries above redundant and re-opens everything at interface level. */
                            all;
                        }
                    }
                }
                st0.0;
            }
        }
        security-zone DMZ-trust {
            /* NOTE(review): no interfaces stanza -- the zone is empty, so nothing is ever classified into it and policies/NAT rule-sets referencing it cannot match. This, not the prefix length, is what keeps the web server unreachable. */
            address-book {
                /* Corrected to a single host (/32) as suggested in the thread. */
                address WebServer 10.196.24.31/32;
            }
        }
    }
}
/* Custom application for TCP destination port 80 (the predefined junos-http would serve the same purpose). */
applications {
    application HTTP {
        protocol tcp;
        destination-port 80;
    }
}
/* vlan-trust (VLAN 3) groups ports ge-0/0/2..7 and is routed through vlan.0, which sits in zone trust. */
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}