SRX Services Gateway
Contributor (Posts: 17):

Webserver not working


Hello,

 

I am trying to set up a webserver.

I need the following:

 

187.72.138.193 > 10.196.24.31 on port 80

 

What am I doing wrong?

When I try to access it from outside it keeps loading forever then an error appears (timed out).

 

I am using SRX220H2 with JUNOS Software Release [12.1X44-D15.5]

 

I tried the following:

 

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24

set applications application HTTP protocol tcp

set applications application HTTP destination-port 80

set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80

set security nat destination rule-set DEST-NAT from zone untrust

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match source-address any

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match destination-address WebServer

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match application HTTP

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ then permit

set security nat source rule-set DMZ-TO-INTERNET from zone DMZ-trust

set security nat source rule-set DMZ-TO-INTERNET to zone untrust

set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match source-address 10.196.24.31/24
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match destination-address 0.0.0.0/0
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET then source-nat interface

 

 

Recognized Expert (Posts: 199):

Re: Webserver not working

Hi,

 

The IP 10.196.24.31 is a part of the subnet 10.196.24.0/24. Hence you will be unable to give the address entry as 10.196.24.31/24.

 

Moreover, you cannot perform a destination nat of a single IP (Interface IP) and port 80 to a whole internal subnet.

 

Hence, you will have to use a /32 to make it work.

 

Regards,

Sahil Sharma

Please mark my response as Solution if it Helps, Kudos are Appreciated as well.

Contributor (Posts: 17):

Re: Webserver not working

hi.

 

Could you PLEASE edit my commands in order to make it work?

I'm new to SRX configuration... I need it working ASAP for my company website; I will study SRX once I get it solved.

 

 

THANKS

Recognized Expert (Posts: 199):

Re: Webserver not working

Hi,

Please change the subnet in the following 2 commands to /32 as shown below:

 

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/32
set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/32 port 80

 

This should work.

 

HTH!

 

Regards,

Sahil Sharma


Contributor (Posts: 17):

Re: Webserver not working

What about the line:

 

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32

Should I use /32 after IP?

 

Kind regards.

Recognized Expert (Posts: 199):

Re: Webserver not working

Hi,

 

Yes, but even if you don't explicitly state a /32 after the IP, it will be taken as a single /32 only.

 

Regards,

Sahil Sharma


Contributor (Posts: 17):

Re: Webserver not working


Not working. It keeps loading then it gives an error.

 

Try it by yourself, try to access the IP 187.72.138.193 using your browser.

 

Distinguished Expert (Posts: 4,873):

Re: Webserver not working

From your configuration it looks like you are forwarding the same address in use by the actual interface ge-0/0/0 to your web server.

 

Since the SRX is using port 80 already on this address you cannot forward that port.

 

Your options are:

use a different address in your /28 for your web server forwarding

remove ge-0/0/0 from web mgmt (recommended because publishing mgmt to the internet is not best practice)

change the web mgmt port used by the SRX

 

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor (Posts: 17):

Re: Webserver not working


OK, I changed the port of web management to 8081 as you can see in my config below.

 

Now when I access my external IP (187.72.138.193) from an external network on port 80 I got a timeout error.

When I access my external IP from an external network on port 8081 I see my SRX device web management page.

Distinguished Expert (Posts: 1,816):

Re: Webserver not working

add the following:

 

set security nat proxy-arp interface ge-0/0/0.0 address 187.72.138.193/28
set security nat destination rule-set DEST-NAT from interface ge-0/0/0.0
set applications application HTTP application-protocol http

or
why not use application junos-http instead of defining application HTTP?

 

As a best practice, instead of adding host-inbound-traffic system-services all, add http and https

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Contributor (Posts: 17):

Re: Webserver not working


On the third command I got a syntax error:

 

[screenshot 1.PNG: syntax error on the third command]

 

 

And after trying to commit the first and second commands I got the following error:

 

root@device# commit
[edit security nat proxy-arp interface ge-0/0/0.0]
  'address 187.72.138.193/28'
    Proxy ARP IP address range [187.72.138.193 187.72.138.207] overlaps with interface IP address range [187.72.138.193 187.72.138.193] defined on interface 'ge-0/0/0.0'
error: configuration check-out failed

 

please help me.

Distinguished Expert (Posts: 1,816):

Re: Webserver not working

[screenshot app-config.jpg: application configuration]

 

 

187.72.138.193/32   <== my bad, use /32

Not sure why your application does not work.

Contributor (Posts: 17):

Re: Webserver not working


Cannot commit.

 

please check step by step:

Distinguished Expert (Posts: 1,816):

Re: Webserver not working

Let's try this one at a time.

deactivate applications application HTTP

delete the proxy-arp statement.

In the security policy, delete the application HTTP and replace it with junos-http

commit and test.

 

Contributor (Posts: 17):

Re: Webserver not working


Hi,

 

I am new on SRX configuration so could you please be more clear?

I don't know junos-http, I think I removed the first configuration we made

Distinguished Expert (Posts: 1,816):

Re: Webserver not working

why not use application junos-http instead of defining application HTTP?

}
from-zone untrust to-zone DMZ-trust {
    policy INTERNET-TO-DMZ {
        match {
            source-address any;
            destination-address WebServer;
            application HTTP;   <===== Delete this and use junos-http, which is already created for you, as you can see in the image.

applications {
    application HTTP {   <====== Deactivate this application
        protocol tcp;
        destination-port 80;

Use these commands to delete HTTP from the policy and add junos-http:
At the top of the hierarchy, save your configuration
#save rdgcatell_config (use this to restore if you need to)
#deactivate applications application HTTP
#edit security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ
#delete match application HTTP
#set match application junos-http
#set match application junos-https
#delete security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

commit confirmed
Test; if all is well, then enter commit within 10 minutes, otherwise the configuration will roll back
BTW you don't have an IP address on interface vlan.0? Is that working okay?

 

When you try to connect if it fails,

>show security flow session to see the packet flow

If no go, then we set up data-path debug

Distinguished Expert (Posts: 1,816):

Re: Webserver not working

 

Set a specific management URL for J-Web, e.g. so that when you access the public IP it does not bring up the web management. If you need the web management, you would simply add it to the URL: http://<IP>/jwebmgmt

# set system services web-management management-url jwebmgmt
# set system services web-management http interface ge-0/0/0.0
# set system services web-management http interface vlan.0 <=== need to add an IP that the vlan clients in trust use as the gateway and that you use for web management

Distinguished Expert (Posts: 1,816):

Re: Webserver not working

I noticed a config in others which I did not see here and am not totally aware of. Add this to your configuration:

 }
        from-zone untrust to-zone DMZ-trust {
            policy INTERNET-TO-DMZ {
                match {
                    source-address any;
                    destination-address WebServer;
                    application HTTP;
                }
                then {
                    permit destination-address

 

Contributor (Posts: 17):

Re: Webserver not working


When I tried to run the following command I got a syntax error on the "security-zone" part.

 

delete security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

 

 

 

Distinguished Expert (Posts: 1,816):

Re: Webserver not working

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

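The points the replies make one at a time (a host entry in the address book and in the destination NAT pool must be /32; a proxy-arp range that contains the interface's own address is rejected at commit; forwarding port 80 of the address where J-Web listens; and `host-inbound-traffic system-services all` on the untrust interface) can be checked mechanically before a commit. The following Python script is an added example, not code from this thread or from Juniper: it lints a list of `set` commands for exactly those conditions and rewrites the two /32 entries. Its input is constructed: the NAT, address-book and policy lines are the original poster's; the interface address is reconstructed from the range in the commit error ([187.72.138.193 187.72.138.207] is a /28); the web-management and host-inbound-traffic lines are assumptions drawn from the replies, not lines the poster showed.

```python
"""Lint Junos SRX 'set' commands for the destination-NAT mistakes discussed
in the thread. Added example; not Juniper code and not the poster's config."""
import ipaddress
import re

# Constructed input (see the note above): poster's lines plus a reconstructed
# interface address and two assumed lines for J-Web and host-inbound-traffic.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 187.72.138.193/28
set system services web-management http interface ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24
set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80
set security nat destination rule-set DEST-NAT from zone untrust
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24
set security nat proxy-arp interface ge-0/0/0.0 address 187.72.138.193/28
"""

PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


def host_with_network_mask(prefix):
    """True for '10.196.24.31/24': host bits set under a mask wider than /32.
    Junos rejects such an entry in address books and NAT pools; a single
    server must be written as /32."""
    ifc = ipaddress.ip_interface(prefix)
    return ifc.network.prefixlen < ifc.max_prefixlen and ifc.ip != ifc.network.network_address


def lint(config_text):
    """Return (code, message) findings for a block of 'set' commands."""
    findings = []
    iface_addr = {}                 # 'ge-0/0/0.0' -> IPv4Interface
    dnat_dst, dnat_port = {}, {}    # rule name -> matched public IP / port
    proxy_arp = []                  # (interface, prefix)
    web_ifaces, web_port = set(), 80  # J-Web listens on 80 unless 'http port' is set
    for line in (l.strip() for l in config_text.splitlines()):
        if not line.startswith("set "):
            continue
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)$", line):
            iface_addr[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := re.match(r"set security zones security-zone \S+ address-book address (\S+) (\S+)$", line):
            if PREFIX_RE.match(m[2]) and host_with_network_mask(m[2]):
                findings.append(("ADDR-MASK", f"address-book entry {m[1]} is {m[2]}; a host entry must be /32"))
        elif m := re.match(r"set security nat destination pool (\S+) address (\S+)", line):
            if PREFIX_RE.match(m[2]) and host_with_network_mask(m[2]):
                findings.append(("DNAT-POOL-MASK", f"destination pool {m[1]} is {m[2]}; one public address:port cannot map to a subnet, use /32"))
        elif m := re.match(r"set security nat destination rule-set \S+ rule (\S+) match destination-address (\S+)$", line):
            dnat_dst[m[1]] = ipaddress.ip_interface(m[2]).ip
        elif m := re.match(r"set security nat destination rule-set \S+ rule (\S+) match destination-port (\d+)$", line):
            dnat_port[m[1]] = int(m[2])
        elif m := re.match(r"set security nat proxy-arp interface (\S+) address (\S+)$", line):
            proxy_arp.append((m[1], m[2]))
        elif m := re.match(r"set system services web-management http interface (\S+)$", line):
            web_ifaces.add(m[1])
        elif m := re.match(r"set system services web-management http port (\d+)$", line):
            web_port = int(m[1])
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+) host-inbound-traffic system-services all$", line):
            findings.append(("HIT-ALL", f"zone {m[1]} interface {m[2]} accepts all system services; list only what is needed"))
    # proxy-arp is for addresses the SRX does not own; its own address overlaps
    for ifname, prefix in proxy_arp:
        own = iface_addr.get(ifname)
        if own and own.ip in ipaddress.ip_network(prefix, strict=False):
            findings.append(("PROXY-ARP-OVERLAP", f"proxy-arp {prefix} on {ifname} contains the interface's own {own.ip}; commit rejects the overlap"))
    # forwarding the interface's own address:port while J-Web listens there
    for rule, port in dnat_port.items():
        for ifname in web_ifaces:
            own = iface_addr.get(ifname)
            if own and dnat_dst.get(rule) == own.ip and port == web_port:
                findings.append(("WEB-MGMT-PORT", f"rule {rule} forwards {own.ip}:{port} but J-Web listens on {ifname} port {web_port}; move J-Web off the interface, change its port, or use another public address"))
    return findings


def fix_host_masks(config_text):
    """Rewrite /n host entries in address books and destination pools to /32
    (the change the first reply asked for); every other line is returned as-is."""
    fixed = []
    for line in (l.strip() for l in config_text.splitlines()):
        if not line:
            continue
        tokens = line.split()
        if "address-book" in tokens or line.startswith("set security nat destination pool "):
            tokens = [f"{ipaddress.ip_interface(t).ip}/32" if PREFIX_RE.match(t) and host_with_network_mask(t) else t
                      for t in tokens]
        fixed.append(" ".join(tokens))
    return fixed


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
    print("\n".join(fix_host_masks(SAMPLE_CONFIG)))
```

Run against the constructed config it reports five findings; `fix_host_masks` returns the two /32 lines from the first reply, and appending `set system services web-management http port 8081` (the change the poster made) clears the WEB-MGMT-PORT finding, which matches the poster seeing J-Web on 8081 afterwards. It only reads `set` lines; it does not connect to a device, so run it on the output of `show configuration | display set` before committing.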