02-24-2012 11:42 AM
We have a Juniper SSG140 and I'm having a heck of a time trying to get port forwarding working. Specifically trying to get ports 80 and 443 for a publicly accessible web server. Previously I had configured it with MIP with a Untrust to Trust policy. This isn't working. In the guide it says:
set interface ethernet2 mip 220.127.116.11 host 10.1.1.5 netmask 255.255.255.0 vrouter trust-vr
set policy from untrust to trust any mip(18.104.22.168) http permit
When I do this I can see in the logs that traffic is arriving to the server but either isn't getting to the client or is appearing to be from a different IP (we have a range of IPs and the MIP is not mapped to our default untrust IP). I tried adding a Trust to Untrust policy to allow traffic from the internal server out and messed around with NAT-src but it just doesn't seem to work. Any suggestions?
Solved! Go to Solution.
02-26-2012 02:43 AM
Can you run de debug?
set ff dst-ip 22.214.171.124.5
debug flow bacic
try to connect to the mip
get db stream
The debug output should show what's happening. You could post it to let us all help you.
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
02-27-2012 12:46 AM
The command should be:
set interface ethernet2 mip 126.96.36.199 host 10.1.1.5 netmask 255.255.255.255 vrouter trust-vr
set interface ethernet2 mip 188.8.131.52 host 10.1.1.5 vrouter trust-vr
The command you have used maps a C-net to another C-net. But I do not think that you have 256 public IPs. Besides, you need an one-to-one mapping for a pair of a private and a public IPs.
02-27-2012 08:28 AM - edited 02-27-2012 08:30 AM
Thanks for your help. I had forgot that the server was set with a different gateway than the SSG140. Once I changed that it worked fine. I thought I was going crazy.
EDIT: Also yes I made a typo on the netmask on my post but had 255.255.255.255 as the netmask for the MIP on the SSG.