02-24-2012 11:42 AM
We have a Juniper SSG140 and I'm having a heck of a time trying to get port forwarding working. Specifically trying to get ports 80 and 443 for a publicly accessible web server. Previously I had configured it with MIP with an Untrust to Trust policy. This isn't working. In the guide it says:
set interface ethernet2 mip 184.108.40.206 host 10.1.1.5 netmask 255.255.255.0 vrouter trust-vr
set policy from untrust to trust any mip(220.127.116.11) http permit
When I do this I can see in the logs that traffic is arriving at the server but either isn't getting to the client or is appearing to be from a different IP (we have a range of IPs and the MIP is not mapped to our default untrust IP). I tried adding a Trust to Untrust policy to allow traffic from the internal server out and messed around with NAT-src but it just doesn't seem to work. Any suggestions?
02-26-2012 02:43 AM
Can you run the debug?
set ff dst-ip 18.104.22.168.5
debug flow basic
try to connect to the mip
get db stream
The debug output should show what's happening. You could post it to let us all help you.
02-27-2012 12:46 AM
The command should be:
set interface ethernet2 mip 22.214.171.124 host 10.1.1.5 netmask 255.255.255.255 vrouter trust-vr
set interface ethernet2 mip 126.96.36.199 host 10.1.1.5 vrouter trust-vr
The command you have used maps a C-net to another C-net. But I do not think that you have 256 public IPs. Besides, you need a one-to-one mapping for a pair of a private and a public IP.
02-27-2012 08:28 AM - edited 02-27-2012 08:30 AM
Thanks for your help. I had forgotten that the server was set with a different gateway than the SSG140. Once I changed that it worked fine. I thought I was going crazy.
EDIT: Also yes I made a typo on the netmask on my post but had 255.255.255.255 as the netmask for the MIP on the SSG.