Screen OS


  • 1.  Newbie Help - Port Forwarding

    Posted 10-24-2010 10:48

     Newbie here.  I need detailed WebUI instructions for forwarding port 2222 from the Internet to the Trust zone. I want to use port 2222 for SSH.

     

    Untrust IP address 192.168.1.4, Trust IP address 10.10.200.1, target address 10.10.200.112.  The ISP has port 2222 forwarded to 192.168.1.4.

     

    Help.  Thanks!



  • 2.  RE: Newbie Help - Port Forwarding

    Posted 10-24-2010 11:14

    You would add that service (TCP 2222) under Policy Elements.  Then create a VIP on the external (Untrust) interface that forwards that particular service to your internal host.  Then create a policy from Untrust to Trust that allows that service.

     

    Ron



  • 3.  RE: Newbie Help - Port Forwarding

    Posted 10-24-2010 14:23

    And in that policy, select the VIP as the destination!



  • 4.  RE: Newbie Help - Port Forwarding

    Posted 10-24-2010 14:49

    Thanks both of you!!  I'll try and let you know.



  • 5.  RE: Newbie Help - Port Forwarding

    Posted 10-24-2010 18:39

    I thought I did everything right, but it is still not connecting ...  config file attached.  Thanks again.

     

    unset key protection enable
    set clock timezone -6
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "SSH2222" protocol tcp src-port 2222-2222 dst-port 2222-2222 timeout never
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "ssg5"
    set admin password "nOC1HLrHGMkOcxGP2shBk9AtNGH/en"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 192.168.1.97/24
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 10.10.150.1/24
    set interface ethernet0/1 nat
    set interface bgroup0 ip 10.10.200.1/24
    set interface bgroup0 nat
    set interface ethernet0/0 proxy dns
    set interface ethernet0/1 proxy dns
    set interface bgroup0 proxy dns
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage web
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage web
    set interface bgroup0 vip interface-ip 2222 "SSH" 10.10.200.112
    set interface ethernet0/1 dhcp server service
    set interface bgroup0 dhcp server service
    set interface ethernet0/1 dhcp server enable
    set interface bgroup0 dhcp server auto
    set interface ethernet0/1 dhcp server option lease 1440000
    set interface ethernet0/1 dhcp server option gateway 192.168.1.254
    set interface ethernet0/1 dhcp server option domainname networktel.net
    set interface ethernet0/1 dhcp server option dns1 216.107.78.218
    set interface ethernet0/1 dhcp server option dns2 216.83.236.227
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface bgroup0 dhcp server option domainname networktel.net
    set interface bgroup0 dhcp server option dns1 216.107.78.218
    set interface bgroup0 dhcp server option dns2 216.83.236.227
    set interface bgroup0 dhcp server ip 10.10.200.100 to 10.10.200.149
    unset interface ethernet0/1 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain networktel.net
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 216.107.78.218 src-interface ethernet0/0
    set dns host dns2 216.83.236.227 src-interface ethernet0/0
    set dns host dns3 0.0.0.0
    set dns host schedule 23:00 interval 4
    set dns host name vxn1.datawire.net 129.33.160.116
    set dns host name vxn.datawire.net 216.220.36.75
    set dns host name netconnect1.paymentech.net 65.124.118.120
    set dns proxy
    set dns proxy enable
    set dns server-select domain * outgoing-interface ethernet0/0 primary-server 216.107.78.218 secondary-server 216.83.236.227 failover
    set address "Trust" "192.168.1.4/24" 192.168.1.4 255.255.255.0
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol type sc-cpa
    set url protocol sc-cpa
    set category "White_List" url "*.download.microsoft.com/"
    set category "White_List" url "*.download.windowsupdate.com/"
    set category "White_List" url "*.mcafee.com/"
    set category "White_List" url "*.update.microsoft.com/"
    set category "White_List" url "*.windowsupdate.com/"
    set category "White_List" url "*.windowsupdate.microsoft.com/"
    set category "White_List" url "download.microsoft.com/"
    set category "White_List" url "download.windowsupdate.com/"
    set category "White_List" url "netconnect1.paymentech.net/"
    set category "White_List" url "ntservicepack.microsoft.com/"
    set category "White_List" url "test.stats.update.microsoft.com/"
    set category "White_List" url "update.microsoft.com/"
    set category "White_List" url "vxn.datawire.net/"
    set category "White_List" url "vxn1.datawire.net/"
    set category "White_List" url "windowsupdate.microsoft.com/"
    set profile "Jasons_Profile" other block
    set profile "Jasons_Profile" "White_List" white-list
    set profile "Jasons_Profile" "Adult/Sexually Explicit" block
    set profile "Jasons_Profile" "Advertisements" block
    set profile "Jasons_Profile" "Arts & Entertainment" block
    set profile "Jasons_Profile" "Chat" block
    set profile "Jasons_Profile" "Computing & Internet" block
    set profile "Jasons_Profile" "Criminal Skills" block
    set profile "Jasons_Profile" "Drugs, Alcohol & Tobacco" block
    set profile "Jasons_Profile" "Education" block
    set profile "Jasons_Profile" "Finance & Investment" block
    set profile "Jasons_Profile" "Food & Drink" block
    set profile "Jasons_Profile" "Gambling" block
    set profile "Jasons_Profile" "Games" block
    set profile "Jasons_Profile" "Glamour & Intimate Apparel" block
    set profile "Jasons_Profile" "Government & Politics" block
    set profile "Jasons_Profile" "Hacking" block
    set profile "Jasons_Profile" "Hate Speech" block
    set profile "Jasons_Profile" "Health & Medicine" block
    set profile "Jasons_Profile" "Hobbies & Recreation" block
    set profile "Jasons_Profile" "Hosting Sites" block
    set profile "Jasons_Profile" "Job Search & Career Development" block
    set profile "Jasons_Profile" "Kids Sites" block
    set profile "Jasons_Profile" "Lifestyle & Culture" block
    set profile "Jasons_Profile" "Motor Vehicles" block
    set profile "Jasons_Profile" "News" block
    set profile "Jasons_Profile" "Personals & Dating" block
    set profile "Jasons_Profile" "Photo Searches" block
    set profile "Jasons_Profile" "Real Estate" block
    set profile "Jasons_Profile" "Reference" block
    set profile "Jasons_Profile" "Religion" block
    set profile "Jasons_Profile" "Remote Proxies" block
    set profile "Jasons_Profile" "Search Engines" permit
    set profile "Jasons_Profile" "**bleep** Education" block
    set profile "Jasons_Profile" "Shopping" block
    set profile "Jasons_Profile" "Sports" block
    set profile "Jasons_Profile" "Streaming Media" block
    set profile "Jasons_Profile" "Travel" block
    set profile "Jasons_Profile" "Usenet News" block
    set profile "Jasons_Profile" "Violence" block
    set profile "Jasons_Profile" "Weapons" block
    set profile "Jasons_Profile" "Web-based Email" block
    set enable
    set log all
    set deny-message "Your page is blocked due to a security policy that prohibits access to $URL_CATEGORY"
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit url-filter
    set policy id 1
    set url protocol sc-cpa profile "Jasons_Profile"
    exit
    set policy id 2 name "SSH-22-2222" from "Untrust" to "Trust"  "Any" "192.168.1.4/24" "SSH2222" permit
    set policy id 2
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set snmpv3 local-engine id "0168122009000144"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.1.254 permanent
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 6.  RE: Newbie Help - Port Forwarding

    Posted 10-25-2010 06:00

    I don't think you want the source port set to 2222-2222, just the destination port.  Leave the source port as any.

     

    Ron



  • 7.  RE: Newbie Help - Port Forwarding
    Best Answer

    Posted 10-27-2010 12:15

    It works fine. Thanks.  Instead of using a virtual IP, I let it default to the ethernet0/0 IP address. 

     

    Thanks a lot for your help.  The source port of 2222 has to be there because that's the port being forwarded by the ISP.

     

    Thanks again!