ScreenOS Firewalls (NOT SRX)
cripperz (Visitor, 4 posts, registered 03-27-2010)

SSG 140 Port forwarding from untrust to trust for rsyncd 873

Hi all,

I have been trying to do port forwarding from an untrust IP to a trust IP on port 873. I have been doing a lot of searching and trying a couple of things.

I have added a VIP from the Internet IP (firewall IP) on the untrust interface to 192.168.3.200 (the server which has rsyncd).

Added a service with src port 0-65535 to dst port 873-873. Added a policy from untrust any to trust VIP.

Where did I go wrong?

Moerkholt (Super Contributor, 169 posts, registered 11-05-2007)

Re: SSG 140 Port forwarding from untrust to trust for rsyncd 873

Hi,

Have you tried to follow the Resolution Guide below?

KB11909 - NAT Resolution Guide - How to configure Network Address Translation (NAT) in ScreenOS

Regards,

Hans
JNCIS-FWV

If this worked for you then please flag my post as an "Accepted Solution" so others can benefit from it. A kudo would be nice if you think I earned it.
cripperz (Visitor, 4 posts, registered 03-27-2010)

Re: SSG 140 Port forwarding from untrust to trust for rsyncd 873

I tried to follow some KB steps. Still no luck.

http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v8.pdf  <-- followed the steps on page 47

Moerkholt (Super Contributor, 169 posts, registered 11-05-2007)

Re: SSG 140 Port forwarding from untrust to trust for rsyncd 873

Hi,

I think this link might help you.

As you can see, the policy is a bit different, as it states that it is from Untrust to Untrust.

http://kb.juniper.net/index?page=content&id=KB12631&actp=search&searchid=1270312680925&smlogin=true

Regards,

Hans
JNCIS-FWV
cripperz (Visitor, 4 posts, registered 03-27-2010)

Re: SSG 140 Port forwarding from untrust to trust for rsyncd 873

Hi there,

OK, another unsuccessful attempt.

My 192.168.3.200 is a Windows server with port 873 open. This falls under the trust interface 192.168.3.1 on ethernet3 (trust).

My firewall is on the 1.1.1.1 address, and its interface address is 1.1.1.1 on ethernet2 (untrust).

I am just intending to allow an external user to access 1.1.1.1 port 873, which is a service hosted within my network on 192.168.3.200.

Can anyone advise, please?

Moerkholt (Super Contributor, 169 posts, registered 11-05-2007)

Re: SSG 140 Port forwarding from untrust to trust for rsyncd 873

Hi,

Alright.

If you use the untrust interface IP for access to an internal host, you have to use a VIP.

There is a guide for this in the NAT Resolution Guide.

If you are still unsuccessful, the best way to troubleshoot the issue is debugging.

For debugging you have to go through the following steps.

First you set up a flow filter to record only the traffic you need to debug:

set ff src-ip xx.xx.xx.xx dst-ip yy.yy.yy.yy

set ff src-ip yy.yy.yy.yy dst-ip xx.xx.xx.xx

debug flow basic - activates debugging

clear db - clears the debug memory in case it contains information from a previous debug

Now the firewall records the traffic that matches the flow filter.

get db stream - gets the content of the debug buffer.

If you want to save the debug information, it can be sent to a TFTP server:

get db stream > tftp zz.zz.zz.zz debugfile.txt

The debug can be stopped with undebug all.

The output will give you information as to what the firewall does with the traffic.

If you are having trouble interpreting the output, you are welcome to post the output.

Alternatively you can post your firewall config for review.

Regards,

Hans
JNCIS-FWV
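The debug procedure above, worked through for the addresses given in this thread (firewall untrust address 1.1.1.1 on ethernet2, rsync host 192.168.3.200). This is an added example, not part of Hans's post or of any Juniper document. The external test client 203.0.113.5 is an assumed address. Because the VIP rewrites the destination on the way in and the source on the way out, filters are set for both the untranslated pair (client to 1.1.1.1) and the translated pair (client to 192.168.3.200) and for the two return directions, on the assumption that a packet may be matched after translation as well as before it; redundant filters cost nothing and avoid an empty capture. Lines beginning with # are annotations, not ScreenOS commands.

```text
# 1. Flow filters: inbound, pre-NAT and post-NAT, restricted to the rsync port
set ffilter src-ip 203.0.113.5 dst-ip 1.1.1.1 dst-port 873
set ffilter src-ip 203.0.113.5 dst-ip 192.168.3.200 dst-port 873
#    Return traffic, before and after the source is rewritten back to 1.1.1.1
set ffilter src-ip 192.168.3.200 dst-ip 203.0.113.5
set ffilter src-ip 1.1.1.1 dst-ip 203.0.113.5
get ffilter

# 2. Empty the buffer, then start recording
clear dbuf
debug flow basic

# 3. From the assumed client 203.0.113.5, open one connection to 1.1.1.1 port 873
#    (for example: rsync rsync://1.1.1.1/ or telnet 1.1.1.1 873), then stop
undebug all

# 4. Read the buffer, or ship it to a TFTP server (192.168.3.50 is an assumed TFTP host)
get dbuf stream
get dbuf stream > tftp 192.168.3.50 rsync-vip-debug.txt

# 5. Clean up the filters by their id as listed by "get ffilter"
unset ffilter 0
unset ffilter 0
unset ffilter 0
unset ffilter 0
```

Things to look for in the output: whether the session is created at all (no session means the VIP or service did not match), which policy id the packet was matched against, and whether the destination shown after translation is 192.168.3.200. `dbuf` is the full keyword for the `db` abbreviation used in the post; `set ff` is likewise short for `set ffilter`. Leaving `debug flow basic` running without a filter on a busy box fills the buffer quickly, so always set the filters first and always finish with `undebug all`.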
TravisJohnson (Contributor, 116 posts, registered 12-14-2009)

Re: SSG 140 Port forwarding from untrust to trust for rsyncd 873

To make it simple, edit this:

set interface ethernet0/4 vip interface-ip 80 "HTTP" 192.168.13.30
set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/4)" "HTTP" permit log

________________________________________________

If my post helped you, please feel free to give me kudos.
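The two lines above adapted to this thread's case, as an added example that is neither Travis's nor Juniper's configuration. Port 873 has no predefined ScreenOS service, so a custom service is created first with the port range the original poster described (any source port, destination 873). Interface names are the ones the poster gave (ethernet2 untrust, ethernet3 trust); the service name "RSYNC", the address object "rsync-peer" and the peer address 203.0.113.5 are assumed. The two policy lines are alternatives, not a pair: the first reproduces the "Any" source from the thread, the second allows only one known peer. If both are installed, the "Any" policy created first is matched first and the restriction never takes effect. Restricting the source is worth doing here because an rsync daemon module only authenticates clients if it has been configured to, so an open VIP on 873 exposes whatever the module serves to every address on the Internet. Lines beginning with # are annotations, not commands.

```text
# Custom service: any source port, TCP destination port 873 (rsync daemon)
set service "RSYNC" protocol tcp src-port 0-65535 dst-port 873-873

# VIP on the untrust interface's own address: forward 1.1.1.1:873 to 192.168.3.200:873
set interface ethernet2 vip interface-ip 873 "RSYNC" 192.168.3.200

# Policy exactly as in the thread: open to any source, logged
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet2)" "RSYNC" permit log

# Tighter alternative (use instead of the policy above): only the known peer may reach the VIP
set address "Untrust" "rsync-peer" 203.0.113.5 255.255.255.255
set policy from "Untrust" to "Trust" "rsync-peer" "VIP(ethernet2)" "RSYNC" permit log

# Verify what was created, then commit to flash
get service "RSYNC"
get interface ethernet2
get policy
save
```

The address in the policy is the VIP address object the firewall creates for the interface, written "VIP(ethernet2)", not the 192.168.3.200 host itself; a policy to a Trust address object for 192.168.3.200 will not match traffic that arrived for 1.1.1.1. The service in the policy must be the same service attached to the VIP, which is the mistake most often behind a VIP that "does not work" when the policy uses a different or broader service than the VIP entry.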
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.