ScreenOS Firewalls (NOT SRX)
dsteinschneider

SSG 5 v 5.4 - Using VIP - built in services will forward but not my custom services

Every example I've found for setting up inbound port mapping (KB11910) is always HTTP or FTP, both of which I have working with my cable modem's single external IP, which is also the untrusted Eth 0/0 address. I have followed numerous threads and KBs for using VIP in this scenario to forward ports to inside hosts, but for services I created in the web UI they don't work. Is this a common error, or do you need to see my config file? BTW, what should I redact when posting besides my external IP?


Thanks

dsteinschneider

Re: SSG 5 v 5.4 - Using VIP - built in services will forward but not my custom services

I figured it out. I went back to policies and edited the VIP(ethernet0/0) policy and clicked edit and then next to service clicked the Multiple button and added the services I created. I did this once before but must have had something else wrong because it didn't appear to work.


I'm using the CLI to read the setups but web UI to edit.

dsteinschneider

Re: SSG 5 v 5.4 - Using VIP - built in services will forward but not my custom services

Everything port forwarded in VIP except Remote Desktop Protocol. I assume that there is either an ALG or I have to use a built-in service. I'm trying to port map 33892 to 3389 to an inside host.


Can anyone tell me the best way to set up RDC for 10 hosts? I map 33890 through 33899 to a set of 10 host IPs inside at 3389. 33891 takes me to 192.168.1.2, 33892 takes me to 192.168.1.3, etc.

ghaugsness@yahoo.com

Re: SSG 5 v 5.4 - Using VIP - built in services will forward but not my custom services

There shouldn't be anything special needed to be able to port forward to 3389. I don't think any ALGs come into play here, but if there are you could do a debug nat gate and a debug asp all and then debug flow basic on your src and dst; in the db stream you should see the policy hitting the ALG.


I would change the listener port on the hosts, say 3389-3399.
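For reference, here is what the three pieces discussed in this thread (custom service, VIP entries on ethernet0/0, and the policy that has to list that service) look like from the CLI for the first two of the ten hosts. This is an added example, not a config from any poster or from Juniper documentation; the ScreenOS syntax is written from memory and the object names, policy id and 192.168.1.x addresses are assumptions, so check them against the CLI reference for your release. Lines starting with '#' are annotations, not CLI commands.

```screenos
# Added example, assumed ScreenOS syntax. '#' lines are annotations only.

# 1. One custom TCP service for the port on the inside host (3389).
#    In a VIP entry the service defines the port on the real server, while
#    the virtual port is the one exposed on the interface IP, so a single
#    service covers all ten hosts. Keep it a single port; VIP cannot use
#    multi-port services.
set service "RDP-3389" protocol tcp src-port 0-65535 dst-port 3389-3389

# 2. VIP entries on the untrust interface: virtual port -> service -> host.
#    Add one line per host, 33890 through 33899 as described in the thread.
set interface ethernet0/0 vip interface-ip 33891 "RDP-3389" 192.168.1.2
set interface ethernet0/0 vip interface-ip 33892 "RDP-3389" 192.168.1.3

# 3. The policy to VIP(ethernet0/0) must include the same custom service
#    that the VIP entries reference; a service left out of this list is the
#    symptom the original poster hit. Use the policy context (the CLI form
#    of the WebUI "Multiple" button) to add further services. "Any" as the
#    source is what the thread uses; narrowing it to known client addresses
#    reduces what the exposed ports see.
set policy id 10 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "RDP-3389" permit log
set policy id 10
exit

# Verification: confirm the service, the VIP entries and the policy exist.
get service "RDP-3389"
get interface ethernet0/0
get policy id 10
```

Enabling logging on the policy gives a per-connection record in the traffic log, which is the quickest way to see whether a port 3389x connection is matching this policy or falling through to the default deny.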

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.