ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 33
Registered: ‎02-14-2009
Accepted Solution

Simple port based redirection in WebUI

Hi,

I am a novice and only familiar with the WebUI. I have to redirect, on an SSG5, requests incoming on the untrusted zone (ethernet0/0) on port 3000 to a PC with IP 22.33.44.66 connected in the trusted zone (bgroup0, 22.33.44.55/24), actually on ethernet0/6.

For running the server and testing the access with a browser I'm using the same PC.

While accessing my PC's trusted IP address 22.33.44.66:3000 it all works fine, but whatever I tried from forums and manuals (policies, VIP) I can't get it working if I make the same request to my public fixed IP (on ethernet0/0).

Can someone explain how to do it in the WebUI?

Akos

 

Distinguished Expert
Screenie
Posts: 1,080
Registered: ‎01-10-2008

Re: Simple port based redirection in WebUI

Which version of ScreenOS are you running?
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
Posts: 33
Registered: ‎02-14-2009

Re: Simple port based redirection in WebUI

Hi Screenie,

It is 6.1.0r4.0.

:smileyhappy:

Akos

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: Simple port based redirection in WebUI

This sounds like basic VIP. Have you tried accessing from the untrust side, outside your network, to your PC inside? The reason I say that is that if you are trying to test from your PC in the trust zone to your public VIP address on untrust, you will not be able to reach your VIP since the traffic is not originating from the untrust zone. So your test is not a good test. You really need to be testing from a PC on the untrust side to your public IP. In that case the VIP should work.

Try testing from a host on the untrust side and, if you still have problems, provide some config snippets.

-Richard

Distinguished Expert
Screenie
Posts: 1,080
Registered: ‎01-10-2008

Re: Simple port based redirection in WebUI

Exactly my idea. Define the VIP and create a policy from untrust to trust invoking the VIP.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

Contributor
Posts: 33
Registered: ‎02-14-2009

Re: Simple port based redirection in WebUI

Ok, I'll try it and let you know!

Another detail: since I'd like to limit the outside world to access on port 3000 only, I guess I have to define a "Custom service" for that and use it instead of the predefined "Any, HTTP, Telnet..." from the selection when configuring, don't I?

Distinguished Expert
Screenie
Posts: 1,080
Registered: ‎01-10-2008

Re: Simple port based redirection in WebUI

Yes, you're right here: you have to define a custom service. It's under Policy > Policy Elements in the GUI.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

Contributor
Posts: 33
Registered: ‎02-14-2009

Re: Simple port based redirection in WebUI


Hi all,

It works! Yes, it is a basic VIP task, but it was just my lack of knowledge and misunderstanding of the SSG5's architecture.

With "custom service + VIP at the untrust + policy from untrust->trust" it works fine.

Accessing my public fixed IP from the same PC, or any other in the trusted zone, was not the problem. Now this one works fine too, and I asked a friend to do a query with his browser from home and it worked!

Though it works, I still have some "why" questions:

- Services: The request comes from http://xxx.xxx.xxx.xxx:3000 to my port 3000. Why source 0-65535? Doesn't it expose me more than necessary? Could it be source 3000-3000 and destination 3000-3000 to narrow the accessible port range?

- What exactly am I doing now? As I figured out, it should be something like this:

The request to port 3000 comes into my untrusted zone on my fixed public IP on ethernet0/0.

The policy redirects it to the VIP of my ethernet0/0 because the custom service is the one with destination port 3000.

Finally the VIP takes care of forwarding it to the IP address in the trusted zone I entered in the "Map to IP" field, because it is going to port 3000, which I entered in the "Virtual port" field. Correct me if I am wrong!

Many thanks for the help!

Message Edited by b_akos on 03-08-2009 11:51 AM
Distinguished Expert
Screenie
Posts: 1,080
Registered: ‎01-10-2008

Re: Simple port based redirection in WebUI

In an IP connection, for almost every protocol the source port is randomly chosen between 1024 and 65535. The destination port is "fixed" on a well-known port number. Had it been different, only one connection of a certain protocol between a source and destination would have been possible. So the services are defined with source port 0 to 65535. In my opinion 1024 to 65535 would have been better.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

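The two open points in the thread, the "what exactly am I doing" walk-through (custom service, VIP, policy) and the question about the 0-65535 source-port range, can both be checked with a small model. The script below is an added example, not Juniper code and not the poster's real configuration. Its four "set ..." lines are a constructed ScreenOS-style snippet that I believe corresponds to the WebUI steps discussed (a custom TCP service, an interface-IP VIP on ethernet0/0, and an Untrust-to-Trust policy whose destination is the VIP object); the service names, the extra "TCP-3000-narrow" variant, and the public address 198.51.100.10 are my own assumptions. The 22.33.44.66 host is the one from the original post. The lookup order is a deliberate simplification of the ScreenOS flow: VIP match first, then the zone-to-zone policy.

```python
"""Toy model of the ScreenOS chain "custom service -> VIP -> policy".

Added example; not Juniper code and not the poster's config. The config
snippet is constructed, and the CLI form is my assumed equivalent of the
WebUI steps described in the thread.
"""
import shlex
from dataclasses import dataclass

# Constructed config snippet (assumed CLI equivalent of the WebUI steps).
CONFIG = """
set service "TCP-3000" protocol tcp src-port 0-65535 dst-port 3000-3000
set service "TCP-3000-narrow" protocol tcp src-port 3000-3000 dst-port 3000-3000
set interface ethernet0/0 vip interface-ip 3000 "TCP-3000" 22.33.44.66
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "TCP-3000" permit
"""

PUBLIC_IP = "198.51.100.10"  # assumed fixed public IP of ethernet0/0 (RFC 5737 range)


@dataclass
class Service:
    proto: str
    src: tuple  # (low, high) source-port range
    dst: tuple  # (low, high) destination-port range

    def matches(self, proto, sport, dport):
        return (proto == self.proto
                and self.src[0] <= sport <= self.src[1]
                and self.dst[0] <= dport <= self.dst[1])


@dataclass
class Vip:
    iface: str
    vport: int     # the "Virtual port" field in the WebUI
    service: str   # the service the VIP maps
    map_ip: str    # the "Map to IP" field in the WebUI


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str


def _port_range(text):
    lo, hi = text.split("-")
    return int(lo), int(hi)


def parse(config):
    """Parse the three statement types modelled here; other lines are ignored."""
    services, vips, policies = {}, [], []
    for line in config.strip().splitlines():
        tok = shlex.split(line)  # shlex strips the ScreenOS double quotes
        if tok[:2] == ["set", "service"]:
            # set service <name> protocol <proto> src-port <lo-hi> dst-port <lo-hi>
            services[tok[2]] = Service(tok[4], _port_range(tok[6]), _port_range(tok[8]))
        elif tok[:2] == ["set", "interface"] and tok[3] == "vip":
            # set interface <if> vip interface-ip <vport> <service> <map-ip>
            vips.append(Vip(tok[2], int(tok[5]), tok[6], tok[7]))
        elif tok[:2] == ["set", "policy"]:
            # set policy from <zone> to <zone> <src-addr> <dst-addr> <service> <action>
            policies.append(Policy(tok[3], tok[5], tok[6], tok[7], tok[8], tok[9]))
    return services, vips, policies


def handle(config, src_zone, sport, dst_ip, dport, proto="tcp"):
    """Simplified inbound lookup: VIP first, then the zone-to-zone policy.

    Returns ("permit", mapped_ip, mapped_port) or ("deny", reason).
    """
    services, vips, policies = parse(config)
    # 1. A VIP hit needs the interface IP, the virtual port and a service match.
    vip = next((v for v in vips
                if dst_ip == PUBLIC_IP and v.vport == dport
                and services[v.service].matches(proto, sport, dport)), None)
    if vip is None:
        return ("deny", "no VIP for that destination port/service")
    # 2. The policy must run from the source zone to Trust, name the VIP object
    #    as its destination, and carry a service that also matches the packet.
    for p in policies:
        if (p.src_zone == src_zone and p.dst_zone == "Trust"
                and p.dst == f"VIP({vip.iface})"
                and services[p.service].matches(proto, sport, dport)):
            if p.action == "permit":
                # The VIP forwards to Map-to-IP on the mapped service's port.
                return ("permit", vip.map_ip, services[vip.service].dst[0])
            return ("deny", "policy action " + p.action)
    return ("deny", "no policy permits the VIP")


if __name__ == "__main__":
    # A browser picks an ephemeral source port; only the destination is fixed.
    print(handle(CONFIG, "Untrust", 51234, PUBLIC_IP, 3000))
    print(handle(CONFIG, "Untrust", 51234, PUBLIC_IP, 22))
    svc, _, _ = parse(CONFIG)
    print(svc["TCP-3000-narrow"].matches("tcp", 51234, 3000))
```

Running it shows the chain the poster described: a client on the untrust side with an ephemeral source port 51234 is permitted and lands on 22.33.44.66:3000, while a request to port 22 finds no VIP and is dropped, so only port 3000 is published. The "TCP-3000-narrow" variant answers the source-port question: with src-port 3000-3000 the same client no longer matches the service, because it never sends from port 3000. Narrowing the source range would also not reduce exposure in any meaningful way, since a remote attacker chooses the source port freely; the destination port and the single mapped host are what bound what is reachable.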
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.