Screen OS

  • 1.  Why can't I forward to my DMZ Web Server?

    Posted 03-21-2013 17:02

    I have a simple network on SSG20 running 6.3.0r13.0


    4 zones

    Trust (2 interfaces: 10.1.1.0 and 10.66.0.0)

    1 Untrust (1 Public interface - public ISP)

    DMZ (1 interface 10.1.2.0)


    Untrust is connected to static IP from ISP.


    Untrust has VIP pointing to web server in DMZ (port 81) and a server in Trust (port 80)


    The VIP to Trust works fine.

    From DMZ I can access Trust and Untrust services (have Any-Any policies for now)

    I have a src-NATed DMZ-to-Untrust policy.


    I have Internet access from Trust (and DMZ also) via route configuration. See attached cfg.


    For the life of me, I cannot figure out why traffic is not getting forwarded from the Internet to the DMZ server! When I do a debug trace, I see traffic being forwarded to the DMZ server (10.1.2.4), but nothing comes back. How can that be when the server 10.1.2.4 has full access to the outside?


    Much appreciated.



  • 2.  RE: Why can't I forward to my DMZ Web Server?
    Best Answer

    Posted 03-21-2013 19:19

    Hi,


    1. do a 'get vip' and check status of VIP on dmz.
    2. do src-nat on policy id 15.
    3. get log traffic policy 15

    If after the above 3 steps you don't see a response from the server, then I suggest doing a packet capture on the server.

    Hope this helps.


    Regards.
    Hardeep

  • 3.  RE: Why can't I forward to my DMZ Web Server?

    Posted 03-22-2013 07:29

    You are correct!


    The issue was on the server. After doing a tcpdump trace, I realized the Linux firewall was blocking port 80.


    Thanks
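The root cause in this thread was the host firewall on the DMZ server, not the VIP, which is exactly what Hardeep's last step (a packet capture on the server) surfaces. As an added example, not from the thread or from Juniper: a small Python check that reads an `iptables -S INPUT` listing from the server and reports the first-match verdict for a new inbound TCP connection. The listing, the interface name `eth0` and the rule set are constructed; note that the port to check on the host is the real service port (80, since the VIP maps Untrust port 81 to HTTP on 10.1.2.4), not the virtual port the VIP listens on.

```python
import re

# Constructed sample of `iptables -S INPUT` from the DMZ web server: SSH and
# established flows are accepted, the chain defaults to DROP, and the web
# port was never opened. The VIP forwards Untrust :81 to HTTP on 10.1.2.4,
# so the port that must be open on the host is 80, not 81.
SAMPLE_INPUT_CHAIN = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def _opt(pattern, line, conv=str):
    """Return the converted first capture group of pattern in line, or None."""
    m = re.search(pattern, line)
    return conv(m.group(1)) if m else None


def parse_chain(listing):
    """Return (default_policy, rules) parsed from `iptables -S <chain>` text."""
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        if line.startswith("-P "):
            policy = line.split()[2]
        elif line.startswith("-A "):
            rules.append({
                "proto": _opt(r"(?<!\S)-p (\S+)", line),
                "dport": _opt(r"--dport (\d+)", line, int),
                "state": _opt(r"--(?:ct)?state (\S+)", line, lambda s: s.split(",")),
                "iface": _opt(r"(?<!\S)-i (\S+)", line),
                "target": _opt(r"(?<!\S)-j (\S+)", line),
            })
    return policy, rules


def new_tcp_verdict(listing, dport, iface="eth0"):
    """First-match verdict (ACCEPT/DROP/REJECT) for a NEW inbound TCP SYN."""
    policy, rules = parse_chain(listing)
    for r in rules:
        if (r["state"] and "NEW" not in r["state"]) or (r["iface"] and r["iface"] != iface):
            continue  # established-only rule, or bound to another interface
        if (r["proto"] and r["proto"] not in ("tcp", "all")) or r["dport"] not in (None, dport):
            continue  # other protocol or other destination port
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]  # first terminating match wins
    return policy  # nothing matched, so the chain's default policy decides
```

Running `new_tcp_verdict(SAMPLE_INPUT_CHAIN, 80)` returns `DROP`, which matches what the debug trace showed: the SYN is forwarded to 10.1.2.4 and the host silently discards it.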