Screen OS

Hi,

 

I'm trying to set up port forwarding so that people outside of our network can access an HTTP service running on a desktop within the network. I can't seem to get it to work so am hoping one of you kind folk will help me! The firewall is an SSG5 and this is what I have done so far:

 

1. Bound an interface to an untrust zone and defined a virtual IP on this interface
2. Configured the virtual port (80) and mapped it to port 80 on the IP address of the web server that I'm trying to allow HTTP access to. So it's set up so that VIP 10.1.2.10 with VIP of 80 is mapped to port 80 (HTTP) on 192.168.135.22 (the internal IP of the web server)The status of the VIP service says 'OK'
3. I have set a policy that allows HTTP traffic from any source to access address book entry VIP (10.1.2.XX)
4. My understanding is that I would then use http://195.54.XXX.XX:10.1.2.10 to access the HTTP service from outside the network (with 195.54.XXX.XX being my EXTERNAL IP address) 

It's not working so does anyone have any idea what I'm doing wrong?

I'm by no means experienced in networking so please bare with me if I have not provided enough info!

 

The config file is below

 

thanks

Charlie

 

set clock timezone -1
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Dialup"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Dialup" block
unset zone "Dialup" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "Untrust"
set interface "bgroup2" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 10.1.2.2/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.135.254/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/0 vip 10.1.2.10 80 "HTTP" 192.168.135.22
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option lease 1440
set interface bgroup0 dhcp server option dns1 195.54.225.10
set interface bgroup0 dhcp server option dns2 195.54.226.10
set interface bgroup0 dhcp server ip 192.168.135.10 to 192.168.135.30
unset interface bgroup0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config updatable
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 195.54.225.10 src-interface ethernet0/0
set dns host dns2 195.54.226.10 src-interface ethernet0/0
set dns host dns3 0.0.0.0
set dns proxy
set dns proxy enable
set dns server-select domain vistadiagnostics.co.uk outgoing-interface ethernet0/0 primary-server 195.54.225.10 secondary-server 195.54.226.10 failover
set address "Trust" "192.168.135.0/24" 192.168.135.0 255.255.255.0
set address "Trust" "192.168.135.250/32" 192.168.135.250 255.255.255.255
set address "Trust" "192.168.226.0/24" 192.168.226.0 255.255.255.0
set address "Trust" "192.169.135.0/24" 192.169.135.0 255.255.255.0
set address "Untrust" "192.168.135.0/24" 192.168.135.0 255.255.255.0
set address "Untrust" "192.168.226.0/24" 192.168.226.0 255.255.255.0
set ippool "Global" 172.1.2.3 172.1.2.10
set user "BBRad" uid 2
set user "BBRad" ike-id fqdn "BBRAD1" share-limit 1
set user "BBRad" type ike l2tp
set user "BBRad" remote ippool "Global"
set user "BBRad" password
unset user "BBRad" type auth
set user "BBRad" "enable"
set ike gateway "HAL" address 81.140.72.60 Main outgoing-interface "ethernet0/0" preshare
set ike gateway "WindowsVPN" dialup "BBRad" Main outgoing-interface "ethernet0/0" preshare
unset ike gateway "WindowsVPN" nat-traversal
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "hal" gateway "HAL" no-replay tunnel idletime 0 proposal
set vpn "hal" monitor
set vpn "WindowsVPN-vpn" gateway "WindowsVPN" no-replay transport idletime 0 proposal
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default dns1 195.54.225.10
set l2tp default dns2 195.54.226.10
set l2tp default ippool "Global"
set l2tp "WindowsVPN-BBrad" id 1 outgoing-interface ethernet0/0 keepalive 60
set url protocol websense
exit
set policy id 2 name "HALvpn" from "Untrust" to "Trust"  "192.168.226.0/24" "192.168.135.0/24" "ANY" tunnel
set policy id 2
set log session-init
exit
set policy id 3 name "HALvpn" from "Trust" to "Untrust"  "192.168.135.0/24" "192.168.226.0/24" "ANY" tunnel vpn "hal" id 0x3 pair-policy 2 log
set policy id 3
set log session-init
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 4 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.135.250/32" "ANY" tunnel vpn "WindowsVPN-vpn" id 0x5 l2tp "WindowsVPN-BBrad" log
set policy id 4
exit
set policy id 5 name "MedDream" from "Untrust" to "Trust"  "Any" "VIP(10.1.2.10)" "HTTP" permit
set policy id 5
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set ntp server "us.pool.ntp.org"
set ntp server backup1 "ca.pool.ntp.org"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 10.1.2.1 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

 

 

You might want to change your admin port to avoid a confict between the vip you have setup and the built in web managment on the device.

 

set admin port 8080

save

 

The only thing that needs to be clarified is your network setup.  In your config you have an untrust IP of 10.1.2.10 which hosts the VIP.  Where is this 195.54.x.x address hosted.  So either the 195.54.x.x has to live on the untrust interface, or you will need another device between the internet and your juniper firewall to nat between your external IP and your 10.1.2.10 address. 

 

 

Hope this helps you.

 

 

Hi Shadow

 

Thanks for your reply.

Thinking about it we are in managed offices so I guess the 195.54.xx is hosted by them and is allocated to us (as I said I'm pretty new to networking so please forgive me!) I assumed that because I can externally access the firewall admin via 195.54.xx, that I could just set up a VIP and I would be in business.

 

So what you are saying is that there isn't anything to NAT the 10.1.2.10 to the correct internal IP/port number- what I have done is irrelevant because the NAT is happening before that on inbound traffic?

 

If this is the case is there another way I can grant HTTP access to this computer without involving the IT dept of the managed offices I am in?

 

thanks

 

 

 

If you can access the firewall management from that external IP then you should be okay.  Your management company is providing NAT services from that external range to your 10.1.2.10 address.

 

The solution of changing the admin port should allow that VIP to work then.  You will just need to append the port number when you web access the firewall from remote for management.

 

So if you run the following cli you should be good. 

 

set admin port 8080

save

 

So to access the VIP it would be

 

http://195.54.x.x

 

To manage the firewall it would be

 

http://195.54.x.x:8080

 

Sorry, I meant to say I have changed the admin port to 8080 as you suggested but it's not working I'm afraid. I can access admin ok on 195.54.xxx.xx:8080, but nothing is showing on 195.54.xxx.xx

The virtual port I set up is still using virtual port 80 which is mapped to HTTP (80) on the internal IP of the computer that is acting as web server.

I've raised the issue with Juniper support as well to see if they have any ideas because we are at the boundaries of my knowledge here...

 

thanks

Charlie

Your configuration is a bit confusing.

 

set interface ethernet0/0 ip 10.1.2.2/24 this command says the interface's ip address is 2.2. Yet you are trying to set up a VIP on 2.10. Also you say you have only one external ip address. I understand you have a mapping from 195.54.XXX.XX to 10.1.2.2 so why use 2.10 in your vip when you can easily set 2.2? Change that and you will have reachability to the http port in your lan. If you really desire to use 2.10, ask the provider to do their own port forwarding to port 80 for 10.1.2.10. Best way to verify what happens with all these mappings is to go to the policy menu, edit the policy from untrust to trust an check  both Logging  and  "at Session Beginning" and then save. After that you should have a small icon in the Options tab for that policy, click on it and see the traffic. You should have something like this.

 

Source Address/Port Destination Address/Port Translated Source Address/Port Translated Destination Address/Port

86.4.117.177:24432	10.1.2.2:80	86.4.117.177:24432	192.168.135.22:80

Vic, Shadow,

 

Thanks to both of you- setting the VIP correctly to 2.2 and using port 8080 for admin logon has solved the problem.

 

thanks again

Charlie