ScreenOS Firewalls (NOT SRX)
Visitor
valentin@telecomcti.com
Posts: 8
Registered: ‎02-27-2012

Port forwarding issue (cannot access the IP associated with a port from outside)

Hello

 

I'm new to the Juniper world and tried to configure a service to be accessed remotely, but I missed a step or misunderstood the instructions. Can someone help?

 

Here is what I did:

- create my new service (transport protocol, source port, destination port)

- create the new VIP under the interface (untrust = outside interface), map the port to the service and destination IP

- create a policy (source address VIP(untrust), destination IP for the custom service, and the service)

- using the CLI: "set vip multi-port", then "reset"

- check the status of the new VIP = OK

Trying to access the service (http://external IP:port number) returns the message "Internet Explorer could not connect to...."

 

Your help is much appreciated.

 

Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008

Re: Port forwarding issue (cannot access the IP associated with a port from outside)

What kind of device, on which software version, are you talking about?

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Visitor
oZEEo
Posts: 9
Registered: ‎11-15-2011

Re: Port forwarding issue (cannot access the IP associated with a port from outside)

Can you explain what you are trying to achieve in more detail?

 

Are you trying to access a website/server using the public IP address from outside? If yes, the step where you create a policy is wrong. Your policy should look like this:

 

Untrust > Trust

Any > VIP (public IP)   Service

 

assuming that your Trust > Untrust is open. Otherwise you must also create a policy for this.

 

 

 

Visitor
valentin@telecomcti.com
Posts: 8
Registered: ‎02-27-2012

Re: Port forwarding issue (cannot access the IP associated with a port from outside)

I'm using a Juniper NS-5GT

Firmware Version:
5.4.0r10.0 (Firewall+VPN)

Step 1 (create service)

Objects --> Services --> Custom: service name, protocol TCP, source port (low) 9091 to (high) 9091, destination port 9091 to 9091

 

Step 2 (create policies)

source address = VIP(untrust), destination address = my host to be reached from outside (step 1), service = my service from step 1, application = IGNORE, action = permit, enable = checked

 

Step 3 (add new VIP)

Network --> Interface --> Untrust --> Edit --> VIP --> New VIP Service:

virtual IP = my untrust interface, virtual port = my port 9091, map to service = my service (step 1), map IP = internal host IP (step 1), server auto detection = enabled.

Step 4

Telnet into the NetScreen and type this command:

set vip multi-port

then type: reset

then type: y

and again: y

"In reset ..."

Close the black box.

 

Checked VIP Services status = OK

 

Thank you

Visitor
valentin@telecomcti.com
Posts: 8
Registered: ‎02-27-2012

Re: Port forwarding issue (cannot access the IP associated with a port from outside)

Trying to open a port to access a DVR from home.


Super Contributor
Spud
Posts: 131
Registered: ‎02-08-2008

Re: Port forwarding issue (cannot access the IP associated with a port from outside)

The VIP should be the destination address in the policy, not the source. You don't need to add the host's internal IP to the policy, the VIP translation takes care of that automatically. The source IP would normally be 'Any' for a publicly-accessible service (or, you can restrict it to specific source IPs if you want).

 

Also, you might not need to specify source ports when creating the service. Most of the time you would allow from any source port to a specific destination port. It's uncommon to use a specific source port.
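
The policy direction oZEEo and Spud describe (Untrust to Trust, source Any, destination the VIP), written out as ScreenOS CLI for the NS-5GT on 5.4 used in this thread. This is an added example, not configuration posted by anyone in the thread; the service name "DVR-9091", the internal host 192.168.1.50 and the interface name "untrust" are assumptions for illustration.

```screenos
## Added example: VIP port forward for TCP/9091 on a NetScreen-5GT, ScreenOS 5.4.
## Assumed for illustration: service "DVR-9091", internal DVR host 192.168.1.50,
## outside interface named "untrust" (the NS-5GT default).

## 1. Custom service: any source port, destination port 9091 only.
##    Pinning the source port to 9091 as in the original Step 1 would drop every
##    real client, because clients connect from random ephemeral source ports.
set service "DVR-9091" protocol tcp src-port 0-65535 dst-port 9091-9091

## 2. VIP bound to the untrust interface IP, mapping port 9091 to the DVR.
##    "manual" turns off server auto-detection; omit it to keep auto-detect on.
set interface untrust vip interface-ip 9091 "DVR-9091" 192.168.1.50 manual

## 3. Policy: the VIP is the DESTINATION address, direction untrust -> trust,
##    source "any". Replace "any" with an address object to restrict who may
##    reach the DVR; the internal host never appears in the policy, the VIP
##    translation supplies it.
set policy from untrust to trust any vip(untrust) "DVR-9091" permit log

## 4. Allow a VIP to carry more than one port; takes effect after a reboot.
set vip multi-port
save
reset

## After the reboot, verify the VIP status and the policy order:
get vip
get policy from untrust to trust
```

Keep the policy log option on while testing: a permit hit with no return traffic points at the DVR or its default gateway, while no hit at all points at the policy or VIP definition.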

Visitor
valentin@telecomcti.com
Posts: 8
Registered: ‎02-27-2012

Re: Port forwarding issue (cannot access the IP associated with a port from outside)

Spud, you are the BEST

 

Thank you it's working.

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.