02-27-2012 08:52 AM
Hello
I'm new to the Juniper world and tried to configure a service to be accessed remotely, but I missed a step or misunderstood the instructions. Can someone help?
Here is what I did:
- create my new service (transport protocol, source port, destination port)
- create the new VIP under interface (untrusted= outside interface), map the port to service and destination IP
- create policy (source address VIP untrust), destination IP for the custom service and the service
- using CLI "set vip multi-port then reset"
- check the status for the new VIP = OK
Trying to access the service (http://external IP:port number) returns the message "Internet Explorer could not connect to...."
Your help is much appreciated.
02-28-2012 02:49 PM
What kind of device on which software version are you talking about?
03-01-2012 05:33 AM
Can you explain what you are trying to achieve in more detail!
Are you trying to access a website/server using the public IP address from outside? If yes, your step where you create a policy is wrong. Your policy should look like this:
Untrust > Trust
Any > VIP (PUBLIC IP) Service
assuming that your Trust > Untrust is open. Otherwise you must also create a policy for this.
03-08-2012 07:16 AM
I'm using a Juniper NS5GT
5.4.0r10.0 (Firewall+VPN)
Step 1 (create service)
Objects-->Services-->Custom----- service name, protocol tcp, source port (low) 9091 to (high) 9091, destination port 9091 to 9091
Step 2 (create policies)
source address = VIP(untrust), destination address = my host to be reached from outside (step 1), service = my service in step 1, application = IGNORE, Action = permit, Enable = checked
Step 3 (add new VIP)
Network-->Interface-->Untrust-->Edit-->VIP-->New VIP Service:
virtual IP = my untrust interface, virtual port = my port 9091, map to service = my service (step 1), map IP = internal host IP (step 1), server auto detection = enable.
Step 4
Telnet into the NetScreen and type this command:
set vip multi-port
then type: reset
then type: y
and again: y
It resets ...
Close the black box.
Checked VIP Services status = OK
Thank you
03-08-2012 07:19 AM
Trying to open a port to access a DVR from home.
Here is what I'm using and what I did:
03-09-2012 10:48 AM - edited 03-09-2012 10:49 AM
The VIP should be the destination address in the policy, not the source. You don't need to add the host's internal IP to the policy, the VIP translation takes care of that automatically. The source IP would normally be 'Any' for a publicly-accessible service (or, you can restrict it to specific source IPs if you want).
Also, you might not need to specify source ports when creating the service. Most of the time you would allow from any source port to a specific destination port. It's uncommon to use a specific source port.
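As an added example (not from this thread, from Spun, or from Juniper's own documentation), here is the ScreenOS CLI form of the fix described above, with the original poster's policy shown next to the corrected one. The service name DVR-9091, the internal address 192.168.1.50, the address-book names and the source range 203.0.113.10 are assumed placeholders; the syntax is from memory of ScreenOS 5.4 and should be checked against the output of `get config` on the box. Lines starting with `#` are annotations, not commands.

```text
# Service: any source port, destination port 9091 only.
# The original "source port 9091 to 9091" only matches clients whose
# ephemeral source port happens to be 9091, so a browser never matches.
set service "DVR-9091" protocol tcp src-port 0-65535 dst-port 9091-9091

# VIP on the untrust interface IP: public :9091 -> 192.168.1.50:9091
set interface untrust vip interface-ip 9091 "DVR-9091" 192.168.1.50
set vip multi-port

# Wrong (as in the original post): VIP used as the source, internal host as destination.
# Inbound traffic from the Internet never has the VIP as its source, so nothing matches.
#   set address trust "DVR-internal" 192.168.1.50 255.255.255.255
#   set policy from untrust to trust "VIP(untrust)" "DVR-internal" "DVR-9091" permit

# Correct: VIP is the destination, source is Any; logging on so hits are visible.
set policy from untrust to trust any "VIP(untrust)" "DVR-9091" permit log

# Tighter variant: only one known public address may reach the DVR.
#   set address untrust "home-office" 203.0.113.10 255.255.255.255
#   set policy from untrust to trust "home-office" "VIP(untrust)" "DVR-9091" permit log

# Verification after the change
get vip          # VIP table; status column should read OK
get policy       # the untrust->trust rule should be listed and enabled
get session      # sessions should appear after a test connection from outside
```

If the session table stays empty while the VIP shows OK, the policy is usually still the problem; if sessions appear but the client times out, check that the DVR answers on 9091 and that its default gateway is the NS5GT.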
03-13-2012 08:42 AM
Spun, you are the BEST.
Thank you, it's working.