Screen OS

  • 1.  port forwarding

    Posted 08-15-2011 04:26

    I just configured a VIP on an SSG140 to forward SSH from the outside interface into my trusted network, but for some reason the traffic will not get to my server.

    ethernet0/0 is configured as the WAN-link with a static IP.

    The internal network is on ethernet0/4 192.168.0.0/24, with a server on 192.168.0.48.


    I've got the following rules that are used to configure this:

    set admin ssh port 2222
    set interface ethernet0/0 vip interface-ip 22 "SSH" 192.168.0.48

    set policy id 3 name "ssh" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "SSH" nat dst ip 192.168.0.48 permit log
    set policy id 3
    set log session-init
    exit

    The SSG-140 log of the policy shows there is an attempt being made by the SSG to forward it (columns: date/time, source, destination, translated source, translated destination, service, duration, bytes sent, bytes received, close reason):

    2011-08-15 13:10:04  87.253.131.161:3764  xx.xx.xx.xx:22  87.253.131.161:3764  192.168.0.48:22  SSH  22 sec.  234  0  Close - AGE OUT
    2011-08-15 13:09:42  87.253.131.161:3764  xx.xx.xx.xx:22  87.253.131.161:3764  192.168.0.48:22  SSH   0 sec.    0  0  Creation

    The server on ip 192.168.0.48 is configured with SSH, and verified to work. There is also no firewall enabled for testing purposes on this server.


    Thanks in advance,


    Michael.



  • 2.  RE: port forwarding
    Best Answer

    Posted 08-15-2011 04:57

    Found out it was something somewhat stupid. As can be seen in the log, there is no traffic back. This is because the outgoing gateway was a different router. This made sure that the SSH connection wasn't built up properly (connecting to the IP of ISP A and getting answers back from the IP of ISP B is a sure way to lose packets).

    So the obvious answer: set the correct gateway on the systems and it works fine.
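Added example, not from this thread or from Juniper: a small parser for ScreenOS policy-log lines in the column layout quoted in the question, which flags closed sessions that sent bytes but never received any. That one-way pattern (bytes received 0, then "Close - AGE OUT") is exactly what the asymmetric return path in the answer produces. The sample lines are constructed, and the column order is assumed to match the log shown above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the ScreenOS policy traffic-log column layout:
# time, source, destination, translated source, translated destination,
# service, duration, bytes sent, bytes received, close reason.
SAMPLE_LOG = """\
2011-08-15 13:10:04 87.253.131.161:3764 xx.xx.xx.xx:22 87.253.131.161:3764 192.168.0.48:22 SSH 22 sec. 234 0 Close - AGE OUT
2011-08-15 13:09:42 87.253.131.161:3764 xx.xx.xx.xx:22 87.253.131.161:3764 192.168.0.48:22 SSH 0 sec. 0 0 Creation
2011-08-15 13:12:10 198.51.100.7:51000 xx.xx.xx.xx:22 198.51.100.7:51000 192.168.0.48:22 SSH 95 sec. 4120 6380 Close - TCP FIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<xsrc>\S+) (?P<xdst>\S+) "
    r"(?P<svc>\S+) (?P<dur>\d+) sec\. (?P<sent>\d+) (?P<rcvd>\d+) (?P<reason>.+)$"
)


@dataclass
class Session:
    ts: str
    src: str
    dst: str
    xsrc: str
    xdst: str
    svc: str
    duration: int
    sent: int
    rcvd: int
    reason: str


def parse_log(text: str) -> List[Session]:
    """Parse every well-formed log line; lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            sessions.append(Session(d["ts"], d["src"], d["dst"], d["xsrc"], d["xdst"],
                                    d["svc"], int(d["dur"]), int(d["sent"]),
                                    int(d["rcvd"]), d["reason"]))
    return sessions


def one_way_sessions(sessions: List[Session]) -> List[Session]:
    """Closed sessions where the client sent data but nothing ever came back:
    the signature of a missing or asymmetric return path behind a VIP/DNAT."""
    return [s for s in sessions
            if s.reason.startswith("Close") and s.sent > 0 and s.rcvd == 0]
```

Run it over a real policy log export and every hit points at a translated destination whose host is probably replying via a different gateway.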