Screen OS

  • 1.  ssg 350m forward port does not work

    Posted 07-09-2015 23:28

    I started a simple set-up

    I want to reach a SQL Server that sits in the Trust zone from the Untrust zone (a port forward through the VIP on ethernet0/2).

    The SQL Server IP is 192.168.0.50.

    What have I done wrong? I am a beginner, so any advice is welcome.

     

    Thank you

     

     

    SSG350M-> get config                  
    Total Config size 4657:                     
    unset key protection enable                         
    set clock        
    set clock timezone 9                  
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00                                                                        
    set vrouter trust-vr sharable                           
    set vrouter "untrust-vr"                      
    exit  
    set vrouter "trust-vr"                    
    unset auto-route-export                     
    exit  
    set service "ms_sql_1433" protocol tcp src-port 1433-1434 dst-port 1433-1434                                                                          
    set service "ms_sql_1433" + udp src-port 1433-1434 dst-port 1433-1434                                                                   
    unset alg sccp enable                   
    unset alg sip enable                  
    unset alg mgcp enable                   
    set alg appleichat enable                       
    unset alg appleichat re-assembly enable                                     
    unset alg h323 enable                   
    set alg sctp         
    set auth-server "Local" id 0                          
    set auth-server "Local" server-name "Local"                                         
    set auth default auth server "Local"                                  
    set auth radius accounting port 1646                                  
    set admin name "netscreen"                        
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"                                                 
    set admin user "neo" password "nFfPKNr4IQMLcMJFtsRP/rCtV9Mkcn" privilege "all"                                                                            
    set admin auth web timeout 10                           
    set admin auth server "Local"                           
    set admin format dos                  
    set zone "Trust" vrouter "trust-vr"                                 
    set zone "Untrust" vrouter "trust-vr"                                   
    set zone "DMZ" vrouter "trust-vr"                               
    set zone "VLAN" vrouter "                     
    set zone "Untrust-Tun" vrouter "trust-vr"                                       
    set zone "Trust" tcp-rst                      
    unset zone "Untrust" block                        
    unset zone "Untrust" tcp-rst                          
    set zone "MGT" block                  
    unset zone "V1-Trust" tcp-rst                           
    unset zone "V1-Untrust" tcp-rst                             
    set zone "DMZ" tcp-rst                    
    unset zone "V1-DMZ" tcp-rst                         
    unset zone "VLAN" tcp-rst                       
    set zone "Trust" screen icmp-flood                                
    set zone "Untrust" screen tear-drop                                 
    set zone "Untrust" screen syn-flood                                 
    set zone "Untrust" screen ping-death                                  
    set zone "Untrust" screen ip-filter-src                                     
    set zone "Untrust" screen land                            
    set zone "V1-Untrust"                    
    set zone "V1-Untrust" screen syn-flood                                    
    set zone "V1-Untrust" screen ping-death                                     
    set zone "V1-Untrust" screen ip-filter-src                                        
    set zone "V1-Untrust" screen land                               
    set interface "ethernet0/0" zone "Trust"                                      
    set interface "ethernet0/1" zone "DMZ"                                    
    set interface "ethernet0/2" zone "Untrust"                                        
    set interface "ethernet0/3" zone "Null"                                     
    set interface ethernet0/0 ip 192.168.0.1/24                                         
    set interface ethernet0/0 nat                           
    unset interface vlan1 ip                      
    set interface ethernet0/2 ip 125.142.207.118/24                                             
    set interface ethernet0/2 nat                           
    unset interface vlan1 b                   
    unset interface vlan1 bypass-non-ip                                 
    set interface ethernet0/0 ip manageable                                     
    set interface ethernet0/2 ip manageable                                     
    set interface ethernet0/2 manage ping                                   
    set interface ethernet0/2 vip interface-ip 1433 "ms_sql_1433" 192.168.0.50                                                                        
    set interface ethernet0/2 dhcp client enable                                          
    unset interface ethernet0/2 dhcp client settings update-dhcpserver                                                                
    set interface ethernet0/0 dhcp server service                                           
    set interface ethernet0/0 dhcp server enable                                          
    set interface ethernet0/0 dhcp server option lease 1440000                                                        
    set interface ethernet0/0 dhcp server option dns1 168.126.63.1                                                            
    set interface ethernet0/0 dhcp server ip 192.168.0.50 to 192.168.0.199                                                                    
    unset interface ethernet0/0 dhcp server config next-server-ip                                                           
    unset flow no-tcp-seq-check                         
    set flow tcp-syn-check                    
    unset flow tcp-syn-bit-check                          
    set flow reverse-route clear-text prefer                                      
    set flow reverse-route tunnel always                                  
    set pki authority default scep mode "auto"                                        
    set pki x509 default cert-path partial                                    
    set dns host dns1 0.0.0.0                       
    set dns host dns2 0.0.0.0                       
    set dns host dns3 0.0.0.0                       
    set address "Trust" "sqlserver" 192.168.0.50 255.255.255.255                                                        
    set crypto-policy               
    exit  
    set ike respond-bad-spi 1                       
    set ike ikev2 ike-sa-soft-lifetime 60                                   
    unset ike ikeid-enumeration                         
    unset ike dos-protection                      
    unset ipsec access-session enable                               
    set ipsec access-session maximum 5000                                   
    set ipsec access-session upper-threshold 0                                        
    set ipsec access-session lower-threshold 0                                        
    set ipsec access-session dead-p2-sa-timeout 0                                           
    unset ipsec access-session log-error                                  
    unset ipsec access-session info-exch-connected                                            
    unset ipsec access-session use-e                             
    set url protocol websense                       
    exit  
    set anti-spam profile ns-profile                              
     set sbl default-server enable                            
    exit  
    set policy id 3 from "Untrust" to "Trust"  "Any" "sqlserver" "ms_sql_1433" permit                                                                             
    log count       
    set policy id 3             
    exit
    set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 2
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set snmpv3 local-engine id "JN12034C8ADE"
    set vrouter "untrust-vr"
    set route 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1
    set route source 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 2.  RE: ssg 350m forward port does not work
    Best Answer

    Posted 07-10-2015 03:30

    Your policy needs to use the VIP object as the destination instead of the Trust address object for the SQL server: traffic from Untrust arrives addressed to the VIP on ethernet0/2, so a policy whose destination is "sqlserver" (192.168.0.50) never matches it. Two other things worth fixing while you are in there: policy 3 permits MS SQL (TCP/UDP 1433-1434) from "Any" source on the Internet, so restrict the source to the specific external addresses that need it rather than leaving the database open to everyone; and your DHCP pool on ethernet0/0 starts at 192.168.0.50, which is the SQL server's static address, so move the pool start above .50 to avoid handing that address to another client. Also note that the config you pasted includes your public IP and both admin password hashes, and ethernet0/2 (Untrust) is set `ip manageable` — change the admin passwords now and make sure only the management services you actually need are enabled on the Untrust-facing interface.

     

    Change:
    
    set policy id 3 from "Untrust" to "Trust"  "Any" "sqlserver" "ms_sql_1433" permit                                                                             
    log count       
    set policy id 3             
    exit
    
    To:
    
    set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "ms_sql_1433" permit                                                                             
    log count       
    set policy id 3             
    exit


  • 3.  RE: ssg 350m forward port does not work

    Posted 07-10-2015 10:44

    @spuluka wrote:

    your policy needs to use the vip instead of the address object for the SQL server.

     


    Thank you! It works perfectly now.