Junos

Juniper SRX220 Port 1723

05-15-2017 06:02 AM

Hi,

I have the following issue.

We have port 1723 open on our Juniper SRX220; however, this rule only works some of the time. When I telnet from my PC to the public IP address using this port it shows as open, but every so often the port does not work and shows as closed. However, if I then try telnetting from the Juniper to the LAN IP 192.168.35.2 on port 1723 it still works, despite failing using the public IP address. Using the public IP address will start working again after some time or after the Juniper is rebooted, but I cannot figure out the reason for this. The config has not changed, and it cannot be the device 192.168.35.2, as the port still shows as open when telnetting to the LAN IP.
rule port-1723 {
    match {
        destination-address 185.**.***.**/32;
        destination-port {
            1723;
        }
    }
    then {
        destination-nat {
            pool {
                192-168-35-2-1723;
            }
        }
    }
}

admin@FLMD000901> show security flow session nat destination-port 1723
Session ID: 201457, Policy name: server-access2/7, Timeout: 1782, Valid
Resource information : PPTP ALG, 3, 0
In: 81.107.192.147/51800 --> 185.**.***.**/1723;tcp, If: ge-0/0/0.0, Pkts: 291, Bytes: 14296
Out: 192.168.35.2/1723 --> 81.107.192.147/51800;tcp, If: ge-0/0/1.0, Pkts: 151, Bytes: 9176

Has anybody come across this before?

Regards,

Ryan Neil


Re: Juniper SRX220 Port 1723

05-15-2017 07:32 AM

Hello,

@ryanneil123 wrote:
    Hi,
    <skip>
    We have port 1723 open on our Juniper SRX220


What You see is likely SRX TCP proxy intercepting TCP 3-way HS.

AFAIK, TCP proxy is enabled by default for PPTP Control channel (tcp/1723) and FTP (tcp/21).

Please show us at least the security policies to see in what direction the PPTP ALG is enabled, better the whole sanitized config.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Juniper SRX220 Port 1723

05-16-2017 12:35 AM

Hi Alex,

The security policies are shown below.

address server-access2 192.168.35.2/32;

Default policy: deny-all
From zone: trust, To zone: untrust
Policy: allow-all, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit

From zone: trust, To zone: untrust-vpn
Policy: trust-untrust-vpn, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 1
Source addresses: 192.168.35.0/24
Destination addresses: 192.168.6.0/24
Applications: any
Action: permit

From zone: untrust, To zone: trust
Policy: server-access, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: 3CX
Applications: any
Action: permit, log

Policy: access-from-any, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
Source addresses: any
Destination addresses: 3CX
Applications: junos-http, junos-https, junos-stun, junos-ymsg, 10000-10049,
5090, 5090udp, 5065, 5065udp, 9256-9500, 5062, 9000-9255, junos-sip
Action: permit

Policy: server-access2, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3
Source addresses: any
Destination addresses: server-access2
Applications: junos-pptp, junos-http, junos-https, 4125, 3389, junos-gre
Action: permit

From zone: untrust-vpn, To zone: trust
Policy: untrust-trust-vpn, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1
Source addresses: 192.168.6.0/24
Destination addresses: 192.168.35.0/24
Applications: any
Action: permit

From zone: ssl-vpn, To zone: trust
Policy: allow-ssl-to-lan, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit

From zone: ssl-vpn, To zone: untrust
Policy: ssl-to-wan, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit

Regards,

Ryan Neil

Re: Juniper SRX220 Port 1723

05-16-2017 04:14 AM

Hello,

Thanks for sharing the info.

When You said "telnet from my PC to the Public IP address using this port it shows as open but then every so often the port does not work and shows as closed" - are You trying repeatedly from the same source IP? It may be possible that Your first tcp/1723 session is still in the session table (default TCP inactivity timeout is 1800 sec/30 mins) and, AFAIK, the PPTP ALG does not accept >1 session from the same source IP. Please re-test with a different src IP and report back.

HTH

Thx

Alex


Re: Juniper SRX220 Port 1723

05-16-2017 05:35 AM

Hi Alex,

Session ID: 219930, Policy name: server-access2/7, Timeout: 1748, Valid
Resource information : PPTP ALG, 3, 0
In: 81.107.192.147/49190 --> 1**.**.***.**/1723;tcp, If: ge-0/0/0.0, Pkts: 772, Bytes: 37420
Out: 192.168.35.2/1723 --> 81.107.192.147/49190;tcp, If: ge-0/0/1.0, Pkts: 386, Bytes: 23228

Session ID: 266693, Policy name: server-access2/7, Timeout: 1742, Valid
Resource information : PPTP ALG, 2, 0
In: 109.153.206.209/49707 --> 185.**.***.**/1723;tcp, If: ge-0/0/0.0, Pkts: 419, Bytes: 20440
Out: 192.168.35.2/1723 --> 109.153.206.209/49707;tcp, If: ge-0/0/1.0, Pkts: 211, Bytes: 12776

Session ID: 421060, Policy name: server-access2/7, Timeout: 1778, Valid
Resource information : PPTP ALG, 1, 0
In: 86.143.124.172/57838 --> 18*.**.***.**/1723;tcp, If: ge-0/0/0.0, Pkts: 190, Bytes: 9460
Out: 192.168.35.2/1723 --> 86.143.124.172/57838;tcp, If: ge-0/0/1.0, Pkts: 101, Bytes: 6152
Total sessions: 3

The above three sessions were active, and when I tried to telnet from my PC to the public IP address on port 1723 again it would not allow me, as again it had stopped working; however, about an hour later it worked again (see below).

None of the above sessions were using my IP address either, which starts 46.***.***.**

Session ID: 14315, Policy name: server-access2/7, Timeout: 1796, Valid
In: 46.***.*.**/35437 --> 1**.**.***.**/1723;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 88
Out: 192.168.35.2/1723 --> 46.***.*.**/35437;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44

We have been advised by one of the client's remote users that he is unable to connect remotely via the Windows PPTP VPN or the client VPN. They believe that it is a known issue with Juniper devices and Windows VPNs, which is why I am trying to figure out why this happens.

Regards,

Ryan Neil
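As an added example (not code from the thread or from Juniper), here is a small Python parser for the `show security flow session` output format shown above; it groups the PPTP ALG sessions by source IP so the single-session-per-source explanation Alex raised can be checked against a live session table instead of by eye. The sample output is constructed with RFC 5737 documentation addresses, not the hosts from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `show security flow session nat destination-port 1723`;
# addresses are RFC 5737 documentation ranges, not the hosts from the thread.
SAMPLE = """\
Session ID: 219930, Policy name: server-access2/7, Timeout: 1748, Valid
Resource information : PPTP ALG, 3, 0
In: 198.51.100.10/49190 --> 203.0.113.5/1723;tcp, If: ge-0/0/0.0, Pkts: 772, Bytes: 37420
Out: 192.168.35.2/1723 --> 198.51.100.10/49190;tcp, If: ge-0/0/1.0, Pkts: 386, Bytes: 23228

Session ID: 266693, Policy name: server-access2/7, Timeout: 1742, Valid
Resource information : PPTP ALG, 2, 0
In: 198.51.100.10/49707 --> 203.0.113.5/1723;tcp, If: ge-0/0/0.0, Pkts: 419, Bytes: 20440
Out: 192.168.35.2/1723 --> 198.51.100.10/49707;tcp, If: ge-0/0/1.0, Pkts: 211, Bytes: 12776

Session ID: 421060, Policy name: server-access2/7, Timeout: 1778, Valid
Resource information : PPTP ALG, 1, 0
In: 198.51.100.77/57838 --> 203.0.113.5/1723;tcp, If: ge-0/0/0.0, Pkts: 190, Bytes: 9460
Out: 192.168.35.2/1723 --> 198.51.100.77/57838;tcp, If: ge-0/0/1.0, Pkts: 101, Bytes: 6152
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
IN_RE = re.compile(r"^In: ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+)")

def parse_sessions(text):
    """Split the CLI output into one dict per session (id, policy, timeout, alg, 5-tuple)."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            cur = {"id": int(m.group(1)), "policy": m.group(2),
                   "timeout": int(m.group(3)), "alg": None}
            sessions.append(cur)
        elif cur and line.startswith("Resource information :"):
            # "PPTP ALG, 3, 0" -> keep only the ALG name; sessions without this line keep None
            cur["alg"] = line.split(":", 1)[1].split(",")[0].strip()
        elif cur and (m := IN_RE.match(line)):
            cur.update(src=m.group(1), sport=int(m.group(2)), dst=m.group(3),
                       dport=int(m.group(4)), proto=m.group(5))
    return sessions

def duplicate_sources(sessions, dport=1723):
    """Source IPs holding more than one PPTP ALG session to dport (the condition Alex described)."""
    by_src = defaultdict(list)
    for s in sessions:
        if s.get("dport") == dport and s["alg"] == "PPTP ALG":
            by_src[s["src"]].append(s["id"])
    return {src: ids for src, ids in by_src.items() if len(ids) > 1}
```

A non-empty result means a source still has an earlier tcp/1723 session in the table, which is the case Alex suggested re-testing from a different source IP; an empty result, as in the last post, points elsewhere.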