SRX

  • 1.  Access Jweb remotely

    Posted 02-05-2015 09:55

    Is there a way to allow J-Web access remotely?  I have two SRXs connected through a route-based VPN, which gives each site access to the other's network.  I can SSH between them fine, but I can't reach J-Web on the other side; I get the following error when trying to access J-Web through https://10.2.2.8:

     

    Access Error: 401 -- Unauthorized

    Interface is not authorized for HTTP access

     

    However, it works fine locally.  

     

    Here's my current configuration:

     

     

     

    ## Last changed: 2015-02-04 02:13:16 UTC
    ## Review note: configuration pasted from a forum post. The same $1$ hash appears for
    ## every secret below (root password, PAP passwords, IKE pre-shared key), so the
    ## secrets have presumably been redacted by the poster rather than being real values.
    version 12.1X44-D35.5;
    system {
        root-authentication {
            encrypted-password "$1$iAmgr82d4yIN3eDBUR93rN0W55555TY"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
        }
        services {
            ssh;
            web-management {
                https {
                    system-generated-certificate;
                    ## The interface list restricts which ingress interfaces J-Web answers on.
                    ## st0.0 (the VPN tunnel) is not listed, which is consistent with the
                    ## "401 -- Interface is not authorized for HTTP access" error reported from the
                    ## remote site; the accepted answer adds st0.0 here. Removing the list
                    ## entirely (the answer's fallback) presumably makes J-Web listen on every
                    ## interface, leaving zone host-inbound-traffic as the only gate — confirm
                    ## that is acceptable before doing so.
                    interface [ fe-0/0/0.0 vlan.0 ];
                }
            }
            dhcp {
                default-lease-time 3200;
                domain-name srx100;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    ## Default gateway handed to DHCP clients; this is vlan.0's address below.
                    10.2.2.8;
                }
                pool 10.2.2.0/24 {
                    address-range low 10.2.2.33 high 10.2.2.62;
                }
                propagate-settings vlan.0;
            }
        }
    }
    interfaces {
        interface-range interface-trust {
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-100;
                    }
                }
            }
        }
        fe-0/0/0 {
            unit 0 {
                family inet {
                    ## NOTE(review): 10.2.2.254/24 here and 10.2.2.8/24 on vlan.0 are both in
                    ## 10.2.2.0/24 — confirm the overlapping subnet on two L3 interfaces is intended.
                    address 10.2.2.254/24;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-100;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-100;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        pp0 {
            unit 0 {
                ppp-options {
                    pap {
                        default-password "$1$iAmgr82d4yIN3eDBUR93rN0W55555TY"; ## SECRET-DATA
                        local-name "capped@verizon.com";
                        ## NOTE(review): the closing quote is missing on the line below as pasted,
                        ## so the string literal is unterminated — presumably a copy/paste error.
                        local-password "$1$iAmgr82d4yIN3eDBUR93rN0W55555TY; ## SECRET-DATA
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface fe-0/0/7.0;
                    idle-timeout 0;
                    auto-reconnect 3;
                    client;
                }
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }
        st0 {
            unit 0 {
                ## Unnumbered tunnel interface bound to the route-based VPN below.
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.2.2.8/24;
                }
            }
        }
    }
    routing-options {
        static {
            ## Remote site's LAN reached through the tunnel.
            route 10.1.1.0/24 next-hop st0.0;
            ## The IKE peer itself must stay on the PPPoE uplink so the tunnel can come up.
            route 139.130.4.5/32 next-hop pp0.0;
            ## NOTE(review): the default route also points into the tunnel, so all traffic not
            ## destined for the IKE peer is sent to the remote site — confirm this is intended.
            route 0.0.0.0/0 next-hop st0.0;
        }
    }
    security {
        ike {
            policy ike-policy-office {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$1$iAmgr82d4yIN3eDBUR93rN0W55555TY"; ## SECRET-DATA
            }
            gateway ike-gate-office {
                ike-policy ike-policy-office;
                address 139.130.4.5;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                external-interface pp0.0;
                version v2-only;
            }
        }
        ipsec {
            vpn-monitor-options {
                interval 10;
                threshold 10;
            }
            policy ipsec-policy-office {
                perfect-forward-secrecy {
                    keys group5;
                }
                proposal-set standard;
            }
            vpn ipsec-vpn-office {
                bind-interface st0.0;
                vpn-monitor {
                    optimized;
                }
                ike {
                    gateway ike-gate-office;
                    ipsec-policy ipsec-policy-office;
                }
                establish-tunnels immediately;
            }
        }
        address-book {
            global {
                address Network-A 10.1.1.0/24;
                address Network-B 10.2.2.0/24;
            }
        }

        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule untrust-access {
                        match {
                            source-address 10.2.2.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy allow-trust-clients {
                    match {
                        source-address Network-B;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone VPNzone {
                policy trust-VPNzone-office {
                    match {
                        source-address Network-B;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VPNzone to-zone trust {
                ## Inbound from the remote LAN is limited to Network-A -> Network-B, any application.
                policy VPNzone-trust-office {
                    match {
                        source-address Network-A;
                        destination-address Network-B;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                ## Intra-zone any/any permit between the trust interfaces.
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ## Only IKE is accepted on the Internet-facing interface.
                        ike;
                    }
                }
                interfaces {
                    pp0.0;
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    fe-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    fe-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone VPNzone {
                host-inbound-traffic {
                    system-services {
                        ## "all" admits every management service from the remote site over the
                        ## tunnel. Once st0.0 is added to the web-management interface list (the
                        ## accepted answer), J-Web is reachable from the peer LAN; consider
                        ## narrowing this to the services actually needed (e.g. ssh, https, ping).
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-100 {
            vlan-id 100;
            l3-interface vlan.0;
        }
    }



  • 2.  RE: Access Jweb remotely
    Best Answer

     
    Posted 02-11-2015 21:34

    Hi Gourami,

     

    I believe you are referring to J-Web and not J-Net.

     

    As I understand it, your setup looks like this:

      external (VPN)------[SRX]------ internal

    You will see a 403 Forbidden error when logging in to the internal interface from the
    external network if web management is enabled on the internal interface only.

     

    So in your case you should add the tunnel interface (st0.0) to the web-management interface list

    (currently fe-0/0/0.0 and vlan.0). Then web management should work with the interface list.

     

            web-management {
                https {
                    system-generated-certificate;
                    interface [ fe-0/0/0.0 vlan.0 st0.0];
                }

     

    If this doesn't help, remove all the interfaces from the list and try again.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too