SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Port forwarding from internet through VPN

    Posted 08-13-2015 07:38

    Hello,


    I'm trying to set up the attached config; the red line is a VPN on the router.

    VPN setup.png


    I want to go to http://1.1.1.1:1234/file.ext and get file.ext from http://10.201.22.106:80/file.ext

    So far I have done the following:


    +    destination {
    +        pool VPNChecker {
    +            address 10.201.22.106/32 port 80;
    +        }
    +        rule-set Incoming {
    +            from zone Internet;
    +            rule VPNChecker {
    +                match {
    +                    source-address 0.0.0.0/0;
    +                    destination-address 1.1.1.1/32;
    +                    destination-port 1234;
    +                }
    +                then {
    +                    destination-nat {
    +                        pool {
    +                            VPNChecker;
    +                        }
    +                    }
    +                }
    +            }
    +        }
    +    }
    +    from-zone Internet to-zone colo-vpn {
    +        policy VPNChecker {
    +            match {
    +                source-address any;
    +                destination-address net-colovpn_10-201-0-0--16;
    +                application junos-http;
    +            }
    +            then {
    +                permit;
    +            }
    +        }
    +    }
    
    

    But I'm not getting a response.


    On the Building A router if I do

    telnet 10.201.22.106 port 80

    GET /file.ext

    Then I get the correct response.

    What have I missed here?


    Thanks all.




  • 2.  RE: Port forwarding from internet through VPN

    Posted 08-13-2015 08:16

    Hi

    In your topology, is your request-host behind Building A?
    Can you give the config from Building B?



  • 3.  RE: Port forwarding from internet through VPN

    Posted 08-13-2015 09:14

    Sure,

    edit security policies from-zone vpn to-zone Trust

    policy http {
        match {
            source-address net-vpn_10-200-0-0--16;
            destination-address net-vpn_10-201-0-0--16;
            application [ junos-http junos-https ];
        }
        then {
            permit;
        }
    }




  • 4.  RE: Port forwarding from internet through VPN

    Posted 08-14-2015 00:49

    @MonaxGT wrote:

    Hi

    In your topology, is your request-host behind Building A?
    Can you give the config from Building B?


    Sorry, I missed your other question:


    I'm requesting the page from site C on the internet. So, for the sake of argument, it's coming from 3.3.3.3 and is requesting http://1.1.1.1:1234, which I want to NAT to 10.201.22.106:80, which is over the VPN.


    Other details I've missed off:


    Building A:

    Zone Internet: Interface ge-0/0/0.0 with IP address 1.1.1.1/30

    Zone Internal: Interface vlan.10-20 with IP range 10.200.10.0/24, 10.200.11.0/24....... 10.200.20.0/24

    Zone VPN: Interface st0.0 with IP 10.0.0.1/30


    Building B:

    Zone Internet: Interface ge-0/0/0.0 with IP address 2.2.2.2/30

    Zone Internal: Interface vlan.10-40 with IP range 10.201.10.0/24, 10.201.11.0/24....... 10.201.40.0/24

    Zone VPN: Interface st0.0 with IP 10.0.0.2/30


    From Router A I can telnet to the web server on 10.201.22.106:80


    On Router A I have a policy from Internet to VPN for junos-http

    On Router B I have a policy from VPN to Internal for junos-http


    Is there a way I can debug this better?


    Thanks.


    Andrew.



  • 5.  RE: Port forwarding from internet through VPN
    Best Answer

    Posted 08-14-2015 02:19

    To complete the thread: I found the solution in this thread; it turns out I needed to source NAT the connection from the Internet to VPN.
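Why the best answer works: the web server's reply is addressed to the original client (3.3.3.3), which Router B routes out its own Internet link rather than back through st0.0, so Router A never sees the return half of the session. The source NAT rule-set below is an added example, not configuration from the thread; the zone names Internet and colo-vpn and the st0.0 address 10.0.0.1/30 are taken from the posts, while the rule-set and rule names are assumed.

```junos
/* Added example, not the original poster's configuration.
   Source NAT is evaluated after destination NAT, so the match is on the
   translated destination 10.201.22.106:80, not on 1.1.1.1:1234.
   Rule-set and rule names are assumed; zones and addresses are from the thread. */
security {
    nat {
        source {
            rule-set Internet-to-VPN {
                from zone Internet;
                to zone colo-vpn;
                rule VPNChecker-snat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.201.22.106/32;
                        destination-port 80;
                    }
                    then {
                        source-nat {
                            /* Rewrite the client source to the egress interface
                               address (st0.0 = 10.0.0.1), so Router B sends the
                               web server's reply back over the tunnel. */
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

After committing, `show security flow session destination-port 80` on Router A should show the outbound wing with source 10.0.0.1 instead of 3.3.3.3. Note that Router B's from-zone vpn policy in the third post matches source net-vpn_10-200-0-0--16, which by its name would not cover 10.0.0.1/30, so that policy needs the tunnel address added too.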