SRX Services Gateway

Remote access setting through SRX100 failed

‎04-13-2015 08:18 PM

Hi,

I want to remote-access an internal server, 172.16.1.3, from the internet on port 3389.
The web IP is 15.15.15.15 and the Juniper box is an SRX100.

The following are the CLI commands I entered. It doesn't work, and it also makes the whole internal network lose internet access.
Please help me fix it.

root@host# set applications application RDP_3389 protocol tcp destination-port 3389
root@host# set security nat proxy-arp interface fe-0/0/0.0 address 15.15.15.15/32
root@host# set security nat static rule-set Incoming_NAT01 from zone Untrust_Zone
root@host# set security nat static rule-set Incoming_NAT01 rule RDP_rule_3389 match destination-address 15.15.15.15/32
root@host# set security nat static rule-set Incoming_NAT01 rule RDP_rule_3389 then static-nat prefix 172.16.1.3 routing-instance Trust-VR
root@host# set security zones security-zone Trust_Zone address-book address RDP_server_01 172.16.1.3/32
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 match source-address any destination-address RDP_server_01 application RDP_3389
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then permit
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-init
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-close
root@host# set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then count


Thanks lot,

Jim


Re: Remote access setting through SRX100 failed

‎04-13-2015 09:31 PM

Please share the complete config and outputs of '>show route' and '>show security alg status'. You might have to disable/enable MS-RPC ALG for this RDP to work. 

 

Do you have proper routing between inet and the virtual-router? If fe-0/0/0 is in a VR, then try to ping from the VR to 172.16.1.3.

 

Regards,

Srinath


Re: Remote access setting through SRX100 failed

‎04-13-2015 09:37 PM

I see that you are trying to NAT into a routing-instance. Is that really needed? If so, please check the following documentation:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23912&actp=search&viewlocale=en_US&searchid...

 

 

If it is not needed, you can read the PDF at the URL below:

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

 

This site gives some good config examples of "port forwarding", aka destination NAT, on the SRX series:

 

Destination NAT: http://rtoodtoo.net/2012/11/12/port-forwarding-in-srx/

 

Static NAT: you need to have the right security policies and, if needed, proxy-arp in place.

 

static {
    rule-set static-nat1 {
        from interface ge-0/0/0.0;
        rule static-nat1 {
            match {
                destination-address 1.1.1.1/32;
                destination-port 80;
            }
            then {
                static-nat {
                    prefix {
                        10.x.x.x/32;
                        mapped-port 80;
                    }
                }
            }
        }
    }
}

 

Let me know if you need some more help

 

Marc

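A complete worked configuration for the scenario in this thread, added here as an editor's example; it is not code from any of the posts above. It follows the replies' suggestion of dropping the routing-instance static NAT and using destination NAT (inbound-only port forwarding) instead, and assumes a single routing table (inet.0) with fe-0/0/0.0 as the Untrust interface holding 15.15.15.15 and the server reachable through a Trust interface. Zone, address and application names are the ones from the original post; the pool and rule-set names, the `#` commentary lines (not Junos syntax, drop them before pasting) and the client address 203.0.113.10 used in the policy check are assumptions.

```junos
# Remove the static NAT rule-set that pointed into Trust-VR. Static NAT is
# bidirectional (it would also rewrite the server's outbound source to
# 15.15.15.15), and the routing-instance keyword only makes sense when
# 172.16.1.3 really lives in a separate VR that has a route back to Untrust.
delete security nat static rule-set Incoming_NAT01

# Destination NAT: only TCP/3389 arriving for 15.15.15.15 is rewritten to
# 172.16.1.3:3389; nothing about the rest of the LAN's traffic changes.
set security nat destination pool RDP_server_pool address 172.16.1.3/32 port 3389
set security nat destination rule-set Incoming_DNAT01 from zone Untrust_Zone
set security nat destination rule-set Incoming_DNAT01 rule RDP_rule_3389 match destination-address 15.15.15.15/32
set security nat destination rule-set Incoming_DNAT01 rule RDP_rule_3389 match destination-port 3389
set security nat destination rule-set Incoming_DNAT01 rule RDP_rule_3389 then destination-nat pool RDP_server_pool

# Proxy ARP is only required when 15.15.15.15 is a spare address in the
# interface's subnet, not the address configured on fe-0/0/0.0 itself.
# Keep this line only in that case.
set security nat proxy-arp interface fe-0/0/0.0 address 15.15.15.15/32

# The policy matches the post-NAT (internal) destination and a single
# custom application, so nothing but RDP to this one host is exposed.
set applications application RDP_3389 protocol tcp destination-port 3389
set security zones security-zone Trust_Zone address-book address RDP_server_01 172.16.1.3/32
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 match source-address any
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 match destination-address RDP_server_01
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 match application RDP_3389
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then permit
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-init
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then log session-close
set security policies from-zone Untrust_Zone to-zone Trust_Zone policy Incoming_POL01 then count
commit check
commit

# Verification (operational mode; prefix with "run" from configuration mode).
# 1. The box must have a route to the server in the table the NAT rule hits.
show route 172.16.1.3
# 2. Confirm the rule exists and its hit counter increments on a test connection.
show security nat destination rule all
# 3. Ask the policy engine which policy a translated RDP packet would match
#    (203.0.113.10 is a made-up client address for the check).
show security match-policy from-zone Untrust_Zone to-zone Trust_Zone source-ip 203.0.113.10 destination-ip 172.16.1.3 source-port 51000 destination-port 3389 protocol tcp
# 4. Live sessions should show 15.15.15.15:3389 in, 172.16.1.3:3389 out.
show security flow session destination-port 3389
# 5. As Srinath notes, check the ALG state if the session appears but RDP stalls.
show security alg status
```

If the server does have to stay in a separate routing instance, keep the static NAT form with `routing-instance`, but then `show route 172.16.1.3` must succeed from both inet.0 and that instance, otherwise the reverse lookup for the translated session fails; that is the inter-VR routing Srinath's reply asks about, and KB23912 linked above covers how to provide it.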