SRX Services Gateway

SRX, SSG - Query

09-18-2019 12:47 AM

Hi All,

Just a small query about NATing.

In the 1st site (SSG5) I have MIPed a free usable public IP to a server which is on the LAN network, and I can SSH to this server remotely, but the issue is I cannot access the web interface of the same server. I have installed the same but a different server in another site (SRX320); there I did not have enough public IPs, so I had to do static NAT, i.e. using the firewall IP with ports: SSH on 22 and web interface access to this server on port 8083. In this scenario the web interface is accessible with Publicip:8083, but when I mapped one full public IP in the first scenario, i.e. with the SSG5, it did not work. Any inputs on this please?

But when I checked the sessions on the SSG5 I could see there is Creation & Close - TCP RST.

Regards

Shaan

Re: SRX, SSG - Query

09-18-2019 01:03 AM

Hello,

MIP being a one-to-one map and the IP not being that of the firewall, this should work as expected.

Are you having the right services allowed in the security policy? In the logs, are you seeing both SSH and HTTP traffic being logged by the security policy?

Regards,

Nelumbo

Re: SRX, SSG - Query

09-18-2019 01:09 AM

Hi,

I can see ICMP traffic and SSH traffic in the logs, and ping and SSH are both successful as well. According to the vendor this server responds on 8083 (8081 is API), so when I do a MIP with one entire public IP I should be able to access the web interface for the server.

Regards

shaan

Re: SRX, SSG - Query

09-18-2019 01:19 AM

shaan,

"But when I checked the sessions on the SSG5 I could see there is Creation & Close - TCP RST"

Is there any device between the SSG and the server that could be dropping the HTTP connection and sending the TCP RST back?

Are you able to confirm if the server is indeed sending the TCP RST? Maybe with a packet capture/port mirroring on a device sitting between the SSG and the server. In that case this would be a server error.

If the SSG is the one sending the TCP RST, then you need to make sure your policies are configured to permit HTTP over port 8083 and check whether you have any extra features configured that could inspect that traffic and drop it.
Re: SRX, SSG - Query

09-18-2019 01:25 AM

Hello,

Considering the logs are not showing the HTTP traffic, it seems the traffic is either not hitting the firewall or being dropped by the firewall.

You can run a debug to check and share the debug output.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB12208

Regards,

Vikas

Re: SRX, SSG - Query

09-18-2019 01:46 AM

Hello,

"If the SSG is the one sending the TCP RST then you need to make sure if your policies are configured to permit HTTP over port 8083 and if you have any extra features configured that could inspect that traffic and drop it" - If I am doing MIP with one public IP then it opens all the ports, if I am not wrong, i.e. for HTTP traffic, whether it is port 80 or 8083, it should be accessible. Also, I have now removed "any" from under the policy rule for this communication and made a custom port under TCP with source as 0 - 65535 and destination as 8083 - 8083.

Regards

Shaan

Re: SRX, SSG - Query

09-18-2019 03:12 AM

"when I mapped one full public IP in the first scenario, i.e. with the SSG5, it did not work. Any inputs on this please?"

Did your static NAT configuration include:

static NAT statement

proxy ARP

security policy

See the details on page 13 here:

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
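As an added illustration (not configuration from this thread or from Juniper's KB), the three pieces listed above written in Junos set syntax for an SRX such as the SRX320; it puts the two approaches compared in the thread side by side: the one-to-one static NAT that plays the SSG MIP role, and the per-port destination NAT on the firewall's own IP. All addresses (203.0.113.1/24 on ge-0/0/0.0 as the untrust interface, 203.0.113.10 as the spare public IP, 192.0.2.10 as the server) and all rule, pool and policy names are assumptions.

```junos
# --- Site 1 style: one-to-one static NAT (Junos counterpart of the SSG MIP) ---
# Every TCP/UDP port on 203.0.113.10 is forwarded by the NAT rule itself; only the
# security policy's application list below limits what is actually reachable.
set security nat static rule-set static-inbound from zone untrust
set security nat static rule-set static-inbound rule srv-1to1 match destination-address 203.0.113.10/32
set security nat static rule-set static-inbound rule srv-1to1 then static-nat prefix 192.0.2.10/32
# Proxy ARP: 203.0.113.10 is not an interface address, so the SRX must answer
# ARP for it on the untrust interface or upstream traffic never arrives.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# --- Site 2 style: destination NAT on the firewall's own untrust IP, one port at a time ---
# (the SRX320 case in the thread: firewallIP:22 and firewallIP:8083 reach the server;
# no proxy ARP needed because 203.0.113.1 already belongs to the interface)
set security nat destination pool srv-ssh address 192.0.2.10/32 port 22
set security nat destination pool srv-web address 192.0.2.10/32 port 8083
set security nat destination rule-set dnat-inbound from zone untrust
set security nat destination rule-set dnat-inbound rule to-ssh match destination-address 203.0.113.1/32
set security nat destination rule-set dnat-inbound rule to-ssh match destination-port 22
set security nat destination rule-set dnat-inbound rule to-ssh then destination-nat pool srv-ssh
set security nat destination rule-set dnat-inbound rule to-web match destination-address 203.0.113.1/32
set security nat destination rule-set dnat-inbound rule to-web match destination-port 8083
set security nat destination rule-set dnat-inbound rule to-web then destination-nat pool srv-web

# --- Security policy (shared by both styles) ---
# Destination/static NAT is applied before the policy lookup, so the policy matches the
# server's private address, not the public one. Logging session-init and session-close
# is what lets you see the "Creation & Close - TCP RST" pattern discussed in the thread.
set security address-book global address srv-priv 192.0.2.10/32
set applications application tcp-8083 protocol tcp destination-port 8083
set security policies from-zone untrust to-zone trust policy inbound-srv match source-address any
set security policies from-zone untrust to-zone trust policy inbound-srv match destination-address srv-priv
set security policies from-zone untrust to-zone trust policy inbound-srv match application [ junos-ssh tcp-8083 ]
set security policies from-zone untrust to-zone trust policy inbound-srv then permit
set security policies from-zone untrust to-zone trust policy inbound-srv then log session-init
set security policies from-zone untrust to-zone trust policy inbound-srv then log session-close

# --- Verification, operational mode: confirm the rule is hit and inspect the 8083 sessions ---
show security nat static rule all
show security nat destination rule all
show security flow session destination-port 8083
```

If a session for port 8083 appears in `show security flow session` and is then torn down, the firewall has already permitted and translated it, which points at the server (or something behind the firewall) as the source of the reset rather than the NAT or policy configuration.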
Re: SRX, SSG - Query

09-18-2019 05:16 AM

Hello,

It's an SSG5, so I have done MIP; proxy ARP, I am not sure if this option is available for the SSG5; and the security policy is in place, as ping and SSH are fine to this server.

Regards

Shaan

Re: SRX, SSG - Query

09-18-2019 05:40 AM

Hello Shaan,

This is a bit confusing.

"when I checked the sessions on the SSG5 I could see there is Creation & Close - TCP RST" - where are you seeing this?

"I can see ICMP traffic, SSH traffic in the logs & ping." Does this mean you are not seeing HTTP in the logs?

As mentioned earlier, a debug would be the easiest and fastest way to root cause the issue.

Regards,

Vikas

Re: SRX, SSG - Query

09-18-2019 05:52 AM

Hi Vikas,

"when I checked the sessions on the SSG5 I could see there is Creation & Close - TCP RST" - on the SSG5 session logs that are created when I try to access the device remotely with publicip:8083.

"I can see ICMP traffic, SSH traffic in the logs & ping. Does this mean you are not seeing HTTP in the logs?" - I am seeing the traffic for ICMP and SSH, and I am able to access with SSH; the web interface of the server comes up when I access with publicip:8083 only.

Regards

Shaan

Re: SRX, SSG - Query

09-18-2019 06:11 AM

Hello Shaan,

> Session logs show http

> policy had any

All indications are that the reset was sent by the server. Perhaps a host firewall.

Out of curiosity, are you able to telnet to server:8083 from the firewall?

If this works, you can add source NAT to the interface IP on the policy to the server. This would source-translate all connections from the internet to the FW internal IP. Connections on the server will appear as though they are coming from the firewall.

Regards,

Vikas

Re: SRX, SSG - Query

09-18-2019 06:28 AM

Hi,

What I did now was remove all custom defined ports and access the server as publicIP:443, and I am able to get a response. But this is MIP; when I used to use firewallIP:8083 the web interface used to open, so what is the difference here? I am a bit confused, or I am not understanding how it works.

Regards

shaan

Re: SRX, SSG - Query

09-18-2019 06:34 AM

Hello Shaan,

Yes, this is a bit confusing. I thought it was a typo in your earlier post.

On SSG

From internet -> MIP:8083 was not working earlier

From internet -> MIP:8083 is working now

Is that correct?

Regards,

Vikas

Re: SRX, SSG - Query

09-18-2019 06:53 AM

Hi,

On SSG

From internet -> MIP:8083 was not working earlier

From internet -> MIP:443 is working now

Regards

shaan

Re: SRX, SSG - Query

09-18-2019 06:23 PM

Hi Shaan,

This seems to indicate the server is not listening on 8083.

I think from a configuration perspective there is not much here: setting up the MIP and setting up the policy. I believe you had application "any" in the policy earlier, right?

Regards,

Vikas

Re: SRX, SSG - Query

09-19-2019 03:04 AM

"I am seeing the traffic for ICMP and SSH, and I am able to access with SSH; the web interface of the server comes up when I access with publicip:8083 only"

------

Just want to be sure I understand the failure mode here. So a few questions.

1 - Do you see logs for the connection attempt at publicip:8083 in the policy logs? I assume yes.

2 - Does this: "the web interface of the server comes up when I access with publicip:8083 only"

mean that you see an initial web page but cannot navigate anywhere?

Or some elements are missing from the page?

What is different about the display under 8083 as opposed to 443, which works?

3 - Confirm that when using the custom port you are also prefacing the request with https:// and not http://

4 - Internal test on custom port

Can you connect from an internal computer using the internal IP address and custom port successfully when the site is configured? https://privateip:8083

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home