SRX

  • 1.  Secure Access appliance access from port 8080 mapped to 443 through SRX's destination NAT

    Posted 02-20-2014 12:19
    If I use port 443 for the external interface of the Destination NAT, it works fine directing the connections to the Secure Access internal IP from port 443; but if I use port 8080 on the external interface, destination NAT won't go through.


  • 2.  RE: Secure Access appliance access from port 8080 mapped to 443 through SRX's destination NAT

     
    Posted 02-20-2014 13:09

    Dear 

     

    Could you post your NAT config and security policies?

     


    Regards



  • 3.  RE: Secure Access appliance access from port 8080 mapped to 443 through SRX's destination NAT

    Posted 02-20-2014 16:22

    Thanks so much for replying

     

    Supposing the internal Secure Access address as 192.168.1.1/32 and external public IP as 1.1.1.1/32, configuration we made is the usual one for destination NAT:
    set security nat destination pool SecureAccess address 192.168.1.1/32
    set security nat destination pool SecureAccess address port 443
    set security nat destination rule-set test-1 rule DestNAT-SA match source-address 0.0.0.0/0
    set security nat destination rule-set test-1 rule DestNAT-SA match destination-address 1.1.1.1/32
    set security nat destination rule-set test-1 rule DestNAT-SA match destination-port 8080
    set security nat destination rule-set test-1 rule DestNAT-SA then destination-nat pool SecureAccess

    I make connection attempts from the outside, supposing a public IP 2.2.2.2, and security flow sessions show as follows:

    show security flow session source-prefix 2.2.2.2
    Session ID: 127, Policy name: 170/4, Timeout: 14, Valid
      In: 2.2.2.2/49270 --> 1.1.1.1/8080;tcp, If: reth1.0, Pkts: 3, Bytes: 152
      Out: 192.168.1.1/443 --> 2.2.2.2/49270;tcp, If: reth0.0, Pkts: 0, Bytes: 0

    Session ID: 185, Policy name: 170/4, Timeout: 14, Valid
      In: 2.2.2.2/49271 --> 1.1.1.1/8080;tcp, If: reth1.0, Pkts: 0, Bytes: 0
      Out: 192.168.1.1/443 --> 2.2.2.2/49271;tcp, If: reth0.0, Pkts: 0, Bytes: 0

    Policy 170 is an "any any any permit" policy from Untrust security zone (which interface reth1.0 belongs to) to Trust security zone (which interface reth0.0 belongs to).

     

    I really hope you may give me some direction on how to possibly resolve this issue. If I set the external NAT port as 443 instead of 8080, the connection establishes successfully (set security nat destination rule-set test-1 rule DestNAT-SA match destination-port 443), but we need to set up the external address with port 8080 because 443 is already assigned to another destination NAT.
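    One way to read the session output above programmatically, as an added example written for this thread (not SRX code): parse each `show security flow session` entry, confirm from the In/Out wings that the rule really translated 1.1.1.1/8080 to 192.168.1.1/443, and flag sessions where the client has sent packets but nothing has come back through reth0.0. The sample text is constructed from the two sessions posted above.

```python
"""Parse `show security flow session` output and report what destination NAT
did with each session.  Added example written for this thread, not SRX code;
the sample text below is constructed from the session lines posted above."""
import re
from dataclasses import dataclass

# Constructed from the two sessions in the post (same addresses and counters).
SAMPLE_OUTPUT = """\
Session ID: 127, Policy name: 170/4, Timeout: 14, Valid
  In: 2.2.2.2/49270 --> 1.1.1.1/8080;tcp, If: reth1.0, Pkts: 3, Bytes: 152
  Out: 192.168.1.1/443 --> 2.2.2.2/49270;tcp, If: reth0.0, Pkts: 0, Bytes: 0

Session ID: 185, Policy name: 170/4, Timeout: 14, Valid
  In: 2.2.2.2/49271 --> 1.1.1.1/8080;tcp, If: reth1.0, Pkts: 0, Bytes: 0
  Out: 192.168.1.1/443 --> 2.2.2.2/49271;tcp, If: reth0.0, Pkts: 0, Bytes: 0
"""

SESSION_RE = re.compile(
    r"Session ID: (\d+), Policy name: ([\w/]+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"(In|Out): (\S+) --> ([^;\s]+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Wing:
    src: str      # "ip/port" exactly as the SRX prints it
    dst: str
    proto: str
    ifname: str
    pkts: int
    nbytes: int

    def port_of(self, endpoint):
        """Port number of the 'src' or 'dst' endpoint."""
        return int(getattr(self, endpoint).rsplit("/", 1)[1])


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: dict   # "In" / "Out" -> Wing


def parse_sessions(text):
    """Group each 'Session ID' header with the In/Out wing lines under it."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = Session(int(m[1]), m[2], int(m[3]), m[4], {})
            sessions.append(current)
            continue
        m = WING_RE.search(line)
        if m and current is not None:
            current.wings[m[1]] = Wing(m[2], m[3], m[4], m[5], int(m[6]), int(m[7]))
    return sessions


def translation(session):
    """(original destination port, translated port): confirms the NAT rule fired.
    The Out wing is the reverse direction, so its source is the translated server."""
    return session.wings["In"].port_of("dst"), session.wings["Out"].port_of("src")


def one_way_sessions(sessions):
    """Sessions where the client sent packets but the server never answered:
    the translation happened, yet nothing returned through the Out wing."""
    return [s for s in sessions
            if s.wings["In"].pkts > 0 and s.wings["Out"].pkts == 0]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for s in parsed:
        print(s.sid, s.policy, translation(s), s.wings["In"].pkts, s.wings["Out"].pkts)
    print("no reply from server:", [s.sid for s in one_way_sessions(parsed)])
```

On the posted output this reports that session 127 was translated 8080 to 443 but carried three client packets and no reply, which is the pattern to look for before blaming the NAT rule itself.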



  • 4.  RE: Secure Access appliance access from port 8080 mapped to 443 through SRX's destination NAT
    Best Answer

    Posted 02-20-2014 17:11

    Sadly, PK is correct (as he usually is): the issue is with the IVE software, and more specifically the way HTTP headers work for SSL VPN. You will NOT be able to change ports using port forwarding.

     

    You can see the gory details in this old thread where we desperately tried to make this work in the past.

     

    http://forums.juniper.net/t5/SSL-VPN/Change-SSL-port/td-p/22841

     



  • 5.  RE: Secure Access appliance access from port 8080 mapped to 443 through SRX's destination NAT

     
    Posted 02-20-2014 18:12

    Yes, I got into the same issue with my SSG. The SSL GW redirect URL removes the external port 8080 and uses 443 instead, which is the default, so it won't work. I tried to find how to change the port on the SSL GW, but unfortunately there is no way to do that! So using port 443 is the only way to make it work!

     

    Regards



  • 6.  RE: Secure Access appliance access from port 8080 mapped to 443 through SRX's destination NAT

    Posted 02-20-2014 21:24

    Oh, well. That's such a shame though =(



  • 7.  RE: Secure Access appliance access from port 8080 mapped to 443 through SRX's destination NAT

    Posted 02-20-2014 13:45

    Hi

     

    I think I had the same problem. SSL VPN constantly re-directs your browser to port 443, so this does not work properly. Initially you connect to 8080 and the next request goes to 443 and is dropped by SRX. So this is a problem of SSL VPN, not SRX.

    I didn't find the solution at that time.
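The failure mode described in replies 4, 5 and 7, modelled end to end as an added example (not SRX or Secure Access code): a single destination NAT rule matching external port 8080 (the configuration from reply 3), and an appliance whose first answer redirects the browser to a URL with no explicit port, so the follow-up request arrives on 443 and finds no matching rule. The addresses and rule names come from the thread; the redirect behaviour is a simplified model of what the replies describe, and the "/login" path is a constructed placeholder.

```python
"""Model of the mapped-port failure discussed in this thread: the SRX rule
matches external port 8080 only, while the appliance's first answer sends the
browser to the default HTTPS port.  Added example, not SRX or Secure Access
code.  Addresses and ports come from the thread; the redirect is a simplified
model of the behaviour the replies describe, and "/login" is a constructed
path."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DestNatRule:
    name: str
    match_dst: str
    match_port: int
    pool_addr: str
    pool_port: int


@dataclass
class Srx:
    rules: list
    log: list = field(default_factory=list)

    def forward(self, dst_ip, dst_port):
        """First matching rule in the rule-set wins; None means no translation."""
        for r in self.rules:
            if (r.match_dst, r.match_port) == (dst_ip, dst_port):
                self.log.append(f"{dst_ip}:{dst_port} -> {r.pool_addr}:{r.pool_port} ({r.name})")
                return r.pool_addr, r.pool_port
        self.log.append(f"{dst_ip}:{dst_port} no destination NAT match")
        return None


def appliance(host, path):
    """Simplified Secure Access behaviour (assumption for this example): the
    landing request is redirected to https://<host>/login with no port, so the
    client falls back to 443; any other path is served normally."""
    if path == "/":
        return 302, f"https://{host}/login"
    return 200, None


def browse(srx, url, max_hops=3):
    """Follow redirects through the SRX; returns [(url, outcome), ...]."""
    trail = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        port = parts.port or 443           # browser default for https://
        if srx.forward(parts.hostname, port) is None:
            trail.append((url, "no NAT match, connection fails"))
            return trail
        status, location = appliance(parts.hostname, parts.path or "/")
        if status == 200:
            trail.append((url, "ok"))
            return trail
        trail.append((url, f"redirect to {location}"))
        url = location
    trail.append((url, "too many redirects"))
    return trail


def scenario(external_port):
    """One rule mapping 1.1.1.1:<external_port> to 192.168.1.1:443, then a
    browser session that starts at https://1.1.1.1:<external_port>/."""
    srx = Srx([DestNatRule("DestNAT-SA", "1.1.1.1", external_port, "192.168.1.1", 443)])
    return browse(srx, f"https://1.1.1.1:{external_port}/")


if __name__ == "__main__":
    for p in (8080, 443):
        print(f"external port {p}:")
        for url, outcome in scenario(p):
            print("  ", url, "->", outcome)
```

Running it shows the two cases from the thread side by side: with the external port set to 8080 the first hop translates correctly and the redirect then lands on 443 with no rule to match, while with the external port set to 443 the redirected request matches the same rule and the session completes.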