SRX Services Gateway

Users can't RDP to servers from outside network. Please help.

09-15-2013 08:33 PM

Hello,

I ran into an issue while implementing my SRX100H. Some of the end users on the network need to access their servers from home or other places on the internet.
Before I implemented the SRX, they were able to RDP into these servers using the IP and the port, but once I put in the SRX it prevented them from doing that.
Long story short, I had to put the network back the way it was so the end users could do their work. I need to find a way for them to get to these servers again with the SRX in place. I believe it has something to do with NAT, but I am not familiar with setting this up at all. Could someone help me out with getting this going?
Please take a look at my PDF that I added. It has the Visio diagram of the network (how it needs to be). You will see the IP address of my fe-0/0/0 port which I use to get all of my VLANs out to the internet. The devices the end users need to get to are in the red rectangle, which have the IPs of 10.10.10.166 and .162 with the port of 1966.
Please let me know if there is any information missing or such. I will get you whatever you need. I appreciate the help on this. Thanks.

09-16-2013 06:51 AM

Does anyone have any input on my issue? Please let me know if I need to provide any additional information or such. Thanks

09-16-2013 07:14 AM

Hi Brent,

Post your relevant configuration please so people have a look.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
09-16-2013 08:46 AM

Here is my output from show config as well as show interfaces. I can always grab additional information if needed. Thanks

09-17-2013 06:45 AM

Any ideas on how I can get this to work?

Thanks

09-17-2013 08:53 AM

It looks to me like you're missing the policy from untrust to trust to allow the traffic through.

Take a look at http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf for some solid examples.

Out of interest, did you do this through the GUI? I had the same problem from the GUI.

09-17-2013 11:12 AM

I set up most of it through the GUI, but there was a little bit of stuff that I configured from the command line. I am trying to get comfortable with command line usage though.

I will read through the link you provided and let you know how it goes. Thanks for providing that.

09-18-2013 01:22 AM

Hi Brent,

1. Are the users trying to access these IPs from the fe-0/0/1 interface, or from the external fe-0/0/0 interface? If it is from fe-0/0/1.0 then it does not appear to be part of any security zone and thus there is no associated policy.

2. If it is from the fe-0/0/0 interface, which I don't think it is, then there is no destination NAT from what I can see and there is also no security policy from untrust-to-trust for the post-NAT traffic.

Configuring a flow trace is a great way to establish what is happening to your traffic also.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16108

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
09-18-2013 07:44 AM

Hello MMcD,

The users will be trying to RDP to the internal servers from anywhere on the internet. The internet connection (external) comes into the SRX on port fe-0/0/0. The next 4 ports on the SRX are separated by VLANs, and the VLAN that the users need to get onto would be VLAN 4, port 4. This will then bring them on the 10.10.10.1/24 network where the servers are that they need to access.

I have been reading about NAT on the Juniper (thanks to AndrewS's link) and have a light grasp on it. I believe I would need to use destination NAT, from what I read. I believe the destination address that I would need to put in would be my IP address for fe-0/0/0, correct? Here is one line from an example config:

set rule-set rs1 rule r1 match destination-address 1.1.1.100

I would replace the 1.1.1.100 with my IP on fe-0/0/0 which would be 180.150.10.45, correct?

I will definitely read through the links you gave me on flow trace. I think that this will be a great tool to track down where it is getting stopped.

Thanks

09-18-2013 08:32 AM

Hi Brent,

OK, you have a couple of options:

1. You can have the users all RDP to a single external IP and increment the port, a "one to many translation". In the below example, that is hitting port 1966 for Server1 and 1967 for Server2 on 180.150.10.45.

2. You could use a separate IP for each server, i.e. 180.150.10.45 for Server_1 and 180.150.10.46 for Server_2. This is a waste of your external addressing however, but it is an option.

Have a look at the attached NAT configuration doc also.

You will also need the associated security policies; define the servers in the address book and use the post-NAT addressing, the addressing in the diagram you provided.

[edit security nat destination]

pool Server_1 {
    address 10.10.10.162/32 port 1966;
}
pool Server_2 {
    address 10.10.10.166/32 port 1966;
}

rule-set untrust-to-trust {
    from zone untrust;
    rule Server_1_Translation {
        match {
            destination-address 180.150.10.45/32;
            destination-port 1966;
        }
        then {
            destination-nat pool Server_1;
        }
    }
    rule Server_2_Translation {
        match {
            destination-address 180.150.10.45/32;
            destination-port 1967;
        }
        then {
            destination-nat pool Server_2;
        }
    }
}

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

09-29-2013 05:48 AM

I don't know if I am late ... But here goes!

This is how I did it..

You then need to assign the UNTRUST interface with 1 IP address.

Proxy-ARP the rest of the IP addresses in (remember to put them in order).

You then need to configure Destination-NAT - click on destination NAT, and click on the button for Destination NAT Pool Address.

This is where you will need to insert the internal IP address for the servers or PCs you are trying to connect to. Format of the address should be single, e.g. 192.168.1.33/32 and not /29 or /16.

Now click on the main tab of destination NAT and add the destination NAT.

From source should be ANY ... the bit at the bottom next to port number should have your external address, e.g. 86.89.15.62/32. If you want to RDP to a non-default port this is where you set it. (This is the address from the proxy-ARP pool that you inserted earlier on.) Now on the right click on the bottom radio button (source with NAT pool), then select the destination NAT server.

Not quite finished.. YET.

So we now have to make an address book entry for the server you're trying to connect to, then a policy that will let you connect from untrust to that server or computer within the trust zone.

Should be source untrust 0.0.0.0/0 to Trust 192.168.6.32/32 (the name of the server will be listed here), then set application type and permit.

That's it!

Message me if you're still having issues. More than happy to help you!
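Pulling together MMcD's destination-NAT snippet and the GUI walkthrough in the last reply, here is the complete set-format configuration for option 1 (one external IP, port 1966 for Server_1 and 1967 for Server_2). This is an added example, not configuration from either poster or from Juniper; it assumes fe-0/0/0.0 is already in zone untrust and the VLAN 4 interface in zone trust, and the names Server_1, Server_2, rdp-1966 and Allow_RDP_Servers are chosen here. The `#` lines are explanatory and must be dropped before loading.

```junos
# --- Destination NAT: external 180.150.10.45, one port per server ---
set security nat destination pool Server_1 address 10.10.10.162/32 port 1966
set security nat destination pool Server_2 address 10.10.10.166/32 port 1966
set security nat destination rule-set untrust-to-trust from zone untrust
set security nat destination rule-set untrust-to-trust rule Server_1_Translation match destination-address 180.150.10.45/32
set security nat destination rule-set untrust-to-trust rule Server_1_Translation match destination-port 1966
set security nat destination rule-set untrust-to-trust rule Server_1_Translation then destination-nat pool Server_1
set security nat destination rule-set untrust-to-trust rule Server_2_Translation match destination-address 180.150.10.45/32
set security nat destination rule-set untrust-to-trust rule Server_2_Translation match destination-port 1967
set security nat destination rule-set untrust-to-trust rule Server_2_Translation then destination-nat pool Server_2

# Option 2 only: a second external address (180.150.10.46 in MMcD's example) that is
# not configured on fe-0/0/0.0 must be proxy-ARPed, or upstream never delivers it.
# set security nat proxy-arp interface fe-0/0/0.0 address 180.150.10.46/32

# --- Custom application: RDP listens on 1966 here, so junos-ms-rdp (3389) would not match ---
set applications application rdp-1966 protocol tcp
set applications application rdp-1966 destination-port 1966

# --- Address book: post-NAT (internal) addresses, scoped to the trust zone ---
set security zones security-zone trust address-book address Server_1 10.10.10.162/32
set security zones security-zone trust address-book address Server_2 10.10.10.166/32

# --- Policy: evaluated after destination NAT, so it matches the internal addresses
# and port 1966 for BOTH servers (the 1967 has already been rewritten by the pool) ---
set security policies from-zone untrust to-zone trust policy Allow_RDP_Servers match source-address any
set security policies from-zone untrust to-zone trust policy Allow_RDP_Servers match destination-address Server_1
set security policies from-zone untrust to-zone trust policy Allow_RDP_Servers match destination-address Server_2
set security policies from-zone untrust to-zone trust policy Allow_RDP_Servers match application rdp-1966
set security policies from-zone untrust to-zone trust policy Allow_RDP_Servers then permit
set security policies from-zone untrust to-zone trust policy Allow_RDP_Servers then log session-init
set security policies from-zone untrust to-zone trust policy Allow_RDP_Servers then log session-close

# Verify from operational mode after commit:
#   show security nat destination rule all
#   show security flow session destination-port 1966
```

Where the home users' source ranges are known, replace `source-address any` with address-book entries for those ranges so the exposed RDP listeners are not reachable from the whole internet; the session logs give you the evidence of who connected.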
