SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Webserver not working

  • 1.  Webserver not working

    Posted 05-19-2017 06:43

    Hello,

    I am trying to set up a webserver.

    I need the following:

    187.72.138.193 > 10.196.24.31 on port 80

    What am I doing wrong?

    When I try to access it from outside it keeps loading forever then an error appears (timed out).

    I am using SRX220H2 with JUNOS Software Release [12.1X44-D15.5]

    I tried the following:

    set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24
    set applications application HTTP protocol tcp
    set applications application HTTP destination-port 80
    set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80
    set security nat destination rule-set DEST-NAT from zone untrust
    set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32
    set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80
    set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match source-address any
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match destination-address WebServer
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match application HTTP
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ then permit
    set security nat source rule-set DMZ-TO-INTERNET from zone DMZ-trust
    set security nat source rule-set DMZ-TO-INTERNET to zone untrust
    set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match source-address 10.196.24.31/24
    set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match destination-address 0.0.0.0/0
    set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET then source-nat interface



  • 2.  RE: Webserver not working

    Posted 05-19-2017 12:15

    Hi,

    The IP 10.196.24.31 is a part of the subnet 10.196.24.0/24. Hence you will be unable to give the address entry as 10.196.24.31/24.

    Moreover, you cannot perform a destination NAT of a single IP (interface IP) and port 80 to a whole internal subnet.

    Hence, you will have to use a /32 to make it work.

    Regards,

    Sahil Sharma

    Please mark my response as Solution if it Helps, Kudos are Appreciated as well.



  • 3.  RE: Webserver not working

    Posted 05-19-2017 12:50

    Hi.

    Could you PLEASEEEEEEEEEEEEEEE edit my commands in order to make it work?

    I'm new to SRX configuring ... I need it working ASAP for my company website, I will study SRX once I get it solved.

    set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24
    set applications application HTTP protocol tcp
    set applications application HTTP destination-port 80
    set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80
    set security nat destination rule-set DEST-NAT from zone untrust
    set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32
    set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80
    set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match source-address any
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match destination-address WebServer
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match application HTTP
    set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ then permit
    set security nat source rule-set DMZ-TO-INTERNET from zone DMZ-trust
    set security nat source rule-set DMZ-TO-INTERNET to zone untrust
    set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match source-address 10.196.24.31/24
    set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match destination-address 0.0.0.0/0
    set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET then source-nat interface

    THANKS



  • 4.  RE: Webserver not working

    Posted 05-19-2017 13:07

    Hi,

    Please change the subnet in the following 2 commands to /32 as shown below:

    set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/32
    set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/32 port 80

    This should work.

    HTH !

    Regards,

    Sahil Sharma

    Please mark my response as Solution if it Helps, Kudos are Appreciated as well.



  • 5.  RE: Webserver not working

    Posted 05-19-2017 13:47

    What about the line:

    set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32

    Should I use /32 after IP?

    Kind regards.



  • 6.  RE: Webserver not working

    Posted 05-19-2017 14:30

    Hi,

    Yes, but even if you don't explicitly state a /32 after the IP, it will be taken as a single /32 only.

    Regards,

    Sahil Sharma

    Please mark my response as Solution if it Helps, Kudos are Appreciated as well.

     

     



  • 7.  RE: Webserver not working

    Posted 05-22-2017 04:56

    Not working. It keeps loading then it gives an error.

    Try it by yourself, try to access the IP 187.72.138.193 using your browser.



  • 8.  RE: Webserver not working

    Posted 05-28-2017 04:55

    From your configuration it looks like you are forwarding the same address in use by the actual interface ge-0/0/0 to your web server.

    Since the SRX is using port 80 already on this address you cannot forward that port.

    Your options are:

    use a different address in your /28 for your web server forwarding

    remove ge-0/0/0 from web mgmt (recommended because publishing mgmt to the internet is not best practice)

    change the web mgmt port used by the SRX



  • 9.  RE: Webserver not working

    Posted 05-30-2017 06:33

    OK I changed the port of web management to 8081 as you can see in my conf below.

    Now when I access my external IP (187.72.138.193) from an external network on port 80 I get a timeout error.

    When I access my external IP from an external network on port 8081 I see my SRX device web management page.



  • 10.  RE: Webserver not working

    Posted 05-30-2017 09:09

    add the following:

    set security nat proxy-arp interface ge-0/0/0.0 address 187.72.138.193/28
    set security nat destination rule-set DEST-NAT from interface ge-0/0/0.0
    set applications application HTTP application-protocol http

    or
    why not use application junos-http instead of defining application HTTP?

    As a best practice, instead of adding host-inbound-traffic system-services all, add http and https



  • 11.  RE: Webserver not working

    Posted 05-30-2017 09:20

    On the third command I got the syntax error:

    [image: 1.PNG]

    And after trying to commit the first and second command I got the following error:

    root@device# commit
    [edit security nat proxy-arp interface ge-0/0/0.0]
      'address 187.72.138.193/28'
        Proxy ARP IP address range [187.72.138.193 187.72.138.207] overlaps with interface IP address range [187.72.138.193 187.72.138.193] defined on interface 'ge-0/0/0.0'
    error: configuration check-out failed

    please help me.



  • 12.  RE: Webserver not working

    Posted 05-30-2017 10:29

    [image: app-config.jpg]

    187.72.138.193/32   < my bad - use /32

    sure why your application does not work



  • 13.  RE: Webserver not working

    Posted 05-30-2017 10:50

    Cannot commit.

    please check step by step:



  • 14.  RE: Webserver not working

    Posted 05-30-2017 11:10

    Let's try this one at a time.

    deactivate applications application HTTP

    delete the proxy-arp statement.

    In the security policy, delete the application HTTP and replace it with junos-http

    commit and test.

     



  • 15.  RE: Webserver not working

    Posted 05-30-2017 12:14

    Hi,

    I am new to SRX configuration so could you please be more clear?

    I don't know junos-http, I think I removed the first configuration we made



  • 16.  RE: Webserver not working

    Posted 05-30-2017 20:01


    why not use application junos-http instead of defining application HTTP?

    }
    from-zone untrust to-zone DMZ-trust {
        policy INTERNET-TO-DMZ {
            match {
                source-address any;
                destination-address WebServer;
                application HTTP; <=====Delete this and use junos-http which is already created for you as you can see. for the image.

    applications {
        application HTTP { <======Deactivate this application
            protocol tcp;
            destination-port 80;

    Use these commands to delete HTTP from the policy and add junos-http:
    At the top of the hierarchy, save your configuration
    #save rdgcatell_config (use this to restore if you need to)
    #deactivate applications application HTTP
    #edit security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ
    #delete match application HTTP
    #set match application junos-http
    #set match application junos-https
    #delete security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

    commit confirmed
    Test - if all is well then enter commit within 10 minutes, otherwise the configuration will roll back
    BTW you don't have an IP address on interface vlan.0? Is that working okay?

    When you try to connect, if it fails,

    >show security flow session to see the packet flow

    If no go, then we set up data-path debug



  • 17.  RE: Webserver not working

    Posted 05-31-2017 05:02

    When I tried to run the following command I got a syntax error on the "security-zone" part.

    delete security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all



  • 18.  RE: Webserver not working

    Posted 05-31-2017 14:17

    set security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

    set security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https



  • 19.  RE: Webserver not working
    Best Answer

    Posted 06-01-2017 19:52

    Configure the port forwarding rule for the webserver. Create an address book entry for it in the zone where the Webserver resides
    set security zones security-zone trust address-book address Webserver
    set security nat destination pool Webserver1 address x.x.x.x/32 port 80 <==== translated IP
    Configure the port forwarding rule for the webserver.

    set security nat destination rule-set Web1 rule rule1 match destination-address public IP
    set security nat destination rule-set Web1 rule rule1 match destination-port YY <===port to be used
    set security nat destination rule-set Web1 rule rule1 then destination-nat pool Webserver1
    Create security policy to allow traffic
    set security policies from-zone untrust to-zone trust policy Allow-webserver match source-address any
    set security policies from-zone untrust to-zone trust policy Allow-webserver match destination-address Webserver
    set security policies from-zone untrust to-zone trust policy Allow-webserver match application junos-http HTTP
    set security policies from-zone untrust to-zone trust policy Allow-webserver then permit

    if not working enable traceoptions
    when finished, delete or deactivate traceoptions

    #deactivate security flow traceoptions

    For the Branch Office SRX series packet capture - Using basic-datapath debug
    #set security flow traceoptions file trace-debug-basic-dp
    #set security flow traceoptions flag basic-datapath
    #set security flow traceoptions packet-filter pckt-in source-prefix <prefix/length>
    #set security flow traceoptions packet-filter pckt-out destination-prefix <prefix/length>
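    An added example, not code from this thread or from Juniper: a small Python lint over set-style Junos config that flags the three pitfalls the thread works through (host addresses without /32 in the address book and destination NAT pool, a DNAT rule for port 80 on the interface IP that J-Web already listens on, and host-inbound-traffic system-services all). The ge-0/0/0 /28 interface address and the J-Web lines are assumptions; the sample config is constructed from the poster's commands.

```python
import ipaddress
import re

# Constructed sample: the poster's original commands plus the interface and
# J-Web lines the thread implies (the /28 interface address is an assumption).
ORIGINAL = """
set interfaces ge-0/0/0 unit 0 family inet address 187.72.138.193/28
set system services web-management http interface ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24
set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80
"""
# Same config after the fixes the thread converges on (/32, J-Web on 8081, no 'all').
FIXED = ORIGINAL.replace("/24", "/32").replace("system-services all", "system-services http") \
    + "set system services web-management http port 8081\n"

def lint_dnat_config(config: str) -> list:
    """Flag the port-forwarding pitfalls discussed in the thread; returns finding strings."""
    findings, own_ips, web_ifaces, rules = [], {}, set(), {}
    web_port = 80  # J-Web HTTP default unless 'web-management http port N' is set
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)", line):
            own_ips[ipaddress.ip_interface(m[3]).ip] = f"{m[1]}.{m[2]}"
        elif m := re.match(r"set system services web-management http port (\d+)", line):
            web_port = int(m[1])
        elif m := re.match(r"set system services web-management http interface (\S+)", line):
            web_ifaces.add(m[1])
        elif line.endswith("host-inbound-traffic system-services all"):
            findings.append("system-services all exposes every management service; list http/https instead")
        elif m := re.match(r"set security zones .* address-book address (\S+) (\S+)", line):
            ip = ipaddress.ip_interface(m[2])
            if ip.network.prefixlen != 32 and ip.ip != ip.network.network_address:
                findings.append(f"address-book {m[1]}: {m[2]} is a host with a non-/32 mask; use /32")
        elif m := re.match(r"set security nat destination pool (\S+) address (\S+) port \d+", line):
            if ipaddress.ip_interface(m[2]).network.prefixlen != 32:
                findings.append(f"pool {m[1]}: port forwarding must target a single /32 host")
        elif m := re.match(r"set security nat destination rule-set \S+ rule (\S+) match destination-(address|port) (\S+)", line):
            rules.setdefault(m[1], {})[m[2]] = m[3]
    # A DNAT rule on the SRX's own interface IP and port collides with J-Web listening there.
    for name, r in rules.items():
        if "address" in r and "port" in r:
            ip = ipaddress.ip_interface(r["address"]).ip
            if ip in own_ips and own_ips[ip] in web_ifaces and int(r["port"]) == web_port:
                findings.append(f"rule {name}: port {web_port} on {ip} is already used by J-Web on {own_ips[ip]}")
    return findings

if __name__ == "__main__":
    print(*lint_dnat_config(ORIGINAL), "fixed config findings:", lint_dnat_config(FIXED), sep="\n")
```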



  • 20.  RE: Webserver not working

    Posted 06-01-2017 19:58

    Worked like a charm...

    thank you very much!!!



  • 21.  RE: Webserver not working

    Posted 05-30-2017 20:12

    Set a specific management URL for J-Web, e.g., so when you access the public IP it does not bring up the web management. If you need the web management then you would simply add the http://<IP>/jwebmgmt

    # set system services web-management management-url jwebmgmt
    # set system services web-management http interface ge-0/0/0.0
    # set system services web-management http interface vlan.0 <=== need to add an IP that the vlan clients in trust use as the gateway and that you use for web management



  • 22.  RE: Webserver not working

    Posted 05-30-2017 21:11

     noticed a config in others which I did not see here and not ally aware. Add this to your configuration

     }
            from-zone untrust to-zone DMZ-trust {
                policy INTERNET-TO-DMZ {
                    match {
                        source-address any;
                        destination-address WebServer;
                        application HTTP;
                    }
                    then {
                        permit destination-address