Screen OS

  • 1.  MIP on an Untrust Zone Interface

    Posted 02-24-2012 11:42

    We have a Juniper SSG140 and I'm having a heck of a time trying to get port forwarding working. Specifically, I'm trying to forward ports 80 and 443 to a publicly accessible web server. Previously I had configured it with a MIP and an Untrust-to-Trust policy. This isn't working. The guide says:


    set interface ethernet2 mip 1.1.1.5 host 10.1.1.5 netmask 255.255.255.0 vrouter trust-vr
    set policy from untrust to trust any mip(1.1.1.5) http permit


    When I do this I can see in the logs that traffic is arriving at the server, but the reply either isn't getting back to the client or appears to be coming from a different IP (we have a range of IPs and the MIP is not mapped to our default untrust IP). I tried adding a Trust-to-Untrust policy to allow traffic from the internal server out and messed around with NAT-src, but it just doesn't seem to work. Any suggestions?



  • 2.  RE: MIP on an Untrust Zone Interface
    Best Answer

    Posted 02-26-2012 02:43

    Can you run the debug?

    set ffilter dst-ip 1.1.1.5
    debug flow basic
    clear dbuf
    (try to connect to the MIP)
    undebug all
    get dbuf stream

    The debug output should show what's happening. You could post it to let us all help you.



  • 3.  RE: MIP on an Untrust Zone Interface

    Posted 02-27-2012 00:47

    Hi,

    The command should be:

    set interface ethernet2 mip 1.1.1.5 host 10.1.1.5 netmask 255.255.255.255 vrouter trust-vr

    or

    set interface ethernet2 mip 1.1.1.5 host 10.1.1.5 vrouter trust-vr

    The command you have used maps a C-net to another C-net, but I do not think that you have 256 public IPs. Besides, you need a one-to-one mapping between a private IP and a public IP.



  • 4.  RE: MIP on an Untrust Zone Interface

    Posted 02-27-2012 08:29

    Thanks for your help. I had forgotten that the server was set with a different gateway than the SSG140. Once I changed that, it worked fine. I thought I was going crazy.

    EDIT: Also, yes, I made a typo in the netmask in my post, but I had 255.255.255.255 as the netmask for the MIP on the SSG.
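
The two mistakes this thread turns on, the /24 netmask on the MIP line (reply 3) and the server's default gateway pointing at a router other than the SSG (reply 4), can both be checked offline. The following is an added example written for this page, not code from the thread or from Juniper: a small Python model of how a ScreenOS MIP translates addresses in each direction. It uses the addresses from the posts (1.1.1.5 and 10.1.1.5); the firewall's trust-side address 10.1.1.1, the second router 10.1.1.254 and all function names are assumptions made for illustration.

```python
"""Added example (not from the thread): a minimal model of ScreenOS MIP
translation. Addresses 1.1.1.5/10.1.1.5 are from the posts; the firewall's
inside address and the second router are assumed values for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Union

Addr = Union[str, IPv4Address]

FIREWALL_INSIDE = IPv4Address("10.1.1.1")  # assumed: SSG140 trust-side address
OTHER_GATEWAY = IPv4Address("10.1.1.254")  # assumed: another router on the LAN


def _ip(a: Addr) -> IPv4Address:
    return a if isinstance(a, IPv4Address) else IPv4Address(a)


@dataclass(frozen=True)
class Mip:
    """One `set interface <if> mip <mip> host <host> netmask <mask>` line.
    The mask is the scope of the mapping, not the subnet the host lives in."""
    mip: IPv4Address
    host: IPv4Address
    netmask: IPv4Address

    @classmethod
    def parse(cls, mip: Addr, host: Addr, netmask: Addr = "255.255.255.255") -> Mip:
        return cls(_ip(mip), _ip(host), _ip(netmask))

    def _prefix(self) -> int:
        return IPv4Network(f"0.0.0.0/{self.netmask}").prefixlen  # 255.255.255.0 -> 24

    def public_range(self) -> IPv4Network:
        return IPv4Network((self.mip, self._prefix()), strict=False)

    def private_range(self) -> IPv4Network:
        return IPv4Network((self.host, self._prefix()), strict=False)

    def exposed_hosts(self) -> int:
        """Number of private addresses this single line makes reachable from Untrust."""
        return self.public_range().num_addresses

    def inbound(self, dst: Addr) -> Optional[IPv4Address]:
        """Untrust -> Trust: public destination to private host (None if outside the MIP)."""
        pub, priv, d = self.public_range(), self.private_range(), _ip(dst)
        if d not in pub:
            return None
        return priv.network_address + (int(d) - int(pub.network_address))

    def outbound(self, src: Addr) -> Optional[IPv4Address]:
        """Trust -> Untrust: private source back to its public address."""
        pub, priv, s = self.public_range(), self.private_range(), _ip(src)
        if s not in priv:
            return None
        return pub.network_address + (int(s) - int(priv.network_address))


def reply_source_on_the_wire(m: Mip, server_gateway: Addr) -> IPv4Address:
    """Source address carried by the server's reply as it leaves the site.
    A MIP is bidirectional, but only packets that traverse the firewall are
    untranslated; via any other gateway the private source leaves untouched."""
    if _ip(server_gateway) == FIREWALL_INSIDE:
        translated = m.outbound(m.host)  # the host is always inside its own MIP range
        return translated if translated is not None else m.host
    return m.host


def review(m: Mip, server_gateway: Addr) -> list[str]:
    """Flag the two mistakes discussed in the thread."""
    findings = []
    if m.exposed_hosts() > 1:
        findings.append(f"netmask {m.netmask} maps {m.exposed_hosts()} public addresses "
                        f"onto {m.private_range()}; use 255.255.255.255 for one server")
    if _ip(server_gateway) != FIREWALL_INSIDE:
        findings.append(f"server gateway {_ip(server_gateway)} is not the firewall "
                        f"{FIREWALL_INSIDE}; replies bypass the MIP with source {m.host}")
    return findings


if __name__ == "__main__":
    broad = Mip.parse("1.1.1.5", "10.1.1.5", "255.255.255.0")  # the line quoted from the guide
    single = Mip.parse("1.1.1.5", "10.1.1.5")                  # the corrected line
    for m in (broad, single):
        print(f"mask {m.netmask}: {m.exposed_hosts()} host(s) exposed, 1.1.1.7 -> {m.inbound('1.1.1.7')}")
    for gw in (FIREWALL_INSIDE, OTHER_GATEWAY):
        print(f"gateway {gw}: reply leaves with source {reply_source_on_the_wire(single, gw)}")
    for finding in review(broad, OTHER_GATEWAY):
        print("finding:", finding)
```

Running it shows that the line quoted from the guide maps 256 public addresses onto 10.1.1.0/24 where one server was intended, and that with the server's gateway set to any router other than the SSG the reply leaves the site with its 10.1.1.5 source untouched, which is the "appearing to be from a different IP" symptom in the first post. On a real box the same two facts show up in `get mip` and in the `get dbuf stream` output suggested in reply 2.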