ScreenOS Firewalls (NOT SRX)

port forwarding issue (can not access the IP associated to a port from outside)

02-27-2012 08:52 AM

Hello

 

I'm new to the Juniper world and tried to configure a service to be accessed remotely, but I missed a step or misunderstood the instructions. Can someone help?

 

Here is what I did:

- created my new service (transport protocol, source port, destination port)

- created the new VIP under the interface (untrust = outside interface), mapped the port to the service and destination IP

- created the policy (source address VIP untrust), destination IP for the custom service, and the service

- using the CLI: "set vip multi-port" then "reset"

- checked the status of the new VIP = OK

Trying to access the service (http://external IP:port number) returns the message "Internet Explorer could not connect to...."

 

Your help is much appreciated.

 

6 REPLIES

Re: port forwarding issue (can not access the IP associated to a port from outside)

02-28-2012 02:49 PM

What kind of device on which software version are you talking about?

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI


Re: port forwarding issue (can not access the IP associated to a port from outside)

03-01-2012 05:33 AM

Can you explain what you are trying to achieve in more detail?

 

Are you trying to access a website/server using the public IP address from outside? If yes, the step where you create a policy is wrong. Your policy should look like this:

 

Untrust > Trust

Source: Any > Destination: VIP (PUBLIC IP)   Service: your service

 

This assumes that your Trust > Untrust direction is already open. Otherwise you must also create a policy for that.


Re: port forwarding issue (can not access the IP associated to a port from outside)

03-08-2012 07:19 AM

Trying to open a port to access a DVR from home.

Here is what I'm using and what I did:

 

I'm using a Juniper-NS5GT 

Firmware Version:
5.4.0r10.0 (Firewall+VPN)

Step 1 (create service)

Objects --> Services --> Custom: service name, protocol tcp, source port (low) 9091 to (high) 9091, destination port 9091 to 9091

 

Step 2 (create policies)

source address = VIP(untrust), destination address = my host to be reached from outside (step 1), service = my service from step 1, application = IGNORE, Action = permit, Enable = checked

 

Step 3 (add new VIP)

Network --> Interface --> Untrust --> Edit --> VIP --> New VIP Service:

virtual IP = my untrust interface, virtual port = my port 9091, map to service = my service (step 1), map IP = internal host IP (step 1), server auto detection = enable.

Step 4

Telnet into the NetScreen

and then type this command:

set vip multi-port

then type: reset

then type:

y

and again:
y

In reset ...

close the black box.

 

Checked VIP Services status = OK

 

Thank you


Re: port forwarding issue (can not access the IP associated to a port from outside)

03-09-2012 10:48 AM

The VIP should be the destination address in the policy, not the source. You don't need to add the host's internal IP to the policy, the VIP translation takes care of that automatically. The source IP would normally be 'Any' for a publicly-accessible service (or, you can restrict it to specific source IPs if you want).

 

Also, you might not need to specify source ports when creating the service. Most of the time you would allow from any source port to a specific destination port. It's uncommon to use a specific source port.
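The corrected configuration described in this reply, written out as ScreenOS CLI for reference. This is an added example, not part of the original post: the service name "DVR-9091", the internal host 192.168.1.50, the allowed home address 203.0.113.10 and the interface name "untrust" are assumed placeholders, and the lines beginning with # are annotations for the reader, not CLI input.

```text
# Service: any source port, fixed destination port (no src-port 9091 restriction)
set service "DVR-9091" protocol tcp src-port 0-65535 dst-port 9091-9091

# VIP bound to the untrust interface's own IP, forwarding 9091 to the internal host
set interface untrust vip interface-ip 9091 "DVR-9091" 192.168.1.50

# Required on this platform for non-standard ports; takes effect after "reset"
set vip multi-port

# Address object so the policy can be limited to a known source instead of "Any"
set address untrust "home-ip" 203.0.113.10/32

# Wrong (original post): VIP used as the SOURCE, internal host as the destination
#   set policy from untrust to trust "VIP(untrust)" 192.168.1.50 "DVR-9091" permit
# Correct: VIP is the DESTINATION; the VIP mapping supplies the internal host.
# "log" records each permitted session so inbound use of the port can be reviewed.
set policy from untrust to trust "home-ip" "VIP(untrust)" "DVR-9091" permit log

save
```

Replace "home-ip" with any if the service must be reachable from every source, as the reply describes.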


Re: port forwarding issue (can not access the IP associated to a port from outside)

03-13-2012 08:42 AM

Spun, you are the BEST.

 

Thank you, it's working.