Greetings!
I am having issues when trying to set up my reverse proxy with a load balancer. I can see that I'm getting hit counts on my destination NAT, but I'm not showing any traffic being sent across my firewall zones to the VLB. I've looked at this for a while and I can't seem to find what's blocking the traffic. I have more experience on an ASA, where I can run a packet tracer to figure out where I'm getting stuck. Any help would be much appreciated!
mike@VFW> show security nat destination pool HTTPS
Pool name : HTTPS
Pool id : 2
Total address : 1
Translation hits: 66
Address range Port
192.168.115.200 - 192.168.115.200 443
mike@VFW> ...from-zone untrust to-zone Production detail
Policy: allow-https, action-type: permit, State: enabled, Index: 13, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: untrust, To zone: Production
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
test(global): PublicIP/32
VLB01-VIP1(global): 192.168.115.200/32
Application: junos-https
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [443-443]
Application: HTTPS
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [443-443]
Per policy TCP Options: SYN check: No, SEQ check: No
Session log: at-create, at-close
mike@VFW> show configuration security
address-book {
global {
address VLB01 192.168.115.5/32;
address VLB01-VIP1 192.168.115.200/32;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone [ Lab Production trust ];
to zone [ untrust untrust-4g ];
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool HTTPS {
address 192.168.115.200/32 port 443;
}
rule-set HTTPS-to-VLB01 {
from zone untrust;
rule HTTPS-Match {
match {
source-address 0.0.0.0/0;
destination-address PublicIP/32;
destination-port 443;
}
then {
destination-nat pool HTTPS;
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Production to-zone untrust {
policy Production-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone Production {
policy allow-https {
match {
source-address any;
destination-address [ VLB01-VIP1 ];
application [ junos-https HTTPS ];
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
default-policy {
deny-all;
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/7.0;
ge-0/0/6.0;
vlan.125;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
tftp;
dhcp;
}
}
}
}
}
security-zone Production {
host-inbound-traffic {
system-services {
dns;
}
}
interfaces {
vlan.115 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
}
}
security-zone untrust-4g {
screen untrust-screen;
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
}
}
}
------------------------------
MIKE VOIGTS
------------------------------
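As an added example (not part of the original post, and not Juniper's own tooling), here is a small Python model of the SRX first-packet order of operations that an ASA packet-tracer user would recognise: destination NAT is applied first, then a route lookup on the translated address picks the to-zone, and only then is the security policy evaluated, using the post-NAT destination. The address book, applications, NAT rule and policies are taken from the configuration in the post. Two things the post does not show are assumed: the redacted PublicIP is stood in by 203.0.113.10, and the routing table is modelled as the 192.168.115.0/24 subnet reachable via vlan.115 in zone Production with everything else via untrust.

```python
"""Simplified SRX flow trace: dst-NAT -> route/zone lookup -> policy lookup."""
import ipaddress
from dataclasses import dataclass, replace

# ASSUMPTION: the post redacts the public address; a documentation-range value stands in.
PUBLIC_IP = "203.0.113.10"

# Address book entries and applications as configured in the post.
# junos-https is the built-in tcp/443 application; HTTPS is the poster's custom one.
ADDRESS_BOOK = {
    "any": "0.0.0.0/0",
    "test": PUBLIC_IP + "/32",
    "VLB01": "192.168.115.5/32",
    "VLB01-VIP1": "192.168.115.200/32",
}
APPLICATIONS = {"junos-https": ("tcp", 443), "HTTPS": ("tcp", 443), "any": None}

# Destination NAT rule-set HTTPS-to-VLB01 (from-zone untrust) with pool HTTPS.
DNAT_RULES = [
    {"name": "HTTPS-Match", "from_zone": "untrust", "src": "0.0.0.0/0",
     "dst": PUBLIC_IP + "/32", "dport": 443, "pool": ("192.168.115.200", 443)},
]

# Security policies in lookup order; anything unmatched hits default-policy deny-all.
POLICIES = [
    {"from": "trust", "to": "untrust", "name": "trust-to-untrust",
     "src": ["any"], "dst": ["any"], "app": ["any"], "action": "permit"},
    {"from": "Production", "to": "untrust", "name": "Production-to-untrust",
     "src": ["any"], "dst": ["any"], "app": ["any"], "action": "permit"},
    {"from": "untrust", "to": "Production", "name": "allow-https",
     "src": ["any"], "dst": ["VLB01-VIP1"], "app": ["junos-https", "HTTPS"], "action": "permit"},
]

# ASSUMPTION: the post shows no routing table. Longest-prefix match decides the to-zone.
# Traffic addressed to the firewall itself (host-inbound) is not modelled.
ROUTES = {"192.168.115.0/24": "Production", "0.0.0.0/0": "untrust"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_zone: str = "untrust"


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def egress_zone(dst):
    """Route lookup: the most specific matching prefix names the to-zone."""
    best = max((n for n in ROUTES if in_net(dst, n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ROUTES[best]


def apply_dnat(pkt):
    """Return the first destination-NAT rule matching the pre-NAT packet, if any."""
    for r in DNAT_RULES:
        if (pkt.in_zone == r["from_zone"] and in_net(pkt.src, r["src"])
                and in_net(pkt.dst, r["dst"]) and pkt.dport == r["dport"]):
            return r
    return None


def app_matches(app, pkt):
    spec = APPLICATIONS[app]
    return spec is None or spec == (pkt.proto, pkt.dport)


def lookup_policy(pkt, from_zone, to_zone):
    """Policy lookup on the post-NAT packet within the from/to zone pair."""
    for p in POLICIES:
        if p["from"] != from_zone or p["to"] != to_zone:
            continue
        if (any(in_net(pkt.src, ADDRESS_BOOK[a]) for a in p["src"])
                and any(in_net(pkt.dst, ADDRESS_BOOK[a]) for a in p["dst"])
                and any(app_matches(a, pkt) for a in p["app"])):
            return p
    return None


def trace(pkt):
    """Walk a first packet through dst-NAT, route lookup and policy lookup."""
    steps = []
    rule = apply_dnat(pkt)
    if rule:
        pkt = replace(pkt, dst=rule["pool"][0], dport=rule["pool"][1])
        steps.append(f"dst-nat {rule['name']} -> {pkt.dst}:{pkt.dport}")
    else:
        steps.append("dst-nat: no match")
    zone = egress_zone(pkt.dst)
    steps.append(f"route: {pkt.dst} via zone {zone}")
    pol = lookup_policy(pkt, pkt.in_zone, zone)
    if pol is None:
        steps.append(f"policy: no match from {pkt.in_zone} to {zone}, default deny")
        return {"action": "deny", "policy": None, "dst": pkt.dst, "steps": steps}
    steps.append(f"policy: {pol['name']} -> {pol['action']}")
    return {"action": pol["action"], "policy": pol["name"], "dst": pkt.dst, "steps": steps}


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", PUBLIC_IP, 443), Packet("198.51.100.7", PUBLIC_IP, 80)):
        print("\n".join(trace(p)["steps"]), "\n")
```

Under these assumptions an inbound tcp/443 packet to the public address is translated to 192.168.115.200, routed into zone Production and permitted by allow-https, which is why the policy has to name the post-NAT address VLB01-VIP1 rather than the public one. The model also makes visible where a real deployment can diverge: if the route for 192.168.115.200 pointed out of an interface in a zone other than Production, the lookup would land on a zone pair with no policy and fall through to deny-all. On the device itself the equivalent evidence comes from `show security flow session destination-port 443` (whether a session was ever created and on which zone pair) and from `security flow traceoptions` with a `packet-filter` for the client address.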