SRX


Service available outside (SRX Juniper Device)

  • 1.  Service available outside (SRX Juniper Device)

    Posted 02-12-2019 02:42

    Dear all,

     

    Before I start my explanation, here is some information:

     

    - My external IP is 187.72.138.193

    - My internal network goes under 10.196.X.X

    - I am using Juniper SRX220

     

    Now my question is about accessing a service I run at http://10.196.24.178:8086 (internal network) from outside.

    As you will see below, I have other services running outside already, but I do not know how to configure it, considering I am pretty new to SRX devices.

     

    My point is that I need that if someone from anywhere in the world types 187.72.138.193:8086 in a browser, it redirects to my internal network and shows the content of the service running on 10.196.24.178:8086.

     

    If possible please tell me the commands I have to run in order to make it available from outside.

     

    Kind regards.

     



  • 2.  RE: Service available outside (SRX Juniper Device)

    Posted 02-12-2019 03:27

    set security nat destination pool WebServer3 address 10.196.24.178 port 8086
    set security nat destination rule-set WebServer3 from zone untrust
    set security nat destination rule-set WebServer3 rule Web3 match destination-address 187.72.138.193/32
    set security nat destination rule-set WebServer3 rule Web3 match destination-port 8086
    set security nat destination rule-set WebServer3 rule Web3 then destination-nat pool WebServer3

     

    set security zones security-zone trust address-book address WebServer3 10.196.24.178/32
    set applications application My-HTTP protocol tcp destination-port 8086
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 match source-address any
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 match destination-address WebServer3
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 match application My-HTTP
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 then permit

    show | compare
    commit

     



  • 3.  RE: Service available outside (SRX Juniper Device)

    Posted 02-12-2019 03:34

    When I ran commit I got the error below:

     

    [edit security nat destination]
    'rule-set WebServer3'
    rule-set WebServer3 and rule-set Webserver1 have same context.
    error: configuration check-out failed

    Kind regards.



  • 4.  RE: Service available outside (SRX Juniper Device)
    Best Answer

    Posted 02-12-2019 03:38

    Try this:

    set security nat destination pool WebServer3 address 10.196.24.178 port 8086

    set security nat destination rule-set Webserver1 rule Web3 match destination-address 187.72.138.193/32
    set security nat destination rule-set Webserver1 rule Web3 match destination-port 8086
    set security nat destination rule-set Webserver1 rule Web3 then destination-nat pool WebServer3

    set security zones security-zone trust address-book address WebServer3 10.196.24.178/32
    set applications application My-HTTP protocol tcp destination-port 8086
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 match source-address any
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 match destination-address WebServer3
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 match application My-HTTP
    set security policies from-zone untrust to-zone trust policy Allow-WebServer3 then permit
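
The commit error in post 3 and the fix in the best answer, as an added example that is not part of the original thread: a pre-commit check that finds destination NAT rule-sets claiming the same `from` context and folds the new rules into the existing rule-set. The `Webserver1 from zone untrust` line is an assumption about the configuration that already existed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed candidate config. The WebServer3 lines come from the first reply;
# the Webserver1 line is an ASSUMPTION about the rule-set that already existed.
CANDIDATE = """\
set security nat destination rule-set Webserver1 from zone untrust
set security nat destination pool WebServer3 address 10.196.24.178 port 8086
set security nat destination rule-set WebServer3 from zone untrust
set security nat destination rule-set WebServer3 rule Web3 match destination-address 187.72.138.193/32
set security nat destination rule-set WebServer3 rule Web3 match destination-port 8086
set security nat destination rule-set WebServer3 rule Web3 then destination-nat pool WebServer3
"""

FROM_RE = re.compile(
    r"^set security nat destination rule-set (\S+) from "
    r"(zone|interface|routing-instance) (\S+)$"
)


def context_conflicts(config):
    """Map each 'from' context to the rule-sets claiming it; keep only clashes.

    Assumption: any context value shared by two rule-sets is a conflict,
    which is the situation the commit error in the thread reports.
    """
    owners = defaultdict(set)
    for line in config.splitlines():
        m = FROM_RE.match(line.strip())
        if m:
            name, kind, value = m.groups()
            owners[(kind, value)].add(name)  # rule-set names are case-sensitive
    return {ctx: sorted(names) for ctx, names in owners.items() if len(names) > 1}


def merge_into(config, new_set, existing_set):
    """Move new_set's rules under existing_set and drop new_set's 'from' line."""
    out = []
    for line in config.splitlines():
        m = FROM_RE.match(line.strip())
        if m and m.group(1) == new_set:
            continue  # existing_set already owns this context
        out.append(line.replace(f"rule-set {new_set} ", f"rule-set {existing_set} "))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(context_conflicts(CANDIDATE))
    print(merge_into(CANDIDATE, "WebServer3", "Webserver1"))
```

The merge does not check whether a rule named `Web3` already exists in the target rule-set; review the output with `show | compare` before committing.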

     



  • 5.  RE: Service available outside (SRX Juniper Device)

    Posted 02-12-2019 04:42

    Now I got it working. Thank you very much.



  • 6.  RE: Service available outside (SRX Juniper Device)

    Posted 02-12-2019 04:47

    Did you roll back the previous configuration? If not, just enter "rollback" from config mode, then paste and commit the new configuration.

     

     



  • 7.  RE: Service available outside (SRX Juniper Device)

    Posted 02-12-2019 04:48

    I noticed it right after I posted that I got the same error.

     

    Thanks