Screen OS

  • 1.  Port forwarding on SSG 5

    Posted 01-07-2010 19:45

    I'm new to using the SSG 5, and Juniper stuff in general, and I'm trying to get a port to forward from Untrust to Trust so that we can access our IP cameras externally. I've looked through everything a Google search found, and it's driving me crazy. I've set up a Custom Service for the cameras, a VIP on the Untrust IP, and set my policy to be temporarily as lenient as possible. I still just can't get it.

     

    I want to forward port 1024 from the Untrust IP through to 1024 on an internal address (I also need to forward 6 or 7 others, but all in the 1024-1036 range). Please help me figure out what I'm missing.



  • 2.  RE: Port forwarding on SSG 5

    Posted 01-08-2010 05:56

    Hi,

     

    There are plenty of examples in the documentation (Concepts & Examples).  However, if you post your VIP config and policy we can take a look.

     

    -John



  • 3.  RE: Port forwarding on SSG 5

    Posted 01-11-2010 06:32

    I've looked through that documentation a few times but haven't uncovered what I'm missing. This is my first Juniper device, so I'm kind of learning as I go. Here is the config for the service:

     

    set service "Cameras" protocol tcp src-port 1023-1036 dst-port 1023-1036

    set service "Cameras" + udp src-port 1023-1036 dst-port 1023-1036 

    set service "Cameras" timeout never

     

    Here is the config for the policies (currently wide open for testing):

     

    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

    set policy id 1

    set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit

    set policy id 2

     

    Here is the webUI config for the VIP service

     



  • 4.  RE: Port forwarding on SSG 5

    Posted 01-13-2010 09:54

    Anyone?



  • 5.  RE: Port forwarding on SSG 5

    Posted 01-14-2010 06:44

    set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit

    set policy id 2

     

    should be

     

    set policy id 2 from "Untrust" to "Trust" "Any" "VIP(X.X.X.X)" "ANY" permit

    set policy id 2

     



  • 6.  RE: Port forwarding on SSG 5

    Posted 01-15-2010 08:51

    I set that as you suggested, but the port forward still isn't functioning. Within the LAN, when I go to the private address of the camera on port 1024, it gives me the login screen with no problem. I know there's got to be something I'm missing here, as I can rule out the camera. It's driving me nuts.



  • 7.  RE: Port forwarding on SSG 5
    Best Answer

    Posted 01-15-2010 12:37

    If you are trying to forward port 1024, why am I seeing 1023?

    If you have multiple cameras and only one external IP, you can then create multiple services like:

    1021

    1022

    1023

    1024

    Then in the VIP area, map each port to the internal IP:

     

    1.1.1.1 (external IP) to 192.168.1.11 (1021)

    1.1.1.1 (external IP) to 192.168.1.12 (1022)

    1.1.1.1 (external IP) to 192.168.1.13 (1023)

    1.1.1.1 (external IP) to 192.168.1.14 (1024)

     

    Now create a policy to allow traffic from "Any where" to "VIP1.1.1.1", and under "Service" make sure you pick the custom services you created.
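
The checks raised across the replies (a VIP destination instead of "Any", custom services instead of "ANY", and the stray port 1023), written as a small Python audit of the posted configuration. This is an added example, not part of the original thread and not Juniper tooling; the `audit` function, its regexes and the assumption that outside clients connect from ephemeral source ports are illustrative, and it handles only the line formats quoted above.

```python
import re

# Constructed input: the service and policy lines posted in the thread above.
POSTED = '''
set service "Cameras" protocol tcp src-port 1023-1036 dst-port 1023-1036
set service "Cameras" + udp src-port 1023-1036 dst-port 1023-1036
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
'''

SERVICE = re.compile(r'set service "([^"]+)" (?:protocol |\+ )(\w+) '
                     r'src-port (\d+)-(\d+) dst-port (\d+)-(\d+)')
POLICY = re.compile(r'set policy id (\d+) from "([^"]+)" to "([^"]+)" '
                    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)')

def audit(config, wanted_ports):
    """Return findings for Untrust -> Trust forwarding of wanted_ports."""
    wanted, findings, services = set(wanted_ports), [], set()
    for name, proto, s_lo, s_hi, d_lo, d_hi in SERVICE.findall(config):
        services.add(name)
        # Assumption: outside clients connect from arbitrary ephemeral source
        # ports, so anything narrower than 0-65535 will not match them.
        if (int(s_lo), int(s_hi)) != (0, 65535):
            findings.append(f"{name}/{proto}: src-port {s_lo}-{s_hi} restricts client ports")
        # Destination ports opened by the service but not meant to be forwarded.
        extra = sorted(set(range(int(d_lo), int(d_hi) + 1)) - wanted)
        if extra:
            findings.append(f"{name}/{proto}: dst-port opens unneeded {extra}")
    for pid, src_zone, dst_zone, _src, dst, svc, action in POLICY.findall(config):
        if (src_zone, dst_zone, action) != ("Untrust", "Trust", "permit"):
            continue  # only inbound permit rules are of interest here
        if not dst.startswith("VIP("):
            findings.append(f'policy {pid}: destination "{dst}" is not a VIP')
        if svc not in services:
            findings.append(f'policy {pid}: service "{svc}" is not a custom service')
    return findings

if __name__ == "__main__":
    # The poster wants 1024 plus others in the 1024-1036 range.
    for line in audit(POSTED, range(1024, 1037)):
        print(line)
```
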