Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Servers behind SSG 20

    Posted 01-14-2009 14:59

    So I've been trying for over a week now to allow access to servers behind my SSG 20... and I have no clue why it won't work.

     

    I've tried both MIP and VIP, neither work. I've put in the addresses correctly and I've set the policies and it still won't work. What in the name of everything that is holy am I doing wrong? haha

     

    All servers work fine throughout the LAN, but not from outside the LAN.

     

     



  • 2.  RE: Servers behind SSG 20

    Posted 01-14-2009 15:01

    We would need more info....

     

    Config and IP address of the server and the service you're trying to pass through the firewall would be helpful.

     

    Regards,



  • 3.  RE: Servers behind SSG 20

    Posted 01-14-2009 15:12

    99.x.x.48/29     = global IPs on ADSL interface in untrust zone

    192.x.x.200      = SA 2500  (tried with web server too)

     

     

    When I tried MIP

     ---------------------

    MIP:   I set Host IP to 192.x.x.200  and mapped IP to 99.x.x.50 (tried the full range one at a time) netmask 255.255.255.255

              both are in trust-vr

     

     

    When I tried VIP

     --------------------

    VIP:

                   Mapped IP: 99.x.x.48

                            Host: 192.x.x.200

                 Virtual Host and service :  443 HTTPS (443)

     

     

     

     

    Policies:

    ------------

     

    Tried both Any to Any from untrust to trust and trust to untrust for any IP addresses and tried doing the specific addresses. I tried using the specific services. Just basically tried allowing anything this side of the Milky Way.

    The status says OK on the VIP. When I tried using the basic web server (not SA 2500) I made the service HTTP and port 80 etc etc.



  • 4.  RE: Servers behind SSG 20

    Posted 01-14-2009 15:13

    Oh, I also tried using all the global IPs available in that /29 range one at a time and configuring everything from scratch each time etc etc. I'm really lost lol. This should be working. All the help files and configs and other threads say this should work...



  • 5.  RE: Servers behind SSG 20

    Posted 01-14-2009 15:14
    And I'm using OSPF to make sure everything can be found in the local networks. I can connect from the local networks just fine. All pings work etc., but I just can't connect to the outside addresses =(


  • 6.  RE: Servers behind SSG 20
    Best Answer

    Posted 01-14-2009 15:32

    Hi there

     

    I guess you want to access the SA box via HTTPS, right? Here are the CLI commands to create a VIP to access the server from the Internet:

     

    (1) set ssl port 5050 (Relocate the SSL port as this service is part of the VIP; you don't need this if you are doing HTTP)

    (2) set interface ethernet0/0 vip 172.24.28.168 + 443 "HTTPS" 172.16.50.20

    (3) set policy top from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTPS" permit

     

    I guess one of the problems you may have had is that the VIP does not get configured for the 443 port if you have not reallocated the management port (if you are using the interface IP of the FW as part of the VIP configuration).

    No. (2) essentially gives the interface IP address to the VIP. You should be able to access the server via the interface IP address of the FW on port 443 or any other port you prefer.

    Looks like you may not have added the VIP to the policy?

     

    Hope this helps

    Message Edited by WL on 01-14-2009 03:36 PM
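A lint for the three commands in the answer above, added here as an example (it is not part of the original thread and not Juniper tooling). It parses only the command forms shown in the post, assumes the management SSL port is 443 until `set ssl port` moves it, and also flags an any/any permit from Untrust left over from troubleshooting; both sample configs are constructed.

```python
import re

# Command forms as they appear in the answer above (plus the "id N" policy form).
VIP_RE = re.compile(r'^set interface (\S+) vip (\S+) (?:\+ )?(\d+) "([^"]+)" (\S+)$')
POLICY_RE = re.compile(r'^set policy (?:top |id \d+ )?from "([^"]+)" to "([^"]+)" '
                       r'"([^"]+)" "([^"]+)" "([^"]+)" permit')
SSL_RE = re.compile(r'^set ssl port (\d+)$')

# Constructed samples: the failing attempt described in the thread, then the answer's fix.
BEFORE = """\
set interface ethernet0/0 vip 172.24.28.168 + 443 "HTTPS" 172.16.50.20
set policy top from "Untrust" to "Trust" "Any" "Any" "ANY" permit
"""
AFTER = """\
set ssl port 5050
set interface ethernet0/0 vip 172.24.28.168 + 443 "HTTPS" 172.16.50.20
set policy top from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTPS" permit
"""

def audit(config):
    """Return (code, detail) findings for VIP definitions in a config dump."""
    vips, policies, ssl_port = [], [], 443  # assumption: management SSL default is 443
    for line in map(str.strip, config.splitlines()):
        if m := VIP_RE.match(line):
            vips.append(dict(zip(("iface", "ip", "port", "service", "host"), m.groups())))
        elif m := POLICY_RE.match(line):
            policies.append(dict(zip(("src_zone", "dst_zone", "src", "dst", "service"), m.groups())))
        elif m := SSL_RE.match(line):
            ssl_port = int(m.group(1))
    findings = []
    for v in vips:
        if int(v["port"]) == ssl_port:  # step (1): the firewall's own SSL service holds the port
            findings.append(("ssl-port-collision", f"{v['iface']} VIP port {v['port']}"))
        target = f"VIP({v['iface']})"   # step (3): the policy destination must be the VIP object
        if not any(p["dst"] == target and p["service"].lower() in (v["service"].lower(), "any")
                   for p in policies):
            findings.append(("vip-without-policy", f"no permit to {target} for {v['service']}"))
    for p in policies:
        if p["src_zone"] == "Untrust" and {p["src"].lower(), p["dst"].lower(), p["service"].lower()} == {"any"}:
            findings.append(("any-any-permit", f"Untrust to {p['dst_zone']} permits everything"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "clean")
```
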


  • 7.  RE: Servers behind SSG 20

    Posted 01-14-2009 15:44

    YOU DID IT!    thank you so much! ❤️ 😃   Kudos and all that jazz 😃