SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Web server not working

  • 1.  Web server not working

    Posted 09-25-2023 10:08

    Hello, I am trying to set up a web server. I need this:
    46.10.161.40 -> 192.168.2.2 on port 80

    When I am entering http://46.10.161.40/ in my browser it gives timed out error.

    I am uploading my NAT Destination config as screenshots from J-Web. Maybe I am doing something wrong? Thank you in advance for your help.




    ------------------------------
    GEORGI DONKOV
    ------------------------------


  • 2.  RE: Web server not working

    Posted 09-25-2023 11:38

    Hey Georgi, 

    After setting up Destination NAT, 

    You also need a security policy rule that allows the traffic to pass from one zone to the other (assuming something like "Internet" to "Internal" or "Untrusted" to "Trusted").

    Cheers,



    ------------------------------
    Ben Kamen
    ------------------------------



  • 3.  RE: Web server not working

    Posted 09-25-2023 12:59

    Hello. Thank you for answering! Here is my configuration for the security policy:

    Where the destination address is port-83, which is the global address that I created: 46.10.161.40


    ------------------------------
    GEORGI DONKOV
    ------------------------------



  • 4.  RE: Web server not working

    Posted 09-25-2023 13:43

    Ok - so 

    Your original dNAT needs correction. 

    Your dest port for rule "r1" should be 83 and then the POOL address entry "r2" should have port 80 as the re-write. 

    Then you can back off the security policy to just allow address: any-> address: any;  to get it working... (keep it simple and then build the rule to be more restrictive)

    AND THEN tighten it up with either address limits or port limits. 

    Cheers,



    ------------------------------
    Ben Kamen
    ------------------------------



  • 5.  RE: Web server not working

    Posted 09-26-2023 03:04

    Thank you for answering!

    So here is my configuration so far:

    destination {
        pool port-83 {
            address 192.168.2.2/32 port 80;
        }
        rule-set rs1 {
            from zone untrust;
            rule Forwarding {
                match {
                    destination-address 46.10.161.40/32;
                    destination-port {
                        83;
                    }
                    protocol [ tcp udp ];
                }
                then {
                    destination-nat {
                        pool {
                            port-83;
                        }
                    }
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                46.10.161.40/32;
            }
        }
    }
    address-book {
        global {
            address office 192.168.0.0/26;
            address innov 192.168.2.0/28;
            address port-83 192.168.2.2/32;
        }
    }
    from-zone untrust to-zone trust {
        policy server-access {
            match {
                source-address any;
                destination-address any-ipv4;
                application junos-http;
                dynamic-application any;
            }
            then {
                permit;
            }
        }
    }

    I think that is everything needed to edit to make it work. So far I made the changes that you mentioned, but there is no success. I noticed that on the nat hierarchy there are two rule sets that I created for our VPN:

    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set NatToUntrust {
                from zone VPN;
                to zone untrust;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

    Maybe they are the reason?

    Thank you,




    ------------------------------
    GEORGI DONKOV
    ------------------------------



  • 6.  RE: Web server not working

     
    Posted 09-26-2023 03:23

    Hello Georgi,

    Did we confirm if the traffic is reaching the SRX in the first place?

    Please see if sessions are getting created when trying to access the server:

    > show security flow session destination-prefix 46.10.161.40 destination-port 83

    Also, you can set up a trace file and see if any drops are happening. 

    https://supportportal.juniper.net/s/article/Archive-SRX-Getting-Started-Configuring-Traceoptions-for-Debugging-and-Trimming-Output?language=en_US 

    set security flow traceoptions file FLOWTRACE
    set security flow traceoptions file size 30m
    set security flow traceoptions file files 2
    set security flow traceoptions file world-readable
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter IN destination-prefix 46.10.161.40/32
    set security flow traceoptions packet-filter IN destination-port 83

    commit and-quit

    You can either check the logs or attach it here, I can help check it for you. 

    Regards,

    Brijil 



    ------------------------------
    Brijil R
    ------------------------------



  • 7.  RE: Web server not working

    Posted 09-26-2023 04:03

    Hello, Brijil.

    The command
    > show security flow session destination-prefix 46.10.161.40 destination-port 83
    shows that there is no traffic reaching the SRX. There are 0 sessions created when trying to access the server.



    ------------------------------
    GEORGI DONKOV
    ------------------------------



  • 8.  RE: Web server not working

     
    Posted 09-26-2023 04:29

    Can you get me the traces please? Let's have a look at that as well. 



    ------------------------------
    Brijil R
    ------------------------------



  • 9.  RE: Web server not working

    Posted 09-26-2023 05:28

    Hello, Brijil.

    Here are the traces. Thank you in advance!



    ------------------------------
    GEORGI DONKOV
    ------------------------------

    Attachment: message.txt (25 KB)


  • 10.  RE: Web server not working

     
    Posted 09-26-2023 06:34

    Looks like the device is not identifying the DNAT and hence it's dropping the packet. 

    Sep 26 12:24:31 12:24:31.270481:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0 dp 83
    Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self: No handler function found for proto:6, dst-port:83, drop pkt
    Sep 26 12:24:31 12:24:31.270481:CID-0:RT:retcode: 0x1
    Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self : proto 6, dst port 83, action no action found, drop packet

    Can you remove the config "from zone untrust", make it "from interface ge-0/0/0.0" and give it a try?

    Regards,



    ------------------------------
    Brijil R
    ------------------------------
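The trace lines quoted above are the useful signal in a flow trace collected with the traceoptions from the earlier reply: a `pak_for_self` drop means the SRX treated the packet as traffic addressed to itself (no destination NAT rule rewrote it) and found no service listening on that port. The following is an added example, not part of the thread or of Junos, that pulls those drops out of a trace file so the protocol/port pair can be cross-checked against the DNAT rule. The sample text is constructed from the four lines in the post plus one made-up non-drop line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the four trace lines quoted in the post, plus one
# constructed "normal" line so the filter has something to ignore.
SAMPLE_TRACE = """\
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0 dp 83
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self: No handler function found for proto:6, dst-port:83, drop pkt
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:retcode: 0x1
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self : proto 6, dst port 83, action no action found, drop packet
Sep 26 12:24:35 12:24:35.100000:CID-0:RT:flow_first_create_session
"""

# Matches both spellings seen in the trace: "proto:6, dst-port:83, drop pkt"
# and "proto 6, dst port 83, ... drop packet".
DROP_RE = re.compile(
    r"pak_for_self\s*:.*?proto[:\s]+(\d+).*?dst[- ]port[:\s]+(\d+).*?drop"
)


@dataclass(frozen=True)
class SelfTrafficDrop:
    timestamp: str
    protocol: int   # IP protocol number (6 = TCP)
    dst_port: int
    raw: str


def parse_self_traffic_drops(trace_text: str) -> List[SelfTrafficDrop]:
    """Return every pak_for_self drop in a flow trace, oldest first."""
    drops = []
    for line in trace_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        # The timestamp is everything before the ":CID-" marker.
        ts = line.split(":CID-", 1)[0]
        drops.append(SelfTrafficDrop(ts, int(m.group(1)), int(m.group(2)), line))
    return drops


def summarize(drops: List[SelfTrafficDrop]) -> Dict[Tuple[int, int], int]:
    """Count drops per (protocol, port): the tuple to compare with the DNAT rule's
    'protocol' and 'destination-port' match terms."""
    counts: Dict[Tuple[int, int], int] = {}
    for d in drops:
        key = (d.protocol, d.dst_port)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_self_traffic_drops(SAMPLE_TRACE)
    for d in found:
        print(d.timestamp, "proto", d.protocol, "port", d.dst_port)
    print(summarize(found))
```

Run it against a saved FLOWTRACE file by passing the file contents to `parse_self_traffic_drops`. If every drop lands on the same (protocol, port) that the DNAT rule is supposed to match, the rule is not being hit for that traffic, which is exactly the situation the reply above describes.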



  • 11.  RE: Web server not working

    Posted 09-26-2023 06:46

    Sorry, I am not sure what you mean. But right now I checked the logs again and found some other things:



    ------------------------------
    GEORGI DONKOV
    ------------------------------

    Attachment: message (1).txt (9 KB)


  • 12.  RE: Web server not working

     
    Posted 09-26-2023 07:07

    I checked the new logs too and it seems the same for me. 

    Can you specify what you saw that was different?

    Can you try the config below:

    delete security nat destination rule-set rs1 from zone untrust 

    set security nat destination rule-set rs1 from interface ge-0/0/0.0

    Regards,



    ------------------------------
    Brijil R
    ------------------------------



  • 13.  RE: Web server not working

    Posted 09-26-2023 10:15

    from-zone untrust to-zone trust {
        policy server-access {
            match {
                source-address any;
                destination-address port-83;
                dynamic-application any;
            }
            then {
                permit;
            }
        }
    }

    This was causing the problem. Removing it and setting only application fixed everything. Do not understand why. Thank you so much for your effort!!

    Greetings,



    ------------------------------
    GEORGI DONKOV
    ------------------------------
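The working configuration ends up with the policy's destination address pointing at the internal server (port-83 = 192.168.2.2/32) and the application set to junos-http, i.e. the translated port, not the public 46.10.161.40:83 that clients connect to. The reason is the order of the SRX first-packet path: destination NAT is applied before the route/zone lookup and the policy lookup, so the policy is evaluated against the post-NAT address and port. The model below is an added example written for this thread, not Junos code: it reproduces the DNAT rule, routes and policy from the posts above, uses a constructed client address (203.0.113.10), and deliberately omits source NAT and unified-policy `dynamic-application` handling, so it says nothing about why that knob mattered here.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_zone: str


@dataclass(frozen=True)
class DnatRule:
    name: str
    from_zone: str
    match_dst: str            # destination-address prefix
    match_dports: frozenset   # destination-port set
    protocols: frozenset
    pool_addr: str            # pool address
    pool_port: Optional[int]  # pool port; None keeps the original port


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    dst_prefixes: Tuple[str, ...]   # address-book entries resolved to prefixes
    app_ports: frozenset            # application resolved to (proto, port) pairs
    action: str


def in_prefix(ip: str, prefix: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def apply_dnat(pkt: Packet, rules: List[DnatRule]):
    """Step 1: destination NAT. First matching rule rewrites dst address/port."""
    for r in rules:
        if (r.from_zone == pkt.in_zone and in_prefix(pkt.dst, r.match_dst)
                and pkt.dport in r.match_dports and pkt.proto in r.protocols):
            new_port = r.pool_port if r.pool_port is not None else pkt.dport
            return replace(pkt, dst=r.pool_addr, dport=new_port), r.name
    return pkt, None


def route_zone(ip: str, routes) -> Optional[str]:
    """Step 2: longest-prefix match on the *translated* destination gives the egress zone."""
    best = None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def policy_lookup(pkt: Packet, to_zone: Optional[str], policies: List[Policy]):
    """Step 3: policy is matched on the post-NAT address and port, first match wins."""
    for p in policies:
        if p.from_zone != pkt.in_zone or p.to_zone != to_zone:
            continue
        if not any(in_prefix(pkt.dst, pre) for pre in p.dst_prefixes):
            continue
        if (pkt.proto, pkt.dport) not in p.app_ports:
            continue
        return p.action, p.name
    return "deny", "default-deny"   # nothing matched: SRX default policy denies


def process(pkt: Packet, dnat_rules, routes, policies) -> dict:
    translated, rule = apply_dnat(pkt, dnat_rules)
    zone = route_zone(translated.dst, routes)
    action, pol = policy_lookup(translated, zone, policies)
    return {"dnat_rule": rule, "post_nat_dst": f"{translated.dst}:{translated.dport}",
            "to_zone": zone, "policy": pol, "action": action}


# The thread's objects (zones, prefixes and names taken from the posted config).
FORWARDING = DnatRule("Forwarding", "untrust", "46.10.161.40/32", frozenset({83}),
                      frozenset({"tcp", "udp"}), "192.168.2.2", 80)
ROUTES = [("192.168.2.0/28", "trust"), ("192.168.0.0/26", "trust"), ("0.0.0.0/0", "untrust")]
JUNOS_HTTP = frozenset({("tcp", 80)})
INBOUND = Packet("203.0.113.10", "46.10.161.40", "tcp", 83, "untrust")  # constructed client

# Final working policy: destination port-83 = 192.168.2.2/32, application junos-http.
WORKING = Policy("server-access", "untrust", "trust", ("192.168.2.2/32",), JUNOS_HTTP, "permit")
# Contrast: a policy written against the public address and public port. It never matches,
# because by the time the policy is consulted the packet is already 192.168.2.2:80.
PRE_NAT_STYLE = Policy("server-access", "untrust", "trust", ("46.10.161.40/32",),
                       frozenset({("tcp", 83)}), "permit")


def run_working() -> dict:
    return process(INBOUND, [FORWARDING], ROUTES, [WORKING])


def run_pre_nat_style() -> dict:
    return process(INBOUND, [FORWARDING], ROUTES, [PRE_NAT_STYLE])


if __name__ == "__main__":
    print(run_working())
    print(run_pre_nat_style())
```

`run_working()` permits via `server-access` after the DNAT rule has rewritten the packet to 192.168.2.2:80; `run_pre_nat_style()` falls through to the default deny even though the DNAT rule matched, which is the shape of the earlier attempts in this thread that keyed the policy on the public address.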



  • 14.  RE: Web server not working

    Posted 09-26-2023 03:40

    Close -- but try this and let us know. 

    from-zone untrust to-zone trust {
        policy server-access {
            match {
                source-address any;
                destination-address port-83;
            }
            then {
                permit;
            }
        }
    }


    ------------------------------
    Ben Kamen
    ------------------------------



  • 15.  RE: Web server not working

    Posted 09-26-2023 04:01

    Hello, Ben! I updated the security policy, just left the dynamic-application: any, because it said that either dynamic application or application should be defined in a policy. 

    Now the security policy looks like this:

    from-zone untrust to-zone trust {
        policy server-access {
            match {
                source-address any;
                destination-address port-83;
                dynamic-application any;
            }
            then {
                permit;
            }
        }
    }

    And there is still no success.



    ------------------------------
    GEORGI DONKOV
    ------------------------------



  • 16.  RE: Web server not working
    Best Answer

    Posted 09-26-2023 15:22
    Edited by GEORGI DONKOV 09-27-2023 06:20

    Yeah, I don't know why you kept the "dynamic-application any;"

    If you note from the config snippet I recommended trying, I had deleted that from your previous config. 

    Glad it's working. 

    Cheers,

     -Ben

    p.s. if you can, go back to original post and edit the subject to include "[SOLVED]"

    ------------------------------
    Ben Kamen
    ------------------------------