Original Message:
Sent: 09-26-2023 07:07
From: Brijil
Subject: Web server not working
I checked the new logs too and it seems the same for me.
Can you specify what you saw that was different?
Can you try the config below:
delete security nat destination rule-set rs1 from from zone untrust
set security nat destination rule-set rs1 from interface ge-0/0/0.0
Regards,
------------------------------
Brijil R
Original Message:
Sent: 09-26-2023 06:46
From: GEORGI DONKOV
Subject: Web server not working
Sorry, I am not sure what you mean. But right now I checked the logs again and found some other things:
------------------------------
GEORGI DONKOV
Original Message:
Sent: 09-26-2023 06:33
From: Brijil
Subject: Web server not working
Looks like the device is not identifying the DNAT and hence it's dropping the packet.
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0 dp 83
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self: No handler function found for proto:6, dst-port:83, drop pkt
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:retcode: 0x1
Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self : proto 6, dst port 83, action no action found, drop packet
Can you remove the config "from zone untrust", make it "from interface ge-0/0/0.0" and give it a try?
Regards,
------------------------------
Brijil R
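Flow traces are verbose, and when they are pasted into a forum the records often end up run together on one line. The following is an added Python example (mine, not Juniper tooling and not code from this thread) that splits a basic-datapath trace dump into records, picks out the lines where the datapath reports dropping a packet, and summarises how many packets per (protocol, destination port) were classified as traffic for the SRX itself and on which interface. The record format is taken from the four lines quoted above; the first sample record and the regular expressions are my own assumptions, and the sample deliberately concatenates the four quoted records without newlines to show the parser coping with that.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One SRX flow-trace record looks like
#   "Sep 26 12:24:31 12:24:31.270481:CID-0:RT:<message>"
# The lookahead ends a message at the next record header, so a dump whose
# records were run together on one line still splits cleanly. (Assumed format,
# derived from the four records quoted in the post above.)
RECORD_RE = re.compile(
    r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+):CID-\d+:RT:"
    r"(?P<msg>.*?)(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d\d:|\Z)",
    re.DOTALL,
)
# Both spellings, "proto:6, dst-port:83" and "proto 6, dst port 83", occur in the trace.
PROTO_PORT_RE = re.compile(r"proto[: ]\s*(?P<proto>\d+),\s*dst[- ]port[: ]\s*(?P<port>\d+)")
SELF_IFACE_RE = re.compile(r"self-traffic on (?P<iface>\S+),")
DROP_MARKERS = ("drop pkt", "drop packet")

# Constructed sample: one made-up non-drop record, then the four records from
# the post above concatenated without newlines (as pasted traces often are).
SAMPLE_TRACE = (
    "Sep 26 12:24:31 12:24:31.270400:CID-0:RT:flow process pak (constructed sample line)\n"
    "Sep 26 12:24:31 12:24:31.270481:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0 dp 83"
    "Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self: No handler function found for proto:6, dst-port:83, drop pkt"
    "Sep 26 12:24:31 12:24:31.270481:CID-0:RT:retcode: 0x1"
    "Sep 26 12:24:31 12:24:31.270481:CID-0:RT:pak_for_self : proto 6, dst port 83, action no action found, drop packet"
)


@dataclass
class Drop:
    ts: str
    proto: int
    dst_port: int
    message: str


def parse_trace(text):
    """Return (timestamp, message) for every record in a flow-trace dump."""
    return [(m.group("ts"), m.group("msg").strip()) for m in RECORD_RE.finditer(text)]


def find_drops(records):
    """Pick out the records in which the datapath reports dropping the packet."""
    drops = []
    for ts, msg in records:
        if any(marker in msg for marker in DROP_MARKERS):
            pp = PROTO_PORT_RE.search(msg)
            proto = int(pp.group("proto")) if pp else -1
            port = int(pp.group("port")) if pp else -1
            drops.append(Drop(ts, proto, port, msg))
    return drops


def diagnose(text):
    """Count dropped packets per (proto, dst port) and list the interfaces on
    which the SRX classified the traffic as destined for itself."""
    records = parse_trace(text)
    drops = find_drops(records)
    # Several trace lines describe the same packet and share its timestamp, so
    # count distinct (ts, proto, port) tuples rather than lines.
    unique = {(d.ts, d.proto, d.dst_port) for d in drops}
    packets = Counter((proto, port) for _, proto, port in unique)
    ifaces = set()
    for _, msg in records:
        m = SELF_IFACE_RE.search(msg)
        if m:
            ifaces.add(m.group("iface"))
    return {
        "records": len(records),
        "drop_lines": len(drops),
        "dropped_packets": packets,
        "self_traffic_ifaces": sorted(ifaces),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE)
    for (proto, port), n in result["dropped_packets"].items():
        print(f"{n} packet(s) to proto {proto} dst port {port} dropped as self-traffic "
              f"(no DNAT rule translated them) on {', '.join(result['self_traffic_ifaces'])}")
```

A "pak_for_self" drop for a port the SRX itself does not serve is the symptom the post above points at: the packet reached the interface but no destination NAT rule rewrote it, so it was handed to the device's own services instead of being forwarded. Running the script over a real trace file simply means passing the file contents to diagnose().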
Original Message:
Sent: 09-26-2023 05:27
From: GEORGI DONKOV
Subject: Web server not working
Hello, Brijil.
Here are the traces. Thank you in advance!
------------------------------
GEORGI DONKOV
Original Message:
Sent: 09-26-2023 04:28
From: Brijil
Subject: Web server not working
Can you get me the traces please? Let's have a look at that as well.
------------------------------
Brijil R
Original Message:
Sent: 09-26-2023 04:02
From: GEORGI DONKOV
Subject: Web server not working
Hello, Brijil.
The command
> show security flow session destination-prefix 46.10.161.40 destination-port 83
shows that there is no traffic reaching the SRX. There are 0 sessions created when trying to access the server.
------------------------------
GEORGI DONKOV
Original Message:
Sent: 09-26-2023 03:23
From: Brijil
Subject: Web server not working
Hello Georgi,
Did we confirm if the traffic is reaching the SRX in the first place?
Please see if sessions are getting created when trying to access the server:
> show security flow session destination-prefix 46.10.161.40 destination-port 83
Also, you can set up a trace file and see if any drops are happening.
https://supportportal.juniper.net/s/article/Archive-SRX-Getting-Started-Configuring-Traceoptions-for-Debugging-and-Trimming-Output?language=en_US
set security flow traceoptions file FLOWTRACE
set security flow traceoptions file size 30m
set security flow traceoptions file files 2
set security flow traceoptions file world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter IN destination-prefix 46.10.161.40/32
set security flow traceoptions packet-filter IN destination-port 83
commit and-quit
You can either check the logs or attach them here, and I can help check them for you.
Regards,
Brijil
------------------------------
Brijil R
Original Message:
Sent: 09-26-2023 03:04
From: GEORGI DONKOV
Subject: Web server not working
Thank you for answering!
So here is my configuration so far:
destination {
    pool port-83 {
        address 192.168.2.2/32 port 80;
    }
    rule-set rs1 {
        from zone untrust;
        rule Forwarding {
            match {
                destination-address 46.10.161.40/32;
                destination-port {
                    83;
                }
                protocol [ tcp udp ];
            }
            then {
                destination-nat {
                    pool {
                        port-83;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            46.10.161.40/32;
        }
    }
}
address-book {
    global {
        address office 192.168.0.0/26;
        address innov 192.168.2.0/28;
        address port-83 192.168.2.2/32;
    }
}
from-zone untrust to-zone trust {
    policy server-access {
        match {
            source-address any;
            destination-address any-ipv4;
            application junos-http;
            dynamic-application any;
        }
        then {
            permit;
        }
    }
}
I think that is everything that needs to be edited to make it work. So far I have made the changes that you mentioned, but there is no success. I noticed that in the nat hierarchy there are two rule sets that I created for our VPN:
nat {
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set NatToUntrust {
            from zone VPN;
            to zone untrust;
            rule r1 {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
Maybe they are the reason?
Thank you,
------------------------------
GEORGI DONKOV
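Checking a nested destination-NAT configuration by eye is error-prone, so here is an added Python example (mine, not Juniper tooling and not code from this thread) that parses the brace-format output posted above and lists each destination-NAT rule as an external -> internal mapping, flagging rule-sets without a from clause and rules that reference a pool that does not exist. The sample input is the destination section from the post above plus a constructed rule-set "rs-broken" so that both checks fire; the parser assumes the statement forms seen in that post (pool "address X port N", rule "then destination-nat pool NAME").

```python
# Added example: a minimal parser for Junos brace-format configuration output
# plus sanity checks on destination-NAT rule-sets. It assumes the statement
# forms seen in the thread and is not Juniper tooling.
STMTS = "_statements"

def parse_junos(text):
    """Parse brace-formatted output: 'header {' opens a child dict, 'stmt;' is a leaf."""
    root = {STMTS: []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {STMTS: []}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line.endswith(";"):
            stack[-1][STMTS].append(line[:-1].strip())
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def _children(node, kind):
    """Yield (name, block) for sub-blocks such as 'pool port-83' or 'rule-set rs1'."""
    for key, child in node.items():
        if key != STMTS and key.startswith(kind + " "):
            yield key.split()[1], child

def check_dnat(cfg):
    """Return (mappings, findings): one line per rule that resolves to a pool,
    and one finding per configuration gap that would stop the rule matching."""
    dest = cfg.get("destination", {STMTS: []})
    pools = {}
    for name, pool in _children(dest, "pool"):
        tokens = pool[STMTS][0].split()  # assumed form: address 192.168.2.2/32 port 80
        port = tokens[tokens.index("port") + 1] if "port" in tokens else "unchanged"
        pools[name] = (tokens[1], port)
    mappings, findings = [], []
    for rs_name, rs in _children(dest, "rule-set"):
        froms = [s for s in rs[STMTS] if s.startswith("from ")]
        if not froms:
            findings.append(f"rule-set {rs_name}: no 'from' clause, so it can never be selected")
        for rule_name, rule in _children(rs, "rule"):
            match = rule.get("match", {STMTS: []})
            dst = next((s.split()[1] for s in match[STMTS] if s.startswith("destination-address ")), "any")
            ports = match.get("destination-port", {STMTS: []})[STMTS] or ["any"]
            pool_block = rule.get("then", {}).get("destination-nat", {}).get("pool", {STMTS: []})
            for pool_name in pool_block[STMTS]:
                if pool_name not in pools:
                    findings.append(f"rule {rs_name}/{rule_name}: references undefined pool '{pool_name}'")
                    continue
                addr, port = pools[pool_name]
                mappings.append(f"{rs_name}/{rule_name} [{', '.join(froms) or 'no from'}]: "
                                f"{dst}:{'/'.join(ports)} -> {addr}:{port}")
    return mappings, findings

# Sample input: the destination-NAT section posted above, plus a constructed
# rule-set "rs-broken" (not in the thread) so that both checks fire.
SAMPLE_CONFIG = """
destination {
    pool port-83 {
        address 192.168.2.2/32 port 80;
    }
    rule-set rs1 {
        from zone untrust;
        rule Forwarding {
            match {
                destination-address 46.10.161.40/32;
                destination-port {
                    83;
                }
                protocol [ tcp udp ];
            }
            then {
                destination-nat {
                    pool {
                        port-83;
                    }
                }
            }
        }
    }
    rule-set rs-broken {
        rule NoPool {
            then {
                destination-nat {
                    pool {
                        missing-pool;
                    }
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    mappings, findings = check_dnat(parse_junos(SAMPLE_CONFIG))
    print("\n".join(mappings + findings))
```

For the configuration in the post the script reports a single mapping, 46.10.161.40/32:83 -> 192.168.2.2/32:80 selected from zone untrust, which is the translation the thread is trying to achieve; the two findings come only from the constructed rs-broken rule-set.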
Original Message:
Sent: 09-25-2023 13:42
From: bkamen
Subject: Web server not working
Ok - so
Your original dNAT needs correction.
Your dest port for rule "r1" should be 83 and then the POOL address entry "r2" should have port 80 as the re-write.
Then you can back off the security policy to just allow address: any-> address: any; to get it working... (keep it simple and then build the rule to be more restrictive)
AND THEN tighten it up with either address limits or port limits.
Cheers,
------------------------------
Ben Kamen
Original Message:
Sent: 09-25-2023 12:23
From: GEORGI DONKOV
Subject: Web server not working
Hello. Thank you for answering! Here is my configuration for the security policy:
------------------------------
GEORGI DONKOV
Original Message:
Sent: 09-25-2023 11:37
From: bkamen
Subject: Web server not working
Hey Georgi,
After setting up Destination NAT, you also need a security policy rule that allows the traffic to pass from one zone to the other (assuming something like "Internet" to "Internal" or "Untrusted" to "Trusted").
Cheers,
------------------------------
Ben Kamen
Original Message:
Sent: 09-25-2023 10:03
From: GEORGI DONKOV
Subject: Web server not working
Hello, I am trying to set up a web server. I need this:
46.10.161.40 -> 192.168.2.2 on port 80
When I enter http://46.10.161.40/ in my browser it gives a timed-out error.
I am uploading my NAT Destination config as screenshots from J-Web. Maybe I am doing something wrong? Thank you in advance for your help.
------------------------------
GEORGI DONKOV
------------------------------