Author Topic: Port forward 443, 80, 4343, 3389 to internal hosts using one VIP  (Read 3076 times)

nesa0210

Hello,
 
I am using a Netscreen/Juniper NS500 with firmware version 5.4.0r27.0. I am trying to set up TCP port forwarding from VIP 38.122.67.xx to internal hosts. The mappings should be:
38.122.67.xx:80 to 10.15.20.20:80
38.122.67.xx:3389 to 10.15.20.11:3389
38.122.67.xx:443 to 10.15.20.19:443
38.122.67.xx:4343 to 10.15.20.11:4343
 
Here is my config. Any help will be appreciated. This is my first time working with a Juniper product. Thank you:
 
set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "4343" protocol tcp src-port 0-6553 dst-port 4343-4343 timeout 30
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nCURLwrRP9XBcK7B9s3PqkMtowLjPn"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet1/2 phy full 10mb
set interface "ethernet1/1" zone "Untrust"
set interface "ethernet1/2" zone "Null"
set interface "ethernet3/2" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface ethernet1/1 ip 38.122.67.xx/29
set interface ethernet1/1 route
set interface ethernet3/2 ip 10.15.20.1/24
set interface ethernet3/2 nat
unset interface vlan1 ip
set interface mgt ip 10.10.10.254/24
set interface tunnel.1 ip unnumbered interface ethernet1/1
set interface ethernet1/1 gateway 38.122.67.xx
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 ip manageable
set interface ethernet3/2 ip manageable
set interface ethernet1/1 manage ssh
set interface ethernet1/1 manage telnet
set interface ethernet1/1 manage ssl
set interface ethernet1/1 manage web
set interface ethernet1/1 vip 38.122.67.xx 80 "HTTP" 10.15.20.20
set interface ethernet1/1 vip 38.122.67.xx + 443 "HTTPS" 10.15.20.19
set interface ethernet1/1 vip 38.122.67.xx + 4343 "4343" 10.15.20.11
set interface ethernet1/1 vip 38.122.67.xx + 3389 "RDP" 10.15.20.11
set interface ethernet1/1 dip interface-ip incoming
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 8.8.8.8
set dns host dns2 8.8.4.4
set dns host dns3 0.0.0.0
set address "Trust" "ADC-2" 10.15.20.11 255.255.255.255
set address "Trust" "Core_Switch" 10.20.15.20 255.255.255.255
set address "Trust" "Data_Center" 10.15.20.0 255.255.255.0
set address "Trust" "SSL_VPN" 10.15.20.19 255.255.255.255
set address "Untrust" "Arlington_Office" 10.1.10.0 255.255.255.0
set ike gateway "Arlington_Gateway" address 162.17.205.xxx Main outgoing-interface "ethernet1/1" preshare "UQ8QTvs0NggC8tsrsrCF0ZIj9+nX0rXWYQ==" proposal "pre-g2-3des-sha" "pre-g2-aes128-sha"
set ike gateway "Arlington_Gateway" cert peer-ca all
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "ARLINGTON_VPN" gateway "Arlington_Gateway" no-replay tunnel idletime 0 sec-level standard
set vpn "ARLINGTON_VPN" monitor
set vpn "ARLINGTON_VPN" id 2 bind interface tunnel.1
set url protocol websense
exit
set vpn "ARLINGTON_VPN" proxy-id local-ip 10.15.20.0/24 remote-ip 10.1.10.0/24 "ANY"
set policy id 7 name "VPN_ALLOW" from "Trust" to "Untrust"  "Data_Center" "Arlington_Office" "ANY" permit log
set policy id 7
exit
set policy id 1 name "SSL_VPN_HTTPS" from "Untrust" to "Trust"  "Any" "VIP(38.122.67.xx)" "HTTPS" permit log
set policy id 1
exit
set policy id 2 name "RDP_ADC-2" from "Untrust" to "Trust"  "Any" "VIP(38.122.67.xx)" "RDP" permit log
set policy id 2
exit
set policy id 4 name "RDP_ADC-3" from "Untrust" to "Trust"  "Any" "VIP(38.122.67.xx)" "HTTP" permit
set policy id 4 application "HTTP"
set policy id 4
exit
set policy id 5 name "PERMIT_OUTBOUND" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 5
exit
set policy id 6 name "Spiceworks" from "Untrust" to "Trust"  "Any" "VIP(38.122.67.xx)" "4343" permit
set policy id 6
exit
set policy id 8 name "VPN_Outside" from "Untrust" to "Trust"  "Arlington_Office" "Data_Center" "ANY" permit
set policy id 8
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set license-key auto-update
set ssl port 4443
set ntp server "96.47.67.105"
set ntp server src-interface "ethernet1/1"
set ntp server backup1 "216.171.112.36"
set ntp server backup1 src-interface "ethernet1/1"
set ntp server backup2 "206.246.122.250"
set ntp server backup2 src-interface "ethernet1/1"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.1.10.0/24 interface tunnel.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

marty

Re: Port forward 443, 80, 4343, 3389 to internal hosts using one VIP
« Reply #1 on: December 19, 2013, 10:37:40 pm »
Config seems fine — is it not working? What is the issue you are facing?
Marty