Author Topic: Port 80 Routing - Help  (Read 1351 times)

chokdii

Port 80 Routing - Help
« on: December 09, 2010, 11:36:27 pm »
Hi everyone,

I am really hoping someone here can help me. I don't have much experience with Juniper routers, and I am now having trouble forwarding port 80 to an internal web server. As far as I can tell, the web management port is set to 8080, but I still cannot get the forwarding to work. I have tried many things without success. Would someone be able to look at my config below and tell me what changes I might make in the GUI to fix this?

Thanks in advance

set clock ntp
set clock timezone -7
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "MS-RPC-EPM" timeout 60
set service "MS-RPC-ANY" timeout 30
set service "MS-EXCHANGE-DATABASE" timeout 60
set service "MS-EXCHANGE-DIRECTORY" timeout 60
set service "MS-EXCHANGE-INFO-STORE" timeout 60
set service "MS-EXCHANGE-MTA" timeout 60
set service "MS-EXCHANGE-STORE" timeout 60
set service "MS-EXCHANGE-SYSATD" timeout 60
set service "RDP" protocol tcp src-port 0-65535 dst-port 5510-5510
set service "Lights-Out" protocol tcp src-port 0-65535 dst-port 444-444
set service "Lights-Out2" protocol tcp src-port 0-65535 dst-port 8880-8880
set service "AltMail" protocol tcp src-port 0-65535 dst-port 232-232
set service "NetworkConnect" protocol udp src-port 0-65535 dst-port 4500-4500
set service "Networkconnect2" protocol tcp src-port 0-65535 dst-port 4500-4500
set service "Polycom" protocol tcp src-port 3230-3231 dst-port 3230-3231
set service "Polycom" + udp src-port 3230-3237 dst-port 3230-3237
set service "Polycom" + tcp src-port 5060-5060 dst-port 5060-5060
set service "Polycom" + udp src-port 5060-5067 dst-port 5060-5067
set service "AFEWeb" protocol tcp src-port 0-65535 dst-port 80-80
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "loonadmin"
set admin password "nHeWFRrmCY0BcrHJmscHJsJtz0FuDn"
set admin port 8080
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin auth banner telnet login "Loon Energy Remote Management Console"
set admin auth banner console login "Loon Energy Management Console"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "External 2"
set zone id 101 "vpn"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "External 2" tcp-rst
unset zone "vpn" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen icmp-id
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "DMZ"
set interface bgroup1 port ethernet0/1
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup1 port ethernet0/4
unset interface vlan1 ip
set interface ethernet0/0 ip 68.145.98.130/22
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.1.254/24
set interface bgroup0 route
set interface bgroup1 ip 192.168.2.1/24
set interface bgroup1 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
unset interface bgroup1 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssl
set interface ethernet0/0 vip interface-ip 5510 "RDP" 192.168.1.10 manual
set interface ethernet0/0 vip interface-ip 25 "MAIL" 192.168.1.10 manual
set interface ethernet0/0 vip interface-ip 110 "POP3" 192.168.1.10 manual
set interface ethernet0/0 vip interface-ip 443 "HTTPS" 192.168.2.2 manual
set interface ethernet0/0 vip interface-ip 444 "Lights-Out" 192.168.1.7
set interface ethernet0/0 vip interface-ip 21 "FTP" 192.168.1.11
set interface ethernet0/0 vip interface-ip 8880 "Lights-Out2" 192.168.1.7
set interface ethernet0/0 vip interface-ip 232 "AltMail" 192.168.1.11
set interface ethernet0/0 vip interface-ip 4500 "Networkconnect2" 192.168.2.2 manual
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 64.59.135.133 src-interface ethernet0/0
set dns host dns2 64.59.135.135 src-interface ethernet0/0
set dns host dns3 0.0.0.0
set dns host schedule 06:28
set address "Trust" "192.168.1.10/24" 192.168.1.10 255.255.255.0
set address "Trust" "192.168.1.126/24" 192.168.1.126 255.255.255.0
set address "Trust" "192.168.1.18/24" 192.168.1.18 255.255.255.0
set address "DMZ" "192.168.2.201" 192.168.2.201 255.255.255.255
set address "DMZ" "192.168.2.202" 192.168.2.202 255.255.255.255
set address "DMZ" "192.168.2.203" 192.168.2.203 255.255.255.255
set address "DMZ" "192.168.2.204" 192.168.2.204 255.255.255.255
set address "DMZ" "192.168.2.205" 192.168.2.205 255.255.255.255
set address "DMZ" "192.168.2.206" 192.168.2.206 255.255.255.255
set address "DMZ" "192.168.2.207" 192.168.2.207 255.255.255.255
set address "DMZ" "192.168.2.208" 192.168.2.208 255.255.255.255
set address "DMZ" "192.168.2.209" 192.168.2.209 255.255.255.255
set address "DMZ" "192.168.2.210" 192.168.2.210 255.255.255.255
set address "DMZ" "192.168.2.211" 192.168.2.211 255.255.255.255
set address "DMZ" "192.168.2.212" 192.168.2.212 255.255.255.255
set address "DMZ" "192.168.2.213" 192.168.2.213 255.255.255.255
set address "DMZ" "192.168.2.214" 192.168.2.214 255.255.255.255
set address "DMZ" "192.168.2.215" 192.168.2.215 255.255.255.255
set address "DMZ" "IronPort - DMZ - Incoming" 192.168.2.3 255.255.255.255
set address "DMZ" "IronPort - DMZ - Outgoing" 192.168.2.4 255.255.255.0
set address "DMZ" "SSL VPN - Network Connect" 192.168.2.2 255.255.255.255
set group address "DMZ" "SA Network Connect"
set group address "DMZ" "SA Network Connect" add "192.168.2.201"
set group address "DMZ" "SA Network Connect" add "192.168.2.202"
set group address "DMZ" "SA Network Connect" add "192.168.2.203"
set group address "DMZ" "SA Network Connect" add "192.168.2.204"
set group address "DMZ" "SA Network Connect" add "192.168.2.205"
set group address "DMZ" "SA Network Connect" add "192.168.2.206"
set group address "DMZ" "SA Network Connect" add "192.168.2.207"
set group address "DMZ" "SA Network Connect" add "192.168.2.208"
set group address "DMZ" "SA Network Connect" add "192.168.2.209"
set group address "DMZ" "SA Network Connect" add "192.168.2.210"
set group address "DMZ" "SA Network Connect" add "192.168.2.211"
set group address "DMZ" "SA Network Connect" add "192.168.2.212"
set group address "DMZ" "SA Network Connect" add "192.168.2.213"
set group address "DMZ" "SA Network Connect" add "192.168.2.214"
set group address "DMZ" "SA Network Connect" add "192.168.2.215"
set group address "DMZ" "SA Network Connect" add "SSL VPN - Network Connect"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set di service SMTP multipart_depth 8
set url protocol websense
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set policy id 113 from "Untrust" to "Trust"  "Any" "192.168.1.126/24" "HTTP" permit
set policy id 113
exit
set policy id 100 name "EMAIL" from "Trust" to "Untrust"  "Any" "Any" "MS-RPC-EPM" nat src permit
set policy id 100
set service "POP3"
set service "MS-EXCHANGE"
exit
set policy id 110 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log
set policy id 110
exit
set policy id 2 name "External_SMTP" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "AltMail" permit log
set policy id 2
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "Lights-Out"
set service "Lights-Out2"
set service "MAIL"
set service "NetworkConnect"
set service "Networkconnect2"
set service "POP3"
set service "RDP"
set log session-init
exit
set policy id 4 from "Untrust" to "DMZ"  "Any" "SSL VPN - Network Connect" "HTTPS" permit log
set policy id 4
set log session-init
exit
set policy id 5 from "Trust" to "DMZ"  "Any" "SSL VPN - Network Connect" "ANY" permit log
set policy id 5
set log session-init
exit
set policy id 6 from "DMZ" to "Trust"  "SA Network Connect" "Any" "ANY" permit log
set policy id 6
set log session-init
exit
set policy id 103 from "Untrust" to "DMZ"  "Any" "IronPort - DMZ - Incoming" "MAIL" permit log
set policy id 103 application "SMTP"
set policy id 103
exit
set policy id 104 from "DMZ" to "Trust"  "IronPort - DMZ - Incoming" "Any" "DNS" permit log
set policy id 104 disable
set policy id 104
set service "LDAP"
set service "MAIL"
exit
set policy id 101 from "DMZ" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 101
exit
set policy id 105 from "Trust" to "DMZ"  "Any" "IronPort - DMZ - Incoming" "LDAP" permit log
set policy id 105 disable
set policy id 105
set service "MAIL"
exit
set policy id 107 from "DMZ" to "Untrust"  "SSL VPN - Network Connect" "Any" "ANY" nat src permit log
set policy id 107
set log session-init
exit
set policy id 108 from "Trust" to "DMZ"  "Any" "IronPort - DMZ - Outgoing" "MAIL" permit
set policy id 108 disable
set policy id 108
exit
set policy id 111 name "PolyCom Forward" from "Untrust" to "Trust"  "Any" "192.168.1.18/24" "Polycom" permit
set policy id 111
exit
set policy id 112 name "Polycom H323" from "Untrust" to "Trust"  "Any" "192.168.1.18/24" "H.323" permit
set policy id 112
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set ntp server "64.5.1.130"
set ntp server src-interface "ethernet0/0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 5
set snmp community "public" Read-Only Trap-off version v1 
set snmp community "Public" Read-Write Trap-on traffic version any 
set snmp name "ssg5-serial"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 68.145.96.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


deanb

Re: Port 80 Routing - Help
« Reply #1 on: December 10, 2010, 03:34:07 am »
1. Create a new VIP entry:
set interface ethernet0/0 vip interface-ip 80 "HTTP" --your-server-ip manual

2. Create a new policy:
set policy id 114 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "HTTP" permit
set policy id 114

You need to configure the destination address as the VIP, so the firewall can trigger address translation. Your existing policy 113 uses the plain address "192.168.1.126/24" as its destination, so traffic arriving at the VIP on ethernet0/0 never matches it.