Quantcast
Channel: SRX Services Gateway topics
Viewing all articles
Browse latest Browse all 3959

Webserver not working

$
0
0

Hello,

 

I am trying to set up a webserver.

I need the following:

 

187.72.138.193> 10.196.24.31 on port 80

 

What am I doing wrong?

When I try to access it from outside it keeps loading forever then an error appears (timed out).

 

I am using SRX220H2 with JUNOS Software Release [12.1X44-D15.5]

 

I tried the following:

 

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24

set applications application HTTP protocol tcp

set applications application HTTP destination-port 80

set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80

set security nat destination rule-set DEST-NAT from zone untrust

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80

set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match source-address any

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match destination-address WebServer

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match application HTTP

set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ then permit

set security nat source rule-set DMZ-TO-INTERNET from zone DMZ-trust

set security nat source rule-set DMZ-TO-INTERNET to zone untrust

set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match source-address 10.196.24.31/24
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match destination-address 0.0.0.0/0
 
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET then source-nat interface

You can check below my conf file:

 

## Last changed: 2017-05-19 21:30:15 UTC
version 12.1X44.5;
system {
    host-name rotem_brazil_aqa;
    authentication-order password;
    root-authentication {
        encrypted-password "$1$n8cjdRxy$egOP32tYsiL.x4qMR71050";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$vo1HUMSt$GYLlMi6geHv9zTEg0OFAG.";
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                port 80;
            }
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            name-server {
                10.196.24.31;
            }
            router {
                10.196.24.1;
            }
            pool 10.196.24.0/24 {
                address-range low 10.196.24.51 high 10.196.24.210;
                exclude-address {
                    10.196.24.177;
                    10.196.24.178;
                    10.196.24.74;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 187.72.138.193/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.196.25.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-1/0/0 {
        description "##Backbone##";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "##Backbone##";
            family inet {
                address 10.196.24.1/24 {
                    primary;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    vlan {
        unit 0;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 187.72.138.206;
        route 10.0.0.0/8 next-hop st0.0;
        route 58.87.44.105/32 next-hop st0.0;
        route 58.87.44.106/32 next-hop st0.0;
        route 58.87.44.107/32 next-hop st0.0;
        route 58.87.44.93/32 next-hop st0.0;
    }
}
protocols {
    stp;
}
security {
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy Rotem {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "$9$kmQnhclWX-tueW8LbwjHqmz6ApB";
        }
        gateway Rotem {
            ike-policy Rotem;
            address 58.87.57.67;
            local-identity hostname rotem_brazil_newararaquara;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Rotem {
            proposals esp-3des-sha;
        }
        vpn Rotem {
            bind-interface st0.0;
            ike {
                gateway Rotem;
                no-anti-replay;
                ipsec-policy Rotem;
            }
            establish-tunnels immediately;
        }
    }
    utm {
        feature-profile {
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    server;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DMZ-TO-INTERNET {
                from zone DMZ-trust;
                to zone untrust;
                rule DMZ-TO-INTERNET {
                    match {
                        source-address 10.196.24.31/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat_10_196_24_31m24 {
                address 10.196.24.31/24 port 80;
            }
            rule-set DEST-NAT {
                from zone untrust;
                rule WEB-SERVER-TCP-80 {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dnat_10_196_24_31m24;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy catia-alc-license {
                description catia-alc-license;
                match {
                    source-address trust;
                    destination-address [ catia catia2 catia3 ];
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy RotemVPN {
                match {
                    source-address 10.0.0.0/8;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone DMZ-trust {
            policy INTERNET-TO-DMZ {
                match {
                    source-address any;
                    destination-address WebServer;
                    application HTTP;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address trust 10.196.24.0/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                ge-1/0/0.0;
            }
        }
        security-zone untrust {
            address-book {
                address 10.0.0.0/8 10.0.0.0/8;
                address catia 10.196.34.46/32;
                address catia2 10.196.34.47/32;
                address catia3 10.196.34.48/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            all;
                        }
                    }
                }
                st0.0;
            }
        }
        security-zone DMZ-trust {
            address-book {
                address WebServer 10.196.24.31/24;
            }
        }
    }
}
applications {
    application HTTP {
        protocol tcp;
        destination-port 80;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

 

Kind regards.

 

 

EDIT: I noticed trying to run "commit" after every single command that when I run the first one it doesn't work if I let /24 mask, do you know why? It only accepts /32 atthe end. My internal network is /24 so what can I do? I am talking about the:

set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24

 

 


Viewing all articles
Browse latest Browse all 3959

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>