Hello,
I am trying to set up a webserver.
I need the following:
187.72.138.193 -> 10.196.24.31 on port 80
What am I doing wrong?
When I try to access it from outside, the page keeps loading and then an error appears (timed out).
I am using SRX220H2 with JUNOS Software Release [12.1X44-D15.5]
I tried the following:
# Address-book entry for the web server. Written as /24 this names the whole
# 10.196.24.0/24 subnet, not the single host; a host entry is normally /32
# (the EDIT at the end of the post reports that commit only accepts /32 here).
set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24
# Custom application matching TCP destination port 80.
set applications application HTTP protocol tcp
set applications application HTTP destination-port 80
# Destination-NAT pool. A /24 pool is a 256-address range, so the matched
# address presumably maps to the start of that range rather than to .31 —
# verify; a single-host pool is written /32.
set security nat destination pool dnat_10_196_24_31m24 address 10.196.24.31/24 port 80
# Inbound DNAT: 187.72.138.193 (the ge-0/0/0 address) tcp/80 -> pool above.
set security nat destination rule-set DEST-NAT from zone untrust
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-address 187.72.138.193/32
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 match destination-port 80
set security nat destination rule-set DEST-NAT rule WEB-SERVER-TCP-80 then destination-nat pool dnat_10_196_24_31m24
# Policy untrust -> DMZ-trust permitting HTTP to the server.
# NOTE(review): in the full config below, security-zone DMZ-trust has no
# interfaces; the server's subnet (ge-1/0/0.0, 10.196.24.1/24) is bound to
# zone trust, so the post-NAT session is untrust -> trust and this policy is
# never consulted. Either bind ge-1/0/0.0 to DMZ-trust or write the policy
# for zone trust.
set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match source-address any
set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match destination-address WebServer
set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ match application HTTP
set security policies from-zone untrust to-zone DMZ-trust policy INTERNET-TO-DMZ then permit
# Source NAT (interface) for DMZ-trust hosts going out to untrust; the
# source-address is again the whole /24, not the single server.
set security nat source rule-set DMZ-TO-INTERNET from zone DMZ-trust
set security nat source rule-set DMZ-TO-INTERNET to zone untrust
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match source-address 10.196.24.31/24
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-TO-INTERNET rule DMZ-TO-INTERNET then source-nat interface
You can check my conf file below:
## Last changed: 2017-05-19 21:30:15 UTC
/* Version string as pasted; the post itself names release 12.1X44-D15.5 */
version 12.1X44.5;
system {
host-name rotem_brazil_aqa;
authentication-order password;
/* NOTE(review): this password hash was published with the post; rotate it. */
root-authentication {
encrypted-password "$1$n8cjdRxy$egOP32tYsiL.x4qMR71050";
}
/* Resolvers used by the device itself (OpenDNS). */
name-server {
208.67.222.222;
208.67.220.220;
}
login {
/* NOTE(review): this password hash was published with the post; rotate it. */
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$vo1HUMSt$GYLlMi6geHv9zTEg0OFAG.";
}
}
}
services {
ssh;
/* telnet and xnm-clear-text are unencrypted management services. With
 * host-inbound-traffic system-services "all" on zone untrust and on
 * ge-0/0/0.0 (see security zones) they are reachable from the Internet. */
telnet;
xnm-clear-text;
web-management {
/* J-Web on tcp/80 — the same port the DEST-NAT rule translates on the
 * external address. Destination NAT is expected to be applied before the
 * self-traffic check, so the two should not collide (confirm with a
 * session lookup), but "system-services all" on untrust still exposes
 * this UI to the Internet. */
http {
port 80;
}
https {
system-generated-certificate;
}
}
dhcp {
/* DHCP clients are handed the web-server host (10.196.24.31) as their DNS
 * server and 10.196.24.1 (ge-1/0/0.0) as their router. */
name-server {
10.196.24.31;
}
router {
10.196.24.1;
}
pool 10.196.24.0/24 {
address-range low 10.196.24.51 high 10.196.24.210;
exclude-address {
10.196.24.177;
10.196.24.178;
10.196.24.74;
}
}
/* presumably re-uses settings learned by the DHCP client on ge-0/0/0.0 */
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
/* Local log; authorization at info level records logins. */
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
/* External (zone untrust) interface; 187.72.138.193 is the address the
 * DEST-NAT rule WEB-SERVER-TCP-80 matches on. */
ge-0/0/0 {
unit 0 {
family inet {
address 187.72.138.193/28;
}
}
}
/* 10.196.25.0/24. ge-0/0/1.0 is not listed under any security zone in this
 * config, so the flow engine will not forward traffic on it. */
ge-0/0/1 {
unit 0 {
family inet {
address 10.196.25.1/24;
}
}
}
/* ge-0/0/2 .. ge-0/0/7: L2 access ports in vlan-trust (L3 on vlan.0). */
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* 10.196.24.0/24 — the subnet holding the web server (10.196.24.31).
 * NOTE(review): ge-1/0/0.0 is bound to security-zone trust, not DMZ-trust,
 * so sessions to the server are untrust -> trust and the INTERNET-TO-DMZ
 * policy (untrust -> DMZ-trust) is never evaluated. */
ge-1/0/0 {
description "##Backbone##";
gigether-options {
auto-negotiation;
}
unit 0 {
description "##Backbone##";
family inet {
address 10.196.24.1/24 {
primary;
}
}
}
}
/* Tunnel interface bound by vpn Rotem; member of zone untrust. */
st0 {
unit 0 {
family inet;
family inet6;
}
}
/* L3 interface of vlan-trust. No family inet address is configured here,
 * so hosts on ge-0/0/2..7 presumably have no IP gateway on this device. */
vlan {
unit 0;
}
}
routing-options {
static {
/* Default route to the ISP gateway inside the ge-0/0/0 /28. */
route 0.0.0.0/0 next-hop 187.72.138.206;
/* Remote networks reached through the Rotem IPsec tunnel (st0.0).
 * NOTE(review): 10.0.0.0/8 also covers the local 10.196.24.0/24 and
 * 10.196.25.0/24; the directly connected routes are more specific and
 * win, but every other 10.x destination is sent into the tunnel. */
route 10.0.0.0/8 next-hop st0.0;
route 58.87.44.105/32 next-hop st0.0;
route 58.87.44.106/32 next-hop st0.0;
route 58.87.44.107/32 next-hop st0.0;
route 58.87.44.93/32 next-hop st0.0;
}
}
protocols {
/* Spanning tree on the switched (ethernet-switching) ports. */
stp;
}
security {
ike {
/* Phase 1 proposal: PSK authentication, DH group 2 (1024-bit MODP), SHA-1,
 * 3DES-CBC. All three algorithm choices are below current recommended
 * strength; they are kept here because the remote peer must offer the
 * same set. */
proposal pre-g2-3des-sha {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
/* NOTE(review): the $9$ pre-shared key is a reversible encoding, not a
 * hash, and has been published with this post — rotate it on both peers.
 * Aggressive mode also sends the identity payload unencrypted. */
policy Rotem {
mode aggressive;
proposals pre-g2-3des-sha;
pre-shared-key ascii-text "$9$kmQnhclWX-tueW8LbwjHqmz6ApB";
}
/* Remote peer 58.87.57.67, reached over the external interface. The
 * local-identity hostname here (rotem_brazil_newararaquara) differs from
 * the system host-name (rotem_brazil_aqa); it must match what the peer
 * expects for this gateway. */
gateway Rotem {
ike-policy Rotem;
address 58.87.57.67;
local-identity hostname rotem_brazil_newararaquara;
external-interface ge-0/0/0;
}
}
ipsec {
/* Phase 2 proposal: ESP with HMAC-SHA1-96 and 3DES-CBC, 1h lifetime. */
proposal esp-3des-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy Rotem {
proposals esp-3des-sha;
}
/* Route-based VPN on st0.0 (see routing-options static routes).
 * no-anti-replay switches off IPsec replay protection for this tunnel. */
vpn Rotem {
bind-interface st0.0;
ike {
gateway Rotem;
no-anti-replay;
ipsec-policy Rotem;
}
establish-tunnels immediately;
}
}
/* Web-filtering profile skeleton: no server address is set and no UTM
 * policy references it anywhere in this config. */
utm {
feature-profile {
web-filtering {
type surf-control-integrated;
surf-control-integrated {
server;
}
}
}
}
/* IDS screen profile applied to zone untrust (see zones). */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
/* Everything from zone trust leaving via untrust is interface-NATed
 * to the ge-0/0/0 address. */
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
/* Source NAT for DMZ-trust. The match is the whole /24, not the single
 * server, and the rule-set only takes effect once DMZ-trust has an
 * interface bound to it. */
rule-set DMZ-TO-INTERNET {
from zone DMZ-trust;
to zone untrust;
rule DMZ-TO-INTERNET {
match {
source-address 10.196.24.31/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
/* NOTE(review): a /24 pool is a range of 256 addresses; a single-host
 * pool should be 10.196.24.31/32. As written the translated address is
 * presumably the first address of the range rather than .31 — verify. */
pool dnat_10_196_24_31m24 {
address 10.196.24.31/24 port 80;
}
/* Inbound tcp/80 to the external address 187.72.138.193 (ge-0/0/0.0)
 * is translated to the pool before the route/zone/policy lookup. */
rule-set DEST-NAT {
from zone untrust;
rule WEB-SERVER-TCP-80 {
match {
destination-address 187.72.138.193/32;
destination-port 80;
}
then {
destination-nat pool dnat_10_196_24_31m24;
}
}
}
}
}
policies {
/* Policies within a zone pair are evaluated top to bottom; first match wins. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
/* NOTE(review): unreachable — trust-to-untrust above already permits
 * any/any/any, so this deny never matches. Move it above the permit.
 * Its source "trust" also resolves to 10.196.24.0/32, a single address. */
policy catia-alc-license {
description catia-alc-license;
match {
source-address trust;
destination-address [ catia catia2 catia3 ];
application any;
}
then {
deny;
}
}
}
/* st0.0 is in zone untrust, so VPN traffic from 10.0.0.0/8 is permitted
 * here. NOTE(review): after destination NAT the web-server traffic is
 * routed out ge-1/0/0.0, which is also in zone trust, and no policy in
 * this pair permits Internet sources — it falls to the default deny.
 * This is the likely cause of the timeout described in the post. */
from-zone untrust to-zone trust {
policy RotemVPN {
match {
source-address 10.0.0.0/8;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
/* Never consulted: security-zone DMZ-trust has no interfaces bound. */
from-zone untrust to-zone DMZ-trust {
policy INTERNET-TO-DMZ {
match {
source-address any;
destination-address WebServer;
application HTTP;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
/* A /32 of the network address; presumably 10.196.24.0/24 was intended.
 * Referenced by policy catia-alc-license. */
address trust 10.196.24.0/32;
}
/* All system services and routing protocols are accepted from the LAN. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
/* ge-1/0/0.0 carries 10.196.24.1/24, the web server's subnet, so the
 * server sits in zone trust rather than DMZ-trust. */
interfaces {
vlan.0;
ge-1/0/0.0;
}
}
security-zone untrust {
address-book {
/* Entry named after its own prefix; used by policy RotemVPN. */
address 10.0.0.0/8 10.0.0.0/8;
address catia 10.196.34.46/32;
address catia2 10.196.34.47/32;
address catia3 10.196.34.48/32;
}
screen untrust-screen;
/* NOTE(review): "all" accepts every management service (ssh, telnet,
 * xnm-clear-text, J-Web http/https — see system services) from the
 * Internet. Limit this to ike, plus ssh only if remote admin is needed. */
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
/* The interface-level list repeats the zone setting; "all" makes the
 * dhcp/tftp/ike entries redundant. */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
ike;
all;
}
}
}
/* VPN tunnel interface. */
st0.0;
}
}
/* NOTE(review): no interfaces and no host-inbound-traffic. Sessions are
 * assigned to zones by their ingress/egress interface, so nothing ever
 * lands in this zone. Either bind ge-1/0/0.0 here (and move the related
 * trust policies and NAT references) or target zone trust in the
 * INTERNET-TO-DMZ policy. */
security-zone DMZ-trust {
address-book {
/* Host entry written with a /24 mask; a single host is /32. */
address WebServer 10.196.24.31/24;
}
}
}
}
applications {
/* Custom TCP/80 application used by policy INTERNET-TO-DMZ; equivalent in
 * scope to the predefined junos-http application. */
application HTTP {
protocol tcp;
destination-port 80;
}
}
vlans {
/* VLAN 3 for ge-0/0/2..7; its L3 interface vlan.0 has no inet address in
 * this config (see interfaces). */
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
Kind regards.
EDIT: Trying to run "commit" after every single command, I noticed that the first one fails if I leave the /24 mask — do you know why? It only accepts /32 at the end. My internal network is /24, so what can I do? I am referring to:
set security zones security-zone DMZ-trust address-book address WebServer 10.196.24.31/24