
SRX300 - Application outside network


Hello,

 

I have an HR service running on IIS on a server inside my network.

All people from my network can access it but now it needs to be accessed by people from outside my network.

 

Today we have an IT ticket system running on the same server (10.196.24.31:8085), and it is accessible from outside our network. This configuration was done by a person who is no longer here.

 

My HR system works on port 8090.

I would like this (10.196.24.31:8090) to be accessible from outside as well.

 

My external IP is 187.72.138.193, so if you try to access 187.72.138.193:8085 you will find my IT ticket system.

I want the same for 187.72.138.193:8090 (my HR system).

 

I am quite new to these Juniper devices and do not understand much about them.

 

I would be glad if someone could help me make it accessible from outside my network.

 

I think part of the work is already done, since the 8085 port is already reachable; as I understand it, only the 8090 port needs to be allowed as well, right?

 

Please find below my current configuration:

 

    /* System DNS resolvers used by the device itself; the LAN DHCP pools below hand out 10.196.24.31 to clients instead. */
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    /* Management services and the LAN DHCP server. */
    /* NOTE(review): telnet and xnm-clear-text are cleartext management protocols, and the http UI on 8081 is cleartext too. */
    /* NOTE(review): the untrust zone (and ge-0/0/0.0 itself) allows host-inbound system-services "all", so every service listed here is reachable on 187.72.138.193 from the internet; keeping only ssh and https would be the usual cut. */
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            management-url admin;
            http {
                port 8081;
            }
            https {
                system-generated-certificate;
            }
        }
        /* DHCP server for both LANs; clients get 10.196.24.31 as DNS and the two SRX LAN addresses as routers. */
        dhcp {
            maximum-lease-time 28800;
            default-lease-time 28800;
            name-server {
                10.196.24.31;
            }
            router {
                10.196.24.1;
                10.196.25.1;
            }
            pool 10.196.24.0/24 {
                address-range low 10.196.24.51 high 10.196.24.210;
                exclude-address {
                    10.196.24.177;
                    10.196.24.178;
                    10.196.24.74;
                }
            }
            pool 10.196.25.0/24 {
                address-range low 10.196.25.100 high 10.196.25.200;
                exclude-address {
                    10.196.25.129;
                    10.196.25.126;
                }
            }
            /* Settings are propagated from the WAN interface (ge-0/0/0.0), which has a static address in this listing. */
            propagate-settings ge-0/0/0.0;
        }
    }
    /* Local logging only: three 100k archive files on the device, no remote syslog host. */
    /* NOTE(review): "any critical" in the messages file drops lower-severity events; an external collector would preserve logs past rotation for investigations. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    /* Configuration history kept on flash and available to "rollback". */
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    /* Automatic license retrieval from the Juniper-hosted URL. */
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* NOTE(review): NTP is deactivated, so syslog timestamps depend on the local clock; activating it helps log correlation. */
    inactive: ntp {
        server 200.160.7.186 prefer;
    }
}
/* Physical and logical interfaces. Zone membership is assigned under security zones further down. */
interfaces {
    /* Internet-facing interface (zone untrust): public /28, IKE external-interface and proxy-ARP interface. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 187.72.138.193/28;
            }
        }
    }
    /* Second LAN 10.196.25.0/24 (zone trust); gateway for the 10.196.25.0/24 DHCP pool. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.196.25.1/24;
            }
        }
    }
    /* ge-0/0/2 through ge-0/0/7: switched access ports in vlan-trust (vlan-id 3), routed via vlan.0. */
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Main LAN 10.196.24.0/24 (zone trust). The server from the post, 10.196.24.31, lives on this segment. */
    /* NOTE(review): zone DMZ-trust binds no interfaces, so that server is in zone trust, not in a DMZ. */
    ge-1/0/0 {
        description "##Backbone##";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "##Backbone##";
            family inet {
                address 10.196.24.1/24 {
                    primary;
                }
            }
        }
    }
    /* Route-based VPN tunnel interface, bound to vpn Rotem and placed in zone untrust. */
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    /* L3 interface for vlan-trust; no address is configured on it in this listing. */
    vlan {
        unit 0;
    }
}
/* Static routing: default to the ISP next hop; 10.0.0.0/8 and four 58.87.44.x hosts are steered into the Rotem tunnel (st0.0). */
/* NOTE(review): the 10.0.0.0/8 tunnel route overlaps the local 10.196.24.0/24 and 10.196.25.0/24, which win as more-specific connected routes; every other 10.x destination goes into the tunnel. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 187.72.138.206;
        route 10.0.0.0/8 next-hop st0.0;
        route 58.87.44.105/32 next-hop st0.0;
        route 58.87.44.106/32 next-hop st0.0;
        route 58.87.44.107/32 next-hop st0.0;
        route 58.87.44.93/32 next-hop st0.0;
    }
}
/* Spanning tree on the switched vlan-trust ports. */
protocols {
    stp;
}
/* Security stanza: site-to-site VPN to "Rotem", screens, NAT, zone policies and zones. */
security {
    ike {
        /* NOTE(review): legacy IKE proposal (3DES, DH group2, SHA-1); current guidance favours AES and larger DH groups, but any change must be coordinated with the Rotem peer. */
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* NOTE(review): aggressive mode with a pre-shared key is generally discouraged; main mode is preferable if the peer at its static address supports it. */
        policy Rotem {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "$9$kmQnhclWX-tueW8LbwjHqmz6ApB"; ## SECRET-DATA
        }
        /* Static peer; the local identity is sent as a hostname; the tunnel terminates on the internet interface. */
        gateway Rotem {
            ike-policy Rotem;
            address 58.87.57.67;
            local-identity hostname rotem_brazil_newararaquara;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        /* ESP with 3DES / HMAC-SHA1-96, 1h SA lifetime (same legacy note as the IKE proposal). */
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Rotem {
            proposals esp-3des-sha;
        }
        /* Route-based VPN on st0.0, brought up immediately rather than on demand. */
        /* NOTE(review): no-anti-replay switches off IPsec replay protection for this tunnel; keep it enabled unless the peer genuinely requires otherwise. */
        vpn Rotem {
            bind-interface st0.0;
            ike {
                gateway Rotem;
                no-anti-replay;
                ipsec-policy Rotem;
            }
            establish-tunnels immediately;
        }
    }
    /* NOTE(review): this web-filtering profile has an empty server block, carries the license warning, and is not referenced by any policy in this listing, so it appears unused. */
    utm {
        feature-profile {
            web-filtering {
                ##
                ## Warning: requires 'wf_key_surfcontrol_cpa' license
                ##
                type surf-control-integrated;
                surf-control-integrated {
                    server;
                }
            }
        }
    }
    flow {
        /* Deactivated datapath trace for the web server; the second filter's source-prefix 10.16.24.31 looks like a typo for 10.196.24.31. */
        inactive: traceoptions {
            file webtest;
            flag basic-datapath;
            packet-filter 1-server {
                destination-prefix 10.196.24.31/32;
                destination-port 80;
            }
            packet-filter 2-server-out {
                source-prefix 10.16.24.31/32;
            }
        }
    }
    /* IDS screen profile; applied to zone untrust only (see zones). */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Hide-NAT: everything from trust to untrust leaves with ge-0/0/0's address. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            /* NOTE(review): effectively dead — zone DMZ-trust has no interfaces, so nothing arrives "from zone DMZ-trust". */
            /* NOTE(review): 10.196.24.31/24 is a host address with a /24 mask, i.e. it means the whole 10.196.24.0/24. */
            rule-set DMZ-TO-INTERNET {
                from zone DMZ-trust;
                to zone untrust;
                rule DMZ-TO-INTERNET {
                    match {
                        source-address 10.196.24.31/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Both pools map to 10.196.24.31 port 80: external 8085 is rewritten to tcp/80 on the server, not to 8085 as the post describes. */
            pool dnat_10_196_24_31m24 {
                address 10.196.24.31/32 port 80;
            }
            pool Webserver1 {
                address 10.196.24.31/32 port 80;
            }
            /* Deactivated duplicate of rule-set Webserver1 below. */
            inactive: rule-set DEST-NAT {
                from zone untrust;
                rule WEB-SERVER-TCP-80 {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 8085;
                    }
                    then {
                        destination-nat pool dnat_10_196_24_31m24;
                    }
                }
            }
            /* Live rule: untrust -> 187.72.138.193:8085 is translated to 10.196.24.31:80; policy Allow-Webserver1 then permits it. */
            /* NOTE(review): exposing the HR service on 8090 (the post's question) would need a parallel rule for destination-port 8090 with its own pool on port 8090, plus an application for tcp/8090 added to the untrust-to-trust policy. */
            /* NOTE(review): that would carry HR data over cleartext HTTP from the internet; publishing it over https, or reaching it through the existing VPN, is the safer design. */
            rule-set Webserver1 {
                from zone untrust;
                rule Web1 {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 8085;
                    }
                    then {
                        destination-nat pool Webserver1;
                    }
                }
            }
        }
        /* Answers ARP for .194-.204 of the /28; the DNAT rules use .193, the interface's own address, which needs no proxy-ARP entry. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    187.72.138.194/32 to 187.72.138.204/32;
                }
            }
        }
    }
    /* Zone policies; within a zone pair they are evaluated top-down, first match wins. */
    policies {
        from-zone trust to-zone untrust {
            /* NOTE(review): catia-alc-license (deny) sits below this permit-any, so it never matches; it should be inserted before trust-to-untrust. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Intended block of the three catia hosts (10.196.34.46-48, reached via the tunnel); currently unreachable, see above. */
            policy catia-alc-license {
                description catia-alc-license;
                match {
                    source-address trust;
                    destination-address [ catia catia2 catia3 ];
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* VPN peer networks may reach anything in trust; session close is logged. */
            /* NOTE(review): the match keys on source address only and zone untrust also holds the internet interface, so the rule is not tied to st0.0; a dedicated zone for the tunnel would scope it. */
            policy RotemVPN {
                match {
                    source-address 10.0.0.0/8;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* Internet -> ticket system after destination NAT. */
            /* NOTE(review): policy lookup on SRX appears to use the post-DNAT destination (hence the internal address Webserver1), so the port seen here is 80; junos-http would match and the custom HTTP (8085) entry would be redundant — confirm on the device. */
            policy Allow-Webserver1 {
                match {
                    source-address any;
                    destination-address Webserver1;
                    application [ HTTP junos-http ];
                }
                then {
                    permit;
                }
            }
        }
        /* The three DMZ-trust zone pairs below are dead: zone DMZ-trust binds no interfaces. */
        from-zone untrust to-zone DMZ-trust {
            policy INTERNET-TO-DMZ {
                match {
                    source-address any;
                    destination-address WebServer;
                    application [ HTTP junos-http ];
                }
                then {
                    permit {
                        destination-address;
                    }
                }
            }
        }
        from-zone DMZ-trust to-zone trust {
            policy DMZ-to-trust-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http HTTP ];
                }
                then {
                    permit {
                        destination-address;
                    }
                }
            }
        }
        from-zone trust to-zone DMZ-trust {
            policy ALLOW-web-to-DMZ {
                match {
                    source-address trust;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Intra-zone traffic between the trust interfaces (vlan.0, ge-1/0/0.0, ge-0/0/1.0) is fully permitted. */
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* LAN zone: all host-inbound services and protocols allowed on the three LAN interfaces. */
        security-zone trust {
            address-book {
                address trust 10.196.24.0/24;
                address Webserver1 10.196.24.31/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                ge-1/0/0.0;
                ge-0/0/1.0;
            }
        }
        /* Internet + VPN zone with the IDS screen. */
        /* NOTE(review): system-services "all" here and again on ge-0/0/0.0 exposes every enabled management service (ssh, telnet, xnm-clear-text, http 8081) to the internet; ike alone is what the VPN needs on this interface, and "all" makes the explicit dhcp/tftp/ike entries redundant. */
        security-zone untrust {
            address-book {
                address 10.0.0.0/8 10.0.0.0/8;
                address catia 10.196.34.46/32;
                address catia2 10.196.34.47/32;
                address catia3 10.196.34.48/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            all;
                        }
                    }
                }
                st0.0;
            }
        }
        /* No interfaces bound, so the DMZ-trust NAT rule-set and policies never match. */
        security-zone DMZ-trust {
            address-book {
                address WebServer 10.196.24.31/32;
            }
        }
    }
}
/* Custom application for the ticket system's external port (tcp/8085), used in the policies alongside the built-in junos-http (tcp/80). */
applications {
    application HTTP {
        protocol tcp;
        destination-port 8085;
    }
}
/* Access VLAN for ge-0/0/2..7, routed through vlan.0 (zone trust). */
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

 

