Specific port not accessible externally using Netscreen 25

By neil.velie
I recently configured the DMZ on a Juniper Netscreen 25 to allow a user to make a demo accessible to a customer over the Internet. I set up Trust --> DMZ, DMZ --> Untrust, and Untrust --> DMZ policies. Everything is working great, with the exception of a specific port (8000) on the Untrust --> DMZ policy - I just can't get it to be accessible from the Internet, period.

I have a MIP configured to map the external IP to the DMZ host IP, and accessing other ports/services within this policy, such as SSH and ICMP, works with no problems whatsoever using the external IP. The same troublesome port works perfectly on the internal network via the Trust --> DMZ policy I set up; this policy is almost identical to the Untrust --> DMZ policy, with the IP addresses being different, of course. Setting the permitted services to "ANY" on the Untrust --> DMZ policy makes no difference; still can't access port.

One other thing I've noticed is that there is no traffic showing up in the log for the policy (logging is enabled), not even for services that successfully connect, such as SSH. I tried creating a "DENY ALL" version of the same policy, and the log on this policy shows the denied traffic...except for port 8000. No traffic at all shows up for this port. If it matters, the service I am trying to access is a web-based front end using this format http://externalIP:8000.

This is absolutely maddening. Does anyone have any idea at all what the problem might be? Thanks!


All Answers

Figured it out

by neil.velie In reply to Specific port not accessi ...

I figured out the problem - there was a Trust --> Untrust policy blocking the traffic, and evidently the DMZ is part of the Trust zone, so all the traffic from my computer was being blocked. I added another Trust --> Untrust policy that provided an exception for my laptop, and everything works now.

good job

by shasca In reply to Figured it out
