Firewall – Netscreen-25 : Cannot forward port 443 to an internal server

Tags: firewall, https, netscreen, port-forwarding

A customer is using a NetScreen-25 firewall.
By default it has a web interface on port 80 and 443.
I've changed the port for the HTTPS web interface to some other number that is not being used
and disabled the checkbox that normally enables the HTTPS web interface.

I've then added a policy to forward incoming tcp requests on port 443 to 192.168.2.2:443
like I would add any other NAPT policy. However the policy is never hit (even though it's at the top of the list) so data never gets forwarded to the internal server.

We want to expose the internal site via HTTPS to the internet (without the user having to specify a port other than 443 of course).

Has anybody got an idea what might be wrong?
Might this be a bug in the device given that it normally reserves 443 for its web interface
even when you change the port and disable it?

Thank you

Best Answer

And if you put the server in the DMZ? It should bypass the firewall then. Does that work?

// Allowing Outbound Traffic

By default, the NetScreen-25 device does not allow inbound or outbound traffic, nor does it allow traffic to or from the DMZ. You need to create access policies to permit specified kinds of traffic in the directions you want. (You can also create access policies to deny and tunnel traffic.)

The following access policy permits all kinds of outbound traffic from any point on the Trust network to any point on the Untrust network.

set policy outgoing "inside any" "outside any" any permit
save

You can also use the Outgoing Policy Wizard in the WebUI management application to create access policies for outbound traffic. See "Accessing the Device With the WebUI" on page 18 for information on accessing the WebUI application. //
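An added ScreenOS CLI example, not taken from the question, the answer, or the quoted Juniper manual: it spells out the sequence the question describes on the command line, moving the firewall's own HTTPS management listener off port 443, turning web/SSL management off on the internet-facing interface, and then publishing the internal server on 443 through a virtual IP (VIP) and an untrust-to-trust policy rather than a plain NAPT policy. The interface names (ethernet3 as untrust, ethernet1 as trust), the management port 8443 and the manager-ip subnet are assumptions for illustration; 192.168.2.2 is the server address from the question. Lines starting with # are explanatory and are not ScreenOS syntax.

```screenos
# Added example (assumptions: ethernet3 = untrust, ethernet1 = trust, 8443 = free admin port).

# 1. Move the WebUI's SSL listener off 443 so it no longer competes with the forward.
set ssl port 8443

# 2. Stop the firewall from answering web/SSL management requests on the untrust side at all;
#    keep management on the trust interface and limit it to an admin subnet (assumed).
unset interface ethernet3 manage web
unset interface ethernet3 manage ssl
set interface ethernet1 manage ssl
set admin manager-ip 192.168.2.0 255.255.255.0

# 3. Publish the internal server: VIP on the untrust interface IP, TCP/443 -> 192.168.2.2.
#    HTTPS is the predefined service for TCP port 443.
set interface ethernet3 vip interface-ip 443 HTTPS 192.168.2.2

# 4. Allow the published service from the internet; the destination is the VIP object,
#    not the private address. Place this above any broader deny rule.
set policy from untrust to trust any vip(ethernet3) HTTPS permit log

save

# 5. Verify: the interface should no longer list web/ssl management, and the policy's
#    hit counter should increase after a test connection from outside.
get interface ethernet3
get policy
```

If the policy counter stays at zero after the SSL port has been moved and management disabled on untrust, check `get interface ethernet3` first: a VIP is only reachable on the interface it is bound to, and the management flags shown there confirm whether the firewall itself is still claiming port 443.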