Hi,

I have attached my network diagram. I have connected my servers to the VLAN 10 in the cisco core switch 4506. I want to access the servers from the outside cloud (internet) through juniper SSG 140, i have only one public IP which is configured in the juniper firewall ssg 140, i am also using the same publick IP for the VPN connectivity through juniper.

What is the best way to access the servers which are on vlan 10 from outside through juniper ssg 140?

Please advise.

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

If you only have 1 IP, you'll need to set up a VIP on the Juniper. This will be done on a port by port basis.

This is the Juniper help page for VIPs: http://kb.juniper.net/CUSTOMERSERVICE/KB4740

Let me know if you get stuck, I've done this plenty of times on SSG's and GT's

_________________
www.mellowd.co.uk/ccie/

thx for the brisk response. i went through the same weblink. I am little confuse regarding which virtual IP i should mention. I do not have any websever as well as of now.

secondly did you try this method did is work for u?

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

The webserver can be any server you want to access.

For example, let's say the server IP is 172.188.100.50 - You want to be able to RDP into this server.

You create a vIP for port 3389 pointing to 172.188.100.50 - You then create a policy allowing traffic from yourself to the VIP address.

Voila, it works.

Yes this method has worked hundreds of times for me thus far

_________________
www.mellowd.co.uk/ccie/

Here are what i am doing....

I am using eth/02 having public IP 89.148.x.x/32. I created the VIP and then the policy untrust to trust for "any" service.

Its showing me also up. You can see the same in the snapshot as well.

Its still not working, Am i putting the service wrong?

After all this process how i have to access the mstsc.

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

You've mapped it to the wrong service. You're trying to change Public:3389 to private:80

In order for RDP to work, 3389 needs to go to 3389

I don't think Juniper's have 3389 defined, so you'll need to make a custom service first

_________________
www.mellowd.co.uk/ccie/

great!!!!Thank you so much...i have created the custom service and i am able to access my service through RDP from out site....

One more little query, i am trying to define the vip for my core switch for telnet service, but i am getting the error that the "telnet service is reserved for the management of the box". I try to create the custom service but the same message.

Any idea how i can define telnet service for my core cisco switch, so that i can access from outside.

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

Yes. The answer is in the error message.

Telnet, port 23 is reserved for management of the Juniper. So basically Public:23 will ALWAYS go to the Juniper, it'll never be forwarded.

What you can do is to map Public:1023 to core_switch:23 - The Juniper will forward all packets with a destination port of 1023 to your internal port 23.

_________________
www.mellowd.co.uk/ccie/

Will mapping work?
Sorry,but could you please guide me how to map public 1023 to core_switch 23. If i 'll create a MIP it will do the direct port mapping but not the port translation. I tried to mapped the 1023 port to telnet 23 port in the coreswitch using command "ip port-map telnet port 1023". But it is not serving the purpose.

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

Don't make any changed in the core switch, all you're doing is the VIP in the firewall.

On the firewall create a new VIP with a virtual IP of 1023. Map that to Port 23 'map to service' - and then create your policy

_________________
www.mellowd.co.uk/ccie/

Thankssss...its working fine

I hope i 'll get help from you for other issues as well.....

Thanks a lot once again.

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

No problem. Glad it's all working

_________________
www.mellowd.co.uk/ccie/

As a side note, its a really, REALLY bad idea to telnet from the outside world into your equipment; telnet is plain text, and anybody can read the packets to capture your username/password.

_________________
"A problem well stated is a problem half solved". (Charles Kettering)

Do you have any better solution?

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

SSH

_________________
www.mellowd.co.uk/ccie/

I checked using SSH, when i try to SSH with a virtual port configured on my juniper using my public IP, it is connecting but after that only the cursor is blinking of the putty window....nothing happened after that.

Before i checked from my office using telnet "89.148.x.x 1023" it was working fine. But now even the telnet is not working from my home.

I checked my firewall its off and also my router for the port, i even tried to change the virtual port 1023 to 80 but no use.

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

i changed the ssh port which was for the box management and after that i am able to access my Cisco_core switch from out side of my office, i checked ftp and RDP they are also working fine...

But the 1023 virtual port for the telnet service did not work for me outside of my office LAN..i hope i 'll figure that out soon...

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

Currently i am taking the remote access of only one server through my juniper SSG 140 using VIP and the remote desktop port.

how i can take the remote desktop for more than one systems?

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !

The problem is that you cannot create 2 VIP's to the same port.

What you can do is this. Create a few VIP's like so:

PublicIP:3389 --->InternalIP1:3389
PublicIP:3390 --->InternalIP2:3389
PublicIP:3391 --->InternalIP3:3389

Then to RDP to PC2, you'll need to RDP to PublicIP:3390 and so on

_________________
www.mellowd.co.uk/ccie/

thank you so much, worked perfectly.

_________________
if you are not willing to learn, no one can help you !
if you are determined to learn, no one can stop you !
Do it now or NEVER !