Hi Aaron,
One firewall, with one Trust zone containing the internal interface and an
Untrust zone containing two interfaces connecting to two separate Cisco routers.
Regards,
Shahid
-----Original Message-----
From: Aaron [mailto:aaron1_at_gvtc.com]
Sent: Tuesday, January 25, 2011 4:21 PM
To: Shahid
Cc: ccielab_at_groupstudy.com
Subject: Re: Port Forwarding not working always with Juniper SSG140
Is that one firewall or two?
Aaron
On Jan 25, 2011, at 6:05 AM, Shahid <bxperts_at_gmail.com> wrote:
> Dear Experts,
>
> I am diagnosing an issue and looking for your help. Traffic from
> outside reaches the internal server fine from ISP1 but sometimes has
> trouble from ISP2.
>
> The ADSL connections are terminated on two separate Cisco routers. The
> Juniper SSG140 firewall is connected to both ISPs' routers over Ethernet.
>
> From both ISPs, the public IP addresses are mapped (port forwarding) to
> the same internal server, which runs HTTP, HTTPS, POP3 and SMTP. Traffic
> from ISP1 reaches the server, while traffic from ISP2 reaches it
> sometimes but often not.
>
> I have used the following methods to trace the issue.
>
> 1. I checked the IP address of ISP2 with an online port scanner, and
> the results show the port as sometimes reachable and sometimes not.
>
> 2. The syslog message from the SSG140 shows service=pop3
> proto=6 src zone=Untrust dst zone=Trust action=Permit sent=78
> *rcvd=0*
>
> 3. On one remote PC I used Wireshark and noticed that the remote host
> sent the SYN message and was waiting for the acknowledgment.
>
> Could this be an issue with the ISP router, if it is sometimes blocking
> SYN packets?
>
> *For Juniper experts.*
>
> Both ISP interfaces are in the Untrust zone and have the same type
> of firewall policies.
>
> Regards,
>
> Shahid
>
> Kuwait
Received on Tue Jan 25 2011 - 22:56:25 ART
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART