Channel: SRX Services Gateway topics

Example of granular traffic control in dynamic VPNs


Hi everybody,

I just wanted to share a little implementation of dynamic VPNs on a branch SRX cluster that I did lately.

The case here was to have granular control over which services and subnets a certain group of users has access to.

The first thing that I tried was to set up a couple of dynamic VPNs with different statements in the match conditions (different destination IPs and applications), but it wouldn't work. The tunnels would not establish for all of the test users.

So I came up with an alternative solution that works.

 

Basically what I've done:

1) created new virtual router only for VPN termination

VR-VPN {
    instance-type virtual-router;
    interface reth2.5;
    interface reth4.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.16.0.1;
            route 10.0.0.0/8 next-hop 192.168.255.1; ## route to protected resources
        }
    }
}

2) configured two access profiles with the SAME authentication mechanism (in my case LDAP) but DIFFERENT address-assignment pools (so that different types of users get different IPs)

profile ADMIN_VPN {
    authentication-order [ ldap password ];
    address-assignment {
        pool pool_admin;
    }
    ldap-options {
        base-distinguished-name OU=OU-VPN,DC=lab,DC=local;
        search {
            search-filter sAMAccountName=;
            admin-search {
            }
        }
    }
    ldap-server {
        10.0.200.1 port 389;
    }
}
profile USERS_VPN {
    authentication-order [ ldap password ];
    address-assignment {
        pool pool_users;
    }
    ldap-options {
        base-distinguished-name OU=OU-VPN,DC=lab,DC=local;
        search {
            search-filter sAMAccountName=;
            admin-search {
            }
        }
    }
    ldap-server {
        10.0.200.1 port 389;
    }
}

address-assignment {
    pool pool_admin {
        family inet {
            network 172.20.1.0/24;
            range range1 {
                low 172.20.1.11;
                high 172.20.1.200;
            }
            xauth-attributes {
                primary-dns 10.0.200.1/32;
                secondary-dns 8.8.8.8/32;
            }
        }
    }
    pool pool_users {
        family inet {
            network 172.20.11.0/24;
            range range2 {
                low 172.20.11.11;
                high 172.20.11.200;
            }
            xauth-attributes {
                primary-dns 10.0.200.1/32;
                secondary-dns 8.8.8.8/32;
            }
        }
    }
}

3) configured two IKE gateways with the distinct xauth profiles configured in step 2

 

policy dyn_vpn_policy {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$9$8.RLXNJZDqmTg439Ct0OxN-bgajHqz6Ck.01IESy"; ## SECRET-DATA
}

gateway ADMIN_GW {
    ike-policy dyn_vpn_policy;
    dynamic {
        hostname @admin.srx.vpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface reth2.5;
    xauth access-profile ADMIN_VPN;
}

gateway USERS_GW {
    ike-policy dyn_vpn_policy;
    dynamic {
        hostname @users.srx.vpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface reth2.5;
    xauth access-profile USERS_VPN;
}

4) configured IPsec VPNs:

policy dyn_vpn_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}

vpn USERS_VPN {
    ike {
        gateway USERS_GW;
        ipsec-policy dyn_vpn_policy;
    }
}
vpn ADMIN_VPN {
    ike {
        gateway ADMIN_GW;
        ipsec-policy dyn_vpn_policy;
    }
}

5) Created new security zones for the new VPN virtual router interfaces

security-zone VPN_WAN {
    host-inbound-traffic {
        system-services {
            ping;
            https;
            ike;
        }
    }
    interfaces {
        reth2.5;
    }
}
security-zone VPN_LAN {
    host-inbound-traffic {
        system-services {
            ping;
            traceroute;
        }
    }
    interfaces {
        reth4.0;
    }
}
security-zone VR-VPN {
    host-inbound-traffic {
        system-services {
            ping;
            traceroute;
        }
    }
    interfaces {
        reth3.0;
    }
}

6) Configured dynamic-vpn stanza:

Here we can configure only one access profile for every user, so this is the part where we realize that we need to have one access profile that can authenticate all of our users. At this point we can differentiate which subnets a group of users has access to, but this is the standard dynamic VPN configuration.

dynamic-vpn {
    access-profile ADMIN;
    clients {
        admins{
            remote-protected-resources {
                10.0.0.0/8;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn ADMIN_VPN;
            user {
                vpn-admin;
            }
            user-groups {
                Administrators;
            }
        }
        users {
            remote-protected-resources {
                10.10.0.0/16;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn USERS_VPN;
            user {
                vpn-test-user;
            }
        }
    }
}

7) Configured the actual policies:

 

First are the standard policies to terminate the VPNs.

from-zone VPN_WAN to-zone VPN_LAN {
    policy admin_dyn_vpn {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ADMIN_VPN;
                }
            }
        }
    }
    policy dyn_vpn_users {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn USERS_VPN;
                }
            }
        }
    }
}

And then the granular policies I was looking for:

 

from-zone VR-VPN to-zone SERVERS {
    policy DNS {
        match {
            source-address any;
            destination-address any;
            application junos-dns-udp;
        }
        then {
            permit;
        }
    }
    policy DYN_VPN_TEST {
        match {
            source-address VPN_NET_1; ## admin subnet 172.20.1.0/24
            destination-address any;
            application [ junos-ping junos-https junos-ssh ];
        }
        then {
            permit;
        }
    }
    policy DYN_VPN_TEST_2 {
        match {
            source-address VPN_NET_2; ## users subnet 172.20.11.0/24
            destination-address any;
            application [ junos-ping junos-http junos-https ];
        }
        then {
            permit;
        }
    }
}

8) The final touch is to fix the routing. Assuming that the SRX cluster is the default GW for the servers, we only need static routes pointing to the remote users' IP addresses:

 

set routing-options static route 172.20.1.0/24 next-hop 192.168.255.2
set routing-options static route 172.20.11.0/24 next-hop 192.168.255.2

If you have more subnets and planned them thoughtfully, you could create only one static route towards the VPN VR.

 

One last thing is that in cluster mode the SRX does not support logical tunnel interfaces (lt-0/0/0), so I had to use two interfaces on each SRX to facilitate a connection between the main routing instance and the VR. Example connections: node0: ge-0/0/8 <---> ge-0/0/9, node1: ge-5/0/8 <---> ge-5/0/9, and then they were bundled into classic reth interfaces.


The end result is that two types of users (admin and standard) can establish simultaneous IPsec VPN tunnels, each with its own set of destinations and ports opened.


In the attachment you'll find a graphic illustrating the design, to better understand it.

I hope this is helpful :-)


Cheers
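As an added illustration of the first-match policy evaluation the setup above relies on (this is editorial example code, not from the post), the Python below parses a constructed excerpt in the post's curly-brace format (the two address-book entries and the VR-VPN to SERVERS policies) and looks up sample flows from a client in each pool. The address-book names VPN_NET_1/VPN_NET_2, the server IP 10.10.1.5 and the client IPs are assumptions; the protocol/port table covers only the predefined Junos applications these policies use.

```python
import ipaddress
import re

# Constructed sample in the post's curly-brace format: the admin/users address-book
# entries and the three VR-VPN -> SERVERS policies, in the order they were written.
SAMPLE_CONFIG = """address-book {
    address VPN_NET_1 172.20.1.0/24;
    address VPN_NET_2 172.20.11.0/24;
}
policies {
    from-zone VR-VPN to-zone SERVERS {
        policy DNS {
            match {
                source-address any;
                destination-address any;
                application junos-dns-udp;
            }
            then { permit; }
        }
        policy DYN_VPN_TEST {
            match {
                source-address VPN_NET_1;
                destination-address any;
                application [ junos-ping junos-https junos-ssh ];
            }
            then { permit; }
        }
        policy DYN_VPN_TEST_2 {
            match {
                source-address VPN_NET_2;
                destination-address any;
                application [ junos-ping junos-http junos-https ];
            }
            then { permit; }
        }
    }
}
"""

# Protocol and port of the predefined Junos applications the policies reference.
APPLICATIONS = {
    "junos-ping": ("icmp", None),
    "junos-http": ("tcp", 80),
    "junos-https": ("tcp", 443),
    "junos-ssh": ("tcp", 22),
    "junos-dns-udp": ("udp", 53),
}


def parse_junos(text):
    """Curly-brace config -> nested dicts. A block 'policy DNS { }' becomes key
    'policy DNS'; a leaf 'address A 10.0.0.0/8;' appends ['A', '10.0.0.0/8'] to
    key 'address', so repeated leaves are all kept, in order."""
    tokens = re.findall(r"[{};\[\]]|[^\s{};\[\]]+", text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node.setdefault(words[0], []).append(words[1:])
                words = []
            elif tok == "}":
                break
            elif tok not in ("[", "]"):  # list brackets carry no meaning here
                words.append(tok)
        return node

    return block()


def address_matches(name, ip, book):
    """Resolve an address-book name (or 'any') and test ip against it."""
    if name == "any":
        return True
    for entry_name, prefix in book["address"]:
        if entry_name == name:
            return ip in ipaddress.ip_network(prefix)
    raise KeyError(f"address-book entry {name!r} is not defined")


def lookup_policy(config, from_zone, to_zone, src, dst, proto, port=None):
    """First-match lookup for one flow. Returns (policy name, action); a flow that
    matches no policy in the zone pair gets (None, 'deny'), the Junos default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    book = config["address-book"]
    context = config["policies"].get(f"from-zone {from_zone} to-zone {to_zone}", {})
    for key, policy in context.items():
        m = policy["match"]
        app_ok = any(a == "any" or (APPLICATIONS[a][0] == proto
                                    and APPLICATIONS[a][1] in (None, port))
                     for a in m["application"][0])
        if (app_ok
                and any(address_matches(a, src_ip, book) for a in m["source-address"][0])
                and any(address_matches(a, dst_ip, book) for a in m["destination-address"][0])):
            return key.split()[1], ("permit" if "permit" in policy["then"] else "deny")
    return None, "deny"


CONFIG = parse_junos(SAMPLE_CONFIG)
```

Calling `lookup_policy(CONFIG, "VR-VPN", "SERVERS", "172.20.1.50", "10.10.1.5", "tcp", 80)` returns `(None, 'deny')`: the admin pool has SSH and HTTPS but no HTTP, which is exactly the kind of per-pool difference the source-address match makes visible.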

 


vSRX IPv4/IPv6 - Example needed


Hi everybody,

 

Could you give me an example of how to realize my drawing?

I want to play with IPv6 but unfortunately my Provider has only IPv4...

I don't have access to the Devices in light blue.

 

Do I need to configure all my Routers or only the first one? The Client is v6 only.

Some servers on the web are still v4 only. Can I reach them with the client if it has no v4 address at all?

 

 

[image attachment: v4v6.PNG]

 

It would be really helpful if you have some examples that point me in the right direction.

 

Thanks

 

 

 

Is an SPC card failure graceful?


Dear all,

 

Just wondering if anyone has any experience of an SPC card failure in a high end (3400) standalone SRX?

 

Just wondering if the effect is essentially reduced capacity until the card is replaced, or, as these units are cold-swappable only, whether it results in the platform stopping, until it can be rebooted without the SPC...

 

Anybody had this happen to them and can share the experience?

 

Thanks in advance!

How to configure dual ISP balancing with failover?


Hi everyone,

 

First of all, sorry for my bad English, I hope to explain well...

 

I have 2 ISP links on my SRX220 and I need to have balancing between those links, and when one of the links fails, all traffic should go out via the other.

 

I'm new to using the SRX, and some partners told me that I needed firewall filters to balance my ISPs, so I created two balancing filters: in the first term I have configured as source-address all of my LAN 10.0.0.0/8 with destination-address 0.0.0.0/0 and then routing instance ISP1 (this is my routing instance to send all traffic via my first ISP), and I have a second term configured like the first one, but with routing instance ISP2. I thought that with this configuration I would have failover too.

 

Some days ago, I had a failure on my principal ISP, so I was hoping that all traffic would go out via my secondary link, but that never happened. Do you think I have something wrong in my firewall filters configuration? Or maybe I need to configure something else like RPM services or IP monitoring?

SRX100 meltdown...


Good morning.

This just started happening to me with 1 of my SRX100's (brand new, H2, etc.) It has 1 ipsec tunnel, NAT, nothing special that an SSG5 can't do. But it comes with the added benefit of spurious meltdowns.

 

I'm an SRX amateur, so it is entirely possible that I don't know what I am doing.

Not being able to copy-paste configs doesn't help ^^;

 

Serial Number: BZ4915AFXXXX
Host Name: ginzaXXXXX
Software Version: JUNOS Software Release [12.1X46-D40.2]
Bios Version: 2.8
System Up Time: 1 day(s) 14:42 since 2016-04-04 23:33:45 GMT+9
System Time: 2016-04-06 14:16:35 GMT+9

 

When it melts down, there's nothing logged that I can see, the tunnel drops and telnet becomes completely unresponsive, sometimes it recovers in a few minutes, sometimes it takes 20+. After being up for 30 days, it just started doing this. 

 

Searching this forum shows that this has been going on for a couple of years with no effective solution beyond going back to the now discontinued SSG5s.

 

The only thing of interest I can find is it complaining about Routing Engine 0 being warm. However, I can't see 64°C being noteworthy in a fanless router.

 

I also see people saying what does "show chassis forwarding" etc do. Minor problem, when it is unresponsive, it is serious about it and it remains that way until recovery.

 

The GUI shows the control cpu as 100%, which people post as being "inaccurate, use the CLI" which sort of defeats the purpose of having a GUI.

 

So,

1) Where do I really look *after* it has recovered from a meltdown?

2) What is the real solution? (Since going back to SSG's isn't possible now.)

Routing-Problem on SRX240


Hi,

 

I have a strange behavior on our SRX240.

We have set up several site-to-site VPNs (policy-based) and we are using the dynamic VPN (only with the Pulse client).

The Tunnels work fine.

 

The problem is that somehow the routing to the internal network (172.18.10.0) for the site-to-site VPNs stops working when no dynamic VPN is online. As soon as one or more dynamic connections are made and online, the remote networks of the site-to-site VPNs can route into our network. If all dynamic VPNs are offline, it takes about 5-10 minutes and then the routing of the remote networks of the site-to-site VPNs will stop working, and any connection into our network is stuck at the SRX. When connecting with Pulse again, the routing for the site-to-site VPNs works immediately once Pulse has finished connecting and the connection is done.

Somehow it looks like the Dynamic VPN is setting some routing, which will get lost when no dynamic VPN is connected.

 

Does anyone have any idea where to search for this problem?

 

Here are some configuration parts of the SRX which might help:

 

skoenig@wall> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     xxx.xxx.xxx.xxx/29
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    down
ge-0/0/1.0              up    down eth-switch
ge-0/0/2                up    down
ge-0/0/2.0              up    down eth-switch
ge-0/0/3                up    up
ge-0/0/3.0              up    up   eth-switch
ge-0/0/4                up    down
ge-0/0/4.0              up    down eth-switch
ge-0/0/5                up    down
ge-0/0/5.0              up    down eth-switch
ge-0/0/6                up    down
ge-0/0/6.0              up    down eth-switch
ge-0/0/7                up    down
ge-0/0/7.0              up    down eth-switch
ge-0/0/8                up    down
ge-0/0/8.0              up    down eth-switch
ge-0/0/9                up    down
ge-0/0/9.0              up    down eth-switch
ge-0/0/10               up    down
ge-0/0/10.0             up    down eth-switch
ge-0/0/11               up    down
ge-0/0/11.0             up    down eth-switch
ge-0/0/12               up    down
ge-0/0/12.0             up    down eth-switch
ge-0/0/13               up    down
ge-0/0/13.0             up    down eth-switch
ge-0/0/14               up    down
ge-0/0/14.0             up    down eth-switch
ge-0/0/15               up    down
ge-0/0/15.0             up    down eth-switch
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
st0.0                   up    up   inet
tap                     up    up
vlan                    up    up
vlan.0                  up    up   inet     172.18.10.1/24
vlan.4                  up    down inet     192.168.10.254/24
vlan.5                  up    down inet     192.168.11.1/24


skoenig@wall> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 19w0d 17:24:50
> to xxx.xxx.xxx.xxx via ge-0/0/0.0
172.18.10.0/24 *[Direct/0] 30w0d 01:12:17
> via vlan.0
172.18.10.1/32 *[Local/0] 30w0d 01:12:42
Local via vlan.0
192.168.10.254/32 *[Local/0] 30w0d 01:12:42
Reject
192.168.11.1/32 *[Local/0] 30w0d 01:12:42
Reject
xxx.xxx.xxx.xxx/29 *[Direct/0] 19w0d 17:24:50
> via ge-0/0/0.0
xxx.xxx.xxx.yyy/32 *[Local/0] 30w0d 01:12:29
Local via ge-0/0/0.0



skoenig@wall> show ethernet-switching interfaces
Interface State VLAN members Tag Tagging Blocking
ge-0/0/1.0 down vlan0 2 untagged blocked by STP
ge-0/0/2.0 down vlan0 2 untagged blocked by STP
ge-0/0/3.0 up vlan0 2 untagged unblocked
ge-0/0/4.0 down vlan0 2 untagged blocked by STP
ge-0/0/5.0 down vlan0 2 untagged blocked by STP
ge-0/0/6.0 down vlan4 6 untagged blocked by STP
ge-0/0/7.0 down vlan4 6 untagged blocked by STP
ge-0/0/8.0 down vlan4 6 untagged blocked by STP
ge-0/0/9.0 down vlan4 6 untagged blocked by STP
ge-0/0/10.0 down vlan4 6 untagged blocked by STP
ge-0/0/11.0 down vlan5 7 untagged blocked by STP
ge-0/0/12.0 down vlan5 7 untagged blocked by STP
ge-0/0/13.0 down vlan5 7 untagged blocked by STP
ge-0/0/14.0 down vlan5 7 untagged blocked by STP
ge-0/0/15.0 down vlan5 7 untagged blocked by STP


Thanks in advance,

Steven

[HELP] need help to setup VLAN tagging


So basically I have an HP server that comes with a dedicated iLO port, but I only have 1 network port to use, so I want to be able to use that 1 network port for in/out network traffic and also for iLO traffic, separately on a different network.

 

So let's say I want to be able to pass regular bandwidth traffic on the 192.168.20.0/24 network and also would like to use iLO on the 172.20.20.0/24 network.

 

How do I configure that port on the Juniper SRX240 router to be able to do this, so that the two networks will pass through that 1 network port?

 

 

Below is what my current configuration looks like

 

ge-0/0/10 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan1;
            }
        }
    }
}
vlan {
    unit 1 {
        family inet {
            address 192.168.20.1/24;
        }
    }
    unit 2 {
        family inet {
            address 172.20.20.1/24;
        }
    }
}

Thanks

host-outbound-traffic by interface


Hi all,

My current Internet connection to the ISP is a VLAN trunk link including two VLANs. My SRX needs to get IP addresses from these two VLANs with DHCP. The ISP requires that all traffic in one VLAN must have CoS=4, while in the other VLAN, DHCP requests must have CoS=0.

 

I can use

 

    set class-of-service host-outbound-traffic ieee-802.1 default 100

 

to force almost all traffic generated from the routing engine to CoS=4, which meets one VLAN's requirement, and I am able to obtain an IP address. But the other VLAN is not happy with this setting; I cannot get a DHCP reply from their server.

Is there any way to set host-outbound-traffic per interface, or any workaround that can be applied?


Junos Space cannot discover SRX chassis cluster using SNMPv3?


Hi All,

 

Below is the minimum SNMPv3 configuration on my SRX. As I know, on Junos Space or an NMS the info in "bold" below needs to match between the SRX and the NMS. But the problem now is that Junos Space cannot discover the SRX using SNMPv3. Is there anything I am missing? Thanks, and I appreciate anyone's feedback.

 

mangkuk@SRX5800> show configuration snmp
v3 {
    usm {
        local-engine {
            user test {
                authentication-md5 {
                    authentication-key "hgjhvhjvjhgjhg"; ## SECRET-DATA
                }
                privacy-none;
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name test {
                    group srx;
                }
            }
        }
        access {
            group srx {
                default-context-prefix {
                    security-model any {
                        security-level authentication {
                            read-view all;
                            write-view all;
                        }
                    }
                }
            }
        }
    }
}

Dual ISP - First VPN drop causes Second VPN drop


On SRX240, there are two separate ISP each with static IP.  Other end has two different static IPs.  In normal operation there are two separate tunnels up, BGP fills routing table with routes over both VPNs (primary is preferred and active due to prepends).

 

The problem is that when the primary ISP goes out, the secondary VPN interface (st0.20) also shows as down and of course the routing table becomes completely empty of BGP routes.   Secondary ISP remains active on pp0.0 when primary ISP is down.

 

      ge0/0/0.0 - ISP 1 - Primary VPN st0.0 - - - 5.5.5.5
SRX <                                                     > Dest
      pp0.0 - - - ISP 2 - Secondary VPN st0.20- - 6.6.6.6

Bridge tagged logical interfaces


Hi all, I am using an SRX 220 as the gateway to the ISP. Two VLANs from the ISP are terminated as L3 logical interfaces as below:

ge-0/0/0 {
    per-unit-scheduler;
    vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 34 {
        vlan-id 34;
    }
    unit 35 {
        vlan-id 35;
        family inet {
            dhcp {
                client-identifier ascii juniper;
                vendor-id juniper;
            }
        }
    }
}
ge-0/0/3 {
    flexible-vlan-tagging;
    unit 34 {
        vlan-id 34;
    }
}

I need to bridge ge-0/0/0.34 and ge-0/0/3.34.
I found a thread (http://forums.juniper.net/t5/SRX-Services-Gateway/Layer-2-and-Layer-3-logical-interfaces-on-same-physical/td-p/245068) that talked about a problem similar to mine, but in that thread he is using MPLS, which I am not.

[ipv6] proxy-ndp without nat?


Hi -

 

My ISP provides me with a "flat" /48 IPv6 subnet (not routed).

 

I have assigned an IP/64 to the "untrust" interface of my SRX240 (junos 12.1X47-D25.4) and set the default gateway. I can ping6 to/from the SRX, so far so good.

 

Now I'd like to assign a /64 subnet to each internal interface of my SRX, but I face a problem regarding the "who has" neighbor solicitations: the ISP's router does not know that the targeted /64s are behind my SRX, and so does not know where to route the traffic.

 

In this situation, I think one has to rely on proxy-ndp. However, it seems that Junos requires the IPv6 addresses to be NATed. Is there a way to both assign public subnets to the internal interfaces and rely on proxy-ndp? Or is there another/better way to make the internal subnets reachable from the outside world?

 

Thanks in anticipation.

SRX Sub-Interface Not sending ARP requests out

Hey Team,

Looking for your assistance with a weird issue we are having on our SRX3400 Chassis Cluster.

Environment: SRX3400 Chassis Cluster - 12.1X46D40.2 (JTAC Recommended)

Issue: We upgraded this cluster from 11.4R5.5 to 12.1X46D40.2 over the weekend. After the upgrade, the SRX stopped sending ARP requests out on the reth7.0 sub-interface. Other physical and logical interfaces are forwarding and ARPing out normally.

We tried: failover to the secondary node (no effect); rebooting both nodes one by one; moving the subnet from reth7.0 to reth7.5.

Only way for devices in the subnet to work: switch IP addresses: clear the ARP cache on the switches. Windows servers: ping the firewall IP address so that the firewall can learn the MAC address. Pinging from the firewall to server/switch IP addresses does help in populating the MAC table, as the firewall does not seem to ARP out on that interface.

TAC is working on the case as well. We ran monitor traffic interface while pinging out from the FW interface: no ARP packets. However, once it is learned everything works fine. Static ARP also proved helpful in getting this to work. I am so confused as to why the sub-if is not ARPing out. Any help/suggestions much appreciated.

Thanks and Regards,
AS

Please Help with SRX550 Routing between Amazon and ISP


Hello,

 

I'm not a JunOS expert but I'm learning fast; if you could assist, it would be greatly appreciated.

 

I am setting up an SRX550 to be the gateway for our office, to route traffic between the ISP and AWS. We have an Ethernet Private Line that is connected to Amazon using BGP and it is running fine. We have another ISP Ethernet link that is connected to the Internet using a private class C of 10.0.4.0/24. The ISP has provided 10.0.4.0/24 with GW 10.0.4.1 and DNS 8.8.8.8. I would like to set up our SRX as our office gateway at 10.0.4.2 such that Amazon traffic is routed via BGP and DNS requests are routed through the SRX (10.0.4.2) and out to the ISP GW (10.0.4.1). Below is my configuration and it is not working; that is, the workstations connected to the SRX cannot ping one another, nor the SRX (10.0.4.2), nor the ISP GW (10.0.4.1). Thank you in advance for your help.

 

Vuonge

=======================

system {
    host-name AWSMACRTR;
    root-authentication {
        encrypted-password "XXXXXXXX"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        4.2.2.2;
    }
    services {
        dhcp {
            pool 10.0.4.0/24 {
                address-range low 10.0.4.100 high 10.0.4.200;
                router {
                    10.0.4.2;
                }
                propagate-settings ge-0/0/2;
            }
            propagate-settings ge-0/0/2.3;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.4.2/24;
            }
        }
    }
    ge-0/0/1 {
        description "Direct Connect to Amazon";
        flexible-vlan-tagging;
        mtu 1522;
        unit 0 {
            vlan-id 100;
            family inet {
                mtu 1500;
                address 54.239.244.142/31;
            }
        }
    }
    ge-0/0/2 {
        description "Internal Trusted Non-Routable Network";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust1;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1 {
            family inet {
                address 10.0.4.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.4.1;
    }
    autonomous-system 65000;
}
protocols {
    bgp {
        group EBGP {
            type external;
            peer-as 7224;
            neighbor 54.239.244.145 {
                local-address 54.239.244.144;
                authentication-key "XXXXXXXX"; ## SECRET-DATA
                export EXPORT-DEFAULT;
            }
        }
    }
    stp;
}
policy-options {
    policy-statement EXPORT-DEFAULT {
        term DEFAULT {
            from {
                route-filter 54.239.244.144/31 exact;
            }
            then accept;
        }
        term REJECT {
            then reject;
        }
    }
}
security {
    nat {
        source {
            rule-set rs1 {
                from zone trust;
                to zone untrust;
                rule r1 {
                    match {
                        source-address 10.0.4.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1;
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
vlans {
    vlan-trust0 {
        vlan-id 3;
        l3-interface vlan.0;
    }
    vlan-trust1 {
        vlan-id 2;
        l3-interface vlan.1;
    }
}

 

 

zone_id vs name


Hi,

 

Running a traceoption under security alg, we've received output which is not clear. Is there any way to recognize the relation between the (src_/dst_)zone_id and its canonical name? The same for the lsys name. Of course it can be done manually, by reviewing all the logs, routing etc., but I'm looking for a more convenient way to do this.

 

Apr 13 08:10:10 08:10:10.243487:CID-01:FPC-01:PIC-00:THREAD_ID-17:RT:jsf_msrpc_alg_check_policy_by_map: lookup poicy for: lsys: 2, v_src_port:32768, v_dst_port:2, src_zone_id = 51,dst_zone_id = 48, src addr:x.x.x.x, dst addr:....

 

thanks in advance,

Radek


Broadcast Vlan


Hi,

 

I have created 4 VLANs in a network. However, there is a device that is transmitting broadcast traffic in one VLAN, and I want this traffic to be able to reach the other VLANs.

 

Can I do it?

 

I have thought: if I install one L2 switch connected with this topology, can I achieve my target?

 

   SWITCH L2  (WITHOUT VLANS) - PORT 1 VLAN 1, PORT 2 VLAN 2, PORT 3 VLAN 3, PORT 4 SRX JUNIPER.

 

Or can I assign more than one VLAN to one interface?

 

Thanks.

 

Regards..

 

SRX logs in Wireshark


It would be very useful if set security flow traceoptions had an option to save the file in a format readable in Wireshark.

Automatically generated static route for route-based site-to-site IPsec VPN


Hi, I have a route-based IPsec VPN to a customer. Assume the traffic-selector is 1.2.3.4/32 to 5.6.7.8/32 and the VPN is bound to st0.1; when the VPN comes up, a static route to 5.6.7.8/32 is automatically populated in the routing table. This is all good in most cases, but I have a scenario where the customer wants a redundant VPN gateway on their side, essentially the same traffic selector but different IKE gateways. Say this backup VPN is bound to st0.2; we will now have two static routes generated with different next-hops. I don't want Junos to load-balance because st0.2 is backup only. How can I get around this?

Single zone application firewall doesn't work on SRX210HE2


Hello team,

 

I have an SRX210HE2 at my client; my version is JUNOS 12.1X46-D40.2 with the IDP signature database.

 

My customer just wants to use a single zone (trust-to-trust). From the beginning the end customer required transparent mode for this Juniper, so the end customer gave us one IP address from their LAN, and all interfaces (except one WAN interface for management purposes) are members of this VLAN. This is the scenario:

 

LAN---int 0/3--SRX 210---int 0/7 WAN Juniper SRX end customer

                                     ---int 0/2 LAN Juniper SRX end customer (several host customer point to DG this Juniper)

                                     ---int 0/1 LAN Cisco Inet access (mostly host customer point to this DG)

My first question is if this scenario works without using Zones (see

https://forums.juniper.net/t5/SRX-Services-Gateway/HELP-Client-thinks-he-can-do-without-using-Zones/td-p/84226)

On the other hand, I've tested the application firewall feature, but it seems like AppFW is not working; I tried to block a specific application like YouTube but it doesn't work.

When I connect by TeamViewer to one host and play YouTube, I don't see sessions matched, just an increased number of sessions with appid pending, although the application group is configured:

root@SRX_Montrel> show security application-firewall rule-set my-appfw
Rule-set: my-appfw
Rule: block youtube
Dynamic Applications: junos:YOUTUBE-STREAM, junos:YOUTUBE-COMMENT, junos:YOUTUBE
Dynamic Application Groups: junos:web:multimedia:web-based
<<< Action:deny
Number of sessions matched: 0
Number of sessions redirected: 0
Default rule:permit
Number of sessions matched: 1
Number of sessions redirected: 0
Number of sessions with appid pending: 6<<<<

 

Any idea ?

 

Thanks in advance.

 

SRX 1 interface VPN head end possible?


hello

 

I posted here a while back and now have my VPN configs solid; they are easy and pop right up.

 

I'm doing a dynamic VPN config from SRX 210 to SRX240

 

SRX 210 > internet > FW > SRX 240 >FW > internal network

 

I plan to set ge-0/0/0 as the only interface; this is connected to the firewall. I can SSH to the box and ping this interface.

default route pointed at the firewall

static route pointed to IP space in the st0.1 interface tunnel

 

My VPN tunnel is up and I can see traffic (so can the firewall) coming over the VPN trying to get out.

 

but we can not get the traffic to go into the rest of the network

 

Because I only have one interface, no VLANs are up on the box, and I think this may be the issue (I cannot ping across the tunnel either, and I don't see traffic from the 240 come into the 210 on the st interface).

 

I do not see the encrypted packet count increase when pinging across the tunnel.

 

Do I have to use 2 interfaces? Is there a way to do this with 1 interface only?

 

Thanks upfront for any knowledge.
