Channel: SRX Services Gateway topics

DHCP Pool Exhaustion


Hi

I have an SRX320 running 15.1X49-D70.3 and am struggling to get any useful DHCP information from the box, as you can with a Cisco equivalent.

Simply put, I want to check that the pool has not been exhausted; however, the only meaningful commands to run are:

 

user@SRX> show dhcp server statistics
Packets dropped:
Total 7
Send error 3
No binding found 4

Messages received:
BOOTREQUEST 120659
DHCPDECLINE 17
DHCPDISCOVER 26217
DHCPINFORM 752
DHCPRELEASE 263
DHCPREQUEST 93410
DHCPLEASEQUERY 0
DHCPBULKLEASEQUERY 0

Messages sent:
BOOTREPLY 114861
DHCPOFFER 22805
DHCPACK 86431
DHCPNAK 5625
DHCPFORCERENEW 0
DHCPLEASEUNASSIGNED 0
DHCPLEASEUNKNOWN 0
DHCPLEASEACTIVE 0
DHCPLEASEQUERYDONE 0

Or 'show dhcp server binding'.

Is there a way to check the pool to show available addresses and perhaps conflicts?


Thanks!


SRX110 Best way to open internet ports for a single device


I have a device for which I need to open up a range of internet-facing ports (UDP and TCP). I want to do this in as secure a way as possible (I know opening up ports permanently isn't secure by nature....), but the lack of UPnP means I need to have these ports opened up in the traditional way.

What is my best way to achieve this? Is it best to assign this via a specific physical Fast Ethernet port, or a specific internal IP address? All my devices are currently behind a firewall and NAT. Can I create a zone where this single device can see my internal network and the internet, and have unrestricted incoming services?

I have had a go at this a few times, but always fail. I'm not sure what I am doing wrong. Here is my current configuration. If someone can help with my config, or point me in the right direction, I would very much appreciate it.

https://pastebin.com/raw/T6TV6mVa

Thanks

Security policy place


Hi all,

We have SRX_Main in the main datacenter and SRX_Backup in the backup datacenter.

Traffic from branches to the backup datacenter goes through the main datacenter: Branch router -> SRX_Main -> SRX_Backup.

In that case, where is the right place to put firewall policies (SRX_Main or SRX_Backup) when the destination is in the backup datacenter?

Thanks

traceoptions issue on physical interfaces of SRX345


Hi guys,

I found an issue with traceoptions on the physical interfaces of an SRX345 (JUNOS 15.1X49-D110.4 built 2017-09-08).

I want to record/capture the event log of physical interface status, so the following configuration is set up:

set interfaces traceoptions file interface_status.txt
set interfaces traceoptions file size 10m
set interfaces traceoptions file files 24
set interfaces traceoptions file world-readable
set interfaces traceoptions flag config-states
commit and-quit

Strangely, the interface event status could not be found in "/var/log/interface_status.txt", but was found in "/var/log/messages". Any idea or advice? Thanks.

Also, is there any recommended configuration to trace the event log of a logical interface, such as the GRE interface "gr-0/0/0.10"?

Interface status in "messages":

root@labtest-fw2% cat messages
Nov 15 07:00:00 labtest-fw2 newsyslog[25618]: logfile turned over due to size>100K
Nov 15 07:02:14 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 519, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/7
Nov 15 07:02:14 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName irb.733
Nov 15 07:12:29 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 519, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/7
Nov 15 07:12:29 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 545, ifAdminStatus up(1), ifOperStatus down(2), ifName irb.733
Nov 15 07:12:43 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/1
Nov 15 07:12:43 labtest-fw2 mib2d[1713]: SNMP_TRAP_LINK_DOWN: ifIndex 554, ifAdminStatus up(1), ifOperStatus down(2), ifName gr-0/0/0.40
Nov 15 07:12:44 labtest-fw2 rmopd[1718]: RMOPD_ICMP_SENDMSG_FAILURE: sendmsg(ICMP): Network is down

How do I configure interface traceoptions to record these messages in the traceoptions file "interface.txt"?

traceoption rpm test between two sites...help


Hi guys,

For geographical reasons, I would like to create an RPM service on SRX345s (two sites) to keep pinging between the two sites.

Any advice on how to set up traceoptions in order to record the ping results in terms of RTT and jitter?

Such as my RPM configuration:

=======================
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp probe-type tcp-ping
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp target address 10.10.12.18
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp probe-count 2
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp probe-interval 1
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp test-interval 1
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp destination-port 53201
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp source-address 10.10.12.17
set services rpm probe Probe2018d1-Tp01-Tcp test TestH2018dTcp thresholds successive-loss 2

set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp probe-type udp-ping
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp target address 10.10.12.13
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp probe-count 6
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp probe-interval 3
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp test-interval 3
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp destination-port 53201
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp source-address 10.10.12.14
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp thresholds successive-loss 5
set services rpm probe Probe2013d1-Tp01-Udp test TestH2013dUdp thresholds total-loss 5

For the traceoptions configuration:

=======================

set services rpm traceoptions file RPM_status.txt
set services rpm traceoptions file size 10m
set services rpm traceoptions file files 24
set services rpm traceoptions file world-readable
set services rpm traceoptions flag all

RPM log as below:

==============

SRX1> show log RPM_status.txt
Sep 1 23:51:41 rmop_calc_jitter: rdiff: 4998925, sdiff: 5000898, jitter: -1973
Sep 1 23:51:42 received SIGCHLD, PID: 1789
Sep 1 23:51:42 RMOPD_SIGCHLD: Received SIGCHLD signal
Sep 1 23:51:42 waitpid() returned: No child processes
Sep 1 23:51:43 rmop_calc_jitter: rdiff: 5010840, sdiff: 5002035, jitter: 8805
Sep 1 23:51:46 rmop_calc_jitter: rdiff: 5054230, sdiff: 5003636, jitter: 50594
Sep 1 23:51:46 test_done: sent 5, test 0
Sep 1 23:51:46 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe5120d1Gw7065, pingCtlTestName = TestH5120d0
Sep 1 23:51:46 RTM_CHANGE gencfg for probe Probe5120d1Gw7065, test TestH5120d0 to state PASS
Sep 1 23:51:46 rmop_calc_jitter: rdiff: 5024705, sdiff: 5003303, jitter: 21402
Sep 1 23:51:46 test_done: sent 5, test 15
Sep 1 23:51:46 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe2aGw7065+4129, pingCtlTestName = Test2aGw7065
Sep 1 23:51:46 RTM_CHANGE gencfg for probe Probe2aGw7065+4129, test Test2aGw7065 to state PASS
Sep 1 23:51:48 rmop_calc_jitter: rdiff: 4999952, sdiff: 5000957, jitter: -1005
Sep 1 23:51:51 rmop_calc_jitter: rdiff: 4946028, sdiff: 5001119, jitter: -55091
Sep 1 23:51:51 rmop_calc_jitter: rdiff: 4996843, sdiff: 5001355, jitter: -4512
Sep 1 23:51:53 rmop_calc_jitter: rdiff: 5009813, sdiff: 5002119, jitter: 7694
Sep 1 23:51:53 test_done: sent 5, test 30
Sep 1 23:51:53 PING_TEST_COMPLETED: pingCtlOwnerIndex = Probe2aGw7065+4129, pingCtlTestName = Test2aGw4129
Sep 1 23:51:53 RTM_CHANGE gencfg for probe Probe2aGw7065+4129, test Test2aGw4129 to state PASS

I just want to get the RTT and jitter test results. How should I configure the traceoptions? Thanks a lot.

Keep saving the results of "rpm service"

Question about Application hosting support for the MX and the SRX routers families


Hi experts!

I saw some posts about vMX and how it's deployed to allow Docker support for app hosting, and also the ones about the SRX family's app hosting capabilities. However, I am not 100% clear whether the entire MX and SRX router families have support for app hosting via Docker or any other containers for hosting applications on the box itself.

Do the SRX/MX router families have those capabilities?
I looked at the user guides, but apart from on-box Python scripting, I didn't see that there are options to allow application hosting...

If there is such support, can you please refer me to some documentation about it, so that I'll be able to educate my customers about this?

Thanks,
Tom


SRX WAN interface bandwidth limitation


Hi,

We have an SRX210HE with Junos 11.4R10.
We have connected a 50 Mbps WAN link on the fe-0/0/6 interface, but the total interface bandwidth maxes out at 10 Mbps. There is no limitation configured on the interface.

Please suggest how to fix it. Is there any WAN interface bandwidth limitation matrix for branch SRX?

Regards,

Target..


Problems with ICU upgrade of SRX cluster from version 15.1X49-D45 to version 15.1X49-D190.2


Hello,

I am trying to upgrade SRX340 devices in a chassis cluster using ICU, but I get the following message:

user@SRX340> request system software in-service-upgrade /var/tmp/junos-srxsme-15.1X49-D190.2-domestic.tgz no-sync
WARNING: Not enabled dual root partition on secondary node
         ISSU not allowed

Can someone help me with this problem?

Thanks in advance

Javier

DHCP server not leasing IP if applied filter on the vlan interface where the instance type is forwarding SRX100


Hi,

DHCP stops leasing IPs when I apply the below-mentioned filter to the VLAN interface. My requirement is that all traffic (0.0.0.0/0) from VLAN 20 should go through the VPN tunnel, while the other VLANs' traffic should go out through the untrust interface. Everything works fine, but when I apply the FBF filter, DHCP stops. Do I need to change the instance type to virtual-router and create the DHCP server inside the virtual router to get things working, or is there any other method?


set system services dhcp pool 172.30.10.64/27 address-range low 172.30.10.66
set system services dhcp pool 172.30.10.64/27 address-range high 172.30.10.94
set system services dhcp pool 172.30.10.64/27 default-lease-time 3600
set system services dhcp pool 172.30.10.64/27 name-server 172.30.10.65
set system services dhcp pool 172.30.10.64/27 router 172.30.10.65

set interfaces vlan unit 20 family inet filter input Kochi-TV-Phone

set interfaces vlan unit 20 family inet address 172.30.10.65/27
set firewall filter Kochi-TV-Phone term Route-Over-KKD from source-address 172.30.10.64/27
set firewall filter Kochi-TV-Phone term Route-Over-KKD from destination-address 0.0.0.0/0
set firewall filter Kochi-TV-Phone term Route-Over-KKD then log
set firewall filter Kochi-TV-Phone term Route-Over-KKD then routing-instance Kochi-KKD-Routing-table

set routing-options interface-routes rib-group inet FBF-Group
set routing-options rib-groups FBF-Group import-rib Kochi-KKD-Routing-table.inet.0
set routing-options rib-groups FBF-Group import-rib inet.0

set routing-instances Kochi-KKD-Routing-table instance-type forwarding
set routing-instances Kochi-KKD-Routing-table routing-options static route 0.0.0.0/0 next-hop st0.0

2 Factor / MFA on SRX240 firmware : [12.1X44-D35.5] for remote access dynamic vpns ?


Hi All,

On one of the threads it is mentioned that MFA or 2F is not possible with dynamic VPNs on SRX. The reason given is HTTPS traffic, but this is allowed on the external interface. So what might be the reason? Also, is there any workaround for this?

The setup for the remote access VPN is exactly the same as that specified in the Juniper docs, the primary authenticator being an LDAP server. Hence the idea is to trigger the second authentication to a RADIUS server. Is this possible?

Also, is there a way to get RSA, Pulse Secure and the Juniper SRX 240 set up to have 2F authentication?

Please guide. Thanks.

Juniper SRX-240


Hi All,

I need some help regarding a Juniper SRX-240. The device was working fine. But after a restart, when I try to log in and type "root" then press enter, the following output appears on the CLI.

login: root
Nov 19 04:41:58 last message repeated 9 times
Nov 19 04:41:59 login: login_getclass: unknown class 'junos-login-defaults'
Nov 19 04:41:59 /kernel: cpuid = 0
Nov 19 04:41:59 /kernel: BAD_PAGE_FAULT: pid 1273 (login), uid 0: pc 0x87f6968 got a read fault at 0x466000
Nov 19 04:41:59 /kernel: Trapframe Register Dump:
Nov 19 04:41:59 /kernel: zero: 0000000000000000 at: 00000000088603c0 v0: 0000000000000001 v1: 000000000000ffff
Nov 19 04:41:59 /kernel: a0: 000000000045c120 a1: 0000000000465000 a2: 0000000000001000 a3: 0000000000000000
Nov 19 04:41:59 /kernel: t0: 0000000000466000 t1: 0000000000465000 t2: 0000000000000003 t3: 0000000000000484
Nov 19 04:41:59 /kernel: ta0: 0000000000464000 ta1: 000000000887b030 ta2: 0000000000464000 ta3: 0000000008451dbc
Nov 19 04:41:59 /kernel: t8: 0000000000000000 t9: 00000000087f8590 s0: 000000000000ffff s1: 0000000000465ffe
Nov 19 04:41:59 /kernel: s2: 000000000045c120 s3: 00000000000007ff s4: 000000000000ffff s5: 000000000000ffff
Nov 19 04:41:59 /kernel: s6: 0000000000000008 s7: 0000000000462200 k0: 0000000000000000 k1: 0000000000000000
Nov 19 04:41:59 /kernel: gp: 0000000008883020 sp: 000000003ffecb30 s8: 0000000008817540 ra: 00000000087f68fc
Nov 19 04:41:59 /kernel: sr: 0000000050808cf3 mullo: 00000000000fffff mulhi: 0000000000000fff
Nov 19 04:41:59 /kernel: pc: 00000000087f6968 cause: 0000000000000008 badvaddr: 0000000000466000
Nov 19 04:41:59 /kernel: 96300002 2e020004 14400011 00000000
Nov 19 04:41:59 kmd[1201]: /var/etc/vpn_tunnel.id file not available

Amnesiac (ttyu0)

login:

Can someone help me with this?

OpenVPN is connected but can't reach anything


I have decided to start to get away from the Pulse Secure VPN client and set up my own OpenVPN server on a VPN in my environment, and connect to that using the OpenVPN client.

Now I have been able to set up the server and am able to connect to it from a laptop, BUT I cannot reach anything in my environment.

Is there anything special I have to do to get this to work?

Thanks

Got DHCP set up, but can't get internet - My first Juniper router


I am totally new to Juniper routers. I have mostly had Netgear and Linksys routers, so I am unfamiliar with the terminology. I am a total noob, so bear with me. I have an SRX300 and am trying to set it up on a simple home network. I bumbled my way through using PuTTY. I set up DHCP and computers get a network address just fine. For the life of me I cannot get the internet working!! I have Spectrum and a dynamic IP address. I can ping 8.8.8.8 and the computers show the online icon. I can't ping any websites or visit them. I've been accessing the router through SSH and the web interface through Firefox. Here's my config file. Please help.


## Last changed: 2019-11-24 01:14:32 EST
version 15.1X49-D150.2;
system {
    time-zone EST;
    root-authentication {
        encrypted-password "$5$k4fUdCLb$Kuk.Z./1SYz.UO8bHzqwDyY7mAxvbZVjX/dU/9eoow8";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh;
        netconf {
            ssh;
        }
        dhcp-local-server {
            group jdhcp-group {
                interface irb.0;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    inactive: phone-home {
        server https://redirect.juniper.net;
        rfc-complaint;
    }
}
security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet;
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
access {
    address-assignment {
        pool junosDHCPPool {
            family inet {
                network 192.168.1.0/24;
                range junosRange {
                    low 192.168.1.2;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}

SRX1500 100GB SSD: ¿ could it be replaced by a bigger SSD unit?


Hello team:

A customer published a tender that requests a next-generation firewall cluster.

The SRX1500 family fits almost perfectly, except for the fact that its factory default is a 100GB SSD, whereas the RFP requests at least 200GB of local storage.

Question: Can I buy a third-party 200GB 2.5" SSD and replace the factory-provided 100GB SSD? Will JUNOS be able to address the entire storage?

Your kind answers will be greatly appreciated.

Best regards

Rogelio Alvez

Argentina


SRX 340 default Global policy issue


The problem is that I DO NOT have any global policies or default policies configured. When testing, I find that although I can ping from my trust zone across my VPN, any test ping from VPN to trust fails. This is contrary to my configured policies (see below).


root@dig-srx1.haiti.bitek.com# show security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone vpn {
    policy smnp-colo {
        match {
            source-address any;
            destination-address colo;
            application [ junos-snmp-agentx snmp ];
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy zeroMQ {
        match {
            source-address any;
            destination-address CMngt;
            application CTL;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy NOC {
        match {
            source-address any;
            destination-address NOC;
            application any;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
}
from-zone vpn to-zone trust {
    policy Colo {
        match {
            source-address colo;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy NOC {
        match {
            source-address NOC;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
}
from-zone trust to-zone trust {
    policy interzone {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

 

When looking at the traceoptions output for the inbound check from 192.168.100.1 to 192.168.102.1, we can see that the packet passes my configured policy but fails a second default policy that is listed as a global policy. (This is shown below.)

Nov 25 15:06:54 15:06:53.929207:CID-0:RT: routed (x_dst_ip 192.168.102.1) from vpn (st0.0 in 0) to irb.0, Next-hop: 192.168.102.1
Nov 25 15:06:54 15:06:53.929207:CID-0:RT:flow_first_policy_search: policy search from zone vpn-> zone trust (0x0,0x7d84d,0xd84d)
Nov 25 15:06:54 15:06:53.929207:CID-0:RT:policy lkup: vsys 0 zone(8:vpn) -> zone(6:trust) scope:0
Nov 25 15:06:54 15:06:53.929207:CID-0:RT: 192.168.100.1/2048 -> 192.168.102.1/52529 proto 1
Nov 25 15:06:54 15:06:53.929207:CID-0:RT:policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0
Nov 25 15:06:54 15:06:53.929207:CID-0:RT: 192.168.100.1/2048 -> 192.168.102.1/52529 proto 1
Nov 25 15:06:54 15:06:53.929207:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Nov 25 15:06:54 15:06:53.929207:CID-0:RT: packet dropped, denied by policy
Nov 25 15:06:54 15:06:53.929207:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt

The problem is: how is this default policy in the system? I apparently do not have it configured in my config file; however, it is in the system. I either need to remove it or reorder it. How can this be done?

Thanks in advance

Web Filtering Logs with AD Integration Username and URL fields null


I've been working on some logging we receive on our JSA from the SRXs we manage. Most of the SRXs are 340s. We are using JIMS at our clients, and I've noticed some weird returns from WEBFILTER_URL_PERMITTED and WEBFILTER_URL_BLOCKED. I am seeing a few instances where the users return as: null, null\, unauthenticated-user and unknown-user. Now, unauthenticated-user is pretty self-explanatory, and I believe unknown-user is when the AD integration is unavailable for whatever reason. What I'm a bit confused about is the null\ returns. For example, a raw log (with some PI redacted):

<14>1 2019-11-13T14:59:25.284Z SRX340 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.135 source-address="X.X.X.X" source-port="XX" destination-address="X.X.X.X" destination-port="XX" session-id="158533" application="HTTPS" nested-application="MICROSOFT" category="N/A" reason="BY_FALLBACK_DEFAULT_ACTION" profile="DEFAULT" url="" obj="/" username="null\" roles="N/A" application-sub-category="miscellaneous"]

The other odd return I've seen is where the url is completely blank, which we can see in the above example as well.

Just trying to get to the bottom of what may be causing the null returns. The messages aren't terribly common; I'm just having a tough time finding any documentation on the reason for those different returns.

Thanks!

SRX DHCPd, Option 125 and Mitel Phones


This post isn't a question, more of an answer tying together a bunch of other posts and KB articles that I've been searching through.

Problem:

You have an older SRX series (running DHCPd, the "set system services dhcp" version) and you want to configure DHCP Option 125 (or 43) for handing out boot strings to a Mitel IP phone.

You're tearing your hair out because you keep seeing error messages such as:

byte-stream can have only 254 8-bit unsigned values separated by space

Option 125 must be defined as byte type

Solution:

Take your Mitel boot string, e.g.:

id:ipphone.mitel.com;sw_tftp=192.168.20.240;call_srv=192.168.5.10;

and convert it to decimal using one of the many online tools available, e.g. https://www.asciitohex.com

Take the resulting decimal string and add it to your DHCP option 125 as a byte-stream, e.g.:

set system services dhcp pool 192.168.150.0/24 option 125 byte-stream "105 100 58 105 112 112 104 111 110 101 46 109 105 116 101 108 46 99 111 109 59 115 119 95 116 102 116 112 61 49 57 50 46 49 54 56 46 50 48 46 50 52 48 59 99 97 108 108 95 115 114 118 61 49 57 50 46 49 54 56 46 53 46 49 48 59"

and commit.

Problem solved!
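The conversion above can be done offline and checked before pasting it into the CLI. This is an added example, not code from the original post or from Juniper: it encodes a boot string into the space-separated decimal form the legacy DHCPd byte-stream syntax expects, enforces the 254-value limit quoted in the error message, decodes a stream back to text for verification, and renders the full "set system services dhcp pool ... option N byte-stream" line (the same routine applies to option 43). The helper names are my own.

```python
"""Encode a Mitel boot string as a Junos DHCPd byte-stream option and verify it."""

# Limit quoted in the DHCPd error message: at most 254 8-bit values per byte-stream.
MAX_BYTE_STREAM_VALUES = 254


def boot_string_to_byte_stream(boot_string: str) -> str:
    """Return the boot string as space-separated decimal ASCII codes.

    Raises ValueError if the string is not plain ASCII or would exceed the
    254-value limit that the DHCPd CLI enforces for byte-stream options.
    """
    try:
        raw = boot_string.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("boot string must be plain ASCII") from exc
    if len(raw) > MAX_BYTE_STREAM_VALUES:
        raise ValueError(
            f"boot string is {len(raw)} bytes; a byte-stream allows at most "
            f"{MAX_BYTE_STREAM_VALUES} values"
        )
    return " ".join(str(b) for b in raw)


def fits_byte_stream(boot_string: str) -> bool:
    """True when the boot string can be expressed as a single byte-stream option."""
    return boot_string.isascii() and len(boot_string) <= MAX_BYTE_STREAM_VALUES


def byte_stream_to_text(byte_stream: str) -> str:
    """Decode a byte-stream value back to text, checking each value is 0-255."""
    values = [int(tok) for tok in byte_stream.split()]
    bad = [v for v in values if not 0 <= v <= 255]
    if bad:
        raise ValueError(f"values outside 0-255 in byte-stream: {bad}")
    return bytes(values).decode("ascii")


def dhcp_option_command(pool: str, option: int, boot_string: str) -> str:
    """Render the legacy DHCPd set command for the given pool and option number."""
    stream = boot_string_to_byte_stream(boot_string)
    return (
        f"set system services dhcp pool {pool} option {option} "
        f'byte-stream "{stream}"'
    )


if __name__ == "__main__":
    # Boot string and pool taken from the post above.
    mitel = "id:ipphone.mitel.com;sw_tftp=192.168.20.240;call_srv=192.168.5.10;"
    print(dhcp_option_command("192.168.150.0/24", 125, mitel))
    # Round trip: decoding the generated stream must give back the boot string.
    assert byte_stream_to_text(boot_string_to_byte_stream(mitel)) == mitel
```

Decoding the stream before committing catches a mistyped value, which the CLI only reports as a type error rather than as the wrong server address being handed to every phone.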

Are multiple access profiles for dynamic VPN possible on SRX?


Hi All,

Can multiple dynamic VPN access profiles be configured on the SRX 240 firewall? There is already an in-production remote access dynamic VPN setup that uses LDAP authentication for users. We would like to create another VPN profile and have a RADIUS server as the authenticator for one single user (as this is just a test environment). Is this possible on the SRX 240 firewall? If not, then within the existing VPN config, can a single username be added in such a way that this user is authenticated by the RADIUS server and not LDAP?

Source-Nat disable query


Hi All,

All traffic from the trust zone to the internet is set to source-nat "interface", thus it gets NATted to the public IP. I want to disable this common NATting for all traffic types and have custom static NAT rules for specific user subnets, but at the same time retain the source-nat interface for other traffic types. I intend to do this by putting in the below commands:

set rule NAT-OFF match source-address 10.X.20.0/22
set rule NAT-OFF match destination-address 0.0.0.0/0
set rule NAT-OFF then source-nat off ----------------------------- This should turn off the source-interface NAT

and put in the below commands for each user subnet residing on different sites:

set security nat static rule-set Libpublicip from zone trust to zone untrust
set security nat static rule-set Libpublicip rule Libpublicip match source-address 10.X.20.0/24
set security nat static rule-set Libpublicip rule Libpublicip then static-nat prefix <public ip>
set proxy-arp interface ge-0/0/15.0 address <public ip>

Then I assume that static NAT will continue to work as configured irrespective of the source NAT being turned off as above?

Please guide.
