Channel: SRX Services Gateway topics

Fortigate 800C - SRX 240 ike problem


Hi,

 

I'm trying to configure a VPN between a Fortigate 800C and an SRX 240 in a test environment (the same subnet for the WAN interfaces). I have a problem with IKE:

 

Juniper:

 show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2842773 DOWN f819d2c735939f64 a267c13f16767608 Any A.B.C.24

 

Fortigate:

 diagnose vpn ike gateway
name: VPN-SRX
version: 1
interface: wan1 5
addr: A.B.C.24:500 -> A.B.C.25:500
created: 6s ago
auto-discovery: 0
IKE SA: created 1/1
IPsec SA: created 0/0

id/spi: 375 82b42b5847a79362/0000000000000000
direction: responder
status: connecting, state 3, started 6s ago

 

SRX debug:

[Nov 14 19:07:46]ike_free_sa: Start
[Nov 14 19:07:47]ikev2_packet_allocate: Allocated packet dc0400 from freelist
[Nov 14 19:07:47]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Nov 14 19:07:47]ike_get_sa: Start, SA = { dac663eb 94378770 - 00000000 00000000 } / 00000000, remote = A.B.C.24:500
[Nov 14 19:07:47]ike_sa_allocate: Start, SA = { dac663eb 94378770 - 0ccc7df7 e063728a }
[Nov 14 19:07:47]ike_init_isakmp_sa: Start, remote = A.B.C.24:500, initiator = 0
[Nov 14 19:07:47]ike_decode_packet: Start
[Nov 14 19:07:47]ike_decode_packet: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f} / 00000000, nego = -1
[Nov 14 19:07:47]ike_decode_payload_sa: Start
[Nov 14 19:07:47]ike_decode_payload_t: Start, # trans = 1
[Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = 4048b7d5 6ebce885 ...
[Nov 14 19:07:47]ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
[Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
[Nov 14 19:07:47]ike_st_i_sa_proposal: Start
[Nov 14 19:07:47]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Nov 14 19:07:47]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg e06800)
[Nov 14 19:07:47]ike_isakmp_sa_reply: Start
[Nov 14 19:07:47]ike_state_restart_packet: Start, restart packet SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = -1
[Nov 14 19:07:47]ike_st_i_sa_proposal: Start
[Nov 14 19:07:47]ike_st_i_cr: Start
[Nov 14 19:07:47]ike_st_i_cert: Start
[Nov 14 19:07:47]ike_st_i_private: Start
[Nov 14 19:07:47]ike_st_o_sa_values: Start
[Nov 14 19:07:47]A.B.C.25:500 (Responder) <-> A.B.C.24:500 { dac663eb 94378770 - 0c97b2f3 dd18068f [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
[Nov 14 19:07:47]ike_alloc_negotiation: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}
[Nov 14 19:07:47]ike_encode_packet: Start, SA = { 0xdac663eb 94378770 - 0c97b2f3 dd18068f } / d4330be2, nego = 0
[Nov 14 19:07:47]ike_send_packet: Start, send SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = 0, dst = A.B.C.24:500,  routing table id = 0
[Nov 14 19:07:47]ike_delete_negotiation: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = 0
[Nov 14 19:07:47]ike_free_negotiation_info: Start, nego = 0
[Nov 14 19:07:47]ike_free_negotiation: Start, nego = 0
[Nov 14 19:07:47]IKE negotiation fail for local:A.B.C.25, remote:A.B.C.24 IKEv1 with status: No proposal chosen
[Nov 14 19:07:47]  IKEv1 Error : No proposal chosen

Fortigate debug:

ike 0:VPN-SRX-PL: schedule auto-negotiate
ike 0:VPN-SRX-PL: auto-negotiate connection
ike 0:VPN-SRX-PL: created connection: 0x399fb00 5 A.B.C.24->A.B.C.25:500.
ike 0:VPN-SRX-PL:383: initiator: main mode is sending 1st message...
ike 0:VPN-SRX-PL:383: cookie 04dc6135a7b58c34/0000000000000000
ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
ike 0:VPN-SRX-PL:383: sent IKE msg (ident_i1send): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
ike 0: comes A.B.C.25:500->A.B.C.24:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=04dc6135a7b58c34/b68f181de8ae682f:18ad0f9b len=102
ike 0: in 04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E04DC6135A7B58C34B68F181DE8AE682F800C000100060022436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C80080000
ike 0:VPN-SRX-PL:383: ignoring unsupported INFORMATIONAL message 0.
ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
ike 0:VPN-SRX-PL:383: sent IKE msg (P1_RETRANSMIT): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
ike 0:VPN-SRX-PL:383: sent IKE msg (P1_RETRANSMIT): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
ike 0: comes A.B.C.25:500->A.B.C.24:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=04dc6135a7b58c34/b68f181de8ae682f:18ad0f9b len=102
ike 0: in 04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E04DC6135A7B58C34B68F181DE8AE682F800C000100060022436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C80080000
ike 0:VPN-SRX-PL:383: ignoring unsupported INFORMATIONAL message 0.
ike 0:VPN-SRX-PL:383: negotiation timeout, deleting
ike 0:VPN-SRX-PL: connection expiring due to phase1 down

 

I've tried with compatible proposals and manually selecting some of them.

 

Current p1 for SRX:

authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;

 

Current p1 for Fortigate:

 

edit "VPN-SRX"
set interface "wan1"
set proposal aes128-sha1
set dhgrp 2
set nattraversal disable
set remote-gw A.B.C.25
set psksecret ENC qtJ/743mzf[cut]8nsg==
next

 

I'm new to Fortinet.

Maybe someone has experience with connecting these boxes?

 

Regards, Kacper
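As an added worked example (not part of the post, and not FortiGate or Juniper code), the following Python decodes the two ISAKMP packets the FortiGate debug above prints in hex: the first main-mode message it sent, and the informational reply from the SRX. It walks the payload chain, decodes the phase-1 transform attributes of the SA payload using the RFC 2409 attribute classes, and decodes the notification payload including the vendor text. Treating the bytes after the notification SPI as ISAKMP-style attributes is an assumption based on how they lay out; the sample hex is copied from the debug in the post.

```python
import struct

# Constructed sample input: the two ISAKMP packets quoted from the FortiGate debug in
# the post, split at payload boundaries for readability (the bytes are unchanged).
FORTIGATE_MSG1_HEX = (
    "04DC6135A7B58C34" "0000000000000000" "01" "10" "02" "00" "00000000" "000000AC"  # ISAKMP header
    "0D00003C" "00000001" "00000001"        # SA payload header, DOI, situation
    "00000030" "01010001"                   # proposal 1, protocol ISAKMP, no SPI, 1 transform
    "00000028" "01010000"                   # transform 1, id KEY_IKE
    "800B0001" "000C000400015180" "80010007" "800E0080" "80030001" "80020002" "80040002"
    "0D000014" "AFCAD71368A1F1C96B8696FC77570100"      # four vendor-ID payloads
    "0D000014" "4048B7D56EBCE88525E7DE7F00D6C2D3"
    "0D000018" "4048B7D56EBCE88525E7DE7F00D6C2D3C0000000"
    "00000014" "8299031757A36082C6A621DE00050428"
)
SRX_REPLY_HEX = (
    "04DC6135A7B58C34" "B68F181DE8AE682F" "0B" "10" "05" "00" "18AD0F9B" "00000066"
    "0000004A" "00000001" "01" "10" "000E"  # notification payload: DOI, proto, SPI size, type
    "04DC6135A7B58C34B68F181DE8AE682F"      # SPI = both cookies
    "800C0001" "00060022"
    "436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C" "80080000"
)

HEADER_LEN = 28
PAYLOAD_SA, PAYLOAD_NOTIFY, PAYLOAD_VID = 1, 11, 13
EXCHANGE_NAMES = {2: "main mode", 4: "aggressive mode", 5: "informational"}
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
# IKEv1 phase-1 transform attribute classes and common values (RFC 2409 Appendix A).
ATTR_CLASSES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
                11: "life_type", 12: "life_duration", 14: "key_length"}
NAMED_VALUES = {"encryption": {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
                "hash": {1: "MD5", 2: "SHA1", 4: "SHA2-256"},
                "auth_method": {1: "pre-shared-key", 3: "RSA-signature"},
                "life_type": {1: "seconds", 2: "kilobytes"}}


def parse_header(data):
    icookie, rcookie, np, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next_payload": np,
            "version": (ver >> 4, ver & 0xF), "exchange": exch,
            "exchange_name": EXCHANGE_NAMES.get(exch, "other"), "flags": flags,
            "msg_id": msg_id, "length": length}


def parse_attributes(body):
    """ISAKMP data attributes: TV form (high bit set, 2-byte value) or TLV form (length, value bytes)."""
    attrs, off = {}, 0
    while off + 4 <= len(body):
        kind, val = struct.unpack("!HH", body[off:off + 4])
        if kind & 0x8000:
            attrs[kind & 0x7FFF], off = val, off + 4
        else:
            attrs[kind], off = body[off + 4:off + 4 + val], off + 4 + val
    return attrs


def walk_payloads(data, first_type):
    """Follow the next-payload chain; each generic payload header is next, reserved, length."""
    off, ptype, out = HEADER_LEN, first_type, []
    while ptype != 0 and off + 4 <= len(data):
        next_type, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("payload length %d at offset %d runs past the packet" % (plen, off))
        out.append((ptype, data[off + 4:off + plen]))
        ptype, off = next_type, off + plen
    return out


def parse_sa(body):
    """Return one dict per transform with its phase-1 attributes decoded to names."""
    transforms, off = [], 8  # skip DOI and situation
    while off + 8 <= len(body):
        _np, _res, plen, pnum, _proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _tnp, _tres, tlen, tnum, tid, _r = struct.unpack("!BBHBBH", body[toff:toff + 8])
            t = {"proposal": pnum, "transform": tnum, "transform_id": tid}
            for cls, val in parse_attributes(body[toff + 8:toff + tlen]).items():
                name = ATTR_CLASSES.get(cls, "attr-%d" % cls)
                if isinstance(val, bytes):  # TLV values such as the 4-byte lifetime arrive as bytes
                    val = int.from_bytes(val, "big")
                t[name] = NAMED_VALUES.get(name, {}).get(val, val)
            transforms.append(t)
            toff += tlen
        off += plen
    return transforms


def parse_notify(body):
    _doi, _proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    spi, extra = body[8:8 + spi_size], body[8 + spi_size:]
    # Assumption: the bytes after the SPI lay out as ISAKMP attributes; the TLV one carries text.
    text = ""
    for val in parse_attributes(extra).values():
        if isinstance(val, bytes):
            text = val.decode("ascii", "replace")
    return {"type": ntype, "name": NOTIFY_NAMES.get(ntype, "type-%d" % ntype),
            "spi": spi.hex(), "text": text}


def parse_message(hexstr):
    data = bytes.fromhex(hexstr)
    hdr = parse_header(data)
    if hdr["length"] != len(data):
        raise ValueError("header says %d bytes, got %d" % (hdr["length"], len(data)))
    msg = {"header": hdr, "transforms": [], "notifications": [], "vendor_ids": []}
    for ptype, body in walk_payloads(data, hdr["next_payload"]):
        if ptype == PAYLOAD_SA:
            msg["transforms"].extend(parse_sa(body))
        elif ptype == PAYLOAD_NOTIFY:
            msg["notifications"].append(parse_notify(body))
        elif ptype == PAYLOAD_VID:
            msg["vendor_ids"].append(body.hex())
    return msg


if __name__ == "__main__":
    for label, h in (("FortiGate -> SRX", FORTIGATE_MSG1_HEX), ("SRX -> FortiGate", SRX_REPLY_HEX)):
        m = parse_message(h)
        print(label, m["header"]["exchange_name"], m["transforms"], m["notifications"])
```

Running it shows that the FortiGate offered AES-CBC with a 128-bit key, SHA1, pre-shared-key authentication, DH group 2 and an 86400-second lifetime, the same values as the SRX phase-1 proposal quoted in the post, and that the SRX answered with notify type 14, NO-PROPOSAL-CHOSEN, carrying the text "Could not find acceptable proposal". Decoding the on-the-wire proposal this way separates what a peer actually sent from what its configuration screen says, which is the first thing to establish when two vendors disagree on a proposal.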


Limited download but no affect streaming with firewall policer


Regarding firewall filters and policers on the SRX: I would like to ask what the proper configuration is if downloads inside the 192.168.200.0/24 subnet are limited to 128k, but YouTube streaming at 720p or 1080p is not affected. Can the SRX do this? When I try the attached configuration, as follows, I do not get the expected results described above; both downloading and YouTube streaming end up limited to 128k.

 

 

policy-statement and from rib matching


Hi,

 

Is there a reason this policy doesn't work?

 

prefix-list routes-from-main {
    1.1.1.0/24;
}

policy-statement accept-from-main {
    term ok {
        from {
            rib inet.0;
            prefix-list routes-from-main;
        }
        then accept;
    }
    term reject-rest {
        then reject;
    }
}

 

Basically I wanted to import a route from inet.0 to another routing instance.

 

Importing routes from one routing instance to another (or even to inet.0) works with the from instance statement:

prefix-list routes-from-test-vr {
    1.1.1.0/24;
}
policy-statement accept-from-test-vr {
    term ok {
        from {
            instance test-vr;
            prefix-list routes-from-test-vr;
        }
        then accept;
    }
    term reject-rest {
        then reject;
    }
}
test2-vr {
    instance-type virtual-router;
    interface lo0.1;
    routing-options {
        instance-import accept-from-test-vr;
    }
}

What does the from rib statement match anyway, and how does it compare to from instance matching?

 

Is there a way to make the from rib statement work, or will I have to resort to rib-groups?

How to solve that several VR can access the same reth0 vlan for untrust


I have several VRs on an SRX.

The untrust is on reth0 vlan 10

But I can't create reth0 unit 10 vlan-id 10 and at the same time unit 11 vlan-id 10 to hook these up to different VRs.

Any suggestion on how to design this?

 

Since I have production running on VR1, I don't really want to do a major redesign on that one :x

One solution I can see is to hook up vlan 10 on another reth interface to the same switch segment. Not that pretty but it might work.

 

//Rob

routing instance and ospf


Hello! I'm trying to configure OSPF on an SRX100 with a routing instance enabled; everything works fine between devices without a routing instance.

 

show routing-instances 
cifra1 {
    instance-type virtual-router;
    interface st0.0;
    interface st0.4;
    interface st0.8;
    interface vlan.1;
    routing-options {                   
        interface-routes {              
            rib-group inet cifra1;      
        }                               
        static {                        
            route 0.0.0.0/0 next-hop 212.152.36.217;
            route 172.17.0.0/16 next-hop 192.168.9.3;
            route 192.168.10.0/24 next-hop st0.8;
            route 192.168.11.0/24 next-hop st0.4;
        }                               
    }                                   
    protocols {                         
        ospf {                          
            rib-group cifra1;           
            area 0.0.0.0 {              
                interface st0.4;        
                interface st0.8;        
                interface vlan.1;                    
            }                           
        }                               
    }                                   
} 

All protocols are allowed in trust zone.

 

But

run show ospf neighbor instance cifra1  

is empty.

 

run show ospf interface instance cifra1   
Interface           State   Area            DR ID           BDR ID          Nbrs
st0.4               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            0
st0.8               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            0
vlan.1              DR      0.0.0.0         10.12.31.1      0.0.0.0            0
vlan.1              DR      0.0.0.0         10.12.31.1      0.0.0.0            0

Any ideas why?

Transparent mode support SRX340 or not


Hi Guys,

 

I am new to Juniper firewalls. I have a Juniper SRX340 firewall (Junos 15.1X49-D45) and am trying to configure it in transparent mode. Does this series support transparent mode, or should I go with mixed L2 and L3 mode (switch and NAT)?

 

 

Thanks

Brijmohan

ipsec VPN is up, but not passing data


Hello!

The IPsec VPN is up, but it is not passing data. I tried KB 10093, but no luck.

IPsec SAs are listed on both devices:

no:

run show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 4b8ee27d 3527/ unlim   U   root 500   217.12.253.226
  >131073 ESP:3des/sha1 9973f3e1 3527/ unlim   U   root 500   217.12.253.226

tco:

show security ipsec security-associations
  Total active tunnels: 3
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:3des/sha1 2f9a9ed  3587/ unlim   U   root 500   83.234.107.110
  >131074 ESP:3des/sha1 26c5a0c0 3587/ unlim   U   root 500   83.234.107.110

Routes configured:

no:

show route 172.17.20.28                                                             

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.17.20.0/24     *[Static/5] 00:01:44
                    > via st0.0

tco: 

show route 192.168.18.33                                                                  

inet.0: 100 destinations, 101 routes (100 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.18.0/24    *[Static/5] 00:00:31
                    > via st0.1

rt-cifra1-all.inet.0: 21 destinations, 22 routes (21 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/100] 3w3d 04:39:54
                    > to 213.167.60.117 via fe-0/0/1.0

Tunnel interfaces are in the "trust" zone and traffic is permitted on both devices.

no:

LAN {
    address TCO-admin-net 172.17.20.0/24;
    address NO-LAN 192.168.18.0/24;
    address PBX 172.17.22.0/24;
    address-set LAN-set {
        address TCO-admin-net;
        address PBX;
    }
    attach {
        zone trust;
    }
}

and policy:

show security policies from-zone trust to-zone trust 
policy from-NO {
    match {
        source-address NO-LAN;
        destination-address LAN-set;
        application any;
    }
    then {
        permit;
    }
}
policy to-NO {
    match {
        source-address LAN-set;
        destination-address NO-LAN;
        application any;
    }
    then {
        permit;
    }
}

The tco device is pretty much the same, but has a firewall rule for policy-based routing:

filter FILTER1 {
    term pod-allow {
        from {
            destination-address {
                192.168.0.0/16;
            }
        }
        then accept;
    }
    term mgmt-allow {
        from {
            destination-address {
                172.16.0.0/12;
            }
        }
        then accept;
    }
    term TERM-test {
        from {
            source-address {
                172.17.20.28/32;
            }
        }                               
        then {                          
            routing-instance rt-cifra1-test;
        }                               
    }                                   
    term default {                      
        then {                          
            routing-instance rt-cifra1-all;
        }                               
    }                                   
}

But it shouldn't affect VPN traffic.

I am stuck. :(

Transparent mode: Redundant connection between Juniper SRX340 and Cisco Catalyst Switch


Hi Juniper Community,

 

I am unable to connect the SRX340 in transparent mode via LACP to a Cisco Catalyst Switch.

AFAIK it is not possible to use LACP; instead, static LAGs should be used.

 

Maybe some of you have already been able to configure an SRX in transparent mode and can help with some insight:

 

How do I have to configure the Cisco Catalyst Switch and the SRX340 in order to establish a redundant connection between the two devices in transparent mode?

 

thx in advance...


Bug? Sometimes the DHCP IP is wrong for the client when I move a client from one VLAN ID to another VLAN ID (using JDHCP)


SRX240H2 -- JUNOS 12.3X48-D30.7

 

Example:

I plugged my laptop into vlan14, where the pool is 192.168.14.0/23, so it gets the right DHCP IP.

Then

I plugged the same laptop into vlan2, where the pool is 192.168.2.0/24, and the result:
the DHCP IP is wrong (it stays on the vlan14 pool) while the gateway is correct, 192.168.2.1. The laptop should be in client pool "LAN2".

 

I had similar behavior with 2 other laptops.

 

[Screenshots attached to the post: Screen Shot 2016-11-17 at 16.07.00.png, Screen Shot 2016-11-17 at 16.08.22.png]

 

 

 

Configuration for vlan2 and vlan14 only:

dhcp-local-server {
    group JDHCP {
        interface vlan.14;
        interface vlan.2;
    }
}

access {
    address-assignment {
        pool LAN14-15 {
            family inet {
                network 192.168.14.0/23;
                range dhcprange {
                    low 192.168.14.10;
                    high 192.168.14.254;
                }
                dhcp-attributes {
                    maximum-lease-time 3600;
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.14.1;
                    }
                    propagate-settings vlan.14;
                }
            }
        }
        pool LAN2 {
            family inet {
                network 192.168.2.0/24;
                range dhcprange {
                    low 192.168.2.50;
                    high 192.168.2.152;
                }
                dhcp-attributes {
                    maximum-lease-time 3600;
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.2.1;
                    }
                    propagate-settings vlan.2;
                }
        
            }
        }
    }
}


security {
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.2;
                vlan.14;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        description LAN;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ 2 14 ];
                }
            }
        }
    }
    vlan {
        unit 2 {
            family inet {
                address 192.168.2.2/24 {
                    vrrp-group 2 {
                        virtual-address 192.168.2.1;
                        priority 200;
                        preempt {
                            hold-time 10;
                        }
                        accept-data;
                        authentication-type md5;
                        authentication-key "XXXXXXXXXXXX";
                        track {
                            route 0.0.0.0/0 routing-instance default priority-cost 60;
                        }
                    }
                }
            }
        }
        unit 14 {
            family inet {
                address 192.168.14.2/23 {
                    vrrp-group 14 {
                        virtual-address 192.168.14.1;
                        priority 200;
                        preempt {
                            hold-time 10;
                        }
                        accept-data;
                        authentication-type md5;
                        authentication-key "XXXXXX"; ## SECRET-DATA
                        track {
                            route 0.0.0.0/0 routing-instance default priority-cost 60;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    GUEST2 {
        vlan-id 2;
        l3-interface vlan.2;
    }
    GUESTS14 {
        vlan-id 14;
        l3-interface vlan.14;
    }
}

Any suggestions?


VPN failed with SRX300 and SRX100


Dears, 

 

I have a new site where I am installing an SRX300 and building a VPN connection to the old site. But the VPN has failed.

 

From the command show security ike security-associations, the state is DOWN.

 

The attachment has the 2 SRX configs (config.txt).

 

Many Thx

 

THE-O

Which contract service do I need for SRX, if any?


Hi -

 

I am about to order some SRX340s (hardware + software licence), but there is one piece of information I am not able to get. Do I need a service contract and, if so, what is the minimal one necessary to let me upgrade the software of my SRX? What reference number should I then ask my retailer for? Don't know if that matters, but I'm from France. Thanks in anticipation.

 

Olivier

Add DMZ on single IP


Hi, I'm trying to add a DMZ zone on LAN port 2, local IP 192.168.5.180.

 

Here is my test:

 

version 12.1X46-D55.3;
system {
host-name JuniperSRX210;
time-zone Europe/Rome;
root-authentication {
encrypted-password "password/";
}
name-server {
8.8.8.8;
8.8.4.4;
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.5.1;
}
pool 192.168.5.1/24 {
address-range low 192.168.5.110 high 192.168.5.250;
}
propagate-settings ge-0/0/0.0;
}
dynamic-dns {
client address.domain.com {
server dyndns;
agent dyndns;
username name;
password "password";
interface pp0.0;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-dmz;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
at-1/0/0 {
encapsulation ethernet-over-atm;
atm-options {
vpi 8;
}
dsl-options {
operating-mode auto;
}
unit 0 {
encapsulation ppp-over-ether-over-atm-llc;
vci 8.35;
}
}
pp0 {
traceoptions {
flag all;
}
unit 0 {
point-to-point;
ppp-options {
pap {
default-password "sometext";
local-name Ispname;
local-password "password";
passive;
}
}
pppoe-options {
underlying-interface at-1/0/0.0;
client;
}
no-keepalives;
family inet {
negotiate-address;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 {
next-hop pp0.0;
metric 0;
}
}
}
security {
address-book {
global {
address server-qnap 192.168.5.60/32;
address server-netgear 192.168.5.70/32;
address server-denon 192.168.5.100/32;
address server-ps4 192.168.5.80/32;
}
}
alg {
ftp ftps-extension;
mgcp disable;
rsh;
sccp disable;
sip {
disable;
application-screen {
unknown-message {
permit-nat-applied;
}
}
traceoptions {
flag all;
}
}
}
flow {
tcp-mss {
all-tcp {
mss 1350;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set dmz_to_untrust {
from zone dmz_zone;
to zone untrust;
rule dmz-source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool nat-pool-qnap-51413 {
address 192.168.5.60/32 port 51413;
}
pool nat-pool-qnap-57532 {
address 192.168.5.60/32 port 57532;
}
pool nat-pool-qnap-9091 {
address 192.168.5.60/32 port 9091;
}
pool nat-pool-qnap-3306 {
address 192.168.5.60/32 port 3306;
}
pool nat-pool-netgear-21 {
address 192.168.5.70/32 port 21;
}
pool nat-pool-netgear-51414 {
address 192.168.5.70/32 port 51414;
}
pool nat-pool-denon-80-47313 {
address 192.168.5.100/32 port 80;
}
rule-set main-rule-set {
from zone untrust;
rule qnap-51413 {
match {
destination-address 0.0.0.0/0;
destination-port 51413;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap-51413;
}
}
}
}
rule qnap-57532 {
match {
destination-address 0.0.0.0/0;
destination-port 57532;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap-57532;
}
}
}
}
rule qnap-9091 {
match {
destination-address 0.0.0.0/0;
destination-port 9091;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap-9091;
}
}
}
}
rule qnap-3306 {
match {
destination-address 0.0.0.0/0;
destination-port 3306;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap-3306;
}
}
}
}
rule netgear-21 {
match {
destination-address 0.0.0.0/0;
destination-port 21;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-netgear-21;
}
}
}
}
rule netgear-51414 {
match {
destination-address 0.0.0.0/0;
destination-port 51414;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-netgear-51414;
}
}
}
}
rule denon-80-47313 {
match {
destination-address 0.0.0.0/0;
destination-port 47313;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-denon-80-47313;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone dmz_zone to-zone untrust {
policy vlan-dmz-to-untrust {
match {
source-address any;
destination-address server-ps4;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy server-access {
match {
source-address any;
destination-address [ server-qnap server-netgear server-denon ];
application any;
}
then {
permit;
}
}
}
}
traceoptions {
file flowtrace size 10m world-readable;
}
zones {
security-zone dmz-zone {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.1
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
at-1/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
pp0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
vlan-dmz {
vlan-id 2;
l3-interface vlan.1;
}
}

But it's rejected on the CLI:

 

"The configuration could not be un-locked.

Error(s):
1) syntax error
2) error recovery ignores input until this point
3) syntax error

Warning(s):
1) vlans
2) }
3) }"

 

Can someone help me?

Thanks.

10 minutes downtime while Primary node boots up after power off/power failure


We have an SRX1400 cluster running JUNOS Software Release [12.3X48-D35.7]. I was running some failover test cases. In one of the cases, when we power off the primary node, the failover works fine, but after powering on the primary node, a few minutes later (6 minutes to be precise), the traffic stops between the zones for almost 10 minutes and then the cluster comes back to normal operation.

 

I also tried removing the "preempt" parameter, but the results were the same. Please let me know how to eliminate this downtime.

 

Regards

Log dropped packets to rsyslog


When running show security flow statistics we see the dropped packets.


root@fw1.phl> show security flow statistics
Current sessions: 351
Packets forwarded: 15168819
Packets dropped: 157887
Fragment packets: 0

 

I know I can log these to a file, but we don't want to fill up the space on the device. How would we go about logging it to a remote rsyslog server?

VLAN for WiFi with DHCP


This is really basic, I am sure. Normally I would try to figure it out on my own but do not have the luxury of time.

I have an SRX300 with no specified VLANs, just the default:


root@HSRX300# run show vlans

Routing instance        VLAN name       Tag        Interfaces
default-switch                 default                 1

 

I would like a VLAN for guest WiFi and have the SRX also serve a DHCP range to this VLAN.

 

I've seen a few examples, but each seems to not quite apply, or has a few mistakes that must later be corrected, etc.

Thanks in advance.


NAT64 lan to wan


I'm trying to NAT64 my internal LAN IPv6 network to the Internet which only supports IPv4. Any ideas on where to start?

Traffic logging on srx branch series


Hi,

I'm trying to log all traffic information for a specific device when it accesses the internet on my SRX branch series network, but when I run the "show log traffic-log" command the log file is empty.

 

Here's my current config for the logs:

set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
set security policies from-zone trust to-zone untrust policy default-permit match source-address Desktop123
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit then log session-init
set security policies from-zone trust to-zone untrust policy default-permit then log session-close

 

I even tried changing the source-address to any with "set security policies from-zone trust to-zone untrust policy default-permit match source-address any" but I am still unable to get any log information.

 

Can anyone tell me what I am doing wrong?

Thanks!

SRX100 and BT infinity problem


Hello everyone, I’ve been trying to configure my SRX100 for almost 2 weeks and can’t find a solution to my problem. Here is my setup:

 

BT Openreach modem (BT infinity broadband) -->srx100 -->LAN with 1 physical server and 6 VMs

 

I have been given a block of IP addresses from BT:

  • network address: XXX.142.86.40
  • router/Hub address: XXX.142.86.46
  • subnet mask: 255.255.255.248
  • block: xxx.142.86.41 - xxx.142.86.45

I configured the public-facing interface on the SRX100 to be xxx.142.86.45/29 and also created nat-src and nat-dest rules. Config file attached.

 

PROBLEM:

I can access the internet and DNS resolution works fine, but I can’t get my ‘incoming services’ to work. I want to be able to connect to one of my internal servers (192.158.1.225) via PPTP, but currently I am unable to make this work. I need to be able to route my emails to the Exchange server too, but because I can’t connect via VPN I assume that all the other forwarded ports are not working either. I checked the config hundreds of times and I’m pretty sure the problem is with the nat-dest policy/rule/address pool, as I can access the Internet fine from the internal network.

 

Can someone tell me if I assigned the IP addresses to the public interface correctly, or whether I messed up something with the nat-dest rules?

 

Also, I checked the internal RRAS server and I can connect via VPN locally, so there is no problem there. Also (you might think it's silly, but I'm trying everything here), I added two IP addresses for my RRAS server (the dial-up VPN address and the interface address) to make sure the problem isn’t with the internal server. I checked the logs on my RRAS server hundreds of times and nothing is being logged there when I try to connect from another location using the xxx.142.86.45 IP address. The logs are not showing anything on my SRX100 either, so maybe this is something you can help with too. I tried clearing the space on the SRX, but still nothing is shown in the policy log when viewing it via the web browser.

 

I have a customer who has a very similar infrastructure (also with BT), and this config works like a charm for them.

 

PLEASE HELP! I am pulling my hair out!

Policy based vpn up but no traffic


Hi,

 

SRX-to-Zyxel scenario.

 

I cannot get the traffic flow working over a policy-based VPN.

 

The VPN is up, both IKE and IPsec.

The policy and the reverse policy are configured.

When viewing the statistics for the IPsec ID, it shows "Encrypted" but no "Decrypted":

ESP Statistics:
  Encrypted bytes:            52740
  Decrypted bytes:                0
  Encrypted packets:            423
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

When pinging the server on the other side we can see "Encrypted" incrementing.

 

We were troubleshooting this and tried to trace the traffic towards the server across the VPN, but it went to the internet.

We created a source NAT rule with "source nat off", and now it simply dies at the firewall, meaning it goes into the tunnel?!

 

Anyway, no ping response from the other side, which should be allowed.

 

Checking the matching policy while pinging from the SRX side to the Zyxel side:

run show security flow session destination-prefix 192.168.75.5/32
Session ID: 10408, Policy name: vpn-1/32, Timeout: 52, Valid
  In: 192.168.1.190/476 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
  Out: 192.168.75.5/1 --> 192.168.1.190/476;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 16269, Policy name: vpn-1/32, Timeout: 38, Valid
  In: 192.168.1.190/473 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
  Out: 192.168.75.5/1 --> 192.168.1.190/473;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 35130, Policy name: vpn-1/32, Timeout: 58, Valid
  In: 192.168.1.190/477 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
  Out: 192.168.75.5/1 --> 192.168.1.190/477;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

Don't really know what to check next, guys,

 

any help would be appreciated.

 

PS:

Forgot to mention the version:

Model: srx240h2
JUNOS Software Release [12.1X46-D25.7]
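Reading the session table above: the In wing is the direction the first packet arrived in, the Out wing is the reverse direction, and a session whose Out wing stays at Pkts: 0 has never seen a reply. The following Python is an added example (not from the post, not Juniper code) that parses that output and flags such one-way sessions per policy, so that a longer session dump can be checked the same way; the sample text is the three sessions quoted in the post.

```python
import re

# Constructed sample input: the three session entries quoted in the post.
SESSION_OUTPUT = """\
Session ID: 10408, Policy name: vpn-1/32, Timeout: 52, Valid
  In: 192.168.1.190/476 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
  Out: 192.168.75.5/1 --> 192.168.1.190/476;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 16269, Policy name: vpn-1/32, Timeout: 38, Valid
  In: 192.168.1.190/473 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
  Out: 192.168.75.5/1 --> 192.168.1.190/473;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

Session ID: 35130, Policy name: vpn-1/32, Timeout: 58, Valid
  In: 192.168.1.190/477 --> 192.168.75.5/1;icmp, If: vlan.103, Pkts: 1, Bytes: 60
  Out: 192.168.75.5/1 --> 192.168.1.190/477;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Turn 'show security flow session' text into dicts with an In and an Out wing each."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2), "timeout": int(m.group(3)),
                   "state": m.group(4), "wings": {}}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur["wings"][m.group(1)] = {"src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                                         "iface": m.group(5), "pkts": int(m.group(6)),
                                         "bytes": int(m.group(7))}
    return sessions


def is_one_way(session):
    """True when packets were seen on the In wing but none ever came back on the Out wing."""
    wings = session["wings"]
    return wings.get("In", {}).get("pkts", 0) > 0 and wings.get("Out", {}).get("pkts", 0) == 0


def summarize(sessions):
    """Per policy: sessions seen, how many are one-way, and which interfaces the Out wings use."""
    summary = {}
    for s in sessions:
        entry = summary.setdefault(s["policy"], {"sessions": 0, "one_way": 0, "out_ifaces": set()})
        entry["sessions"] += 1
        if is_one_way(s):
            entry["one_way"] += 1
        if "Out" in s["wings"]:
            entry["out_ifaces"].add(s["wings"]["Out"]["iface"])
    return summary


if __name__ == "__main__":
    for policy, entry in summarize(parse_sessions(SESSION_OUTPUT)).items():
        print("%s: %d sessions, %d one-way, Out wing on %s"
              % (policy, entry["sessions"], entry["one_way"], sorted(entry["out_ifaces"])))
```

For the three sessions in the post this reports every session under vpn-1/32 as one-way with the Out wing on ge-0/0/0.0, which is the same picture the ESP counters give (encrypted packets, zero decrypted): the SRX is sending into the tunnel and nothing is returning, so the next place to look is the far side and the path back, not the local policy match.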

SRX100 VPN problem


I just got this new SRX100 just to add Dynamic VPN onto the controls network. I worked it out with the Web Manager and it set it up for me. I can connect to the SRX100 with Pulse VPN, but I do not get onto the network interface. I'm new to this version, as I am better with the SSG5.

We have a static IP on the SRX100 untrust side and I have local PCs and controls on the trust side. The user name and password work, but it only seems not to be routed anywhere. I would like to route my VPN within 192.168.178.0/24. But I get lost with the IKE pool. I tried to add a Web Manager based security policy, but it will not let me pick a zone.


Software Version: JUNOS Software Release [12.1X46-D35.1]
Bios Version: 2.7

 

 

Please let me know; I will be here for about 4-5 hours.

 

Thanks

 

Rob

 
