Channel: SRX Services Gateway topics
Viewing all 3959 articles

Multinet with DHCP and static?


Anyone know how I can multinet an interface and also use DHCP client?

 

Situation: cable modem connected to ge-0/0/0. DHCP is needed to obtain a lease from the ISP. But the cable modem is managed at 192.168.100.1/24, so an IP in that subnet is needed to view management info. Trying to set both a static IP and dhcp-client results in a config error. If I set the DHCP-assigned address as a static IP, everything works as it should, except the ISP is eventually going to get upset because there are no DHCP renewals for that IP and I'd expect that to cause a problem at some point.

 

I want something like this, but it results in a "'dhcp-client' Incompatible with interface assigned with address" complaint.

 

set interfaces ge-0/0/0 description "External Cable Modem"
set interfaces ge-0/0/0 enable
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.11/24
set interfaces ge-0/0/0 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces ge-0/0/0 unit 0 family inet dhcp-client retransmission-interval 40
set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server

I also tried creating L3 VLANs, but it won't let me assign more than one to an access (untagged) interface.

 

Edit: Well, it's butt-ugly, but instead of blackholing just 192.168.0.0/16, I did this, which at least lets it work via the default route:

 

static {
    route 10.0.0.0/8 discard;
    route 172.16.0.0/12 discard;
    route 192.168.0.0/18 discard;
    route 192.168.64.0/19 discard;
    route 192.168.96.0/22 discard;
    route 192.168.101.0/24 discard;
    route 192.168.102.0/23 discard;
    route 192.168.104.0/21 discard;
    route 192.168.112.0/20 discard;
    route 192.168.128.0/17 discard;
}
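The discard-route workaround above, as an added example that is not part of the original post: a Python script using the standard ipaddress module to derive the covering prefixes (192.168.0.0/16 minus the modem's management /24), emit them as set-style discard routes, and check which addresses would be blackholed versus forwarded via the default route. The prefix lists and the host addresses checked are constructed to match the post.

```python
# Added example (not from the original post): compute the prefixes that
# blackhole RFC1918 space except the cable modem's management subnet, and
# emit Junos "discard" static routes for them.
import ipaddress

# Constructed inputs matching the post: private space to blackhole and the
# one subnet (modem management) that must stay reachable.
BLACKHOLE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
KEEP = "192.168.100.0/24"


def covering_prefixes(blackhole, keep):
    """Return the minimal prefixes covering `blackhole` minus `keep`."""
    keep_net = ipaddress.ip_network(keep)
    out = []
    for cidr in blackhole:
        net = ipaddress.ip_network(cidr)
        if keep_net.subnet_of(net):
            # address_exclude splits `net` into the pieces that do not
            # contain keep_net: exactly the discard list in the post.
            out.extend(net.address_exclude(keep_net))
        else:
            out.append(net)
    return sorted(out)  # ordered by network address, then prefix length


def discard_routes(blackhole=BLACKHOLE, keep=KEEP):
    """Junos set-style static discard routes for the covering prefixes."""
    return [f"set routing-options static route {p} discard"
            for p in covering_prefixes(blackhole, keep)]


def is_blackholed(addr, blackhole=BLACKHOLE, keep=KEEP):
    """True if `addr` falls inside one of the discard prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in covering_prefixes(blackhole, keep))


if __name__ == "__main__":
    print("\n".join(discard_routes()))
    for a in ("192.168.100.1", "192.168.1.1", "10.1.2.3", "8.8.8.8"):
        print(a, "blackholed" if is_blackholed(a) else "default route")
```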

SRX st0 interface IP MTU settings


Hi, all, I am a little confused by SRX's DF bit behavior, according to this article:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25625&actp=METADATA

The DF bit of the inner IP packet is always cleared.

 

So if I have the incoming Ethernet interface IP MTU set to 1500 bytes and the outgoing st0 interface MTU set to 1400 bytes (which is mandatory by a 3rd party), when I have an incoming packet on the Ethernet interface with IP size 1401 bytes and DF bit set, the SRX will send "Fragmentation needed" back to the source with suggested MTU 1400 bytes, all good... Now, if the above article is accurate, I should never set the IP MTU size on the tunnel interface (or rather, any manual IP MTU settings on the st0 interface should be ignored), because by default any incoming packets can be fragmented regardless of the DF bit as long as the IPsec-encapsulated packet size exceeds the egress IP MTU. Correct?

 

If my argument is not correct, then what are my options to clear the DF bit so 1401 bytes packets can be processed?

 

Thanks,

Is there any PR related to all FPCs on an SRX5800 chassis cluster suddenly rebooting themselves?


Hi all,

 

 

Yesterday I faced all the FPCs on both SRX5800 chassis cluster nodes rebooting by themselves at the same time. The weird thing is that the SCB/RE did not reboot, so we can rule out a power issue. I already opened a JTAC case, but the Level 1 JTAC engineer said it looks like a temperature issue because they see a temperature change, but for me that's not valid because the log has already appeared many times before. I see this PR https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1241061 but it says SRX1500 and I'm not sure whether this PR also involves the SRX5800.

 

Jul 25 23:04:15 LCC: Modifying fan speed to 199 as high temp is now 53 C

 

Thanks, and I appreciate anyone's help.

 

Subinterface allocation on Lsys


Say a single 1GB uplink, or an ae, with sub-interfaces:

 

ge-0/0/0 unit 1 

ge-0/0/0 unit 2

 

or 

 

ae0.1

ae0.2

 

Can you assign these sub-interfaces on Lsys as logical interfaces?

IDP signature update and Protect-RE filter


Can anyone tell me the source & destination ports to be permitted to allow an SRX to update the IDP signatures?

 

I have tried allowing source port HTTPS on the input filter to the loopback interface but this has failed. When I disable the filter it works as expected.

 

Thanks

Port forwarding for VPN


I have put a VPN server in my LAN behind a Juniper SRX 210. In order to make it accessible from the outside I have (tried to) forward ports 500, 1702, 1723 and 4500, but so far not managed to establish a connection with the server.

 

The VPN server is located at 10.35.10.7 and the SRX has a public IP of 10.20.1.58 on ge-0/0/0.0.

First I added a security nat destination for the ports (only port 500 shown here).

  

        destination {
            pool Pool1 {
                address 10.35.10.7/32 port 500;
            }
            rule-set rule-set1 {
                from interface ge-0/0/0.0;
                rule rule1 {
                    match {
                        destination-address 10.20.1.58/32;
                        destination-port 500;
                    }
                    then {
                        destination-nat pool Pool1;
                    }
                }
            }
        }

 

Then I added a security policy for incoming data.

 

        from-zone untrust to-zone trust {
            policy allowVPNaccess {
                match {
                    source-address any;
                    destination-address 10.35.10.7/32;
                    application any;
                }
                then {
                    permit;
                }
            }
        }

 

Is there something else required?

Or is something else blocking the communication? The complete configuration is attached.

Fabric link for SRX 240


Hello

 

I have a question about the SRX 240 for an HA cluster. Now I have two firewalls made into one logical device sharing one IP address for cluster id 5.... My question is: child 0 has packets alive, but child 1 has 0 packets received and sent, and the failover is not working; the secondary doesn't pick up the traffic from the reth interface.

I have connected the control link ge-0/0/1 and one fabric link; the issue is that when I connect and configure another fabric link on ge-0/0/15 it works OK.

Why do I have to do two fabric links while the guide from Juniper says one link??!

What is the base rule to decide how many fabric links you need??

Note: configurations are OK for both nodes and redundancy groups.

Difference between UTM & NGFW


What is the main difference between a next generation firewall & UTM??


Destination NAT


Hi all, 

I have two scenarios shown below. 

1. Destination NAT same IP address facing the Internet. 

PC:80 (web service) -------- SRX:80 (IP: x.x.x.x) ---------the Internet

Both the PC and the SRX have service port 80 turned on; after that, I configure destination NAT from the untrust zone with IP x.x.x.x, which is the IP on the SRX facing the Internet, to the PC's address.
What happens when I type https://x.x.x.x in a web browser? I think it will access PC:80 instead of SRX:80. Can anyone verify this for me?

2. Destination NAT range pool to range destination NAT IP
PC1, PC2, PC3 ---------- SRX --------- the Internet
I have a destination NAT pool y.y.y.y/29 (representing PC1, PC2, PC3) and the destination NAT IP is x.x.x.x/29. When I do destination NAT from the untrust zone with x.x.x.x/29 to pool y.y.y.y/29, what happens?
There are some possible situations, but I don't know which is true:
a. I ping test x.x.x.1 and it maps to PC1, x.x.x.2 maps to PC2, etc...
b. I ping test x.x.x.x and it also maps to PC1.
c. I ping test x.x.x.1 and it maps randomly within y.y.y.y/29.

Regards, 
Hoang Nguyen Huy

source + destination NAT vs static NAT


Hi all, 

I want to open a topic comparing source + destination NAT vs static NAT.
As you know:
- Source NAT supports internal IP access to the Internet and is one-way direction.
- Destination NAT supports access to an internal IP through a public IP from the Internet and is also a unidirectional connection.
- Static NAT is known as 1-1 mapping.
So what happens when deploying source + destination NAT instead of using static NAT?

I have a topology:

PC: 192.168.1.10/24 ------------ SRX ge0/0/0: 10.10.10.1/24 --------- the Internet.

Destination NAT: 1.1.1.1 to 192.168.1.10; the source NAT pool is also 1.1.1.1, or use source NAT interface.

If I use static NAT, the traffic flow is like below:
IN:     12.12.12.1/123 ->  1.1.1.1/80
OUT  192.168.1.10/80 -> 12.12.12.1/123
Reverse static
IN:     192.168.1.10/123 -> 12.12.12.1/23
OUT  12.12.12.1/23 -> 1.1.1.1/123

And when I use source + destination NAT:
The non-reverse static is approximately
IN: 12.12.12.1/123 -> 1.1.1.1/80
OUT: 192.168.1.10/80 -> 12.12.12.1/123
The reverse static is approximately
IN:     192.168.1.10/123 -> 12.12.12.1/23
OUT  12.12.12.1/23 -> 1.1.1.1/456

So I think source + destination NAT is OK to deploy for a bi-directional connection. In a nutshell, what's the root cause to use static NAT? Please clarify for me so I truly understand.

Regards, 
Hoang Nguyen Huy

 

Help w/Configuration_ Total Rookie w/SRX


Guys,

 

I need help with this config. It is going nowhere fast. I am a total newbie to SRX. I may have already bricked one. I put this config together and I cannot get back and forth to the other subnets. ScreenOS and Junos are not the same, I found.

Any and all suggestions are appreciated. Config attached.

 

Thank You,

Quaz

I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything


Hello everybody,

 

I am trying to configure a Juniper SRX 100h2 in a cluster. All seems correct to me with the cluster. See below my config:

set version 12.1X47-D35.2
set groups node0 system host-name EROS
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.6.30/24
set groups node1 system host-name HADES
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.6.31/24
set apply-groups "${node}"
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-1/0/2 weight 255
set interfaces fe-0/0/1 fastether-options redundant-parent reth0
set interfaces fe-0/0/2 fastether-options redundant-parent reth1
set interfaces fe-1/0/1 fastether-options redundant-parent reth0
set interfaces fe-1/0/2 fastether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces fe-0/0/0
set interfaces fab1 fabric-options member-interfaces fe-1/0/0
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 81 description VLAN81
set interfaces reth0 unit 81 vlan-id 81
set interfaces reth0 unit 81 family inet address 192.168.81.254/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.111.30/24
set routing-options static route 192.168.100.0/24 next-hop 192.168.81.1
set security zones security-zone Trusted host-inbound-traffic system-services all
set security zones security-zone Trusted interfaces reth0.81
set security zones security-zone Untrusted host-inbound-traffic system-services ping
set security zones security-zone Untrusted interfaces reth1.0


 

What I do not understand... are the fxp0 interfaces. I have read a lot of subjects related to the topic, but for me it doesn't work. I need to plug the Juniper management interfaces (normally fe-0/0/6 and fe-1/0/6) into a Cisco switch. This switch's ports are configured in access mode with a MGMT VLAN.

All reths are accessible with a ping.

Normally, with this configuration it should work...

Have I forgotten something in my configuration?!...

Thanks for your help.

How to delete multiple count under security policy in one single command?


Hi all,

 

 

Currently my security policy has been configured with "then count" for around 1000 policies. As advised by the Juniper Engineering team, using "count" under security policy will burden the RE, so they advised removing it. So the issue is: how can I remove the "count" in the policies? Replace pattern can be used if we want to change one word to another word. But what if we want to delete it?

Thanks, and I appreciate anyone's help.

 

 

Dynamic VPN


Is dynamic VPN considered to be an IPsec VPN or an SSL VPN???

> I was searching and I found that some vendors like Fortinet consider dial-up VPN or client VPN as a type of SSL VPN???

Ip monitoring on SRX 240


I have two reth interfaces, reth1.0 and reth0.0, both on different subnets?? Can I configure IP monitoring or not??! If not, what options do I have to keep my system alive?

Where can I find the commands?

 

 


Policy configuration SRX3600


 

Hi Experts,

 

Cannot configure any more policies in the firewall. It says we have reached the limit of 60 allowed policies.

 

admin@fw-cl1# commit

error: system security-profile policy logical-system quota exceeded (usage 61 > max 60) in OM

error: configuration check-out failed.

 

The release on the SRX is 12.1X44-D45.2, which is EOS.

 

Best Regards,

Waqas

Filter Based Forwarding support on st0 interface


Hi,

I have a need to configure FBF on the IPsec tunnel interface st0.

 

 SRX-300#set interfaces st0.10 family inet ?

Possible completions:
  <[Enter]>            Execute this command
> address              Interface address/destination prefix
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> dhcp-client          Dynamic Host Configuration Protocol client configuration
  mtu                  Protocol family maximum transmission unit
  negotiate-address    Negotiate address with remote
> next-hop-tunnel      One or more next-hop tunnel tables
  no-neighbor-learn    Disable neighbor address learning on interface
> sampling             Interface sampling
  unconditional-src-learn  Glean from arp packets even when source cannot be validated
  |                    Pipe through a command

 

SRX-300 is running 15.1X49. It does not even have the option to configure filters on the st0 interface; is FBF only supported on physical interfaces on low-end SRXes? I do see the "filter" option available on higher-end SRX boxes (SRX-5400 running 15.1), but I need to verify the configuration on small SRX boxes in the lab before applying it to production boxes.

rib import routes


Hi,

Is it possible to import static routes from one table to another and filter out some routes? In my example I would like to filter out the default gateway.

Thanks

vSRX IPSec Site to Site VPN with dual wan


Hi all,

 

I am currently testing route-based IPsec VPN with a dual WAN deployment on the vSRX D100 version. When I set it up initially, IKE gets an error with "Timed out". Can anyone share some suggestions on this?

 

Regards,

Dylen

Tunnel loop detected with peer


We have an SRX1500 with over a hundred VPN tunnels. Every few nights we get an "IPSec negotiation loop detected with peer, Rejecting negotiation" event on our SA. Users on the remote end notice the network outage for several minutes. I have opened a JTAC case, but they really didn't tell me anything. Said our VPN configurations look good. No other issues with other VPNs on the same box. The only thing that's a bit different from other tunnels is that we do specify a remote-identity with this one.

I have not really found anything related to "loop detected" messages in KBs or in the forums. Anybody have any idea what this is?

 

HM
