
Re: Log rules between 2 zones


Good place to start

http://www.juniper.net/documentation/en_US/junos/topics/concept/security-system-log-message-overview.html

 

Basic configuration example

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16506

 

If you want to configure local logging (not recommended in production)

set security log mode event
set system syslog file traffic-log user info
set system syslog file traffic-log match "RT_FLOW_SESSION"

Verification

show log traffic-log
monitor start traffic-log

In the policy action, please add (as mentioned) then session-init or session-close, or both. In production it's recommended to use session-close only.

 

Regards, Wojtek
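The `match "RT_FLOW_SESSION"` line in the syslog file above catches the RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE and RT_FLOW_SESSION_DENY records, and the close record is the one that carries the byte counters and elapsed time, which is why logging session-close alone gives a complete per-session summary. The Python below is an added example, not code from the thread or from Juniper: it parses records in the structured-syslog layout Junos uses for these events and aggregates them per zone pair and policy. The sample lines, addresses, zone and policy names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the structured-syslog layout of Junos RT_FLOW
# events. Field names follow the RT_FLOW_SESSION_* format; addresses, names
# and counters are invented for this example.
SAMPLE_LOGS = [
    '<14>1 2020-01-01T10:00:00.000Z srx RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.20.15.130" source-port="51000" '
    'destination-address="198.51.100.10" destination-port="443" '
    'service-name="junos-https" nat-source-address="172.20.15.130" '
    'nat-source-port="51000" nat-destination-address="198.51.100.10" '
    'nat-destination-port="443" src-nat-rule-name="HOME-LAN_to_Internet" '
    'dst-nat-rule-name="None" protocol-id="6" policy-name="HOME_LAN_to_Internet" '
    'source-zone-name="HOME_LAN" destination-zone-name="Internet" session-id-32="1001"]',
    '<14>1 2020-01-01T10:00:12.000Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.20.15.130" '
    'source-port="51000" destination-address="198.51.100.10" destination-port="443" '
    'service-name="junos-https" nat-source-address="172.20.15.130" '
    'nat-source-port="51000" nat-destination-address="198.51.100.10" '
    'nat-destination-port="443" src-nat-rule-name="HOME-LAN_to_Internet" '
    'dst-nat-rule-name="None" protocol-id="6" policy-name="HOME_LAN_to_Internet" '
    'source-zone-name="HOME_LAN" destination-zone-name="Internet" session-id-32="1001" '
    'packets-from-client="10" bytes-from-client="1500" packets-from-server="8" '
    'bytes-from-server="4200" elapsed-time="12"]',
    '<14>1 2020-01-01T10:00:20.000Z srx RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.36 source-address="10.20.15.131" source-port="40000" '
    'destination-address="198.51.100.20" destination-port="23" '
    'service-name="junos-telnet" protocol-id="6" icmp-type="0" '
    'policy-name="default-deny" source-zone-name="HOME_LAN" '
    'destination-zone-name="Internet" reason="policy deny"]',
]

# Event name followed by the opening bracket of the structured-data element.
EVENT_RE = re.compile(r"(RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY))\s+\[")
# key="value" pairs inside the structured-data element.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rt_flow(line):
    """Return a dict of fields for an RT_FLOW_SESSION_* record, or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line, m.end()))
    fields["event"] = m.group(1)
    return fields


def summarize(lines):
    """Aggregate closed sessions per (src zone, dst zone, policy) and list denies.

    Only RT_FLOW_SESSION_CLOSE carries the byte counters and elapsed time, so
    the traffic totals are taken from close records alone.
    """
    closed = defaultdict(lambda: {"sessions": 0, "bytes": 0, "seconds": 0})
    denied = []
    for line in lines:
        f = parse_rt_flow(line)
        if f is None:
            continue
        key = (f.get("source-zone-name"), f.get("destination-zone-name"),
               f.get("policy-name"))
        if f["event"] == "RT_FLOW_SESSION_CLOSE":
            c = closed[key]
            c["sessions"] += 1
            c["bytes"] += int(f.get("bytes-from-client", 0)) + int(f.get("bytes-from-server", 0))
            c["seconds"] += int(f.get("elapsed-time", 0))
        elif f["event"] == "RT_FLOW_SESSION_DENY":
            denied.append((f.get("source-address"), f.get("destination-address"),
                           f.get("destination-port"), f.get("reason")))
    return dict(closed), denied


if __name__ == "__main__":
    totals, denies = summarize(SAMPLE_LOGS)
    for (src_zone, dst_zone, policy), t in totals.items():
        print(f"{src_zone}->{dst_zone} policy {policy}: {t}")
    for d in denies:
        print("denied:", d)
```

The same parser works over a file exported with `show log traffic-log` once the lines are fed in; the zone-pair totals are the quickest way to confirm that the policy you attached the log action to is the one actually matching the traffic.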

 

 


Re: SRX210 behind ISP Modem


There are 3 types of Source NAT:
1-Interface-based source NAT - best use case when you have a single IP on the interface (always has PAT)
2-Pool-based source NAT - address pool with/without port address translation (if you have a pool of addresses, like your case)
3-Source NAT with address shifting - this is the equivalent of static NAT (one-to-one static NAT without PAT from an address pool)

You are enabling option 3


set security nat source pool NAT_SRCE_POOL_HOME_LAN description "NAT SOURCE POOL FOR HOME-LAN to INTERNET CONNECTIONS"
set security nat source pool NAT_SRCE_POOL_HOME_LAN address 172.20.15.129/26<======================================
set security nat source pool NAT_SRCE_POOL_HOME_LAN host-address-base 10.20.15.129/32
set security nat source rule-set NAT_SRCE_HOME_LAN from zone HOME_LAN
set security nat source rule-set NAT_SRCE_HOME_LAN to zone Internet
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.129/26<=======================
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match destination-address 0.0.0.0/0
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet then source-nat pool NAT_SRCE_POOL_HOME_LAN
set security nat proxy-arp interface ge-0/0/0.0 address 172.20.15.129/32 to 172.20.15.191/32

======================================You would need to make these changes for your original pool to work.
set security nat source pool NAT_SRCE_POOL_HOME_LAN host-address-base 10.20.15.129/32<===Address shifting would be problematic since you only had a single address for the pool. You would need to set the pool to the list of addresses you own like this:
(You actually got so many IPs from your ISP for home?? Interesting!)
set security nat source pool NAT_SRCE_POOL_HOME_LAN address 172.20.15.129/26 to 172.20.15.191/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.0/26<==========(Use your home network unless you only want to allow a single IP to use the pool)

Re: SRX 1500 LACP issue's connecting to EX4200 and Extreme X460-G1


If you configure LACP on Juniper, then it must be configured on the remote device, in this case Extreme. Otherwise remove LACP from SRX to Extreme if there is no LACP on Extreme. LACP on EX is fine with LACP on SRX to EX.

VLAN tagging on SRX 100


Hello everyone.

 

I just bought SRX 100 and deleted all the default config.

 

Please consider the following set up:

 

 

Cisco R1 f1 199.199.199.10---------199.199.199.1 f0/0/0 SRX

 

Cisco R1 and SRX should talk using dot1q tag 10

ISSUE:

R1 cannot ping 199.199.199.1 because SRX does not respond to R1's ARP request for 199.199.199.1:

(attached screenshot: Capture34.PNG)


SRX Config:

 

root> show configuration | display set
set version 11.4R7.5
set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 0 vlan-id 20
set interfaces fe-0/0/0 unit 0 family inet address 200.200.200.1/24
set interfaces fe-0/0/0 unit 10 vlan-id 10
set interfaces fe-0/0/0 unit 10 family inet address 199.199.199.1/24
set interfaces fe-0/0/1 unit 0
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone TRUST interfaces fe-0/0/0.10 host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces fe-0/0/0.10 host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces fe-0/0/0.0

#########################

What am I missing?

Re: VLAN tagging on SRX 100


Is the R1 port in access mode or trunk mode?

Re: Active/Active chassis cluster


Hi,

 

Not sure if this will be of any benefit or not.

 

I have just finished configuring and testing 2 x SRX1500 for A/P and A/A. My results may surprise you, and in fact are not uncommon (apparently).

 

Given that there are two points of protection ---- the Control Plane and the Data Plane ----- I have found that the SRX actually is always in an A/A state from a Data Plane perspective. When I disconnected the Control Plane the HA, as it should, failed and immediately placed the Secondary into "Ineligible" for 3 minutes, where, if the Data Plane is not lost, it then places it into disabled. This was because the primary still sees itself as operational and so therefore assumes all responsibility and removes the secondary from the equation. If within those three minutes we also disconnect the Data Plane, then the secondary becomes the primary as it assumes the original primary is lost.

 

Now, what is important to understand here is that the Control Plane is purely for the chassis (hence the removal of the HA connection only affects the failover for the chassis), while the Fabric Ports are for the RTOs (Real Time Objects) synchronisation (VPNs, NAT, etc etc). The Reth ports are for the actual data.

 

What I found was, unless I disconnected everything, the ports for the data were always UP, even if the HA port was disconnected. That's why, I believe, it runs in A/A, from a data perspective, even if you believe it is A/P.... it is only truly A/P from a Control Plane perspective.

 

Obviously, I can only come to these conclusions from the testing I have just completed and the results and behaviour of the SRX from those tests.

 

If you want me to post the config I used then please let me know (if that helps).

SYSLOG Help with SRX


Hello,

 

We have an SRX with 4 x routing instances; all interfaces are configured and are members of one of these 4 routing instances. I need to get the SRX to send SYSLOG data to our syslog server but cannot get it working. I believe this SYSLOG traffic will originate from the default routing instance; I have no interfaces in the default routing instance. The SYSLOG server is accessed via the MGMT routing instance. I have added the config below but my syslog server is getting no logs.

 

system
   syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        host 192.168.1.200 {
            any any;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file TRAFFIC-LOG {
            any any;
            match RT_FLOW_SESSION;
        }
        source-address 192.168.30.254;

routing-options {
    traceoptions {
        file routing-log size 10k files 5;
        flag general;
    }
    static {
        route 192.168.1.200/32 next-table MGMT.inet.0;

 

Can anyone assist please? Note 192.168.30.254 is an address assigned to an interface in the MGMT routing instance. I can PING the SYSLOG server fine from the MGMT routing instance.

 

Many thanks

 

Ryan

Re: SYSLOG Help with SRX

Try configuring a loopback interface and keep it in the inet/default routing instance. SRX will generate syslog with the loopback IP. You can use the "source-address" option under syslog to change the address as per your requirement.

Re: SRX 1500 LACP issue's connecting to EX4200 and Extreme X460-G1


LACP is enabled on the Extreme switches, I just have not set the Activity mode, i.e. Active or Passive, nor have I set the timeout value (the periodic time on the Juniper device) as Extreme and Juniper have different timeout values.

 

As I said Juniper periodic slow is 30 seconds and fast is 1 second, Extreme's option are either 3 seconds or 90 seconds.

 

So do I go with slow for Juniper and then fast on the Extreme? Either way I am going to get a conflict in timeouts.

Re: SRX210 behind ISP Modem


Lyndidon, thanks for the reply! You are correct that I am trying to implement #3. This is the guide that I was using.

nat-security-source-nat-address-shifting-configuring

 

Also, your comment on so many IPs from the ISP is incorrect; the pool range is still a class C (172.16.0.0 - 172.31.0.0). Most don't use that range for private so you may just have misread it.

 

I did have a range originally in the pool but when that wasn't working went to the CIDR/prefix. Either way, when I analysed the traceoptions output and the security flow sessions, I would always see the translation happening properly - the 10.20.25.x would get NAT'd to 172.20.15.x within the confines of the pool.

 

Not sure about your comment for the source address in the rule. The range that I want inside to match is in fact .129 - .191 so starting at .0/26 wouldn't work. Again, I did note that when the system was working, it worked perfectly fine with these rules.

 

I'm fairly convinced that it's an ARP issue, being that at some point the ISP modem forgets how to get back to the internal network. So by forcing a ping from the internal back to the ISP IP, it creates the appropriate tables to allow it to work. At some point, that table ages out and it stops working - that's my theory at least.

 

If that is true, then isn't that what the proxy-arp is supposed to be for, and if so, why does it appear to not be working as configured?

 

Thanks again for the reply and suggestions. I'll take a look at the instructions again and verify I didn't cross something up. If it starts failing again, I'll go back to interface NAT which may be good enough anyway and use the rules and firewall filters on the SRX to manage who can do what.
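The two posts above disagree about which `match source-address` prefix belongs with the address-shifting pool. The Python below is an added example, not from either poster or from Juniper: it models an address-shifting pool as a one-to-one offset mapping (source `host-address-base + n` becomes `pool-start + n` for `n` below the pool size, which is the relationship the shifting feature is built on) and then audits a rule's match prefix against that mapping, so you can see which matched sources have a translation and which do not. The treatment of the prefix (host bits cleared, so `10.20.15.129/26` is read as `10.20.15.128/26`) and the `None` result for sources outside the mapped range are this example's own conventions; it does not model what the device does with such packets.

```python
import ipaddress


def address_shift_translator(host_address_base, pool_start, pool_end):
    """Return (translate, pool_size) for an address-shifting style pool.

    Convention used by this example: source host_address_base + n maps to
    pool_start + n for 0 <= n < pool_size; any other source gets None.
    """
    base = int(ipaddress.IPv4Address(host_address_base))
    start = ipaddress.IPv4Address(pool_start)
    pool_size = int(ipaddress.IPv4Address(pool_end)) - int(start) + 1
    if pool_size <= 0:
        raise ValueError("pool end precedes pool start")

    def translate(source_ip):
        offset = int(ipaddress.IPv4Address(source_ip)) - base
        if 0 <= offset < pool_size:
            return str(start + offset)
        return None

    return translate, pool_size


def audit_rule(match_prefix, host_address_base, pool_start, pool_end):
    """Compare a rule's match source-address prefix with the pool mapping.

    The prefix is normalised as CIDR (host bits cleared), an assumption of
    this example; every address in it is then looked up in the mapping.
    """
    network = ipaddress.ip_network(match_prefix, strict=False)
    translate, _ = address_shift_translator(host_address_base, pool_start, pool_end)
    mapped, unmapped = {}, []
    for host in network:
        nat = translate(str(host))
        if nat is None:
            unmapped.append(str(host))
        else:
            mapped[str(host)] = nat
    return {"network": str(network), "mapped": mapped, "unmapped": unmapped}


if __name__ == "__main__":
    # Values from the thread: pool 172.20.15.129-191, host-address-base 10.20.15.129.
    for prefix in ("10.20.15.129/26", "10.20.15.0/26", "10.20.15.129/32"):
        r = audit_rule(prefix, "10.20.15.129", "172.20.15.129", "172.20.15.191")
        print(f"{prefix} -> {r['network']}: {len(r['mapped'])} mapped, "
              f"{len(r['unmapped'])} without a mapping")
```

Run against the thread's values, `10.20.15.129/26` covers `.128` to `.191`, of which `.128` has no pool entry, while `10.20.15.0/26` covers `.0` to `.63` and none of those fall inside the mapped range; a `/32` match limits the rule to a single inside host.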

Re: SYSLOG Help with SRX


What address range(s) are your interfaces in and is the SYSLOG server in a different range?

 

I had a similar circumstance and while it may not be the best (???) method, I had a routing instance where the SYSLOG server lived and I used the firewall filter to get the traffic there.

 

firewall family inet filter ALLOW_SYSLOG from source port 514

firewall family inet filter ALLOW_SYSLOG from source address range allowed

firewall family inet filter ALLOW_SYSLOG then routing-instance ROUTE_TO_SYSLOG_SERVER

 

This isn't tested/checked, just typed from memory.

Re: VLAN tagging on SRX 100


According to the pcap the arp request is tagged.

 

SRX100 uses 10/100 interfaces--is the link negotiated correctly?

 

What does 'monitor traffic interface fe-0/0/0.10' show on the srx during the ping attempt?

ipv6 vlan interface

Re: VLAN tagging on SRX 100


R1 port is a subinterface which expects a dot1q tag from SRX.

 

This is what I see on capture.

 

1) SRX sends traffic as untagged out of f0/0/0 even though we have configured it with vlan-tagging, which is why R1 ignores the traffic as there is no tag
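The replies above turn on one question about the capture: does the frame leaving the SRX carry an 802.1Q tag, and is it the tag the router subinterface expects? The Python below is an added example, not from the thread: it builds ARP request frames with and without a VLAN tag (constructed test data using the thread's addresses and an invented MAC), parses the Ethernet and 802.1Q headers and the ARP body, and reports whether a frame would be accepted by a peer expecting a given VLAN. Feeding it raw frames from a pcap reader gives the same check on real captures.

```python
import struct
import ipaddress

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"


def _mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac, sender_ip, target_ip, vlan_id=None):
    """Build an Ethernet ARP who-has frame (constructed test data), optionally 802.1Q tagged."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                      _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    header = _mac_bytes(BROADCAST) + _mac_bytes(sender_mac)
    if vlan_id is None:
        return header + struct.pack("!H", ETHERTYPE_ARP) + arp
    tci = vlan_id & 0x0FFF  # PCP 0, DEI 0, 12-bit VLAN ID
    return header + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_ARP) + arp


def parse_frame(frame):
    """Decode Ethernet, an optional 802.1Q tag, and an ARP body if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"dst": _mac_str(dst), "src": _mac_str(src), "vlan": vlan, "ethertype": etype}
    if etype == ETHERTYPE_ARP and len(frame) >= offset + 28:
        _, _, _, _, oper, _, spa, _, tpa = struct.unpack(ARP_FMT, frame[offset:offset + 28])
        info["arp"] = {
            "op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_ip": str(ipaddress.IPv4Address(tpa)),
        }
    return info


def check_vlan(frame, expected_vlan):
    """Say whether a peer expecting expected_vlan (None = untagged) would accept the frame."""
    f = parse_frame(frame)
    if expected_vlan is None:
        return "ok" if f["vlan"] is None else f"unexpected tag {f['vlan']} on untagged port"
    if f["vlan"] is None:
        return f"untagged frame, peer expects VLAN {expected_vlan}"
    if f["vlan"] != expected_vlan:
        return f"tag {f['vlan']} does not match expected VLAN {expected_vlan}"
    return "ok"


if __name__ == "__main__":
    # Constructed frames: the router's ARP request for the SRX address, tagged and untagged.
    for vid in (10, None):
        frame = build_arp_request("00:11:22:33:44:55", "199.199.199.10", "199.199.199.1", vid)
        print(parse_frame(frame), "->", check_vlan(frame, 10))
```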

 

 

Re: SRX Session Analyzer based on Perl


How do I find this script? Thank you.


Re: SRX 1500 LACP issue's connecting to EX4200 and Extreme X460-G1


Configuration seems to be fine.
LACP times out when it doesn't receive 3 consecutive messages. On SRX you configure how often LACP messages are sent. On Extreme you configure the timeout. So basically fast on SRX matches to short on Extreme and slow matches to long. Even if you had a mismatch it should still work because transmitter should operate at receiver’s rate.

I would start troubleshooting by collecting outputs of the following commands

show lacp interfaces reth1
show lacp statistics interfaces reth1
show lacp timeouts reth1
show interfaces reth1 extensive
show interfaces xe-0/0/16 extensive
show interfaces xe-0/0/17 extensive
show interfaces xe-7/0/16 extensive
show interfaces xe-7/0/17 extensive

 

Regards, Wojtek

SRX tunnel to Cisco ASR configured for EZVPN?


For reasons that are difficult to explain, and mildly political in nature as far as my company is concerned, I have a need to create a site-to-site tunnel between an SRX 650 at one location and a Cisco ASR 1002x at another location. The Cisco ASR is preconfigured using a Cisco EZVPN setup.

SOOO.... question..... is this even possible to do? Anyone try this before?

Re: VLAN tagging on SRX 100


I don't see an issue with the config. Try a reboot of the SRX; if that doesn't fix it, try upgrading to any of the latest versions like 12.1X46 or 12.3X48, as 11.4 is very old.

SRX240H Power Loss: Cannot Login


Hello:

 

Unfortunately, our data center had a catastrophic power loss (their automatic transfer switches failed), and we lost power to our rack. One of our client SRXs on reboot will not allow any logins (root, users, or SSH ... SSH is simply refused a connection). I'm working on getting a serial connection set up to see if that will help.

 

Any ideas on this? The rules and routing are working fine, and so I'm a bit concerned to try another reboot. If so, I'll definitely try it after hours, however.

 

As Always,

Don

Re: SRX240H Power Loss: Cannot Login
