Channel: All SRX Services Gateway posts

tcpdump on SRX


Hi everyone

 

I am trying to set up tcpdump to capture traffic involving 199.199.199.10.

 

PC1 199.199.199.10 -- 199.199.199.1 fe-0/0/1 - TRUST - SRX - UNTRUST - fe-0/0/2 - 200.200.200.1 --- 200.200.200.2 PC2

 

SET UP:

SRX has vlan 199, vlan.199, 199.199.199.1, zone TRUST

SRX has vlan 200, vlan.200, 200.200.200.1, zone UNTRUST

 

SRX performs static NAT (destination) and changes the destination IP 100.100.100.10 to 200.200.200.20.

Below we can see the SRX successfully NATs and routes the traffic to 200.200.200.2.

 

The whole config is under additional info at the bottom of this post.

 

root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: RULE1 Rule-set: ZEE1
Rule-Id : 1
Rule position : 1
From zone : TRUST
Destination addresses : 100.100.100.10
Host addresses : 200.200.200.20
Netmask : 32
Host routing-instance : N/A
Translation hits : 186


root> show security flow session

 


Session ID: 2232, Policy name: A/4, Timeout: 2, Valid
In: 199.199.199.10/33662 --> 100.100.100.10/1;icmp, If: vlan.199, Pkts: 1, Bytes: 60
Out: 200.200.200.20/1 --> 199.199.199.10/33662;icmp, If: vlan.200, Pkts: 1, Bytes: 60

 

Below I have set up tcpdump to capture all routed traffic received on vlan.199:

 

root@% tcpdump -i vlan.199


verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.


Listening on vlan.199, capture size 96 bytes

 

Reverse lookup for 199.199.199.1 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

01:53:00.832297 In arp who-has 199.199.199.1 (54:e0:32:d3:b8:08) tell 199.199.199.10
01:53:00.832401 Out arp reply 199.199.199.1 is-at 54:e0:32:d3:b8:08

 

 

PC1 can reach 200.200.200.20 using the NATted IP 100.100.100.10, as can be seen in the session flow, but tcpdump on the SRX is only capturing ARP traffic, not transit traffic (I did not specify any filter, so all traffic that traverses vlan.199 should be captured).

 

This is my first time doing tcpdump on the SRX, so I am not sure if I am missing anything.

 

Thanks

Additional info:

 

root> show configuration | display set
set version 11.4R7.5
set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan199
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan200
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan199
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set interfaces vlan unit 199 family inet address 199.199.199.1/24
set interfaces vlan unit 200 family inet address 200.200.200.1/24
set security address-book global address ZEE 200.200.200.20/32
set security address-book global address GIGI 100.100.100.10/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat static rule-set ZEE1 from zone TRUST
set security nat static rule-set ZEE1 rule RULE1 match destination-address 100.100.100.10/32
set security nat static rule-set ZEE1 rule RULE1 then static-nat prefix 200.200.200.20/32
set security policies from-zone TRUST to-zone UNTRUST policy A match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address ZEE
set security policies from-zone TRUST to-zone UNTRUST policy A match application any
set security policies from-zone TRUST to-zone UNTRUST policy A then permit
set security policies from-zone UNTRUST to-zone TRUST policy A match source-address GIGI
set security policies from-zone UNTRUST to-zone TRUST policy A match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy A match application any
set security policies from-zone UNTRUST to-zone TRUST policy A then permit
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces vlan.199
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST interfaces vlan.200
set vlans vlan199 vlan-id 199
set vlans vlan199 l3-interface vlan.199
set vlans vlan200 vlan-id 200
set vlans vlan200 l3-interface vlan.200


high 'Real-time threads CPU utilization' on fwdd


As per subject.

I have a high 'Real-time threads CPU utilization' on fwdd.

Yet, 'top -H' or 'show system processes extensive' shows fwdd as only taking 30 to 40% CPU...

Help/suggestions here?

Re: Error when commit static nat two public ip into one private IP?


Hi spuluka,

If one private IP on destination NAT has multiple ports, do I need to assign the destination-port on the destination NAT, or just do it in the security policy only?

Thanks and appreciate your feedback

Re: tcpdump on SRX


hi!

It catches only packets with a local RE destination or source.

There is no capture of forwarded packets, as this capture is done in the RE and not in the PFE.

And ARPs, as broadcasts, will reach the RE, therefore they are seen.

regards

alexander

Re: SYSLOG and Control plane on SRX 650


There is no adverse effect on the control plane from using the mgmt port for logging on the branch devices, because the branch devices cannot generate the volume of logs that can be seen on the high end, and there is no separate hardware path that those logs must traverse.

 

This is simply not an issue on the branch devices.

Re: Error when commit static nat two public ip into one private IP?


Both is best.

 

You would need to add the port to the NAT rule to share the address with multiple internal servers.

 

And for security reasons you would include the port in the policy so that only the legitimate traffic would go to that particular server. This is best practice, since without the NAT rule the traffic won't get a session anyway.

Re: Security policy Untrust to zone Trust is denying traffic.


This rule is not correct because the source address is some "any" address on the internet, not your WAN.

set security policies from-zone untrust to-zone trust policy siege match source-address WAN
set security policies from-zone untrust to-zone trust policy siege match destination-address any
set security policies from-zone untrust to-zone trust policy siege match application siege
set security policies from-zone untrust to-zone trust policy siege then permit

This would be the best option for the policy:

 

set security policies from-zone untrust to-zone trust policy siege match source-address any
set security policies from-zone untrust to-zone trust policy siege match destination-address INTERNAL_SERVER
set security policies from-zone untrust to-zone trust policy siege match application siege
set security policies from-zone untrust to-zone trust policy siege then permit

You also need the destination NAT rule for this to work, with the pool for the server and proxy ARP if the address is other than one configured on the SRX port, as seen on page 9:

 

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
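The two replies above (put the port in the NAT rule so one public address can serve several internal servers, and match the real server address plus the application in the policy) as one worked configuration. This is an added example written for this thread, not configuration from the linked KB document or from either poster. The addresses are constructed from documentation ranges (public 203.0.113.5 on ge-0/0/0.0 in zone untrust, servers 10.1.1.10 and 10.1.1.20 in zone trust), and the pool, rule-set, address-book and policy names are made up.

```junos
# Destination NAT: one public address, split by destination port onto two servers.
# Each pool carries the real port, so the outside port and inside port may differ.
set security nat destination pool WEB-POOL address 10.1.1.10/32 port 443
set security nat destination pool SMTP-POOL address 10.1.1.20/32 port 25
set security nat destination rule-set DNAT-IN from zone untrust
set security nat destination rule-set DNAT-IN rule WEB match destination-address 203.0.113.5/32
set security nat destination rule-set DNAT-IN rule WEB match destination-port 443
set security nat destination rule-set DNAT-IN rule WEB then destination-nat pool WEB-POOL
set security nat destination rule-set DNAT-IN rule SMTP match destination-address 203.0.113.5/32
set security nat destination rule-set DNAT-IN rule SMTP match destination-port 25
set security nat destination rule-set DNAT-IN rule SMTP then destination-nat pool SMTP-POOL

# 203.0.113.5 is assumed NOT to be configured on ge-0/0/0.0 itself, so the SRX has
# to answer ARP for it on the outside segment; omit this when the address is the
# interface address.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.5/32

# Policies are evaluated AFTER destination NAT, so they name the real (post-NAT)
# server addresses, not the public one, and only the application each server speaks.
set security address-book global address WEB-SRV 10.1.1.10/32
set security address-book global address SMTP-SRV 10.1.1.20/32
set security policies from-zone untrust to-zone trust policy WEB match source-address any
set security policies from-zone untrust to-zone trust policy WEB match destination-address WEB-SRV
set security policies from-zone untrust to-zone trust policy WEB match application junos-https
set security policies from-zone untrust to-zone trust policy WEB then permit
set security policies from-zone untrust to-zone trust policy SMTP match source-address any
set security policies from-zone untrust to-zone trust policy SMTP match destination-address SMTP-SRV
set security policies from-zone untrust to-zone trust policy SMTP match application junos-smtp
set security policies from-zone untrust to-zone trust policy SMTP then permit
```

Drop the `#` comment lines before pasting into `load set terminal`. After commit, `show security nat destination rule all` shows the translation hits per rule, and `show security flow session destination-prefix 10.1.1.10` shows the sessions landing on the real server; if the hits climb but no session appears, the policy (not the NAT rule) is what is dropping the traffic, which is the point of keeping the policy as narrow as the NAT rule.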

Re: SRX GATEWAY Cluster with VLAN


A RETH is a single redundant interface; there are exactly two members, and they are the matching interfaces on the two SRX devices.

 

Think of this as failover.  This is the single PAIR of interfaces that back each other up for the connection at hand.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/chassis-cluster-redundant-ethernet-interface-understanding.html

 

Examples of chassis cluster deployment:

https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf

 

For the layer 3 interface on the SRX, when you have a single connection in the VLAN, configure the address directly on the RETH interface. When you have multiple interfaces in the same VLAN, you configure a VLAN interface and add the member interfaces to the VLAN group.

 

VLAN interface configuration

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11000
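The two cases in the paragraph above (address directly on the RETH for a single connection, VLAN interface with RETH members when several ports share the VLAN), as an added configuration example for this thread and not taken from the linked documents. It assumes an SRX240 pair, where node 1's ports show up as FPC 5 (ge-5/0/x), a Junos release that supports Ethernet switching on reth interfaces, and that the cluster itself (cluster-id, node, fabric links) is already configured; the interface numbers, VLAN 10, zone names and addresses are made up.

```junos
# One redundancy group for the data plane; node 0 is preferred while it is healthy.
set chassis cluster reth-count 3
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Case 1: a single connection into the upstream VLAN. reth0 pairs ge-0/0/2 on
# node 0 with ge-5/0/2 on node 1 and carries the address directly.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-5/0/2 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/24

# Case 2: several ports in the same VLAN. Each port pair is its own reth in
# switching mode, both reths are members of VLAN 10, and the address lives on
# the vlan.10 L3 interface that the VLAN points at.
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-5/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family ethernet-switching port-mode access
set interfaces reth1 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/4 gigether-options redundant-parent reth2
set interfaces ge-5/0/4 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family ethernet-switching port-mode access
set interfaces reth2 unit 0 family ethernet-switching vlan members v10
set vlans v10 vlan-id 10
set vlans v10 l3-interface vlan.10
set interfaces vlan unit 10 family inet address 10.0.10.1/24

# Neither interface passes traffic until it is in a zone.
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces vlan.10
```

`show chassis cluster interfaces` lists each reth with its two child ports and which node is currently active for the redundancy group; `show chassis cluster status` confirms the group has a primary node. Drop the `#` comment lines before pasting into `load set terminal`.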


Re: Has anyone experienced implementing this command on SRX5800?


Hi all,

Has anyone experienced applying that config to an SRX5800 in production?

Thanks

SRX VLAN Tagged/Untagged Port (packet mode)


Hello all, 

 

I am losing my mind here trying to figure out what I am doing wrong with this config. I am off-site from the device and am attempting to do some testing of different configurations and routing between devices. I have only made a few physical connections, and was hoping to be able to use VLAN interfaces as subinterfaces on one of the physical ports so that I could have multiple logically separate subnets. 

 

I have tried using different unit numbers, and tried flexible VLAN tagging, but nothing seems to work. I have read probably 100 forum posts and articles that seem to have about 5 different ways of doing this, and none of them seem to work; plus most aren't dealing with packet mode, and I feel there is a bit of a disconnect in the support from one mode to another.

 

I have the physical all set up as a point to point link, but I would like to create another on the same physical port, tagged with VLAN 100 while leaving the below on Unit 0 as untagged. 

 

I would like to place 172.20.20.1/30 on VLAN 100 on ge-0/0/2

 

ge-0/0/2 {
    unit 0 {
        family inet {
            address 12.12.12.181/30;
        }
    }
}

 

Any ideas? 

 

Re: SRX VLAN Tagged/Untagged Port (packet mode)


Hello,

 


frontdist wrote:

would like to create another on the same physical port, tagged with VLAN 100 while leaving the below on Unit 0 as untagged. 

 

I would like to place 172.20.20.1/30 on VLAN 100 on ge-0/0/2

 

ge-0/0/2 {
    unit 0 {
        family inet {
            address 12.12.12.181/30;
        }
    }
}

 

Any ideas? 

 


Yes. Try the following config snippet:

    ge-0/0/2 {
        flexible-vlan-tagging;
        native-vlan-id 1;
        unit 0 {
            vlan-id 1;
            family inet {
                address 12.12.12.181/30;
            }
        }
        unit 100 {
            vlan-id 100;
            family inet {
                address 172.20.20.1/30;
            }
        }
    }

HTH

Thx
Alex

 

SRX340 SSD installation


I have been unable to find ANY documentation of the installation of an SSD device for logging in the SRX300 series.

I HAVE found references that indicate the following:

1) it is supported in our SRX340

2) minimum size for SRX340 is 100GB

 

BUT, after installing a 240GB Samsung 840 SSD, the SRX340 is stuck with the status light in alarm.

The device doesn't appear to have finished starting up; only the management port is active.

Ports 0/0 and up are dead/inactive. Even the power button is nonresponsive.

After pulling the power cord and removing the drive, the device starts up normally when re-energized.

 

Please advise, what is the procedure for installing an SSD drive, and which drives are supported?

None of our resellers have the "official" Juniper SKU 100GB SSD drive for sale.

Re: SRX VLAN Tagged/Untagged Port (packet mode)


I have done the following: 

 

ge-0/0/2 {
    flexible-vlan-tagging;
    native-vlan-id 1;
    unit 0 {
        vlan-id 1;
        family inet {
            address 12.12.12.181/30;
        }
    }
    unit 100 {
        vlan-id 100;
        family inet {
            address 172.20.20.1/30;
        }
    }
}

 

I can now ping 172.20.20.2 (the other end on VLAN 100); however, I can no longer ping 12.12.12.182, which is on the same interface as 172.20.20.2 on the other device.

 

When I remove the VLAN information, I can once again ping 12.12.12.182 address. 

Re: tcpdump on SRX


Thanks for your response, it makes sense, so we cannot do tcpdump on transit traffic.

 

How about this (not sure if this will work):

 

1) We define the capture filter, capture the transit traffic and store that file locally.

2) We use tcpdump to read the file.

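The two steps above describe the branch-SRX packet-capture feature, which is the answer to the RE-versus-PFE problem explained earlier in the thread: a firewall filter with a `sample` action marks the transit packets in the forwarding path, `forwarding-options packet-capture` writes them to a pcap under /var/tmp, and `tcpdump -r` reads that file from the shell. The following is an added example written for this thread, not configuration posted by either participant. It reuses the original poster's addresses and vlan.199; the filter name (CAP-PC1) and file name (pcap-pc1) are made up, and it assumes the filter can be applied on the vlan.199 logical interface the same way it is on a physical one.

```junos
# Write sampled packets to /var/tmp/pcap-pc1.<interface>, rotating at 1 MB x 5 files,
# and keep whole frames (the default capture size truncates each packet).
set forwarding-options packet-capture file filename pcap-pc1
set forwarding-options packet-capture file files 5
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture maximum-capture-size 1500

# Mark traffic to or from PC1 for capture. Every firewall filter ends in an
# implicit discard, so the final catch-all accept term is what keeps the rest
# of the transit traffic flowing; without it the capture filter becomes an outage.
set firewall family inet filter CAP-PC1 term from-pc1 from source-address 199.199.199.10/32
set firewall family inet filter CAP-PC1 term from-pc1 then sample
set firewall family inet filter CAP-PC1 term from-pc1 then accept
set firewall family inet filter CAP-PC1 term to-pc1 from destination-address 199.199.199.10/32
set firewall family inet filter CAP-PC1 term to-pc1 then sample
set firewall family inet filter CAP-PC1 term to-pc1 then accept
set firewall family inet filter CAP-PC1 term allow-rest then accept

# Apply in both directions on the inside L3 interface. On vlan.199 the packets are
# still pre-NAT, so 100.100.100.10 (not 200.200.200.20) is the destination you will
# see; to capture the translated side, apply a filter on vlan.200 instead.
set interfaces vlan unit 199 family inet filter input CAP-PC1
set interfaces vlan unit 199 family inet filter output CAP-PC1
```

Drop the `#` comment lines before pasting into `load set terminal`. After commit and a ping from PC1, `start shell`, `ls /var/tmp/pcap-pc1*` and `tcpdump -nr /var/tmp/pcap-pc1.<interface>` read the capture with the same decoder the poster already used; `-n` avoids the reverse-lookup delay the interactive run complained about. Remove the filter and the packet-capture stanza when done, since sampling every packet on a busy interface is extra work for the forwarding daemon.
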
Re: SYSLOG and Control plane on SRX 650


Thanks Spuluka,

 

You mentioned:

Because the branch devices cannot generate the volume of logs that can be seen on the high end, and there is no separate hardware path that those logs must traverse.

Does the high-end SRX have a separate path these logs must traverse? Actually I need to understand the architecture to fully grasp this syslog thing.

Appreciate your help, have a nice day!!


Re: SRX VLAN Tagged/Untagged Port (packet mode)


I have also moved the network that was on the unit 0 native vlan to a tagged vlan under another unit, replicated the configuration at the far end device (a sonicwall) and was able to get it to work. 

 

It seems I am missing something with the ability to combine tagged and untagged on the same port. This becomes a problem if the far end device doesn't support features on a subinterface and only on a physical interface. As a workaround one could throw a switch in the middle to strip or add tagging as required, but I feel like on a device like this I should be able to make it work as I intend. 

Private VLANs - Juniper SRX Firewall

Hi all

We have a link from our Cisco switch to a Juniper SRX firewall where the Cisco end is configured as a promiscuous port. Over this link we configure a primary PVLAN.

Connected to the switch we also have a bunch of servers all in the same isolated PVLAN and subnet which is mapped to the primary. In this situation how is ARP handled when one server needs to communicate with another? An intra-zone rule on the SRX? Proxy ARP maybe?

Thank you

Re: SRX VLAN Tagged/Untagged Port (packet mode)


Ok, so apparently there was a change in the default configuration with the newer firmware vs the older firmware and the switching. 

 

When I ran: 

 

set protocols l2-learning global-mode switching

 

It began to work... There are a million question on the board here about VLAN implementations, so I hope like hell that this helps someone else. 

Nat'ing to public IP space before entering a route-based VPN


I'm trying to set up a route-based VPN on an SRX340 to a Cisco ASA. The remote end will not allow private IPs to be tunneled through, and so I have to NAT the traffic on my side to public space before it enters the VPN so that it exits the other side as a public IP. Any pointers on how that might be done?

From ScreenOS to JunOS


Hello Expert,

 

I'm changing some configuration from ScreenOS SSG-550M to Junos SRX5600, but I have some doubts regarding this change:

 

The current config in ScreenOS has several virtual routers; my doubt is with the Trust-VR. Do I need to create a virtual router for this, or use the SRX [inet.0] router itself for this virtual router?

 

What is best practices for this?

 

Also, if you can share with me a config from ScreenOS to Junos, it will be of great help.

 

Thanks for the help

 

Mario Cruz
