Works great!!
Re: Event option and change of config
Re: IP-Monitoring not failing over
Is your next hop 192.168.0.2 reachable?
Re: I want to create a policy to allow *.cisco.com or cisco.com/uri
Just to clarify, wild card references like *.cisco.com that permit all domains above this like www.cisco.com and your mycase.cloudapps.cisco.com can be used for web filtering policies.
But security policies with DNS-based address books require FQDNs that can be resolved directly. So you would need to specify www.cisco.com as one address entry and mycase.cloudapps.cisco.com as a second. They both can be members of a group, but you CANNOT use wildcards for address objects in security policies. The security policy flow process does a live DNS lookup and operates based on the IP addresses resolved.
So for this type of policy you would need to use web filtering with its ability to inspect the actual URL. And in this particular case they likely run on SSL, so you would also need to set up SSL decryption for the policy as well.
Re: Issue with hub and spoke VPN with internet breakout
I think I get the topology and pathing here, but forgive me if this is wrong. I think you have internet sources coming in at the hub > static NAT to an address down the VPN to the spoke. Then the return path has no route from the spoke to the hub.
In these situations, I would remove the static NAT and use double NAT instead.
Create a destination NAT for the public address to the spoke site private address
Create a source NAT to interface for the same traffic. This will change the general internet address to the interface address on the tunnel at the hub site. Thus the hub site will have the return path automatically and the traffic will be restored to the public address via the source NAT process at the hub site.
Re: Trouble with double NAT
From the tests you have run so far it sounds like the NAT policies are correct on both firewalls but you appear to be missing a security policy for at least the DNS traffic.
On both SRXs, while making the DNS request from the host, check to see if a session is correctly created with the source prefix of your workstation on the first SRX, and on the second SRX with either this address or any NAT applied in the first device.
show security flow session source-prefix 1.1.1.1/32 destination-prefix 8.8.8.8
On the SRX where a session is NOT created, you can run debug to get the details on why.
https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110
Re: IP-Monitoring not failing over
Yes, 192.168.0.2 is reachable. It is a simple setup. The primary Internet router is the SRX300 at 192.168.0.1; the backup Internet router is a DSL router at 192.168.0.2. It is a small office, so there is just the 192.168.0.0/24 subnet. I eventually want the 0.0.0.0/0 route to change next hop, but for now am just testing by trying to insert the 4.2.2.2/32 route in the routing table.
Re: What are mean Invalidated sessions?
Hi wdudys,
I already opened that KB URL. But may I know how to check the invalidated sessions? Is it enough to use show security flow session? But this command is for real-time flows. How do I check all the non-real-time flows that are in that invalidated session state?
Thanks, and I appreciate anyone's feedback.
NAT configuration
Hello Experts,
Can anyone please verify my config if it will satisfy these 2 requirements:
1) Do static NAT translation from 10.10.200.10/11 to 10.10.22.10/11 when traffic flows from the trusted to the untrusted zone. Also, traffic will be translated from 10.10.22.10/11 to 10.10.200.10/11 when traffic hits the untrusted zone and is destined to the trusted zone.
set security nat static rule-set RS1 from zone untrust
set security nat static rule-set RS1 rule 1 match destination-address 10.10.22.10/32
set security nat static rule-set RS1 rule 1 then static-nat prefix 10.10.200.10/32
set security nat static rule-set RS1 rule 2 match destination-address 10.10.22.11/32
set security nat static rule-set RS1 rule 2 then static-nat prefix 10.10.200.11/32
2) Any traffic that flows from the trust to the untrust zone that doesn't have a static NAT entry should be translated to the interface IP of the untrust zone. If there is a static NAT entry, it should take precedence.
set security nat source rule-set RS1 from zone trust
set security nat source rule-set RS1 to zone untrust
set security nat source rule-set RS1 rule 255 match source-address 0.0.0.0/0
set security nat source rule-set RS1 rule 255 match destination-address 0.0.0.0/0
set security nat source rule-set RS1 rule 255 then source-nat interface
Re: NAT configuration
The config will satisfy your requirements. Static NAT is bidirectional (1) and it takes precedence over source NAT (2).
Note: you may need to configure proxy-arp if the static NAT IP is in the range of the untrust interface IP subnet.
Re: NAT configuration
As already stated, static NAT is bidirectional, which means that any traffic coming in on the untrust interface with the corresponding outside address as destination can also initiate a session and will be translated to the inside address (as long as the security policy does not prevent this).
regards
alexander
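To make the two replies concrete (static NAT applies in both directions and is evaluated before the catch-all source NAT, plus the proxy-arp caveat), here is an added Python model of the rule-set from the question. It is illustrative code, not Junos configuration or SRX code; the untrust interface address 192.0.2.1 is an assumed placeholder.

```python
import ipaddress

# Constructed model of the NAT rules posted above (outside address on the
# untrust side, inside address on the trust side). Not SRX code.
STATIC_NAT = [
    (ipaddress.ip_network("10.10.22.10/32"), ipaddress.ip_network("10.10.200.10/32")),
    (ipaddress.ip_network("10.10.22.11/32"), ipaddress.ip_network("10.10.200.11/32")),
]
UNTRUST_IF_IP = "192.0.2.1"  # assumed untrust interface address (placeholder)


def nat_decision(src, dst, from_zone, to_zone):
    """Return (translated_src, translated_dst, rule_hit) for a new session.

    Mirrors the SRX order: static NAT is consulted first and works in both
    directions; the source-NAT rule-set only catches what static NAT missed.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # Static rule-set 'from zone untrust': inbound traffic to an outside
    # address has its destination rewritten to the inside address.
    if from_zone == "untrust":
        for outside, inside in STATIC_NAT:
            if dst_ip in outside:
                return src, str(inside.network_address), "static-nat (destination)"

    if from_zone == "trust" and to_zone == "untrust":
        # Reverse leg of the same static rule: an inside host with a static
        # mapping leaves with its outside address, never the interface IP.
        for outside, inside in STATIC_NAT:
            if src_ip in inside:
                return str(outside.network_address), dst, "static-nat (reverse)"
        # Catch-all rule 255: everything else hides behind the untrust interface.
        return UNTRUST_IF_IP, dst, "source-nat interface (rule 255)"

    return src, dst, "no NAT"


def needs_proxy_arp(untrust_if_prefix):
    """List static outside addresses that sit inside the untrust interface
    subnet; those need proxy-arp so the SRX answers ARP for them."""
    net = ipaddress.ip_network(untrust_if_prefix, strict=False)
    return [str(o.network_address) for o, _ in STATIC_NAT if o.network_address in net]
```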
I am not able to access my protected resources via Dyn VPN from public remote site.
Hi There,
I am having an issue with my dynamic VPN using Pulse Secure. I am able to connect and get an IP, but I am not able to ping the resources. The strange thing is that I cannot even ping my SRX LAN IP.
Below is my configuration.
nali@JEDDAH-JEDDAH-MDIA200# show security dynamic-vpn
access-profile SERVER;
clients {
    all {
        remote-protected-resources {
            10.2.72.0/28;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn DYN_VPN;
        user {
            client1;
        }
    }
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200# show security ike
policy SERVER_IKE {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$9$n-3d9t0EhrMWxz3hyleXxjHqfF/tp0BEc0Odb"; ## SECRET-DATA
}
gateway SERVER_GW {
    ike-policy SERVER_IKE;
    dynamic {
        hostname DYNVPN;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/0.0;
    xauth access-profile SERVER;
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200# show security ipsec
vpn-monitor-options {
    interval 10;
    threshold 10;
}
policy IPSEC_DYN_POLICY {
    proposal-set standard;
}
vpn DYN_VPN {
    ike {
        gateway SERVER_GW;
        ipsec-policy IPSEC_DYN_POLICY;
    }
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200# show access address-assignment
pool SERVER_POOL {
    family inet {
        network 10.10.10.0/24;
        xauth-attributes {
            primary-dns 4.4.4.2/32;
        }
    }
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200#
C:\Users\MRS-5>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection* 15:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c03f:be5d:4968:bd12%17
IPv4 Address. . . . . . . . . . . : 10.10.10.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Hope someone can help me; many thanks in advance.
Re: I am not able to access my protected resources via Dyn VPN from public remote site.
Thanks, brother. I already checked it, but I am still not able to ping even the LAN IP on the SRX.
Re: SRX Behind NAT Device Dynamic VPN with Pulse
What I understand from the link is that the VPN client is not supported with static NAT and FQDN.
But normal NAT should work fine, yet I am facing an issue with the VPN client.
Re: Dynamic VPN behind NAT
I think local identity is used when we have static NAT.
Re: Dynamic VPN issues srx 240
I think I am having the same issue. However, I have made many wrong changes to the configuration by now. Can you please share your configuration so I can compare it with mine and see where I made the changes?
Re: Dynamic VPN behind NAT
Nemat3, Local Identity is just a method that the vpn gateways can validate each other when setting up the connection. This is not related to the use of nat at all.
Re: SRX240 Max IPSec VPN's
Hi All,
This thread is a bit old now, but I thought I'd post the fact that the SRX240 cluster is happy with more than 1000 tunnels. We put another 17 on there this morning and it hasn't fallen into a blackhole.
ipperf@SRX240H2-02> show security ipsec security-associations
node1:
--------------------------------------------------------------------------
Total active tunnels: 1020
Happy days.
Andy
rate-limit for each client in SRX240
I want to introduce a rate limit (20 Mbps, for example) for each client (inside, outside and DMZ) on my Juniper SRX240.
Re: rate-limit for each client in SRX240
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28161
https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-policer-bandwidth-limit-in-firewall-filter/td-p/220905