Re: NAT on multiple network interfaces on server removes internet!

January 23, 2018, 2:30 am

≫ Next: Re: SRX320 VDSL/ADSL Module Configuration

≪ Previous: Re: Wrong 'mode' after factory reset

This inactive rule is incorrect from zone to zone and is not necessary because static nat takes care of both destination and source nat. You can delete this.

rule-set dyn-vpn-ruleset

The static nat rules look correct.

I assume that interface ge-0/0/0 has an ip address subnet that includes these proxy arp ranges and is therefore correct.

interface ge-0/0/0.0 {
                address {
                    145.10.5.100

Policies are the correct zones and addresses. But policy uses address objects so you will need to create address objects for each ip address. You can then use these directly in your policy or put them into an address set and create one policy with that address set instead.

  destination-address 10.5.1.7/32;

https://www.juniper.net/documentation/en_US/junos/topics/example/zone-address-book-configuring-cli.html

You should also consider changing the any application into only those you really need to expose to the internet. And if they are different for each server then keep them as separate policy with the minimum ports exposed.

↧

Re: SRX320 VDSL/ADSL Module Configuration

January 23, 2018, 2:38 am

≫ Next: Re: Order of Operation: Source NAT and Security Policy

≪ Previous: Re: NAT on multiple network interfaces on server removes internet!

I don't use the web gui much from the cli you would remove the interface

delete interfaces fe-0/0/0

Is this an ADSL or VDSL line?

The example I have was from setting up ADSL. If yours is VDSL then this is the correct example.

https://www.juniper.net/documentation/en_US/junos/topics/example/vdsl2-pim-security-interface-property-configuring.html

↧

Re: Order of Operation: Source NAT and Security Policy

January 23, 2018, 2:44 am

≫ Next: SRX 550 no free space

≪ Previous: Re: SRX320 VDSL/ADSL Module Configuration

Your destination nat rule set is missing the zone context.

You also cannot use 0.0.0.0 as the destination you need to specifiy the public addresses

And you need a separate rule for all three servers as a result.

See page 9 here for the full example

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

↧

SRX 550 no free space

January 23, 2018, 2:53 am

≫ Next: Re: Configure Route filter on SRX 220 h2

≪ Previous: Re: Order of Operation: Source NAT and Security Policy

Hello all i have this issue that j-web refuse to open because there is no disk space and i have issued 'request system storage cleanup' but no effect .. after some troubleshooting i have found that /var folder is full i have removed all log files under log folder and still the same :- df

Filesystem 512-blocks Used Avail Capacity Mounted on
/dev/ad0s1a 1216152 359672 759188 32% /
devfs 2 2 0 100% /dev
/dev/md0 40024 12656 24168 34% /junos
/cf/packages 1216152 359672 759188 32% /junos/cf/packages
devfs 2 2 0 100% /junos/cf/dev
/dev/md1 1053196 1053196 0 100% /junos
/cf 40024 12656 24168 34% /junos/cf
devfs 2 2 0 100% /junos/dev/
/cf/packages 1216152 359672 759188 32% /junos/cf/packages1
procfs 8 8 0 100% /proc
/dev/bo0s3e 93896 292 86096 0% /config
/dev/bo0s3f 1215176 1213280 -95316 109% /cf/var
/dev/md2 687744 65780 566948 10% /mfs
/dev/md3 1240 1240 0 100% /cf/var/packages/mnt/kav-worker-octeon-12.1X47-D10
/cf/var/jail 1215176 1213280 -95316 109% /jail/var
/cf/var/log 1215176 1213280 -95316 109% /jail/var/log
devfs 2 2 0 100% /jail/dev
/dev/md4 128728 8 118424 0% /mfs/var/run/utm
/dev/md5 3768 1160 2308 33% /jail/mfs

-------------------------------------------------------------------------

root@HODCFW01% du -hs /cf/*
288K /cf/bin
3.1M /cf/boot
2.0K /cf/dev
158K /cf/etc
0B /cf/kernel
0B /cf/kernel.old
0B /cf/opt
0B /cf/packages
169M /cf/packages1
4.0K /cf/packages2
10K /cf/root
462K /cf/sbin
2.1M /cf/usr
275M /cf/var

-------------------------------------------------------------------------------------------

root@HODCFW01% du -hs /cf/var/*
2.0K /cf/var/account
6.0K /cf/var/at
2.0K /cf/var/backups
4.0K /cf/var/crash
4.0K /cf/var/cron
271M /cf/var/db
2.0K /cf/var/empty
272K /cf/var/etc
2.0K /cf/var/heimdal
2.0K /cf/var/home
138K /cf/var/jail
2.8M /cf/var/log
2.0K /cf/var/logical-systems
2.0K /cf/var/mail
2.0K /cf/var/msgs
2.0K /cf/var/named
18K /cf/var/opt
843K /cf/var/packages
2.0K /cf/var/pdb
2.0K /cf/var/preserve
12K /cf/var/run
2.0K /cf/var/rwho
14K /cf/var/spool
6.0K /cf/var/sw
16K /cf/var/tmp
4.0K /cf/var/transfer
2.0K /cf/var/validate
2.0K /cf/var/yp

----------------------------------------------------------------------------------------------------------------

Any recommendations the only folder here has a space is db folder !!!!!!

↧

Re: Configure Route filter on SRX 220 h2

January 23, 2018, 3:14 am

≫ Next: Re: SRX320 VDSL/ADSL Module Configuration

≪ Previous: SRX 550 no free space

Sounds like filter based forwarding would work for this based on the source address of the traffic forwarding to the desired next hop.

https://www.juniper.net/documentation/en_US/junos/topics/example/filter-based-forwarding-example.html

↧

Re: SRX320 VDSL/ADSL Module Configuration

January 23, 2018, 3:37 am

≫ Next: Re: SRX 550 no free space

≪ Previous: Re: Configure Route filter on SRX 220 h2

Thank you Steve.

It's an ADSL connection.

Regarding the following, are the items in Red correct?

set interfaces at-1/0/0 sl1-options operating-mode auto
set interfaces at-1/0/0 unit 0 pop-options pap access-profile TestLine

↧

Re: SRX 550 no free space

January 23, 2018, 3:42 am

≫ Next: Does VRRP supports different Junos version on 2 SRX

≪ Previous: Re: SRX320 VDSL/ADSL Module Configuration

Hi,

Please provide the output of below mentioned command:

ls -lrth /cf/var/db

↧

Does VRRP supports different Junos version on 2 SRX

January 23, 2018, 4:04 am

≫ Next: Re: Does VRRP supports different Junos version on 2 SRX

≪ Previous: Re: SRX 550 no free space

Hi,

We have 2 SRX 340 in packet mode with different Junos version.

Can i configure VRRP for both SRX. Is there any impact on failover

Thank you..

↧

Re: Does VRRP supports different Junos version on 2 SRX

January 23, 2018, 4:12 am

≫ Next: v15 vs v17 software, which one?

≪ Previous: Does VRRP supports different Junos version on 2 SRX

Hi,

yes, you can configure VRRP, the JUNOS version doesn't matter.

Just ensure you're not running eol(end of life) JUNOS.

↧

v15 vs v17 software, which one?

January 23, 2018, 4:17 am

≫ Next: Re: v15 vs v17 software, which one?

≪ Previous: Re: Does VRRP supports different Junos version on 2 SRX

For a beginner like me I'm confused as to why there are 2 versions of JunOS listed in the downloads section for my SRX320 devices. Before I go ahead and update all 23 units, can someone summarise in a nutsehell why I'd chose v15 over v17 and vice versa please?

↧

Re: v15 vs v17 software, which one?

January 23, 2018, 4:34 am

≫ Next: Re: v15 vs v17 software, which one?

≪ Previous: v15 vs v17 software, which one?

You should probably go for v17 (JUNOS 17.3R1-S2 or JUNOS 17.4R1)

As are they're the latest build inline, with the most recent bug fixes.

↧

Re: v15 vs v17 software, which one?

January 23, 2018, 4:48 am

≫ Next: Re: v15 vs v17 software, which one?

≪ Previous: Re: v15 vs v17 software, which one?

For SRX300 series I would still recommend Junos 15.1X49

Junos 17 is not full-featured yet. Eg. Junos 17.3R1 matches features of 15.1X49-D80 and 17.4R1 matches features of 15.1X49-D100.

If you need eg. LTE mPIM support, you should stick with 15.1X49-D110 or later. Personally I would go with 15.1X49-D120 for now.

↧

Re: v15 vs v17 software, which one?

January 23, 2018, 5:00 am

≫ Next: Re: v15 vs v17 software, which one?

≪ Previous: Re: v15 vs v17 software, which one?

15.1X49-D110, due to below reasons.

1. Its the JTAC recommended release for SRX320- ref https://kb.juniper.net/KB21476

2. 17.3 is based on 15.1X49-D75, which means latest features are not available on these versions for now. NCP based VPN is an example, there are more features added in 15.1X49-D90 and D100

↧

Re: v15 vs v17 software, which one?

January 23, 2018, 6:01 am

≫ Next: OSPF areas in a mixed ScreenOS & JunOS network

≪ Previous: Re: v15 vs v17 software, which one?

So, the question is, why are there 2 parallel versions of the software?

↧

OSPF areas in a mixed ScreenOS & JunOS network

January 23, 2018, 6:08 am

≫ Next: Re: AutoDiscovery VPN SRX (ADVPN IPsec )

≪ Previous: Re: v15 vs v17 software, which one?

We have a network consisting of approx. 28 ScreenOS devices i.e. NS5GT, SSG5, SSG20 anSSG-320M. We have OSPF areas numbered as follows 10, 20, 30, 40 etc. I have read that areas are numbered differently in JunOS e.g. 0.0.0.1. The plan is to gradually replace the ScreenOS devices with SRX320 and SRX340 models, but can this be done in a controlled fashion given the different ways OSPF areas are referenced?

↧

Re: AutoDiscovery VPN SRX (ADVPN IPsec )

January 23, 2018, 6:42 am

≫ Next: Re: AutoDiscovery VPN SRX (ADVPN IPsec )

≪ Previous: OSPF areas in a mixed ScreenOS & JunOS network

just that we have?

↧

Re: AutoDiscovery VPN SRX (ADVPN IPsec )

January 23, 2018, 6:41 am

≫ Next: Re: OSPF areas in a mixed ScreenOS & JunOS network

≪ Previous: Re: AutoDiscovery VPN SRX (ADVPN IPsec )

there is only theory? why we can find a configuration example?

↧

Re: OSPF areas in a mixed ScreenOS & JunOS network

January 23, 2018, 6:42 am

≫ Next: Re: AutoDiscovery VPN SRX (ADVPN IPsec )

≪ Previous: Re: AutoDiscovery VPN SRX (ADVPN IPsec )

OSPF area number is a 32-bit number, the srx displays it in IP-format

but 10 is 0.0.0.10 only for example 300 is 0.0.1.44,

but as far as I know you ca enter the number as number , only display is the IP-format

regards

↧

Re: AutoDiscovery VPN SRX (ADVPN IPsec )

January 23, 2018, 8:15 am

≫ Next: ADVPN or GroupVPN

≪ Previous: Re: OSPF areas in a mixed ScreenOS & JunOS network

Kindly refer to below link for understanding ADVPN and config example.

↧

ADVPN or GroupVPN

January 23, 2018, 2:32 pm

≫ Next: Re: NAT on multiple network interfaces on server removes internet!

≪ Previous: Re: AutoDiscovery VPN SRX (ADVPN IPsec )

I have a private WAN from our ISP that I don't entirely trust. I would like to encrypt all traffic over this WAN. To this end, I have a new SRX1500 at the main site, a SRX1500 for the DR site, and a SRX340 for each remote (4 spokes) site. I will be using OSPF to dynamically advertise the internet routes behind the two mains sites (SRX1500) to the remote sites (SRX340). I have never used ADVPN or GroupVPN and seem to be going in circles about which to use. While I could just use the old IPSEC setup per connection, setup of a mesh seems overly complicated. The spoke sites will talk directly, but the majority of traffic will be to the main and DR site. Any recommendations/help would be appreciated.

Thanks,

Todd

↧