
Messages - screenie.

You're welcome! And there's no such thing as stupid questions!


I think I know what's wrong. The MIP made the SSG respond to an ARP request, I think. A static route pointing to .50 in the internet router should solve this. Also, static ARP entries in the router could solve this.
Proxy ARPing on the SSG can also work. In older versions we configured a DIP on the address we wanted a proxy ARP for. In the latest version you can configure proxy ARP. You can try to proxy ARP the addresses on your /29 net on the untrust (e0, I believe) interface.

Hope this is clear.

From the 6.3 manual:

get interface interface proxy-arp-entry
get proxy-arp-entry [ all ]
set interface interface proxy-arp-entry ip_min ip_max
unset interface interface proxy-arp-entry ip_min ip_max
Imports traffic destined for an IP address range using this interface. Specify
the IP range as follows:
■ ip_min—Specify the minimum IP address in the IP address range.
■ ip_max—Specify the maximum IP address in the IP address range.
The <proxy-arp-entry> option can only be configured on the Layer 3
interface in Layer 3 mode. The administrator can configure no more than
256 proxy ARP entries per interface.
The security device responds to ARP requests that arrive at this interface and
the destination is in the proxy ARP entry IP range.
TIP: Use <proxy-arp-entry> along with a destination translation policy.
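As an added example (not code from the forum post or from the ScreenOS manual excerpt above), here is a small Python helper that turns a prefix such as the /29 mentioned earlier into the proxy-arp-entry commands the manual describes, and checks them against the constraints the manual states: ip_min must not be above ip_max, and no more than 256 entries per interface. It also answers the question a practitioner wants answered before applying the config: does the proxy ARP range actually cover the MIP address that the upstream router has to reach? The interface name, the prefix and the MIP address in the usage call are constructed sample values, not from the thread.

```python
"""Added example: generate and sanity-check ScreenOS proxy-arp-entry commands.
Everything here is illustrative; interface names, prefixes and addresses are
constructed sample values, not configuration from the forum thread."""
import ipaddress

# Per-interface limit quoted from the ScreenOS 6.3 manual excerpt. Assumption:
# each configured ip_min..ip_max range counts as one entry.
MAX_ENTRIES_PER_INTERFACE = 256


def usable_range(prefix):
    """Return (ip_min, ip_max) for the host addresses of an IPv4 prefix.

    Network and broadcast addresses are excluded for prefixes shorter than /31,
    which is what you normally want to proxy-ARP for a routed /29."""
    net = ipaddress.ip_network(prefix, strict=True)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def proxy_arp_commands(interface, ranges, existing_entries=0):
    """Build 'set interface <if> proxy-arp-entry <min> <max>' lines.

    ranges is a list of (ip_min, ip_max) strings. existing_entries is the number
    of proxy ARP entries already configured on the interface, so the 256 limit
    is checked against the total. Raises ValueError on an inverted range or
    when the limit would be exceeded."""
    cmds = []
    total = existing_entries
    for ip_min, ip_max in ranges:
        lo = ipaddress.ip_address(ip_min)
        hi = ipaddress.ip_address(ip_max)
        if lo > hi:
            raise ValueError(f"ip_min {ip_min} is above ip_max {ip_max}")
        total += 1
        if total > MAX_ENTRIES_PER_INTERFACE:
            raise ValueError(
                f"{total} entries on {interface} exceeds the limit of "
                f"{MAX_ENTRIES_PER_INTERFACE} per interface"
            )
        cmds.append(f"set interface {interface} proxy-arp-entry {ip_min} {ip_max}")
    return cmds


def covers(ranges, address):
    """True if address falls inside at least one (ip_min, ip_max) range.

    Use this to confirm that a MIP address the upstream router must reach is
    actually answered for by the firewall before relying on the config."""
    addr = ipaddress.ip_address(address)
    return any(
        ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
        for lo, hi in ranges
    )


if __name__ == "__main__":
    # Constructed sample: a /29 on the untrust interface and one MIP inside it.
    untrust_if = "ethernet0/0"
    rng = usable_range("192.0.2.40/29")
    for line in proxy_arp_commands(untrust_if, [rng]):
        print(line)
    print("MIP 192.0.2.44 covered:", covers([rng], "192.0.2.44"))
    print("MIP 192.0.2.50 covered:", covers([rng], "192.0.2.50"))
```

The interface argument is whatever `get interface` shows on the box (the poster refers to it as e0); the helper only formats the command, it does not verify that the interface is in Layer 3 mode, which the manual says is required.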

Hi Sordet,

Does your routing table show the correct connected routes (get route proto con)?

If it is correct, can you debug a session?


"packet dropped: for self but not interested"

I think you have management on 443 enabled system-wide, but not enabled as a management service on the interface. That would generate this message.

Your default route is XXX.XXX.10.193.
You have a MIP from XXX.XXX.3.41 to
So if the host connects to the outside, its source will show as XXX.XXX.3.41 to the outside world, right?

Does the upstream router now route XXX.XXX.3.41 to the firewall?

I don't think this config is possible. You need to configure the outbound interface when setting up a VPN. The termination point (and with this the IP address the other side has to connect to) will be the primary IP address of this interface.
Apart from that, I don't see the need for this config. Many VPNs can connect to the same interface/IP.

NetScreen and SSG/ISG Series Firewalls / Re: SSG 550M port redundancy
« on: September 15, 2009, 03:38:18 pm »
Hi captain.

I'd create a redundant interface for this. Add two ports, put the IP settings on the redundant interface, and you're ready....

NetScreen and SSG/ISG Series Firewalls / Re: Juniper SSG520 Screening
« on: September 11, 2009, 03:37:24 pm »
Time for an upgrade!

NetScreen and SSG/ISG Series Firewalls / Re: Juniper SSG520 Screening
« on: September 09, 2009, 01:05:25 pm »
Best way is to define a separate policy and configure a session limit on the policy. This feature was added in 6.1, I believe.

That's what I mean!

For all of you who use SNMP: there are MIBs on the download pages!

SRX Platform and J-series / Re: SSH V1 and SSl V 3.0 on SRX-240
« on: September 05, 2009, 07:56:14 am »
For anyone in trouble: by default the international version is shipped. SSH v2 and encryption stronger than DES are in the domestic version.

SRX Platform and J-series / Re: Interface NAT and Policy Based VPN
« on: September 05, 2009, 07:54:30 am »
Just a thought:

Add a rule above rule1: source any, destination any, source-nat from a pool with internal addresses.

NAT in the security policy is pre-JUNOS 9.5. In 9.5/9.6 you have to NAT everything under security nat.

Without the rekey, the traffic from monitoring won't keep the VPN up. With rekey, the VPN does stay up.

OK, now fill in permitted IP with only the first internal prefix and you're there! Wireless can't manage any more. See in the GUI: Configuration -> Admin -> Permitted IPs

You're misusing sub-interfaces, I think. They are there for dealing with tagged traffic. But why not set blocking on the trust zone and give the access point an IP in a secondary range you create on the trust interface? Clients on wireless can't route over the firewall to wired hosts now....

But did you specify reth0 as outgoing interface?

If there's something, it's definitely under chassis settings. Try set chassis ? as a starting point.



What does show log kmdlog tell you about what's going wrong?

NetScreen and SSG/ISG Series Firewalls / Re: ScreenOS Rollback Feature
« on: August 27, 2009, 01:17:59 pm »
Save your config to last-known-good every time you want to create a new rollback config. When something goes wrong, call somebody and let him/her type in exec rollback. That's in my opinion the easiest way when you're not using NSM.