

Messages - kontra

Pages: [1] 2 3 4 5 6 ... 16
1
Routers / Re: Configure tacacs to Juniper MX-80
« on: October 19, 2011, 01:49:52 pm »
You need to create the remote account; everything else looks OK.


set system login user remote full-name "Remote Access Account"
set system login user remote uid 2001
set system login user remote class super-user
set system login user remote authentication encrypted-password
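A fuller TACACS+ setup around that template account, as an added example (not from the post above): server address, secret, source address and class names are placeholders. Lines beginning with # are commentary and must be dropped before a load set.

```junos
# Added example, not from the original post. 192.0.2.x addresses and the secret are placeholders.
# Try TACACS+ first; the local password is consulted only if no server answers,
# not when the server actively rejects the login.
set system authentication-order [ tacplus password ]
set system tacplus-server 192.0.2.10 secret "tacacs-shared-secret"
set system tacplus-server 192.0.2.10 source-address 192.0.2.1
set system tacplus-server 192.0.2.10 timeout 5
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 192.0.2.10 secret "tacacs-shared-secret"

# Template account for any TACACS+-authenticated user without a local login.
# Keep it restricted: every remote user inherits this class unless the server
# returns the Juniper attribute local-user-name selecting another template.
set system login class noc-readonly permissions [ view view-configuration ]
set system login user remote full-name "Remote Access Account"
set system login user remote uid 2001
set system login user remote class noc-readonly

# Privileged template, reached only when TACACS+ returns local-user-name=netadmin
set system login user netadmin full-name "TACACS+ admin template"
set system login user netadmin uid 2002
set system login user netadmin class super-user

# After commit, verify what each template maps to
run show configuration system login
```

Giving the catch-all remote template super-user, as in the post, makes every account the TACACS+ server accepts a root-equivalent on the MX; mapping privileged users to a separate template through local-user-name keeps the default at read-only.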

2
SRX Platform and J-series / Re: Open specific port on SRX 240
« on: October 19, 2011, 01:45:54 pm »
Under applications:

Example:
set applications application tcp-8085 protocol tcp
set applications application tcp-8085 destination-port 8085
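The custom application only defines the port; a policy has to reference it before anything is open. An added example (not from the post) of an inbound policy using it, assuming the server sits in zone trust at 10.1.1.20 and is reached from untrust; the address-book name and zones are assumptions. Comment lines starting with # must be removed before a load set.

```junos
# Added example, not from the original post. Zones and 10.1.1.20 are assumptions.
set applications application tcp-8085 protocol tcp
set applications application tcp-8085 destination-port 8085

# Address object for the one host that should receive 8085, rather than "any"
set security zones security-zone trust address-book address app-server 10.1.1.20/32

# Policy lookup is first match, top to bottom, so this must sit above any broader deny
set security policies from-zone untrust to-zone trust policy allow-8085 match source-address any
set security policies from-zone untrust to-zone trust policy allow-8085 match destination-address app-server
set security policies from-zone untrust to-zone trust policy allow-8085 match application tcp-8085
set security policies from-zone untrust to-zone trust policy allow-8085 then permit
set security policies from-zone untrust to-zone trust policy allow-8085 then log session-close

# Verify after commit
run show security policies policy-name allow-8085 detail
run show security flow session destination-port 8085
```

If the host is published through destination NAT, the policy is evaluated after the NAT translation, so destination-address must be the internal (post-NAT) address, not the public one.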

3
There is a tool on the Juniper site for converting IOS configuration files into Juniper JUNOS format.


See Juniper KB13220 for more info.


http://kb.juniper.net/InfoCenter/index?page=content&id=KB13220&smlogin=true

4
SRX Platform and J-series / Re: SRX image for VM
« on: October 19, 2011, 01:29:46 pm »
You can use Olive and download the J-series image (flow-based code vs. packet-based), which will give you the firewall features. But I have heard of some problems with firewalling on Olive.

5
SRX Platform and J-series / Re: Initial configuration Questions
« on: October 19, 2011, 01:26:05 pm »
Can you post the config file?

6
SRX Platform and J-series / Re: Routing Between two local network
« on: October 19, 2011, 01:08:15 pm »
Can you please give more information on the design? Do you mean you are using virtual routers and want to route-leak between the two networks?



7
Cool. Looking at the local config file again: recall that policy lookup is always from top to bottom. Place the tunnel policy before the "permit" policy with the insert command.



policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
        policy vpnpolicy-trust-untrust-cfgr {
            match {
                source-address net-cfgr_192-168-1--24;
                destination-address net-cfgr_172-20-1-0--24;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn ipsec-vpn-cfgr;
                        pair-policy vpnpolicy-untrust-trust-cfgr;
                    }
                }
            }
        }
    }
}




If you are still having issues, can you please post another traceoption with the packet-filters set?




set security flow traceoptions packet-filter remote-to-local source-prefix x.x.x.x/32
set security flow traceoptions packet-filter remote-to-local destination-prefix x.x.x.x/32

8
Can you also post your routing table? Because even if it's a policy-based VPN, you need to add a route to the destination.
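The reorder and the route from the two posts above, typed out as an added example (not from the posts): the insert command moves the tunnel policy above the blanket permit, the reverse pair policy makes the tunnel bidirectional, and a static route makes the remote subnet resolvable out of the untrust interface. The next-hop 203.0.113.1 and the untrust address object are assumptions. Lines beginning with # are commentary and must be dropped before a load set.

```junos
# Added example, not from the original posts. 203.0.113.1 and net-cfgr_172-20-1-0--24 in untrust are assumptions.
# Policy lookup is first match, top to bottom: put the tunnel policy ahead of the any/any permit
insert security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr before policy trust-to-untrust

# Return direction: the pair policy that the tunnel policy above references
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match source-address net-cfgr_172-20-1-0--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_192-168-1--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match application any
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel pair-policy vpnpolicy-trust-untrust-cfgr

# Policy-based VPN still needs a route: the remote prefix must resolve via the untrust (IKE gateway) interface
set routing-options static route 172.20.1.0/24 next-hop 203.0.113.1

# Verify the order and the route after commit
run show security policies from-zone trust to-zone untrust
run show route 172.20.1.0/24
```

The policy listing should now show vpnpolicy-trust-untrust-cfgr first; if trust-to-untrust is still on top, traffic for 172.20.1.0/24 is permitted in the clear and never enters the tunnel.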
 


9
NetScreen and SSG/ISG Series Firewalls / Re: Configuration issue
« on: April 17, 2011, 03:52:14 pm »
So you have a MIP for the dst-NAT translation. You could just create an address group in the untrust zone for the source IPs and map that to the policy; all other traffic will be dropped by default, hitting the global deny policy.


 

10
You need to allow IPsec and IKE in the policy, because the first part of creating a VPN is phase 1, which starts the IKE process; then phase 2 creates the IPsec tunnel.

Also, what does the log show on the remote end?





11
Did you do another debug with the packet-filters set for src and dst? What type of traffic are you pushing across the tunnel?

12
Looks like someone or a bot is connecting to SSH on your SRX. You need to create an input firewall filter on the lo0 interface.


set policy-options prefix-list accept-ssh-traffic x.x.x.x/x

set firewall filter ssh-traffic term 1 from source-prefix-list accept-ssh-traffic
set firewall filter ssh-traffic term 1 from protocol tcp
set firewall filter ssh-traffic term 1 from destination-port ssh
set firewall filter ssh-traffic term 1 then accept
set firewall filter ssh-traffic term 2 from protocol tcp
set firewall filter ssh-traffic term 2 from destination-port ssh
set firewall filter ssh-traffic term 2 then count discard
set firewall filter ssh-traffic term 2 then log
set firewall filter ssh-traffic term 2 then reject
set firewall filter ssh-traffic term 3 then accept

set interfaces lo0 unit 0 family inet filter input ssh-traffic

Or disable SSH access:


    system-services {
        ping;
        ssh;
        traceroute;
        tftp;
    }
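Service-level hardening that goes with the lo0 filter above, as an added example (not from the post): it stops answering SSH on the internet-facing zone, limits login attempts on the daemon itself, and shows how to confirm the filter is catching the scanner. Zone names trust/untrust are assumptions. Lines beginning with # are commentary and must be dropped before a load set.

```junos
# Added example, not from the original post. Zone names are assumptions.
# Take SSH out of the untrust zone's host-inbound-traffic; the flow engine then drops
# the SYN before it ever reaches the RE filter
delete security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ssh

# Harden the daemon for the sessions that are still allowed
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 3

# Slow down password guessing on whatever gets through
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options minimum-time 20

# After commit: term 2 counter climbing and logged hits show the filter is doing its job
run show firewall filter ssh-traffic
run show firewall log
run show log messages | match "sshd|LOGIN_FAILED"
```

The lo0 filter matters even with SSH removed from untrust, because host-inbound-traffic is evaluated per zone while the lo0 filter sees every packet destined to the routing engine regardless of which interface it came in on; keep term 3's final accept, or the filter will also drop routing protocol and management traffic.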

13
One more thing: check that you add set security flow traceoptions packet-filter for the source and destination of the traffic,
then push traffic from the remote end to the debugging device.

14
The debug is just showing a lot of TCP RSTs.

Add these commands:

set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-sequence-check

then

commit full

Also, I think it's always a good idea to disable ALG settings.


set security alg dns disable
set security alg ftp disable
set security alg h323 disable
set security alg mgcp disable
set security alg msrpc disable
set security alg sunrpc disable
set security alg real disable
set security alg rsh disable
set security alg rtsp disable
set security alg sccp disable
set security alg sql disable
set security alg talk disable
set security alg tftp disable
set security alg pptp disable
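The flow relaxations above are global: with no-syn-check and no-sequence-check set, every policy on the box accepts mid-stream and out-of-window segments, which is exactly what a scanner or spoofed-RST attacker wants on the internet-facing side. An added example (not from the post) of keeping the relaxation narrow, on Junos releases that support per-policy tcp-options; the policy name inbound-web and its zones are assumptions. Lines beginning with # are commentary and must be dropped before a load set.

```junos
# Added example, not from the original post. Policy inbound-web and its zones are assumptions.
# Troubleshooting relaxation, global by nature
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# Re-impose strict TCP checking on the internet-facing policy while the global knobs are off
set security policies from-zone untrust to-zone trust policy inbound-web then permit tcp-options syn-check-required
set security policies from-zone untrust to-zone trust policy inbound-web then permit tcp-options sequence-check-required

# Look at which ALGs are actually enabled before switching all of them off;
# disable only the ones the tunnel traffic hits (msrpc shown as an example)
run show security alg status
set security alg msrpc disable

# Once the RST problem is understood, put the global checks back
delete security flow tcp-session no-syn-check
delete security flow tcp-session no-sequence-check
```

Leave the global knobs off only for the duration of the debug; the per-policy tcp-options lines are what keep the outside-facing rules strict in the meantime.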

15
SRX Platform and J-series / Re: Wrong DST Port on J4350
« on: April 13, 2011, 04:21:17 am »
Hi,


The version of code you are using is flow-based, so it's following the ScreenOS process for creating a session in the session table. So the src-port can be totally random.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

16
Can you enable debug commands?

set security flow traceoptions file debug-basic
set security flow traceoptions flag basic-datapath


I don't see anything that stands out.
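The flow trace from this post, combined with the packet-filters asked for in posts 7 and 13, as one added example (not from the posts): filtered in both directions so the file only holds the VPN traffic, size-capped, and removed again afterwards. The 192.168.1.0/24 and 172.20.1.0/24 prefixes are taken from the policy earlier in the thread; the match strings are typical flow-trace phrases and the file sizing is an assumption. Lines beginning with # are commentary and must be dropped before a load set.

```junos
# Added example, not from the original posts. File sizing and match strings are assumptions.
set security flow traceoptions file debug-basic
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath

# Both directions of the tunnel traffic; without packet-filters the trace records every flow on the box
set security flow traceoptions packet-filter local-to-remote source-prefix 192.168.1.0/24
set security flow traceoptions packet-filter local-to-remote destination-prefix 172.20.1.0/24
set security flow traceoptions packet-filter remote-to-local source-prefix 172.20.1.0/24
set security flow traceoptions packet-filter remote-to-local destination-prefix 192.168.1.0/24
commit

# Push traffic from the remote end, then read only the interesting lines
run show log debug-basic | match "matched filter|policy search|session created|denied"

# Clean up: basic-datapath tracing costs data-plane CPU, so do not leave it in the config
run clear log debug-basic
delete security flow traceoptions
commit
```

"matched filter remote-to-local" lines confirm the filter is seeing the return traffic; a "policy search" followed by "denied" points at ordering, and a "session created" with no matching remote-to-local entry points at routing or the far end.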

17
Did you resolve this ?

18
Routers / Re: recovering corrupt /cf on a J2300
« on: March 17, 2011, 03:13:26 pm »
Use physdiskwrite 0.5.2 to load the image onto the compact flash.

19
Routers / Re: recovering corrupt /cf on a J2300
« on: March 17, 2011, 01:13:22 pm »
First off, so we are clear: when you say recovery, do you mean you want to restore the router with the same config etc., or
just install a new system/config altogether? If you just want to bring the system back online with a new image and config off the USB stick, please make sure the stick is listed below or is not bigger than 1 GB. The best option would be to buy a 1 GB flash card and install the new image using:


http://www.juniper.net/techpubs/en_US/junos9.3/information-products/topic-collections/release-notes/9.3/topic-23949.html#table_usb



20
Routers / Re: Confusion on Source-NAT with NS204
« on: March 11, 2011, 02:29:45 pm »
Hey, you know what, you don't have a default route for the trust-zone traffic.



IPv4 Dest-Routes for <untrust-vr> (5 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*  16          0.0.0.0/0           eth3    10.0.0.1  SP   20      1     Root
*   2      10.0.0.10/32           eth3         0.0.0.0   H    0      0     Root
*   1      10.0.0.0/28           eth3         0.0.0.0   C    0      0     Root
*  14  194.1.1.194/32         eth3.1         0.0.0.0   H    0      0     Root
*  13  194.1.1.194/32         eth3.1         0.0.0.0   C    0      0     Root

IPv4 Dest-Routes for <trust-vr> (2 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*   2     192.168.1.1/32           eth1         0.0.0.0   H    0      0     Root
*   1     192.168.1.0/24           eth1         0.0.0.0   C    0      0     Root



should look like this.




IPv4 Dest-Routes for <trust-vr> (60 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        68          0.0.0.0/0            n/a      untrust-vr   S   20      1   
