Show Posts



Messages - fcar

Pages: [1] 2
1
This site is so good, I love replying to myself. What's happened to all the Juniper gurus? Are there any on here?

I now have working configs from a Cisco ASA to a Junos policy-based and route-based.

Thanks for all the input.
Frank

2
Take note of setting st0.1 and st0.2 as point-to-point in the changed config. If it is set to multipoint it will try to generate routes and normally will override all your static routes and break all your VPNs.

To check that the VPN is up, do a show route. If you see the following:

10.10.10.0/24 as the remote network, which should go to 172.100.100.1, there will be a route to something like st0.1 etc. in the routing table.
Also, to check the next-hop tunnel binding you can do
show security ipsec next-hop- (use the tab key to complete the command). You don't want to see an auto route stating 0.0.0.0/0 st0.x.

Frank
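
The two checks described in the post above (each remote network reaches the expected st0 unit, and no auto-generated 0.0.0.0/0 route points into a tunnel) can be scripted over a captured "show route" dump. This is an added example, not code from the forum post or from Juniper; the "show route" text inside it is constructed for the example in the layout Junos prints (prefix line followed by next-hop lines), and the expected-prefix-to-unit mapping is an assumption taken from the thread's configs.

```python
"""Check a captured Junos 'show route' dump for route-based VPN health."""
import re
from typing import Dict, List

# Constructed sample output modelled on 'show route' from a J-series with
# two point-to-point st0 units (not a real capture).
SAMPLE_SHOW_ROUTE = """\
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:02:03
                    > to 10.200.200.254 via ge-0/0/0.0
10.10.10.0/24      *[Static/5] 00:10:00
                    > via st0.1
172.100.100.0/24   *[Direct/0] 00:10:00
                    > via st0.1
172.200.200.0/24   *[Direct/0] 00:09:00
                    > via st0.2
192.168.1.0/24     *[Direct/0] 1d 00:00:00
                    > via ge-0/0/1.0
192.168.19.0/24    *[Static/5] 00:09:00
                    > via st0.2
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s")
VIA_RE = re.compile(r"via\s+(\S+)")


def parse_show_route(text: str) -> Dict[str, List[str]]:
    """Map each prefix in the dump to the interfaces its next hops use."""
    routes: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = m.group(1)
            routes.setdefault(current, [])
            continue
        if current is None:
            continue  # header lines before the first prefix
        for via in VIA_RE.findall(line):
            routes[current].append(via)
    return routes


def check_vpn_routes(routes: Dict[str, List[str]],
                     expected: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the routing table looks right.

    expected maps remote prefix -> st0 unit it should use,
    e.g. {"10.10.10.0/24": "st0.1"} (assumed mapping for this example).
    """
    findings: List[str] = []
    for prefix, unit in expected.items():
        vias = routes.get(prefix)
        if not vias:
            findings.append(f"missing route for {prefix} (tunnel down or route absent)")
        elif unit not in vias:
            findings.append(f"{prefix} goes via {vias}, expected {unit}")
    # The post warns that a multipoint st0 can inject a default route over the
    # tunnel; a 0.0.0.0/0 next hop on any st0 unit is reported.
    for via in routes.get("0.0.0.0/0", []):
        if via.startswith("st0."):
            findings.append(f"default route 0.0.0.0/0 points into tunnel {via}")
    return findings


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    expected_units = {"10.10.10.0/24": "st0.1", "192.168.19.0/24": "st0.2"}
    for finding in check_vpn_routes(table, expected_units):
        print("WARN", finding)
    print("checked", len(table), "prefixes")
```

On a live box the dump would come from "show route | no-more" pasted into a file; the checker only needs the prefix and "via" columns, so extra route types in the output are ignored.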



3
All working now, had to modify the st0 arrangement:

interfaces {
    st0 {
        unit 1 {
            point-to-point;
            family inet {
                next-hop-tunnel 1.1.1.1 ipsec-vpn ike-vpn;
                address 172.100.100.1/24;
            }
        }
        unit 2 {
            point-to-point;
            family inet {
                next-hop-tunnel 3.3.3.3 ipsec-vpn ike-vpn1;
                address 172.200.200.1/24;
            }
        }
    }
}

Also had to create two new rules to allow the traffic, as the Any Any in my rulebase did not work. I think using the rulebase generated the proxy-id that the Cisco and Checkpoint were expecting.

Thank god it works.

4
Hi All,

Been trying to get two VPNs up and running from a Junos J-series running 10.4.r6.5 firmware.
I get Phase 1 completed and Phase 2 on both VPNs; my issue is that I can't create static NHTB routes on the Junos box, or I have got them completely wrong. Can someone take a look at my config please and advise.

I have attached a drawing, hope that explains the topology.

Here is the config from my Juniper which seems to work well, other than when looking in kmd I get warnings about not being able to create NHTB routes:


## Last changed: 2012-01-23 08:53:06 GMT
version 10.4R6.5;
system {
    host-name ist;
    domain-name nerc-swindon.ac.uk;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "can't tell you this ";
    }
    name-server {
        192.171.170.1;
    }
    login {
        user nsmuser {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "nore this";
            }
        }
    }
    services {
        ssh {
            protocol-version v2;
            rate-limit 5;
        }
        netconf {
            ssh;
        }
        outbound-ssh {
            client nsm- {
                device-id 6A95C1;
                secret "and this";
                services netconf;
                port 7804;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file default-log-messages {
            any any;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 193.62.22.66;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input management-filter;
                }
            }
        }
    }
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 1.1.1.1 ipsec-vpn ike-vpn;
                next-hop-tunnel 3.3.3.3 ipsec-vpn ike-vpn1;
                address 172.100.100.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.200.200.254;
        route 192.168.19.0/24 next-hop 3.3.3.3;
        route 10.10.10.0/24 next-hop 1.1.1.1;
    }
}
security {
    ike {
        proposal AES256-SHA1G2-PRE {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        proposal AES256-SHA1 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy1 {
            mode main;
            proposals AES256-SHA1G2-PRE;
            pre-shared-key ascii-text "$9$daV2aZGi.fzDiORSeXxDikqmT";
        }
        policy ike-policy2 {
            proposals AES256-SHA1;
            pre-shared-key ascii-text "$9$FlYu3CuOBEyeWIEYoGif5IEcSrv";
        }
        gateway ike-gate1 {
            ike-policy ike-policy1;
            address 1.1.1.1;
            external-interface ge-0/0/0.0;
        }
        gateway ike-gate2 {
            ike-policy ike-policy2;
            address 3.3.3.3;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal 3DES-MD5-NOPFS_1 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        proposal 3DES-SHA1_1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy vpn-policy1 {
            proposals 3DES-MD5-NOPFS_1;
        }
        policy vpn-policy2 {
            proposals 3DES-SHA1_1;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gate1;
                ipsec-policy vpn-policy1;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn1 {
            bind-interface st0.0;
            ike {
                gateway ike-gate2;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.19.0/24;
                }
                ipsec-policy vpn-policy2;
            }
            establish-tunnels immediately;
        }
    }
    log {
        mode event;
        event-rate 1000;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                    ike;
                    ping;
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            address-book {
                address local-net 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone vpn {
            address-book {
                address remote-net 10.10.10.0/24;
                address ciscoremotnet 192.168.19.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy any-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone untrust {
            policy 4 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone vpn {
            policy vpn-tr-vpn {
                match {
                    source-address local-net;
                    destination-address [ remote-net ciscoremotnet ];
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-vpn-tr {
                match {
                    source-address [ remote-net ciscoremotnet ];
                    destination-address local-net;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
firewall {
    filter management-filter {
        term 1 {
            from {
                source-address {
                    192.171.0.0/16;
                    1.1.1.1/32;
                }
            }
            then {
                log;
                accept;
            }
        }
        term 2 {
            from {
                protocol udp;
                port [ ntp 500 ];
            }
            then {
                log;
                accept;
            }
        }
        term 3 {
            then {
                log;
                discard;
            }
        }
    }
}

If someone can advise...

Been told by a Juniper engineer to try newer firmware??

Thanks
Frank
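
A static check over the config above is a quick way to spot the st0 layout that the rest of the thread ends up changing. The example below is added here; it is not code from the forum post or from Juniper. It parses Junos curly-brace configuration into nested dicts and then reports, for every st0 unit a VPN binds to: the unit being multipoint, more than one VPN bound to the same unit (the working config later in the thread uses one point-to-point unit per VPN), and the unit not being a member of any security zone (an interface outside every zone cannot be matched by a security policy). The CONFIG text is a constructed, trimmed version of the posted config; the rules are the example's own assumptions drawn from the thread's outcome.

```python
"""Static sanity checks on a route-based Junos VPN config (added example)."""
import re
from typing import Any, Dict, List

# Constructed, trimmed version of the J-series config in the post above:
# one multipoint st0.0 unit with two VPNs bound to it.
CONFIG = """\
interfaces {
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 1.1.1.1 ipsec-vpn ike-vpn;
                next-hop-tunnel 3.3.3.3 ipsec-vpn ike-vpn1;
                address 172.100.100.1/24;
            }
        }
    }
}
security {
    ipsec {
        vpn ike-vpn { bind-interface st0.0; }
        vpn ike-vpn1 { bind-interface st0.0; }
    }
    zones {
        security-zone vpn { interfaces { st0.0; } }
    }
}
"""


def parse_junos(text: str) -> Dict[str, Any]:
    """Parse brace-structured Junos config into nested dicts.

    Leaf statements ('multipoint;', 'bind-interface st0.0;') become keys
    mapping to None; blocks ('unit 0 { ... }') map to their contents.
    '#' comment lines are skipped; quoted values containing spaces are
    not handled (not needed for the statements checked here).
    """
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", "\n".join(lines))
    pos = 0

    def block() -> Dict[str, Any]:
        nonlocal pos
        node: Dict[str, Any] = {}
        words: List[str] = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node

    return block()


def check_st0_layout(cfg: Dict[str, Any]) -> List[str]:
    """Return findings about how VPNs are bound to st0 units (empty = OK)."""
    findings: List[str] = []
    st0_units = (cfg.get("interfaces") or {}).get("st0") or {}
    sec = cfg.get("security") or {}
    # st0 unit -> VPN names bound to it (from 'vpn NAME { bind-interface st0.N; }')
    bound: Dict[str, List[str]] = {}
    for key, body in (sec.get("ipsec") or {}).items():
        if key.startswith("vpn ") and body:
            for stmt in body:
                if stmt.startswith("bind-interface "):
                    bound.setdefault(stmt.split()[1], []).append(key.split()[1])
    # every interface listed under any security-zone
    zoned = {ifn for z in (sec.get("zones") or {}).values()
             for ifn in ((z or {}).get("interfaces") or {})}
    for iface, vpns in bound.items():
        unit = st0_units.get("unit " + iface.split(".")[1]) or {}
        if "multipoint" in unit:
            findings.append(f"{iface} is multipoint; the working config used a "
                            "point-to-point unit per VPN so auto-generated routes "
                            "cannot override the statics")
        if len(vpns) > 1:
            findings.append(f"{iface} is bound by {len(vpns)} VPNs "
                            f"({', '.join(vpns)}); use one unit per VPN")
        if iface not in zoned:
            findings.append(f"{iface} is not in any security zone, so no policy "
                            "can permit its traffic")
    return findings


if __name__ == "__main__":
    for finding in check_st0_layout(parse_junos(CONFIG)):
        print("WARN", finding)
```

Feed it the output of "show configuration" saved to a file; on the trimmed config above it reports the multipoint unit and the double binding, and the zone check only fires once a new st0 unit is added without also adding it to the zone.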

5
This is a link to the Juniper site for the deactivate command.

https://www.juniper.net/techpubs/en_US/junos11.3/topics/reference/command-summary/deactivate.html

Frank

6
Hi,

Can you not use the deactivate command to get the config to be ignored?

Frank

7
NSM / Re: No traffic logs on NSM
« on: August 31, 2011, 03:57:34 am »
Sure the machine got the correct IP address and default gateway?

 :?

8
Hi,

I am having problems getting traffic to flow using port 32445 for uTorrent via my NS5XP.

I have done a debug on set ff src-port and am getting the following:

****** 00799.0: <Untrust/untrust> packet received [95]******
  ipid = 17044(4294), @000d504e
  packet passed sanity check.
  untrust:97.114.115.113/36089->86.21.67.211/32445,17<Root>
  self check, not for us
  chose interface untrust as incoming nat if.
  packet dropped: for self but not interested
****** 00800.0: <Untrust/untrust> packet received [48]******
  ipid = 7465(1d29), @000d904e
  packet passed sanity check.
  untrust:83.251.97.192/63056->86.21.67.211/32445,6<Root>
  self check, not for us
  chose interface untrust as incoming nat if.
  packet dropped: for self but not interested
****** 00800.0: <Untrust/untrust> packet received [95]******
  ipid = 2608(0a30), @000da04e
  packet passed sanity check.



I NAT on the NetScreen to a VIP IP, but can't seem to allow 32445 access from my... can anyone help me in working out what the rule should be to allow this to work correctly please.

Cheers
Frank

9
Great, thanks for the info and the reply :-)

Does the NS5XP untrust int auto-negotiate by default or do I need to set this?

The strange thing is that I force the NS5 to 10Mb full and the Netgear comes up at 10Mb half duplex. Weird.

I can try to set my NS5XP to auto to see what happens, and hard code it to see if it works.

I was thinking of using a Linksys WRT54GL because my Netgear does not give me many options to configure the interface speed.

Thanks again Kcullimo

Frank

10
Hi there, what's c&e?


11
NetScreen and SSG/ISG Series Firewalls / Re: using untrust-vr and VPN
« on: July 21, 2009, 06:40:00 am »
vlan1 is also the endpoint of a VPN if it is in layer 2. I'm thinking you can configure the interface and set the VPN to there; it is also used for management.

Try the following: http://kb.juniper.net/index?page=content&id=KB5136&actp=search&searchid=1248179684014

Or look on their site to see if it can do what you want, or go for it and see what happens.


What is the VLAN Zone?
Knowledge Base ID: KB7035
Version: 2.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: NS-5GT, NS-5XP, NS-5XT, NS-25, NS-50, NS-204, NS-208, ScreenOS

Synopsis:

What is the VLAN Zone?

Problem:

transparent mode VLAN Zone VLAN interface


Solution:

The VLAN Zone is new in ScreenOS 5.0. This zone hosts the VLAN1 interface, which is used to manage the device and terminate VPN traffic when the device is in Transparent mode. Firewall options can be set on this zone to protect the VLAN1 interface from various attacks.

Recall in ScreenOS 4.0 the VLAN1 interfaces were in the MGT Zone.

Here is the problem or goal:

What is the VLAN Zone?
Problem Environment:

transparent mode
VLAN Zone
VLAN interface
Applicable Products:

NetScreen-5XP
NetScreen-5XT
NetScreen-5GT
NetScreen-25
NetScreen-50
NetScreen-204
NetScreen-208
Applicable ScreenOS:

5.0.0
5.0.0 A/V

I am not sure you can use it though if you are not in transparent mode! Sorry, never tested it myself!


Thanks
Frank

12
Found out the problem that I am having is that the Netgear WAN port is auto-negotiating at 10Mb half duplex, and the NetScreen is working at 10Mb full duplex.

It works, but very slowly. All I can think of is replacing my wifi box with another to see if it negotiates correctly.

Thanks for all your help!!

13
Hi,

I'm trying to attach an NS5XP to my Netgear wifi router but when I do I can't get on the internet.

Virgin modem 86.xxx.xxx.xxx connects to my NS5XP untrust int and issues IP 86.xxx.xxx.xxx, and it gets all the correct settings. If I plug directly into the untrust int on 10.10.10.1 and I am on 10.10.10.2 I can go to the internet fine.

I have all the rules in place on the NetScreen: src any, dest any, service any, NAT to egress port.
Problem is.....
Virgin modem 86.xxx.xxx.xxx connects to NS5XP untrust int 86.xxx.xxx.xxx. Int trust connects to wifi via DHCP settings and receives 10.10.10.2/24, default route 10.10.10.1 (trust int). I then connect a PC and try to get to Google and I get "page cannot be displayed"; I can connect to the admin web page of my Netgear and my NS5XP but no internet.

pc              wifirouter      nat             ns5xp           nat               virginmodem
192.168.0.2     192.168.0.1     10.10.10.2      10.10.10.1      86.xxx.xxx.xxx    86.xxx.xxx.xxx
DG 192.168.0.1  DG 10.10.10.1                   DG 86.xxx.xxx.xxx

Do I need to tell my wifi router its default route, and is it having a problem with using a private IP as its internet IP address?
My wifi is a Netgear egt624 if that helps?
Anyone ever connected a wifi router to a NetScreen firewall?



Cheers
Frank

14
NetScreen and SSG/ISG Series Firewalls / Re: using untrust-vr and VPN
« on: July 20, 2009, 12:30:34 pm »
Have you tried using the vlan1 int instead and setting the VPN to this?

Might be worth a shot?




15
Left it plugged in for a while and now it seems to be picking up the correct IP settings from the ISP.


16
Hi, if anyone can help please.

I got my NS5XP working with my NTL modem now and I can connect if I plug directly into the trust interface.

My issue now seems to be that when I connect my Netgear wifi router to the NS5-XP trust side, it picks up the correct IP address and DNS, gateway etc.

But I can't seem to get traffic to work correctly. What I have is the Netgear using 192.168.0.0/24 for machines connecting on the wifi network, then from the NetScreen to the Netgear it is 10.10.10.0/24, and the Netgear seems to be fine connecting and receiving traffic.

I noticed that the link came up at 10Mb half duplex so I tried to force the NetScreen port to full duplex, so I now have a mismatch there?? I do not understand this, anyone seen this before?

I can't seem to go from a machine on 192.168.0.2 to the internet and DNS is not working on the machine.

What I think should be happening is 192.168.0.2 > netgear 192.168.0.254 > 10.10.10.1 ns-5xp > 86.xxx.xxx.xxx internet

But it's not working. I can connect directly to the trust int with a cable and internet is fine, so it's the wifi Netgear that is the issue and I can't think what is wrong? Anyone configured a NetScreen and added a wifi router to the trust int?

Cheers
Frank

17
Hi all,

I was wondering if anyone knows how to solve this issue.

I am trying to set up an NS5-XP to use DHCP on the untrust int, this is to get an IP address and default route from the ISP.

I can't seem to get this to work no matter what I do.

I have looked at http://kb.juniper.net/index?page=content&id=KB5652&actp=search&searchid=1247838089447
which did not work for me.

Here's my config, please help:

set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.0.253/24
set interface trust nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.0.253
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server ip 192.168.0.1 to 192.168.0.252
set interface untrust dhcp-client enable
set interface untrust dhcp-client settings autoconfig
set flow tcp-mss
set hostname fwhome
set dns host dns1 62.253.162.237
set dns host dns2 194.168.4.237
set ippool "homenet" 192.168.0.1 192.168.0.254
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route

I can hardcode the IP addresses and everything works, just can't get DHCP to work!

Thanks everyone.

Frank :mrgreen:

18
Hi all,

I was wondering if someone can tell me what I am doing wrong, or if there are any procedures for doing what I want.

I have an NTL modem that has a public IP address going into the untrust int of the NS5-XP, which I have set up as DHCP on boot. On the trust side I have set up 192.168.0.253/24, and this then plugs into my Netgear wifi router.

NTL modem IP 89.x.x.x
ns-5xp untrust dhcp, trust 192.168.0.253/24
netgear wifi router plugged into trust int on 192.168.0.254/24, default route 192.168.0.253/24

I have set a basic default permit all policy on the Juniper FW but cannot seem to get traffic going through this or coming back. My PC IP is 192.168.0.5/24, default route 192.168.0.254.

I will post the config tomorrow on this page, but if anyone has any ideas what it can be can you please advise me.

Thanks
Frank

19
IDP / Re: Problem in adding Attacks in policy rule.
« on: July 06, 2009, 04:49:38 am »
hi there,

Even easier: right click on the attack in the log and select exempt.

20
NetScreen and SSG/ISG Series Firewalls / Re: IDP in transparent mode
« on: July 01, 2009, 08:03:58 am »
Hi There

More detail is needed before we can help: where is the IDP placed in your network, what will it monitor on your network?

We implemented IDP 2 years ago and tried to monitor the whole network, but this caused too many issues; we now monitor just the public facing servers and anything in our DMZ.

Send me your email address and I can dig up some documents I used to create our policy.
