Topics - guslazarte

1
We have Internet from 2 ISPs. We want to set up a VPN tunnel utilizing our backup WAN connection. The reason: the VPN traffic is DR, and if it is down it does not need to affect their main Internet traffic.

I can send traffic via the backup interface utilizing source routing and giving the backup WAN a higher routing metric than the primary. Is there a way to get the backup WAN IP available from the Internet to set up a VPN tunnel?

Thanks

2
NetScreen and SSG/ISG Series Firewalls / GRE tunnel
« on: July 21, 2015, 06:32:00 pm »
We are trying to monitor a remote network with non-sensitive data using a tunneling protocol.

Will GRE work on this case?

Both firewalls are SSG 520s

On SSG1

We set up a Tunnel Interface

Zone: Untrust(trust-rv)

Unnumbered Ethernet0/0 (Untrust-VR)

Tunnel GRE
Encap GRE
Local interface: ethernet 1/6.10 (interface facing the source traffic)
Destination IP: Remote Firewall IP

We added the route to the interface and did the same on the SSG2 (reverse values).

I can see the policy traffic being sent, but no response. Changed the MTU on the tunnel to 1400 and changed the interfaces to Route mode.

Any thoughts?



3
Hello,

I just set up a client with an SSG 320M and he is running a streaming engine (just one server) behind it. The firewall is routing traffic and has a NAT that sends traffic to the server.

He is trying to contact a server to do the content management, generating about 2,000 calls, and he is getting packet errors at the receiving end.

The error we are seeing on our end is "Can't allocate NAT cookie" (cause is probably too many calls).

Any suggestions?

4
SRX Platform and J-series / Reload STRM 500, launch command
« on: September 14, 2010, 04:07:42 pm »
We did not set the right values the first time we set up the new STRM 500 unit.

We reflashed the unit with the USB thumb drive and we are able to log in using the default root password.

What command do we need to enter to launch the setup configuration utility? We are in the unit but I cannot launch the utility to set the IP addresses.

Thanks :mrgreen:

5
NetScreen and SSG/ISG Series Firewalls / SSL VPN configuration
« on: December 22, 2009, 08:54:16 am »
My network is in "see-thru" mode. We are going to use an SA700 to help us with the SSL VPN access. I have two interfaces. Do we use both interfaces or just one? All the tutorials are about setting up a network with routed-mode firewalls.

How can I configure the unit to work in our environment? I do not have a Windows domain controller in our network, so we will use the local database of the SA 700 for access.

Thanks

6
Remote Access SSL VPN/UAC/MAG, Pulse, and SBR / Setting Up SA 700
« on: December 01, 2009, 03:55:22 pm »
I have a Juniper set up in see-thru mode in front of my network. What would be the best way to set up my SA 700 if I want to set up file sharing and remote desktop connections? Can I set up the
SA 700 in the same mode as my firewall (see-thru), since I do not have an internal network?
I also do not have an authentication server in my network. Should I create credentials on all the servers for my SSL VPN users?

Thanks

7
Remote Access SSL VPN/UAC/MAG, Pulse, and SBR / SA 700
« on: November 24, 2009, 05:35:42 pm »
Hello,
I have an SA 700 unit to help me secure my local network. Currently we have a firewall in drop-in mode in front of our network. We do not have AD or any auth server, so we will use local users.
Where would be the best place to set up the SA 700?
Side by side with the firewall, or behind it?
We would like to use it so people can PC Anywhere/RD securely from home. Thanks

8
IDP / Can I block Cross Script attack with the IDP 75
« on: October 09, 2009, 01:07:26 pm »
Hello,

We just got audited, and we are looking for a solution for the Cross-Script Audit.

Will the IDP75 be able to stop it?

Thanks

9
Routers / Static route
« on: April 12, 2009, 06:44:16 pm »
First time configuring a new router.
I am trying to set up a router with 2 interfaces.
Interface 0/0/0.0 will have the upstream connection 10.10.10.2/30, DG 10.10.10.1/30.
Interface 0/0/1.0 will have the 10.10.2.1/24 interface.
I had it set up and was not able to ping any of the interfaces. Do I need to enable something else before I use the J2300 router? I tried to issue a default-configuration command and I am getting an error message too when I try to commit the change. The default route 0.0.0.0/0 is 10.10.10.1. Do I assume the changes happen only after I issue a commit command? Thanks
Am I missing something, or do I need to register something with Juniper?

Thanks

10
NetScreen and SSG/ISG Series Firewalls / SSG 520 PPTP VPN
« on: December 05, 2008, 07:26:53 pm »
I am trying to get incoming connections to a PPTP VPN server behind my firewall. I am using ScreenOS 6.1.

Should I just enable the PPTP service for that server inbound and outbound through a MIP? Is that it?
Thanks

11
Hello,
I am using a Juniper NetScreen 20 to connect to a Cisco ASA with a VPN tunnel.
I am using a routed-mode VPN on my NetScreen and I am trying to connect to the configuration below.
My tunnel interface is set up as 10.2.300.224 255.255.255.224. When I try to connect to the remote Cisco gateway
I pass phase 1 and right after phase 2 I get the following message:
<*.*.*.*>Received notification message for DOI <1><18> <INVALID -ID-NOTIFICATION>. That message makes me think
that my proxy ID values are not matching. As you know, I only have one place to enter the remote network address on the Juniper.

How could I match the remote Proxy ID information with the info below?

I see 192.168.3.XX and 172.16.2.XX


ACLs for interesting traffic:
access-list client-vpn-2-us permit tcp host 192.168.3.54 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 138
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 139
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit udp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 138
Crypto map, etc.:
crypto ipsec transform-set client-strong esp-3des esp-sha-hmac
crypto map client-vpn 5 match address Client-vpn-2-US
crypto map client-vpn 5 set peer 28.9.111.129
crypto map client-vpn 5 set transform-set Client-strong
crypto map client-vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
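As an added illustration for the proxy-ID question above (example code written here, not from the post, Juniper or Cisco), this Python script turns ASA interesting-traffic ACEs into the phase-2 selectors the ASA side will propose and shows what a single NetScreen remote-address entry would have to cover. The sample ACEs in SAMPLE_ACL are constructed in the shape of the post's ACL with a placeholder local subnet 10.2.30.224/27; proxy_ids, smallest_supernet and report are names chosen here.

```python
import re
from ipaddress import ip_network

# Constructed sample ACEs in the shape of the post's ACL; the local (NetScreen-side)
# subnet 10.2.30.224/27 is a placeholder, not a value taken from the post.
SAMPLE_ACL = """
access-list client-vpn-2-us permit tcp host 192.168.3.54 10.2.30.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.30.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.30.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.30.224 255.255.255.224 eq 137
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.30.224 255.255.255.224 eq 1433
"""

# One ACE: proto, remote host (ASA side), local network and mask (NetScreen side), port.
ACE = re.compile(r"access-list\s+\S+\s+permit\s+(\w+)\s+host\s+(\S+)\s+(\S+)\s+(\S+)\s+eq\s+(\d+)")

def proxy_ids(acl_text):
    """Distinct phase-2 selectors (remote, local, proto, port) the ACL describes.
    The ASA treats each ACE as its own selector, so a single remote-address entry
    on the NetScreen can only match if these collapse to one."""
    ids = set()
    for m in ACE.finditer(acl_text):
        proto, src, dst, mask, port = m.groups()
        remote = ip_network(f"{src}/32")                       # 'host' keyword -> /32
        local = ip_network(f"{dst}/{mask}", strict=False)      # dotted mask -> prefix
        ids.add((str(remote), str(local), proto, int(port)))
    return ids

def smallest_supernet(cidrs):
    """Smallest single prefix that contains every given network."""
    nets = [ip_network(c) for c in cidrs]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net

def report(acl_text):
    """What one NetScreen remote proxy-ID entry would have to cover for this ACL."""
    ids = proxy_ids(acl_text)
    remotes = sorted({i[0] for i in ids})
    return {
        "selectors": len(ids),
        "remote_hosts": remotes,
        "local_subnets": sorted({i[1] for i in ids}),
        "services": sorted({(i[2], i[3]) for i in ids}),
        # A /1 result means the ASA-side hosts cannot be summarised into one sane entry.
        "one_entry_would_need": str(smallest_supernet(remotes)),
    }
```

report(SAMPLE_ACL) shows three distinct remote hosts, three service pairs and a /1 "summary", i.e. these ACEs cannot be matched by one remote proxy-ID entry; the usual approach is to summarise the ASA ACL per remote network (or split the tunnel) so both sides propose the same selectors.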


12
NetScreen and SSG/ISG Series Firewalls / Cisco CEF
« on: November 30, 2007, 07:13:30 am »
Does anything on the Juniper compare to the Cisco IOS 12.0 CEF?
I know Juniper has HA capabilities, but does it have anything similar to packet forwarding load balancing?

Thanks

13
NetScreen and SSG/ISG Series Firewalls / ssg 520
« on: October 15, 2007, 12:27:49 pm »
Got an SSG 520 and I am trying to replace a Cisco router and a firewall.
The current network works the following way:
router
e0 zz.zz.zz.128/30
e1 yy.yy.yy.125/27
Firewall
e0 yy.yy.yy.126/27
e1 xx.xx.xx.1/24
I understand that I am going to need a MIP to translate from yy.yy.yy to xx.xx.xx, but I am not too sure how the zz.zz.zz.128/30 network gets added to the firewall. I need to have zz.zz.zz.128/30 added to the firewall so I can get the feed from our ISP.

Thank you very much

14
NetScreen and SSG/ISG Series Firewalls / Backup up config script
« on: September 12, 2007, 11:31:35 am »
I am trying to do once-a-week config backups of our NetScreen firewalls. I know that I get to run the "save config to tftp X.X.X.X" command; I have it. Is there a standard way to do this on NetScreen firewalls? What script can I run to log in and run the command?

15
NetScreen and SSG/ISG Series Firewalls / SSG routing question
« on: February 28, 2007, 12:40:27 pm »
I am replacing a PIX with a Juniper SSG 500.

Here is the routing information that I got from the ISP:

Public IP Block
Public IP Address 10.10.10.160/29
Customer Router Port IP 10.10.1.210/30
ISP Router IP 10.10.1.209/30

Trusted/internal network

192.168.10.0/24

currently 10.10.10.161 NAT-> 192.168.10.10 Live and Working

I have accomplished this with 2 devices (1 firewall, 1 load balancer doing the NAT)
and an HP ProCurve switch/router (playing with VLANs).

There is a NAT that cannot be changed, 10.10.10.161->192.168.10.10, so 10.10.10.161 is the Untrust interface, 192.168.10.10 on the Trust. How do I add 10.10.1.210 to my firewall so I can DG to 10.10.1.209?

Thanks

16
NetScreen and SSG/ISG Series Firewalls / Routing question SSG
« on: February 28, 2007, 12:13:21 pm »
I am replacing a PIX with a Juniper SSG 500.

Here is the routing information that I got from the ISP:

Public IP Block
Public IP Address 10.10.10.160/29
Customer Router Port IP 10.10.1.210/30
ISP Router IP 10.10.1.209/30

Trusted/internal network

192.168.10.0/24

currently 10.10.10.161 NAT-> 192.168.10.10 Live and Working

I have accomplished this with 2 devices (1 firewall, 1 load balancer doing the NAT)
and an HP ProCurve switch/router (playing with VLANs).

There is a NAT that cannot be changed, 10.10.10.161->192.168.10.10, so 10.10.10.161 is the Untrust interface, 192.168.10.10 on the Trust. How do I add 10.10.1.210 to my firewall so I can DG to 10.10.1.209?

Thanks

17
NetScreen and SSG/ISG Series Firewalls / Route VPN incoming dst-NAT
« on: December 26, 2006, 10:36:01 am »
Hello,

I got a routed VPN tunnel coming from internal IP 204.27.186.x to 172.29.1.212. I set up dst-NAT to 192.168.10.20 to point to our printer. For some reason the packet is getting dropped.
I am able to connect to their network doing a src-NAT from 172.29.1.211. My question is: why is it not changing to 192.168.10.20?

Here is the debug flow all for the session. Any ideas? Thanks

existing session found. sess token 3
  flow got session.
  flow session id 14689
  vsd 1 is active
--- more ---
o: PIO. Tunnel id 04000020
ipsec decrypt prepare done
ipsec decrypt set engine done
ipsec decrypt engine released, auth check pass!
  packet is decrypted
ipsec decrypt done
  tunnel.1:204.27.186.54/1468->172.29.1.212/9100,6<Root>
  chose interface tunnel.1 as incoming nat if.
  search route to (204.27.186.54->172.29.1.212) in vr trust-vr for vsd-1/flag-0/
ifp-null
  route 172.29.1.212->0.0.0.0, to tunnel.1
  routed (172.29.1.212, 0.0.0.0) from tunnel.1 (tunnel.1 in 1) to tunnel.1
  policy search from zone 1-> zone 1
  Searching global policy.
  packet dropped, deny by zone block
  packet dropped, null policy.

  packet dropped, denied by policy
 first pak no session
get 1 pak from queue 0x6b0d7f0 ethernet2.
****** 99943.0: <Untrust/ethernet2:1> packet received [184]******
  ipid = 8315(207b), @c7d3a910
  packet passed sanity check.
--- more ---
t3.
****** 99968.0: <Untrust/ethernet2:1> packet received [634]******
  ipid = 47022(b7ae), @c7d31910
  packet passed sanity check.

18
NetScreen and SSG/ISG Series Firewalls / Policy VPN NAT dst
« on: December 22, 2006, 01:12:02 am »
Hello,
I got the outbound VPN traffic solved. (I am doing a site-to-site VPN tunnel with a Cisco ASA.) To prevent overlapping network issues on the Cisco side, they set their VPN tunnels' remote networks from 172.29.1.X/28 to their internal network. I was able to send traffic from my NetScreen with NAT dst to 172.29.1.211 and to their internal network. On the incoming VPN traffic they are going to connect to 172.29.1.212 and 172.29.1.213; I need to translate that traffic from 172.29.1.212 to 192.168.100.212 and from 172.29.1.213 to 192.168.100.213. My question is on setting the NAT dst on the policy VPN, or any other way to solve this problem.

19
I got this route VPN set up. I am having problems pinging and getting the policies to work correctly. Phase 1 and 2 of the tunnel are set up and working correctly.

The requirements were to connect to the 204.27.186.0/24 network with a DIP (5) to show at the end of their tunnel as 172.29.1.211, so I did the following.

Created the interface tunnel.1 172.29.1.209/28 and created a DIP 172.29.1.211. Selected "In same subnet as the interface IP".

Created a route 204.27.186.0/24 attached to tunnel.1, gateway IP 0.0.0.0.

My policy is from my local network to 204.27.186.0/24, service any, action permit, Advanced-> Source translation DIP 5.

It looks like when I trace to 204.27.186.37 I am not using the VPN tunnel to get to my destination.

Any recommendations?

Thanks

20
Hello Again,

I have been trying to make this VPN tunnel work between our NetScreen 25 and a Cisco ASA.
The Cisco engineers want me to change the source of my traffic to a network they assigned me, 172.29.1.208/28 (because of the high volume of VPN connections they have). I wanted to make it a policy-based VPN, so I created a DIP on my untrusted interface so that when I created the policy I would select Advanced->Source Translation and select the IP I should be coming from (172.29.1.209) from my pool. The network I should be showing as does not match my untrusted interface, so I selected "In the same subnet as the extended IP" and added 172.29.1.208/28. It is not working; it fails right after Phase 2 with the following message:
IKE<216.83.164.11>: Received a notification message for DOI <1> <14> <NO_PROPOSAL_CHOSEN>.
When I catch the IKE detail stream I get the following:
## 16:55:58 : IKE<16.83.164.11  >   local  172.29.1.211/32 prot<0> port<0> type
<1>
        remote 204.27.186.32/32 prot<0> port<0> type<4>

## 16:55:58 : IKE<16.83.164.11  >   Policy have separate SA. Use P2 ID from pol
icy sa (67108868).
## 16:55:58 : IKE<16.83.164.11  >   Initiator P2 ID built: 172.29.1.211/32 prot
<0> port<0> type<1>
## 16:55:58 : IKE<16.83.164.11  >   Responder P2 ID built: 204.27.186.32/27 pro
t<0> port<0> type<4>

This is the value that does not look correct:
  remote 204.27.186.32/32 prot<0> port<0> type<4>
Let me know if you have any recommendations.

thanks
## 16:55:58 : IKE<16.83.164.11  > Construct [NONCE] for IPSec