Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - screenie.

Pages: 1 [2] 3 4 5 6 7 ... 66
21
Routers / Re: 1 MPLS, 1 VPN to the same branch office, how to auto change routes
« on: April 12, 2011, 04:48:05 pm »
I asume the MPLS is on a separated interface. You can configure monitoring on the interfaces. This makes the interface go down when the MPLS fails, even if the etherlink to your mpls router stays up. Then you configure to static routes. The primary as allways, the secondary with a higher preference number (> 20). The second link will only be active when first one goes down this way.

22
Routers / Re: Multiple ISPs and VLANs
« on: April 12, 2011, 04:41:56 pm »
You could upgrade tp 5.4 and use PBR or source based routing to override the destination routing. 5.4 is (from memory) the first version with policy based routing. For ECMP to work all internet interfaces must be in the same zone.

23
NetScreen and SSG/ISG Series Firewalls / Re: SSG5- Source interface for monitor track-ip
« on: March 28, 2011, 05:18:41 pm »
You should configure manager-ip on the interface. This address is used as source for tracking, even when the interface is down tracking still works. So the interface comes back up when destination is reachable again.

24
Switches / Re: MX-series TWAMP configuration
« on: March 23, 2011, 05:08:18 pm »
Does the service card show up in show chassis hardware?

25
SRX Platform and J-series / Re: HELP Error SRX210b 10.0.4
« on: March 13, 2011, 06:56:46 am »
You're mixing things up.  

set interfaces interface-range uplink_trunk unit 0 family ethernet-switching vlan members vlan1006-trust
set interfaces interface-range uplink_trunk member  ge-0/0/0

So ge0-0/0/0 is by interface-range definition in L2-mode (family ethernet switching) That's why you can't assign an IP address to it. Two ways to fix this:

Place ge-0/0/0 in family inet  or place a L3 interface in the vlan ge-0/0/0 is a member of to do the L3 stuff.

26
JunoSpace / Re: what exactly is JUNOS SPACE?
« on: March 09, 2011, 07:08:55 am »
Indeed What?
Space is more than replacement of NSM. It got tools to convert your logical view on networks (not devices) into configs. You add a bunch off lets say switches. Define a vlan end to end. Endpoint get access ports and on in between switches vlan is added to trunk. Same with secuirty policies etc. Lot's of info on juniper.net/partners.

27
NetScreen and SSG/ISG Series Firewalls / Re: JNCIS -FWV exam fees
« on: March 09, 2011, 04:40:34 am »
look at prometric site for the fee! http://www.prometric.com/Juniper/default.htm

You can take the specialist without taking associate first for ScreenOS. For the new JUNOS tracks you have to certify junos associate before getting certified on any specialist Junos certification.

28
Routers / Re: Confusion on Source-NAT with NS204
« on: March 05, 2011, 01:22:24 pm »
Interface base NAT only works when the ingress interface is in in NAT mode AND:

1 in a single VR from trust zone to untrust zone

2 In miltiple VR any VR to untrust VR

Never mind: make all your interface ROUTED and nat in yout POLICIES.

29
Suggestions/Feedback / Re: Thank You (for reporting spam)
« on: March 04, 2011, 06:39:35 am »
I totally agree!

30
NetScreen and SSG/ISG Series Firewalls / Re: Iter-vlan traffic Slow Performace
« on: January 23, 2011, 03:50:11 pm »
Did you look in the interface counters for faulty packets?
Did you ran a debug session?
Something to see in the policy logs?

Any thing to get a clue?

31
Routers / Re: Telnet port 25 block NS50
« on: January 23, 2011, 03:47:20 pm »
When in doubt where the problems lays there are two things you can do:

First:

Enable logging at the begining of a session on the inbounf policy. Then look at the the close reason for a session. That should make clear hether or not the session was allowed by the firewall. If it show age-out, rst or something like that, it was allowed but closed afterwards.

If this don't help use the real pwer tool: debug:

set a flow filter:

set ff dst-ip <outside address> dst-port 23

start the debug:

debug flow basic

Clear the debug output buffer:

clear db

Now try the telnet session.

Stop the debugging:

undebug all (or simply press the ESC button on the keyboard)

Read the output with:

get db stream.

If it isn't clear: post the output, we're here to help you!

32
SRX Platform and J-series / Re: Admin Recovery on (newer) SRX-210
« on: January 08, 2011, 08:12:48 am »
You're to early in the bootloader I think. This sounds like the bios boot. You need to interupt the os boot, second phase. Otherwise try pressing the reset button for 10 secs. But this might delete configs, so you might need an exernal config to restore.

33
NetScreen and SSG/ISG Series Firewalls / Re: Multiple VPNs on single Tunnel interface
« on: January 03, 2011, 10:21:10 am »
Inta zone policies are only usefull when intrazoneblock on this zone is in place! Check with get zone <name> if block is set you need them. Block is default off in trust, on on every other zone. One tricky thing: setting any global policy overwrites the off setting. In other words when configuring just one global policy you allaws need policies for intrazone traffic.

34
NetScreen and SSG/ISG Series Firewalls / Re: NS-204 Streaming Video IPTV
« on: January 02, 2011, 12:08:33 pm »
QOS on the policies maybe?

35
SRX Platform and J-series / Re: SRX-240: 10s delays on POP3 and FTP connections
« on: January 02, 2011, 11:07:13 am »
No problem!

36
SRX Platform and J-series / Re: SRX-240: 10s delays on POP3 and FTP connections
« on: December 31, 2010, 05:06:59 am »
Try a security flow trace and look what's going on!

set security flow trace-options flag basic-datapath
set sec flow  trace-options packfilter just-a -name destintion prefix <dest-ip>
 set security flow trace-options file filename
commit
generate traffic
run show log filename

37
NetScreen and SSG/ISG Series Firewalls / Re: How to combinate SSG140 + Squid Proxy for access internet manage ???
« on: December 31, 2010, 04:53:55 am »
Hi,

that's any easy one. Since the squid is proxy it send out traffic with it's own IP address. So this will work

pol form trust to untrust <ip-squid> any HTTP+HTTPS permit
pol from trust to intrust any any HTTP+HTTPS reject log

Traffic from squid will hit rule one, any other rule two.
Of course this must come before an permit all rule.

38
NetScreen and SSG/ISG Series Firewalls / Re: How to combinate SSG140 + Squid Proxy for access internet manage ???
« on: December 30, 2010, 04:11:06 pm »
fastest way: block http from every source except the squid. users have to use the proxy this way. Otherwise (didn't try) use policy based routing and route every http packet to the squid, except comming from there of course. Don't know if the squid handles trafiic send to it this way ok. It's worth a try though.

39
NetScreen and SSG/ISG Series Firewalls / Re: SNAT in SSG-140
« on: December 30, 2010, 10:56:10 am »
I'm a bit out of ideas. Maybe combine source and destination natting in policies, let go of mip and vip ?

40
NetScreen and SSG/ISG Series Firewalls / Re: SNAT in SSG-140
« on: December 28, 2010, 10:21:14 am »
Yes, I was think overlapping a MIP with a DIP might be seen as subnet conflict. Carefull when you set ignore, device stop checking conflicts when configuring it.

Pages: 1 [2] 3 4 5 6 7 ... 66