41
NetScreen and SSG/ISG Series Firewalls / Re: SNAT in SSG-140
« on: December 28, 2010, 07:45:34 am »
Yes, but is dirty. Try setting ingnore subnet conflict on trust-vr.
News:
Tapatalk enabled for mobile browsing and alerts. Search for Tapatalk in the Android Market or the App Store. Support for Blackberry, iPhone, and Android.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
42
NetScreen and SSG/ISG Series Firewalls / Re: SNAT in SSG-140
« on: December 27, 2010, 12:22:22 pm »
Can't you define a dip pool with one address overlaping with the MIP? Never tried.
43
NetScreen and SSG/ISG Series Firewalls / Re: SNAT in SSG-140
« on: December 27, 2010, 08:16:43 am »
Best is to put the second SMTP server on an other address with a second MIP and put a second MX record for this in your DNS tables.
44
NetScreen and SSG/ISG Series Firewalls / Re: Reverse Natting ssg140
« on: December 26, 2010, 03:54:55 am »
You can do a range translation, but I never tried what happens with highr range. Son't know about resourve alocation. I think you need a source nat with a range reading your description.
PS just removed the spame post you're answering to in the second post.
PS just removed the spame post you're answering to in the second post.
45
Switches / Re: Juniper Ex 4200 switch....
« on: December 20, 2010, 05:03:29 pm »
Create two routing tables and place the vlan interfaces in it! That's all I think.
root# show routing-instances
routing-instances
{
instance-type virtual-router;
interface vlan.101;
}
From top level in edit mode: set routing-instances vlan101 instance-type virtual-router interface vlan.101
Repeat for other vlan and commit.
root# show routing-instances
routing-instances
{
instance-type virtual-router;
interface vlan.101;
}
From top level in edit mode: set routing-instances vlan101 instance-type virtual-router interface vlan.101
Repeat for other vlan and commit.
46
NetScreen and SSG/ISG Series Firewalls / Re: Ipsec VPN with MIPS
« on: December 19, 2010, 01:36:30 pm »
It's allways the other end isn't it ?
47
SRX Platform and J-series / Re: Proxy IGMP on SRX100
« on: December 19, 2010, 01:34:57 pm »
Hi,
I found something on page 114 in this guide: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/routing/junos-security-swconfig-routing-protocols-and-policies.pdf . On top of this you should add igmp as allowed hist-inbound-traffic on zone ot interface level I read somewhere else. Can't give more detailed info I'm afraid, didn't play with it myself.
I found something on page 114 in this guide: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/routing/junos-security-swconfig-routing-protocols-and-policies.pdf . On top of this you should add igmp as allowed hist-inbound-traffic on zone ot interface level I read somewhere else. Can't give more detailed info I'm afraid, didn't play with it myself.
48
SRX Platform and J-series / Re: STATIC NAT
« on: December 13, 2010, 01:40:41 pm »
You can configure this under security nat static. Set proxy arp and it should work! Don't forget to set security policies as well.
49
SRX Platform and J-series / Re: STATIC NAT
« on: December 08, 2010, 04:27:55 pm »
destination nat rules frp, trust to untrust and proxy arp for .10 .20 .30 should do it if I understand you well.
50
NetScreen and SSG/ISG Series Firewalls / Re: ScreenOS Updates
« on: December 06, 2010, 03:59:22 pm »
Yes: you need a support contract to obtain it legaly.
51
NetScreen and SSG/ISG Series Firewalls / Re: Howto: Easy route-based VPN configuration
« on: December 06, 2010, 03:58:25 pm »
If only B is a juniper you're in trouble. You need to match the proxy-ID to the source addresses in that case I think.
52
NetScreen and SSG/ISG Series Firewalls / Re: Howto: Easy route-based VPN configuration
« on: December 03, 2010, 06:31:23 am »
No, that should be it. Only thing to remark is to leave the proxy id's alone. On routebased juniper to routebased juniper you don't fill thim in. When both sides are all zeros they match and phase II can party. Don't know what happens when you do use proxy id's and the source is not within the range of the proxy id. Interesting to find out!!
53
NetScreen and SSG/ISG Series Firewalls / Re: Howto: Easy route-based VPN configuration
« on: December 02, 2010, 08:07:54 am »
A needs set a route to reach C to B and C needs to set a rout to reach A to B. on B you you need a policy to allow the traffic. A and C need both to be route based VPN for this config to work.
54
NetScreen and SSG/ISG Series Firewalls / Re: redundant interface on SSG5
« on: December 02, 2010, 07:50:36 am »
I think only the ISG;s and NS 5K support this. Alternative might be L3 redudancy. OSPF with different costs or VRRP. Didn't try the last one, dont't know if it's possible to place two interfaces from one device in a VRRP group.
55
SRX Platform and J-series / Re: Branch series upgrade
« on: November 29, 2010, 04:36:54 pm »
You can force a status per redudancy group. Something like set chassis cluster redundancygroup nr ......
Forgot the exact syntac, no srx available right now.
Forgot the exact syntac, no srx available right now.
56
SRX Platform and J-series / Re: SRX-240 firewalling in routed mode?
« on: November 29, 2010, 04:34:31 pm »
Sure you can, The SRX is beside a firewall, a feature rich router! It's all a bout planning the subnets. Layer2 mode (transparent) is * not * supported.
57
NSM / Re: enabling Multicast in ISG2000 using NSM
« on: November 23, 2010, 03:36:40 pm »
What does a debug flow basic says about this?
58
Routers / Re: Telnet port 25 block NS50
« on: November 23, 2010, 03:31:48 pm »
Set policy from zone to zone any any smtp permit should allow the traffic. Maybe you can post a debug output:
set ff dst-ip <ip smtp server>
debug flow basic
try a connection
undebug all
get db stream
set ff dst-ip <ip smtp server>
debug flow basic
try a connection
undebug all
get db stream
59
SRX Platform and J-series / Re: Traffic shaping SRX 210
« on: November 10, 2010, 02:09:16 pm »
Sure you can as long as you can "capture" the traffic in packet filters. Well known destination port or somthing. Or bij source prefix or destination address, etc. And yes you can limit traffic by asigning a policer. So much you can do, but is quitte a lot to explain in a quick post I'm afraid.
Some usefull links:
http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-interfaces-and-routing/default-cos-settings.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-interfaces-and-routing/cos-chapter.html
And the best:
http://forums.juniper.net/t5/Configuration-Library/Configuration-Example-class-of-service/td-p/56786
Some usefull links:
http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-interfaces-and-routing/default-cos-settings.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-interfaces-and-routing/cos-chapter.html
And the best:
http://forums.juniper.net/t5/Configuration-Library/Configuration-Example-class-of-service/td-p/56786
60
SRX Platform and J-series / Re: Traffic shaping SRX 210
« on: November 10, 2010, 01:21:56 pm »
Traffic shaping can be done on a 210, but not in the sec policies. You need to configure:
- firewall rules (stateless: "packetfilter") wich assgns queue
- COS settings
Please google jonos cos for examples. When something not clear drop a new post
- firewall rules (stateless: "packetfilter") wich assgns queue
- COS settings
Please google jonos cos for examples. When something not clear drop a new post