Hi everybody

I am trying to configure a JUNIPER srx 210 firewall and I'm stuck on one problem. My ROUTING-INSTANCE configuration is not working. Let me to explain you:

The firewall srx 210 has two conections:
-The first one is a VPN conection.
-The second one is a INTERNET conection.


The main routing-table has the default-route to the VPN conection (ST0.1 interface).

The routing-instance is type forwarding and has only a default-route. The default-route permit ...

Hi everybody

I trying to configure a JUNIPER srx 210 firewall and I'm stuck on one problem. I can't access the internet from lan interface network vlan.11. I think that I'm missing something, I can ping everything from the srx but nothing from lan interface network vlan.11 using the comand:
ping 8.8.8.8 interface vlan.11

I think my NAT configuration is not working.
Thanks in advance

My configuration:

## Last changed: 2016-06-06 03:21:06 UTC
version 12.1X46-D45.4; ...

Juniper SRX NAT64 option natv6v4 no-v6-frag-header

NAT64, like all the other NAT technologies, translates IP headers. This particular NAT technology translates IPv6 headers to IPv4 headers and back (return traffic).

Since IPv6 header contains different fields than IPv4 header, RFC 6145 was created to define translation guidelines between the two protocols. One particular interesting guideline on translating IPv6 to IPv4 and back is “4. Translating from IPv4 to IPv6”. Quote:

Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic

If NAT64 is used on Juniper SRX with action “static-nat inet”, then IPv4 traffic hitting the security zone of NAT64 towards destinations from other zone, will be dropped due to an internal miss-behavior of the SRX.

Enabling SRX flow traces will show The packet destination ip is not same as source ip version, drop it. This means that SRX tries to apply a NAT46 action on ...

This is is 90% of the cases caused by the fact that GRE/IPIP or other SRX destined traffic input interface is not assigned to any security zones.

One of the other 10% of the cases is when GRE tunnels with loopback endpoints are configured over IPSEC tunnel. Read more here: SRX GRE with loopback endpoints over Ipsec tunnel does not pass traffic.

How to use your Juniper SRX firewall and BGP RTBH to fight some of the spam/bad traffic

I own a small (free) web/mail hosting solution for personal and close friends' websites. It is unbelievable how much junk even hosting ~10 domains can attract... about 2000 spam emails / week.

Up until recently, big IP blocks (/24) that were used to deliver spam were added to firewall's blacklist security policy. Due to big amount of spam ...

Following commit error can occur on the srx:



This is because one of my security policies contained the same target subnet/IPs in source/destination:

Junos - SRX - communicating with the loopback lo0 interface of a remote device

The structure of Junos on the SRX platforms is a little more complicated from all other platforms due to security zones and policies.

Communication flow path with the IP address of an SRX (running in flow mode) loopback lo0.0 interface starting with Junos 11 iirc, is changed due to the fact that loopback needs to be assigned to a security zone. ...

Probably you know how to enable srx to run in packet mode (due to MPLS header being just after the ethernet header, it applies to inet family also).

To check the mode that an SRX box is running under:
# run show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status ...

Unicast reverse path filtering is a router/firewall/switch feature that allows ISPs to counteract spoofing attempts.

On Junos, it can be activated per interface and for each incoming packet it will check the source IP against the FIB (Forward Information Base) if the source IP and incoming interface match.


Example of activating reverse path filter on an RVI interface:
LaR3@samantha# show interfaces vlan.22 | display set
set interfaces vlan unit 22 family inet rpf-check
set interfaces ...