Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides



Forum: Security, NAT, Policies, Screen, Flow, TCP


 Post subject: ROUTING INSTANCE is not working on firewall srx210
PostPosted: Tue Jun 14, 2016 6:00 pm 
Hi everybody

I am trying to configure a JUNIPER srx 210 firewall and I'm stuck on one problem. My ROUTING-INSTANCE configuration is not working. Let me explain:

The firewall srx 210 has two connections:
-The first one is a VPN connection.
-The second one is an INTERNET connection.


The main routing-table has the default-route to the VPN conection (ST0.1 interface).

The routing-instance is type forwarding and has only a default-route. The default-route permit ...

 Post subject: NAT's CONFIGURATION IS NOT WORKING srx210
PostPosted: Mon Jun 06, 2016 12:54 am 
Hi everybody

I am trying to configure a JUNIPER srx 210 firewall and I'm stuck on one problem. I can't access the internet from lan interface network vlan.11. I think that I'm missing something, I can ping everything from the srx but nothing from lan interface network vlan.11 using the command:
ping 8.8.8.8 interface vlan.11

I think my NAT configuration is not working.
Thanks in advance

My configuration:

## Last changed: 2016-06-06 03:21:06 UTC
version 12.1X46-D45.4; ...

 Post subject: Juniper SRX NAT64 behavior in relation to DF (Don’t Fragment) bit on incoming IPv4 packets
PostPosted: Thu Mar 10, 2016 11:31 am 
Juniper SRX NAT64 option natv6v4 no-v6-frag-header

NAT64, like all the other NAT technologies, translates IP headers. This particular NAT technology translates IPv6 headers to IPv4 headers and back (return traffic).

Since the IPv6 header contains different fields than the IPv4 header, RFC 6145 was created to define translation guidelines between the two protocols. One particularly interesting guideline on translating IPv6 to IPv4 and back is “4. Translating from IPv4 to IPv6”:

Quote:
4. Translating from IPv4 ...

 Post subject: Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic
PostPosted: Thu Mar 10, 2016 10:56 am 
Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic

If NAT64 is used on Juniper SRX with action “static-nat inet”, then IPv4 traffic hitting the security zone of NAT64 towards destinations in another zone will be dropped due to an internal misbehavior of the SRX.

Enabling SRX flow traces will show "The packet destination ip is not same as source ip version, drop it". This means that SRX tries to apply a NAT46 action on ...

 Post subject: Juniper SRX firewall debug: packet dropped: for self but not interested
PostPosted: Mon Jun 23, 2014 3:52 am 
This is in 90% of the cases caused by the fact that the GRE/IPIP or other SRX-destined traffic input interface is not assigned to any security zone.

One of the other 10% of the cases is when GRE tunnels with loopback endpoints are configured over IPSEC tunnel. Read more here: SRX GRE with loopback endpoints over Ipsec tunnel does not pass traffic.

 Post subject: BGP Blackhole (RTBH) with Juniper SRX firewall
PostPosted: Thu May 29, 2014 6:45 am 
How to use your Juniper SRX firewall and BGP RTBH to fight some of the spam/bad traffic

I own a small (free) web/mail hosting solution for personal and close friends' websites. It is unbelievable how much junk even hosting ~10 domains can attract... about 2000 spam emails / week.

Up until recently, big IP blocks (/24) that were used to deliver spam were added to the firewall's blacklist security policy. Due to the big amount of spam ...

 Post subject: SRX security policies: error: Failed to build dop for policy receive error: configuration check-out
PostPosted: Fri Jun 28, 2013 7:23 am 
The following commit error can occur on the SRX:

Code:
# commit
error: Failed to build dop for policy receive
error: configuration check-out failed


This is because one of my security policies contained the same target subnet/IPs in source/destination:

Code:
from-zone untrust to-zone vr1 {
    policy receive {
        match {
            source-address remote-net;
            destination-address remote-net;  <--HERE
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vr1-to-vr1;
                    pair-policy send;
                }
            }
        }
    }
}

 Post subject: Junos 11.4 - SRX flow mode - traffic destined for loopback lo0 interface
PostPosted: Thu May 30, 2013 9:20 am 
Junos - SRX - communicating with the loopback lo0 interface of a remote device

The structure of Junos on the SRX platforms is a little more complicated than on all other platforms due to security zones and policies.

The communication flow path to the IP address of an SRX (running in flow mode) loopback lo0.0 interface has changed starting with Junos 11 iirc, due to the fact that the loopback needs to be assigned to a security zone. ...

 Post subject: Juniper SRX packet mode switch back to flow mode (verification)
PostPosted: Tue May 28, 2013 9:57 am 
You probably know how to enable the srx to run in packet mode (due to the MPLS header being just after the ethernet header, it applies to the inet family also).

To check the mode that an SRX box is running under:
# run show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status ...

 Post subject: Configuring and verifying unicast reverse path filter (uRPF) on Juniper SRX
PostPosted: Fri Feb 01, 2013 12:05 pm 
Unicast reverse path filtering is a router/firewall/switch feature that allows ISPs to counteract spoofing attempts.

On Junos, it can be activated per interface, and for each incoming packet it will check the source IP against the FIB (Forwarding Information Base) to see whether the source IP and incoming interface match.


Example of activating reverse path filter on an RVI interface:
LaR3@samantha# show interfaces vlan.22 | display set
set interfaces vlan unit 22 family inet rpf-check
set interfaces ...
