Shamuntoha's Blog

Tizen Linux for mobile tablet smartphone will takeover the world. Backed by Intel, Samsung, Linux foundation. Good luck.

- Android is less important in such case

- IPhone also

Q. How do i update my SRX210 to latest firmwire? 
A. Go to IRC first, meet genius friends, follow this now:

## USB connected
root@% umass1: vendor 0x13fe USB DISK 2.0, rev 2.00/1.00, addr 4
da1 at umass-sim1 bus 1 target 0 lun 0
da1: < USB DISK 2.0 PMAP> Removable Direct Access SCSI-0 device 
da1: 40.000MB/s transfers
da1: 1910MB (3911680 512 byte sectors: 255H 63S/T 243C)

root@% ls /dev/da*
/dev/da0        /dev/da0s1a     /dev/da0s1e     /dev/da1
/dev/da0s1      /dev/da0s1c     /dev/da0s1f     /dev/da1s1

root@% mount /dev/da1s1 /mnt
mount: /dev/da1s1 : Invalid argument

## Mount usb
root@% mount_msdosfs /dev/da1s1 /mnt
root@% cd /mnt
root@% ls
.Trash-500                              junos-srxsme-11.1R3.5-domestic.tgz

## Copy new to old (Backup it!)
root@% cp -R junos-srxsme-11.1R3.5-domestic.tgz /var/tmp/
root@% cli

## Install request
root> request system software add no-validate no-copy unlink /var/tmp/junos-srxsme-11.1R3.5-domestic.tgz
Installing package '/var/tmp/junos-srxsme-11.1R3.5-domestic.tgz' ...
Verified junos-boot-srxsme-11.1R3.5.tgz signed by PackageProduction_11_1_0
Verified junos-srxsme-11.1R3.5-domestic signed by PackageProduction_11_1_0
Available space: 204128 require: 25022
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-11.1R3.5.tgz
JUNOS 11.1R3.5 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ...
Removing /var/tmp/junos-srxsme-11.1R3.5-domestic.tgz

Removing /var/tmp/junos-srxsme-11.1R3.5-domestic.tgz

root> request system reboot   
Reboot the system ? [yes,no] (no) yes 

Shutdown NOW!
[pid 4746]

root>                                                                                
*** FINAL System shutdown message from root@ ***                             
System going down IMMEDIATELY                                                  
                                                               


set version 11.1R3.5
set system root-authentication encrypted-password "PAPA   MAMA"
set system name-server 195.130.130.1
set system name-server 195.130.131.1
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 mac 08:00:69:02:01:fc
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat destination pool dst-nat-pool-1 address 192.168.1.2/32
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32 to 1.1.1.101/32
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit
set security zones security-zone trust address-book address server-1 192.168.1.2/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3          
set vlans vlan-trust l3-interface vlan.0
                                        
[edit]
root#

root>request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot

Try:

set applications application junos-telnet inactivity-timeout

This following will put a hostname, allow outside to inside ping, and ssh, finger and basic NAT/Port forwarding:

## Wan interface requires DHCP client to get from DSL/ISP ip
set interfaces ge-0/0/0 unit 0 family inet dhcp

## we allow outside ping and permit all 
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security policies default-policy permit-all

##Port forwarding 1720 2253 5060 49152 49500 49501 51234
set security nat destination pool server1 address 192.168.1.127/32
set security nat destination rule-set ruleset1 from zone untrust

## 1
set security nat destination rule-set ruleset1 rule rule1 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule1 match destination-port 1720
set security nat destination rule-set ruleset1 rule rule1 then destination-nat pool server1

## 2
set security nat destination rule-set ruleset1 rule rule2 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule2 match destination-port 2253
set security nat destination rule-set ruleset1 rule rule2 then destination-nat pool server1

## 3
set security nat destination rule-set ruleset1 rule rule3 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule3 match destination-port 5060
set security nat destination rule-set ruleset1 rule rule3 then destination-nat pool server1

## 4
set security nat destination rule-set ruleset1 rule rule4 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule4 match destination-port 49152
set security nat destination rule-set ruleset1 rule rule4 then destination-nat pool server1


## 5
set security nat destination rule-set ruleset1 rule rule5 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule5 match destination-port 49500
set security nat destination rule-set ruleset1 rule rule5 then destination-nat pool server1


## 6
set security nat destination rule-set ruleset1 rule rule6 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule6 match destination-port 49501
set security nat destination rule-set ruleset1 rule rule6 then destination-nat pool server1


## 7
set security nat destination rule-set ruleset1 rule rule7 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule7 match destination-port 51234
set security nat destination rule-set ruleset1 rule rule7 then destination-nat pool server1

References:

Doc: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/security/index.html?topic-52842.html

Tools: http://www.juniper.net/customers/support/configtools/vpnconfig.html

Generated Configuration (Route-based):

## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike

## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24

## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou"

## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0

## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit

1. show log messages | match fail

1. Enter the load factory-default command.

root@host# load factory-default

2. Use the set system root-authentication plain-text-password command to set a new root password for the device.

root@host# set system root-authentication plain-text-password

3. Enter the root password, and enter it again for confirmation.

New password:
Retype new password:


Caution: Before you commit changes, if you do not assign an IP address for the ge-0/0/0 interface, create a local user account, and enter routing information, either from CLI configuration or using DHCP, the SRX device is no longer remotely accessible. To manage the SRX device, you must connect a PC or laptop to the physical console, or attach the PC or laptop to a subnet that is directly connected to the ge-0/0/0 interface, which is assigned an IP address of 192.168.2.1.

4. Use the commit and-quit command to commit the configuration and exit from configuration mode if the configuration contains no errors and the commit succeeds.

root@host# commit and-quit

5. Use the request system reboot command to reboot the device.

root@host> request system reboot

After the reboot, the factory default configuration is the running configuration.

1) No port range allowed. INVALID as following:
show security nat destination pool server address port 5060-65000
show security nat destination pool server address port 5060/65000
show security nat destination pool server address port 5060~65000

Solution is to do one by one.
show security nat destination pool server address port 5060
show security nat destination pool server address port 5061
….
show security nat destination pool server address port 65000

2) Does not come with UC-RS232 cable (my laptop has only USB)

3) If you reboot and first time start, does not start withing few seconds. Please wait for 7 minutes to expect something positive.

4) Rollback allowed only for 5 (not 50 nor 100), be sure you do local backup.

Cheat Sheet for the CLI Commands – Baseline Operations Guide

How to connect?

[sun@example ~]$ ssh root@192.168.1.1
root@192.168.1.1's password:
--- JUNOS 10.0R3.10 built 2010-04-16 08:47:35 UTC
root@srx210%
Juniper has Unix? (FreeBSD/CentOS fashion), play it 
root@srx210>exit
root@srx210% uname -a
JUNOS srx210 10.0R3.10 JUNOS 10.0R3.10 #0: 2010-04-16 08:47:35 UTC     
builder@ormonth.juniper.net:/volume/build/junos/10.0/release/10.0R3.10/obj-octeon/bsd/sys/compile/JSRXNLE
 mips
root@srx210% ifconfig -a | grep fe-0/0/2
fe-0/0/2:       encaps: ether; framing: ether
fe-0/0/2.0:     flags=0x8000 <UP|MULTICAST>
root@srx210%

How the network language concept works? See follow tree:

parent {

parent_child1 {   parent_grand_children { }           }

parent_child2 {   parent_grand_children { }           }

}

Crack it: set parent parent_child1 parent_grand_children XYZ [press tab] [finally press enter]

How to reset or recover the passwrod:

1. boot 2. press s  OR try to press once the reset button for couple of longer seconds until the led shows red.

How to save my settings as backup?

$ save backup1.txt
$ load override backup1.txt
OR

rollback 4

How can i monitor traffic real time?

$ monitor traffic matches “host 192.168.1.1″

OR

root@srx210> monitor traffic interface ge-0/0/0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes

Reverse lookup for 94.224.207.255 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

09:56:20.849081  In IP 94-224-195-xx.access.telenet.be.17500 > 94.224.207.255.17500: UDP, length 109
09:56:20.849352  In IP 94-224-195-xx.access.telenet.be.17500 > 94.224.207.255.17500: UDP, length 109
^CReverse lookup was interrupted (check DNS reachability).
Use <no-resolve> to avoid reverse lookups on IP addresses.

4 packets received by filter
0 packets dropped by kernel

root@srx210>

How can i delete a settings?

$ delete security nat

Advanced commands:

Table 9: CLI Configuration Mode Commands

Basic commands:

And all extra included as following:

• JUNOS/Juniper EX-series Cheat Sheet
• JUNOS Cheat-Sheet PDF pdf
• Juniper NetScreen Policy Configuration Cheat Sheet
• JUNOS Juniper EX Cheat Sheet