Archive for June, 2011

How to upgrade Junos on my SRX210 to the latest version to avoid its limitations?

June 26, 2011
root>request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
Categories: Juniper, SRX210

How to extend the inactivity timeout on a Juniper SRX210 (Junos)

June 26, 2011

Try (the command's final argument is the inactivity timeout in seconds, or never):

set applications application junos-telnet inactivity-timeout


How to configure my Juniper SRX210 quickly for basic use?

June 26, 2011

The following will set a hostname, allow ping from outside to inside, ssh, finger, and basic NAT/port forwarding:

## WAN interface runs a DHCP client to get its IP from the DSL/ISP
set interfaces ge-0/0/0 unit 0 family inet dhcp

## allow ping from outside and permit all traffic
## (default-policy permit-all applies to every zone pair, untrust to trust included)
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security policies default-policy permit-all

## Port forwarding for 1720 2253 5060 49152 49500 49501 51234 to the pool address
set security nat destination pool server1 address 192.168.1.127/32
set security nat destination rule-set ruleset1 from zone untrust

## 1
set security nat destination rule-set ruleset1 rule rule1 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule1 match destination-port 1720
set security nat destination rule-set ruleset1 rule rule1 then destination-nat pool server1

## 2
set security nat destination rule-set ruleset1 rule rule2 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule2 match destination-port 2253
set security nat destination rule-set ruleset1 rule rule2 then destination-nat pool server1

## 3
set security nat destination rule-set ruleset1 rule rule3 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule3 match destination-port 5060
set security nat destination rule-set ruleset1 rule rule3 then destination-nat pool server1

## 4
set security nat destination rule-set ruleset1 rule rule4 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule4 match destination-port 49152
set security nat destination rule-set ruleset1 rule rule4 then destination-nat pool server1

## 5
set security nat destination rule-set ruleset1 rule rule5 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule5 match destination-port 49500
set security nat destination rule-set ruleset1 rule rule5 then destination-nat pool server1

## 6
set security nat destination rule-set ruleset1 rule rule6 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule6 match destination-port 49501
set security nat destination rule-set ruleset1 rule rule6 then destination-nat pool server1

## 7
set security nat destination rule-set ruleset1 rule rule7 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule7 match destination-port 51234
set security nat destination rule-set ruleset1 rule rule7 then destination-nat pool server1

How to create site-to-site IPSec VPN tunnel with Juniper SRX210

June 26, 2011

References:

Doc: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/security/index.html?topic-52842.html

Tools: http://www.juniper.net/customers/support/configtools/vpnconfig.html

Generated Configuration (Route-based):

## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike

## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24

## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou"

## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0

## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
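A quick consistency check for a generated route-based VPN config like the one above, as an added example (not code from the blog post or from Juniper): it parses the `set` lines and reports policy address names that are missing from the zone's address book, a bind-interface that belongs to no zone, and a config where no zone accepts inbound IKE. The sample config inside the script is constructed to mirror the post, with one address deliberately left undefined.

```python
# Added example (not from the blog post or Juniper): sanity checks for a route-based
# Junos IPsec config in 'set' form. The sample below is constructed to mirror the
# post; net-cfgr_192-168-3-0--24 is referenced but deliberately never defined.
import re
from collections import defaultdict
SAMPLE_CONFIG = """
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
"""
ZONE = r"set security zones security-zone (\S+) "
ADDR_RE = re.compile(ZONE + r"address-book address (\S+) \S+$")
ZONE_IF_RE = re.compile(ZONE + r"interfaces (\S+)$")
IKE_RE = re.compile(ZONE + r"host-inbound-traffic system-services (?:ike|all)$")
BIND_RE = re.compile(r"set security ipsec vpn (\S+) bind-interface (\S+)$")
POLICY_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"match (source|destination)-address (\S+)$")

def check_vpn_config(text):
    """Return a list of findings; an empty list means every check passed."""
    books, zone_ifs, ike_zones, binds, refs = defaultdict(set), {}, set(), [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := ADDR_RE.match(line):
            books[m.group(1)].add(m.group(2))
        elif m := ZONE_IF_RE.match(line):
            zone_ifs[m.group(2)] = m.group(1)
        elif m := IKE_RE.match(line):
            ike_zones.add(m.group(1))
        elif m := BIND_RE.match(line):
            binds.append(m.groups())
        elif m := POLICY_RE.match(line):
            refs.append(m.groups())
    findings = []
    for from_zone, to_zone, policy, direction, name in refs:  # 1. name must exist in that zone's book
        zone = from_zone if direction == "source" else to_zone
        if name != "any" and name not in books[zone]:
            findings.append(f"policy {policy}: {direction}-address {name} missing from zone {zone} book")
    for vpn, ifname in binds:  # 2. the st0 interface must sit in a zone or no policy can apply to it
        if ifname not in zone_ifs:
            findings.append(f"vpn {vpn}: bind-interface {ifname} is not in any zone")
    if not ike_zones:  # 3. some zone must accept inbound IKE or phase 1 never starts
        findings.append("no zone permits host-inbound-traffic system-services ike")
    return findings
```

Run `check_vpn_config` over your own `show configuration | display set` output before committing; it only knows the handful of statement forms used in this post.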

How to check the logs from Juniper SRX210?

June 26, 2011

1. show log messages | match fail

How to reset my Juniper SRX210 to factory default?

June 26, 2011

1. Enter the load factory-default command.
root@host# load factory-default
2. Use the set system root-authentication plain-text-password command to set a new root password for the device.
root@host# set system root-authentication plain-text-password
3. Enter the root password, and enter it again for confirmation.
New password:
Retype new password:

Caution: Before you commit changes, if you do not assign an IP address for the ge-0/0/0 interface, create a local user account, and enter routing information, either from CLI configuration or using DHCP, the SRX device is no longer remotely accessible. To manage the SRX device, you must connect a PC or laptop to the physical console, or attach the PC or laptop to a subnet that is directly connected to the ge-0/0/0 interface, which is assigned an IP address of 192.168.2.1.

4. Use the commit and-quit command to commit the configuration and exit from configuration mode if the configuration contains no errors and the commit succeeds.
root@host# commit and-quit
5. Use the request system reboot command to reboot the device.
root@host> request system reboot

After the reboot, the factory default configuration is the running configuration.


What is impossible with Juniper Junos SRX series?

June 24, 2011

1) No port range allowed. The following are INVALID:
show security nat destination pool server address port 5060-65000
show security nat destination pool server address port 5060/65000
show security nat destination pool server address port 5060~65000

The solution is to add them one by one.
show security nat destination pool server address port 5060
show security nat destination pool server address port 5061
….
show security nat destination pool server address port 65000

2) Does not come with a USB-RS232 cable (my laptop has only USB).

3) After a reboot or the first boot, it does not come up within a few seconds. Wait about 7 minutes before expecting anything positive.

4) Rollback is allowed only for 5 (not 50 or 100), so be sure to keep a local backup.
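The one-by-one workaround from item 1 above, and the seven-rule port-forwarding block in the earlier post, are the same chore: one three-line destination-NAT rule per port. Added example, not code from the blog post or from Juniper: it expands a port list (ranges included) into individual ports and emits the `set` lines, using the post's names (ruleset1, server1, 192.168.1.127/32) as defaults.

```python
# Added example (not from the blog post or Juniper): emit one destination-NAT rule per
# port, the one-by-one approach the post recommends when a port range is rejected.
# Names mirror the post (ruleset1, server1, 192.168.1.127/32); the port list is the post's.

def expand_ports(spec):
    """'1720,5060,49500-49501' -> [1720, 5060, 49500, 49501], validated and de-duplicated."""
    ports = []
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.extend(range(lo, hi + 1))  # every port becomes its own rule, so keep ranges small
    return list(dict.fromkeys(ports))  # drop duplicates, keep first-seen order

def dnat_rules(ports, pool="server1", pool_addr="192.168.1.127/32",
               rule_set="ruleset1", from_zone="untrust"):
    """Return Junos 'set' lines: one pool (no port, so the original port is preserved),
    one rule-set, and a three-line rule per port numbered rule1, rule2, ... in list order."""
    lines = [f"set security nat destination pool {pool} address {pool_addr}",
             f"set security nat destination rule-set {rule_set} from zone {from_zone}"]
    for n, port in enumerate(ports, 1):
        prefix = f"set security nat destination rule-set {rule_set} rule rule{n}"
        lines += [f"{prefix} match destination-address 0.0.0.0/0",
                  f"{prefix} match destination-port {port}",
                  f"{prefix} then destination-nat pool {pool}"]
    return lines

if __name__ == "__main__":
    print("\n".join(dnat_rules(expand_ports("1720,2253,5060,49152,49500-49501,51234"))))
```

Paste the printed lines into configuration mode; they reproduce the port-forwarding block from the earlier post exactly, and a real range such as 49500-49510 simply yields eleven rules.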