Archive for the ‘Juniper’ Category

Tizen Linux for mobile, tablet and smartphone will take over the world. Backed by Intel, Samsung and the Linux Foundation. Good luck.

February 26, 2012 1 comment

– Android is less important in that case

– iPhone also

How do I update my SRX210 to the latest firmware?

July 9, 2011 Leave a comment

Q. How do I update my SRX210 to the latest firmware?
A. Go to IRC first, meet genius friends, then follow this:

## USB connected
root@% umass1: vendor 0x13fe USB DISK 2.0, rev 2.00/1.00, addr 4
da1 at umass-sim1 bus 1 target 0 lun 0
da1: < USB DISK 2.0 PMAP> Removable Direct Access SCSI-0 device 
da1: 40.000MB/s transfers
da1: 1910MB (3911680 512 byte sectors: 255H 63S/T 243C)

root@% ls /dev/da*
/dev/da0        /dev/da0s1a     /dev/da0s1e     /dev/da1
/dev/da0s1      /dev/da0s1c     /dev/da0s1f     /dev/da1s1

root@% mount /dev/da1s1 /mnt
mount: /dev/da1s1 : Invalid argument

## Mount usb
root@% mount_msdosfs /dev/da1s1 /mnt
root@% cd /mnt
root@% ls
.Trash-500                              junos-srxsme-11.1R3.5-domestic.tgz

## Copy the new image to /var/tmp (back up first!)
root@% cp -R junos-srxsme-11.1R3.5-domestic.tgz /var/tmp/
root@% cli

## Install request
root> request system software add no-validate no-copy unlink /var/tmp/junos-srxsme-11.1R3.5-domestic.tgz
Installing package '/var/tmp/junos-srxsme-11.1R3.5-domestic.tgz' ...
Verified junos-boot-srxsme-11.1R3.5.tgz signed by PackageProduction_11_1_0
Verified junos-srxsme-11.1R3.5-domestic signed by PackageProduction_11_1_0
Available space: 204128 require: 25022
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-11.1R3.5.tgz
JUNOS 11.1R3.5 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ...
Removing /var/tmp/junos-srxsme-11.1R3.5-domestic.tgz

root> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 4746]

root>
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY

## Configuration after the upgrade (note "set version 11.1R3.5")
set version 11.1R3.5
set system root-authentication encrypted-password "PAPA   MAMA"
set system name-server 195.130.130.1
set system name-server 195.130.131.1
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 mac 08:00:69:02:01:fc
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat destination pool dst-nat-pool-1 address 192.168.1.2/32
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32 to 1.1.1.101/32
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit
set security zones security-zone trust address-book address server-1 192.168.1.2/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

[edit]
root#
Categories: Juniper

How to upgrade Junos on my SRX210 to the latest version and avoid its limitation?

June 26, 2011 Leave a comment

root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
Categories: Juniper, SRX210

How to extend the timeout on a Juniper SRX210 running Junos

June 26, 2011 Leave a comment

Try:

set applications application junos-telnet inactivity-timeout <seconds>

Categories: Juniper, SRX210

How to configure my Juniper SRX210 quickly for basic use?

June 26, 2011 1 comment

The following sets a hostname, allows ping from outside to inside as well as SSH and finger, and does basic NAT/port forwarding:

## WAN interface runs a DHCP client to get its IP from the DSL/ISP
set interfaces ge-0/0/0 unit 0 family inet dhcp

## allow ping from outside and permit all traffic by default policy
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security policies default-policy permit-all

## Port forwarding of ports 1720 2253 5060 49152 49500 49501 51234
set security nat destination pool server1 address 192.168.1.127/32
set security nat destination rule-set ruleset1 from zone untrust

## 1
set security nat destination rule-set ruleset1 rule rule1 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule1 match destination-port 1720
set security nat destination rule-set ruleset1 rule rule1 then destination-nat pool server1

## 2
set security nat destination rule-set ruleset1 rule rule2 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule2 match destination-port 2253
set security nat destination rule-set ruleset1 rule rule2 then destination-nat pool server1

## 3
set security nat destination rule-set ruleset1 rule rule3 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule3 match destination-port 5060
set security nat destination rule-set ruleset1 rule rule3 then destination-nat pool server1

## 4
set security nat destination rule-set ruleset1 rule rule4 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule4 match destination-port 49152
set security nat destination rule-set ruleset1 rule rule4 then destination-nat pool server1

## 5
set security nat destination rule-set ruleset1 rule rule5 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule5 match destination-port 49500
set security nat destination rule-set ruleset1 rule rule5 then destination-nat pool server1

## 6
set security nat destination rule-set ruleset1 rule rule6 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule6 match destination-port 49501
set security nat destination rule-set ruleset1 rule rule6 then destination-nat pool server1

## 7
set security nat destination rule-set ruleset1 rule rule7 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule7 match destination-port 51234
set security nat destination rule-set ruleset1 rule rule7 then destination-nat pool server1
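As an added example (my own script, not from this blog or from Juniper), a small audit that scans a "show configuration | display set" dump such as the configs in this post and in the upgrade post above, and flags the weak settings they contain: telnet and HTTP management, a permit-all default policy, a zone accepting all system services inbound, an untrust-to-trust policy permitting any application, and a destination-NAT rule on 0.0.0.0/0 with no destination-port, which forwards every port rather than only the listed ones. Check ids are my own naming and the sample is constructed from lines on this page.

```python
"""Audit a Junos 'show configuration | display set' dump for risky settings."""
import re
from collections import defaultdict
# Single-line checks: (id, regex, reason); '{0}' is filled from the regex group.
LINE_CHECKS = [
    ("telnet", r"^set system services telnet$", "cleartext telnet management is enabled"),
    ("http-mgmt", r"^set system services web-management http ", "web management over cleartext HTTP"),
    ("permit-all", r"^set security policies default-policy permit-all$", "default policy permits all traffic"),
    ("inbound-all", r"^set security zones security-zone (\S+) host-inbound-traffic system-services all$",
     "all system services reachable from zone {0}"),
]
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")
DNAT_RE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) ((?:match|then) .+)$")

def audit(config_text):
    """Return (check_id, detail) findings: single-line checks first, then cross-line ones."""
    findings, policies, dnat = [], defaultdict(list), defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # ignore prompts, '##' comments and blank lines
        for cid, pattern, reason in LINE_CHECKS:
            if m := re.match(pattern, line):
                findings.append((cid, reason.format(*m.groups())))
        if m := POLICY_RE.match(line):
            policies[m.group(1, 2, 3)].append(m.group(4))   # keyed by (from-zone, to-zone, name)
        elif m := DNAT_RE.match(line):
            dnat[m.group(1, 2)].append(m.group(3))          # keyed by (rule-set, rule)
    # Cross-line: an untrust->trust policy that permits any application to its target.
    for (src, dst, name), clauses in policies.items():
        if (src, dst) == ("untrust", "trust") and {"match application any", "then permit"} <= set(clauses):
            findings.append(("untrust-any-app", f"policy {name} permits any application from untrust into trust"))
    # Cross-line: a DNAT rule on 0.0.0.0/0 with no destination-port forwards every port to the pool host.
    for (rs, rule), clauses in dnat.items():
        if "match destination-address 0.0.0.0/0" in clauses and not any(c.startswith("match destination-port") for c in clauses):
            findings.append(("dnat-all-ports", f"rule-set {rs} rule {rule} forwards every port, not just listed ones"))
    return findings

# Constructed sample made of lines taken from the two configs in these posts.
SAMPLE = """\
set system services telnet
set system services web-management http interface vlan.0
set security nat destination rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set ruleset1 rule rule1 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule1 match destination-port 1720
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit
set security zones security-zone trust host-inbound-traffic system-services all
"""
```

Note that ruleset1 rule1 is not reported: its destination-port clause limits the forward to one port, while rs1 r1 from the upgrade post has no such clause.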
Categories: Juniper, SRX210

How to create a site-to-site IPsec VPN tunnel with a Juniper SRX210

June 26, 2011 1 comment

References:

Doc: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/security/index.html?topic-52842.html

Tools: http://www.juniper.net/customers/support/configtools/vpnconfig.html

Generated Configuration (Route-based):

## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike

## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24

## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou"

## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0

## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
Categories: Juniper, SRX210

How to check the logs from Juniper SRX210?

June 26, 2011 Leave a comment

1. show log messages | match fail

Categories: Juniper, SRX210