Archive

Archive for the ‘SRX210’ Category

Tizen Linux for mobile, tablet and smartphone will take over the world. Backed by Intel, Samsung and the Linux Foundation. Good luck.

February 26, 2012 1 comment


– Android becomes less important in that case

– iPhone too


How to upgrade Junos to the latest version on my SRX210 to get around a limitation?

June 26, 2011 Leave a comment
root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot

This pulls the image over plain HTTP from a host on the LAN and reboots into it once it is installed. Nothing on that path authenticates the file, so copy it to the device first and compare its checksum (file checksum md5 <file>) with the value published on the Juniper download page before running the add.
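The same upgrade with a verification step, added here as an example rather than taken from the original post. The URL and file name are the ones from the post; the storage cleanup is there because the SRX210's internal flash is small, and the checksum line prints a hash to compare by hand with the one published for this exact file name:

```junos
## Operational mode. Free space on the internal flash first (the SRX210 has little of it)
root> request system storage cleanup

## Fetch the image over the LAN, then check it before installing: plain HTTP gives no
## integrity guarantee, so compare the printed hash with the published value
root> file copy http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz /var/tmp/
root> file checksum md5 /var/tmp/junos-srxsme-10.1R1.8-domestic.tgz

## Install from the verified local copy and reboot into the new release
root> request system software add /var/tmp/junos-srxsme-10.1R1.8-domestic.tgz reboot

## After the reboot, confirm the running version
root> show version
```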
Categories: Juniper, SRX210

How to extend a session timeout on my Juniper SRX210 (Junos)

June 26, 2011 Leave a comment

This changes the flow-session inactivity timeout for telnet sessions passing through the firewall (the predefined junos-telnet application), not the CLI idle timeout. The value is in seconds (or never); 3600 below is an example value, the command as originally posted had none:

set applications application junos-telnet inactivity-timeout 3600

For the CLI idle timeout use set system login class <class> idle-timeout <minutes> instead.

Categories: Juniper, SRX210

How to configure my Juniper SRX210 quickly for basic use?

June 26, 2011 1 comment

The following configures the WAN interface as a DHCP client, allows ping from outside on that interface, sets the default policy to permit-all, and forwards a handful of ports to an internal host with destination NAT. It does not set a hostname, enable SSH or finger, or configure source NAT for outbound LAN traffic; the hostname is set system host-name <name> and SSH is set system services ssh.

## WAN interface runs a DHCP client to obtain its address from the DSL/ISP
set interfaces ge-0/0/0 unit 0 family inet dhcp

## allow ping from outside. default-policy permit-all allows every flow in every direction,
## including untrust to trust, so treat it as a lab setting and replace it with explicit policies
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security policies default-policy permit-all

## Port forwarding of 1720 2253 5060 49152 49500 49501 51234 to 192.168.1.127
set security nat destination pool server1 address 192.168.1.127/32
set security nat destination rule-set ruleset1 from zone untrust

## 1
set security nat destination rule-set ruleset1 rule rule1 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule1 match destination-port 1720
set security nat destination rule-set ruleset1 rule rule1 then destination-nat pool server1

## 2
set security nat destination rule-set ruleset1 rule rule2 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule2 match destination-port 2253
set security nat destination rule-set ruleset1 rule rule2 then destination-nat pool server1

## 3
set security nat destination rule-set ruleset1 rule rule3 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule3 match destination-port 5060
set security nat destination rule-set ruleset1 rule rule3 then destination-nat pool server1

## 4
set security nat destination rule-set ruleset1 rule rule4 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule4 match destination-port 49152
set security nat destination rule-set ruleset1 rule rule4 then destination-nat pool server1


## 5
set security nat destination rule-set ruleset1 rule rule5 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule5 match destination-port 49500
set security nat destination rule-set ruleset1 rule rule5 then destination-nat pool server1


## 6
set security nat destination rule-set ruleset1 rule rule6 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule6 match destination-port 49501
set security nat destination rule-set ruleset1 rule rule6 then destination-nat pool server1


## 7
set security nat destination rule-set ruleset1 rule rule7 match destination-address 0.0.0.0/0
set security nat destination rule-set ruleset1 rule rule7 match destination-port 51234
set security nat destination rule-set ruleset1 rule rule7 then destination-nat pool server1
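What I would commit instead of default-policy permit-all, as an added example that is not part of the original post. It assumes the destination NAT pool and rule-set above (server1, ruleset1) are already configured; the LAN interface ge-0/0/1, its address, the hostname and the protocols behind each forwarded port are assumptions (the post's NAT rules match a port for any protocol, so each application below carries a TCP and a UDP term). On a box still carrying the factory default, ge-0/0/1 is an ethernet-switching member of the default VLAN and its family ethernet-switching has to be deleted before it can take an inet address.

```junos
## Hostname and SSH, which the post mentions but does not configure
set system host-name srx210-home
set system services ssh

## LAN side (assumed ge-0/0/1); management services accepted only here
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

## WAN side: the DHCP client needs DHCP replies let in; ping stays allowed as in the post
set interfaces ge-0/0/0 unit 0 family inet dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

## Outbound: hide LAN hosts behind the WAN address (the post has only destination NAT)
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule outbound match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule outbound then source-nat interface

## One custom application per forwarded port; drop the term you do not need
set applications application fwd-1720 term t1 protocol tcp destination-port 1720
set applications application fwd-1720 term t2 protocol udp destination-port 1720
set applications application fwd-2253 term t1 protocol tcp destination-port 2253
set applications application fwd-2253 term t2 protocol udp destination-port 2253
set applications application fwd-5060 term t1 protocol tcp destination-port 5060
set applications application fwd-5060 term t2 protocol udp destination-port 5060
set applications application fwd-49152 term t1 protocol tcp destination-port 49152
set applications application fwd-49152 term t2 protocol udp destination-port 49152
set applications application fwd-49500 term t1 protocol tcp destination-port 49500
set applications application fwd-49500 term t2 protocol udp destination-port 49500
set applications application fwd-49501 term t1 protocol tcp destination-port 49501
set applications application fwd-49501 term t2 protocol udp destination-port 49501
set applications application fwd-51234 term t1 protocol tcp destination-port 51234
set applications application fwd-51234 term t2 protocol udp destination-port 51234
set applications application-set server1-apps application fwd-1720
set applications application-set server1-apps application fwd-2253
set applications application-set server1-apps application fwd-5060
set applications application-set server1-apps application fwd-49152
set applications application-set server1-apps application fwd-49500
set applications application-set server1-apps application fwd-49501
set applications application-set server1-apps application fwd-51234

## Address-book entry for the real (post-NAT) server address
set security zones security-zone trust address-book address server1-host 192.168.1.127/32

## Explicit policies instead of default-policy permit-all
set security policies default-policy deny-all
set security policies from-zone trust to-zone untrust policy lan-out match source-address any
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application any
set security policies from-zone trust to-zone untrust policy lan-out then permit

## Destination NAT runs before the policy lookup, so the inbound policy matches the
## internal address, and only the forwarded ports; log each new session
set security policies from-zone untrust to-zone trust policy to-server1 match source-address any
set security policies from-zone untrust to-zone trust policy to-server1 match destination-address server1-host
set security policies from-zone untrust to-zone trust policy to-server1 match application server1-apps
set security policies from-zone untrust to-zone trust policy to-server1 then permit
set security policies from-zone untrust to-zone trust policy to-server1 then log session-init
```

With deny-all as the default, anything not matched by lan-out or to-server1 is dropped, so a forwarded port that is later removed from the NAT rule-set also has to be removed from server1-apps or it simply stops matching; that is the behaviour you want.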
Categories: Juniper, SRX210

How to create site-to-site IPSec VPN tunnel with Juniper SRX210

June 26, 2011 1 comment

References:

Doc: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/security/index.html?topic-52842.html

Tools: http://www.juniper.net/customers/support/configtools/vpnconfig.html

Generated Configuration (Route-based):

## Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0

## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike

## Configure address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24

## Configure IKE policy for main mode (replace the pre-shared key below with a long random secret before committing)
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou"

## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0

## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized

## Configure security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit

## Configure security policies for tunnel traffic in inbound direction
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
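An added example, not from the original post or from Juniper's configurator: the same gateway and VPN names with explicit proposals in place of proposal-set standard (which for this Junos generation means DH group 2 with 3DES or AES-128 and SHA-1), a placeholder pre-shared key to be replaced by a long random secret shared with the peer, and dead-peer detection so a dead tunnel is noticed. Algorithm keywords such as group14 and hmac-sha-256-128 depend on the Junos release; check what your build offers with set security ike proposal x ? before committing. Junos stores an ascii-text pre-shared key in the configuration as $9$-obfuscated text, which is reversible, so the configuration file itself has to be protected as a secret.

```junos
## Phase 1 (IKE): pre-shared keys, DH group 14, AES-256, SHA-256
set security ike proposal ike-prop-strong authentication-method pre-shared-keys
set security ike proposal ike-prop-strong dh-group group14
set security ike proposal ike-prop-strong authentication-algorithm sha-256
set security ike proposal ike-prop-strong encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-strong lifetime-seconds 28800

## proposal-set and proposals are mutually exclusive, so remove the set first; keep main mode
delete security ike policy ike-policy-cfgr proposal-set
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposals ike-prop-strong
## Placeholder secret: generate a long random string and configure the same value on the peer
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET"

## Phase 2 (IPsec): ESP, AES-256, SHA-256, PFS with group 14
set security ipsec proposal ipsec-prop-strong protocol esp
set security ipsec proposal ipsec-prop-strong authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-strong encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-strong lifetime-seconds 3600
delete security ipsec policy ipsec-policy-cfgr proposal-set
set security ipsec policy ipsec-policy-cfgr perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy-cfgr proposals ipsec-prop-strong

## Bring the tunnel up without waiting for traffic, and notice a peer that stops answering
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
set security ike gateway ike-gate-cfgr dead-peer-detection interval 10
set security ike gateway ike-gate-cfgr dead-peer-detection threshold 3
```

Both ends have to agree on every parameter of the proposal, so change the peer in the same maintenance window; the operational checks for phase 1 and phase 2 are in the log post below.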
Categories: Juniper, SRX210

How to check the logs from Juniper SRX210?

June 26, 2011 Leave a comment

Search the system log for failures:

show log messages | match fail
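A few more checks, added here as an example rather than taken from the original post. The first group are operational-mode commands; the last two lines are configuration-mode statements that send the session logs produced by a policy's then log action (RT_FLOW events) into their own file. The server address 192.168.1.127 is the one from the port-forwarding post above.

```junos
## Operational mode (the root> prompt), nothing to commit

## Failed logins: sshd's "Failed password" lines and the Junos LOGIN_FAILED event
show log messages | match "LOGIN_FAILED|Failed password"
## Recent activity, then who committed what and when
show log messages | last 100
show system commit

## VPN state: phase 1 (IKE) first, then phase 2 (IPsec) and its packet counters
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics

## Live sessions towards the port-forwarded server
show security flow session destination-prefix 192.168.1.127

## Configuration mode: give the RT_FLOW session logs their own file,
## then read it with: show log traffic-log
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
```

On a branch SRX these session logs are written through syslog on the routing engine, so a permit policy with then log session-init on a busy port will fill the file quickly; the default file rotation keeps that from exhausting the flash, but keep an eye on it.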


Categories: Juniper, SRX210

How to reset my Juniper SRX210 to factory default?

June 26, 2011 Leave a comment
  1. Enter the load factory-default command.
root@host# load factory-default
  2. Use the set system root-authentication plain-text-password command to set a new root password for the device.
root@host# set system root-authentication plain-text-password
  3. Enter the root password, and enter it again for confirmation.
New password:
Retype new password:

Caution: Before you commit changes, if you do not assign an IP address for the ge-0/0/0 interface, create a local user account, and enter routing information, either from CLI configuration or using DHCP, the SRX device is no longer remotely accessible. To manage the SRX device, you must connect a PC or laptop to the physical console, or attach the PC or laptop to a subnet that is directly connected to the ge-0/0/0 interface, which is assigned an IP address of 192.168.2.1.

  4. Use the commit and-quit command to commit the configuration and exit from configuration mode if the configuration contains no errors and the commit succeeds.
root@host# commit and-quit
  5. Use the request system reboot command to reboot the device.
root@host> request system reboot

After the reboot, the factory default configuration is the running configuration.
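The Caution above is the part that bites: after load factory-default the only account is root. What I would put into the same commit as the new root password so the box stays reachable and root is never used over the network, as an added example that is not part of the original post: the user name, the SSH public key and the 192.168.2.0/24 addressing are placeholders, and it assumes ge-0/0/0 is the management interface in the trust zone as the note above describes (if your factory default puts it in another zone, use that zone's name).

```junos
## Configuration mode, before the commit in step 4

## Named admin account authenticated by SSH public key (paste your own key)
set system login user admin class super-user authentication ssh-rsa "ssh-rsa <paste-your-public-key> admin@laptop"

## SSH v2 only, and no direct root logins over the network (root stays on the console)
set system services ssh protocol-version v2
set system services ssh root-login deny

## Management address on ge-0/0/0 as in the note above; ssh and ping accepted there only
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/24
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

## Review the change and let the parser validate it before committing
show | compare
commit check
commit and-quit
```

Test the SSH login as admin from a host on 192.168.2.0/24 before leaving the console session, since a typo in the key string commits fine but locks you out of everything except the serial port.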


Categories: Juniper, SRX210