Channel: ScreenOS Firewalls (NOT SRX) topics
Viewing all 763 articles

SSG20 Assistance with VPN Tunnel

We have been asked to create a VPN tunnel between a vendor and a site of ours. The vendor is claiming our internal address is already taken by another client. For argument's sake, we will say it is 192.168.2.0/24. They are requesting we present 10.10.10.0/24 to the tunnel as our address and let our firewall translate it to the correct local IP address.

I have never done this before and I am not sure where to begin or even the proper terminology to google a solution.

I am only familiar with the ScreenOS and not with consoling into the device. Any assistance in direction would be appreciated.
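One way to do what the vendor is asking, shown here as an added example and not taken from the original post: a route-based VPN whose tunnel interface carries a subnet MIP, so the real 192.168.2.0/24 is presented to the vendor as 10.10.10.0/24 in both directions, and the proxy-ID negotiated with the vendor names only the presented range. The vendor LAN 172.16.50.0/24, the peer address 203.0.113.10, the SSG20 untrust interface ethernet0/0, tunnel.1, the object names and the placeholder pre-shared key are assumptions.

```text
# Added example (not from the original post). Assumed: vendor peer 203.0.113.10,
# vendor LAN 172.16.50.0/24, SSG20 untrust interface ethernet0/0, tunnel.1.

# Tunnel interface in Untrust, borrowing the untrust interface address
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# IKE gateway and VPN using the predefined "standard" proposal sets
set ike gateway VENDOR-GW address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-LONG-RANDOM-PSK" sec-level standard
set vpn VENDOR-VPN gateway VENDOR-GW sec-level standard
set vpn VENDOR-VPN bind interface tunnel.1

# The proxy-ID carries the PRESENTED network, never the real one
set vpn VENDOR-VPN proxy-id local-ip 10.10.10.0/24 remote-ip 172.16.50.0/24 any

# Subnet MIP on the tunnel interface: 10.10.10.x <-> 192.168.2.x, host part preserved.
# A MIP works in both directions: traffic from 192.168.2.x leaving through tunnel.1 is
# sourced from 10.10.10.x, and traffic for 10.10.10.x arriving from the tunnel reaches 192.168.2.x.
set interface tunnel.1 mip 10.10.10.0 host 192.168.2.0 netmask 255.255.255.0 vr trust-vr

# Send the vendor network into the tunnel
set route 172.16.50.0/24 interface tunnel.1

# Address objects and policies. "any" service is used here for brevity; narrow it to the
# agreed ports, because the MIP exposes every port of every mapped host to the vendor.
set address Trust LAN-REAL 192.168.2.0/24
set address Untrust VENDOR-NET 172.16.50.0/24
set policy from Trust to Untrust LAN-REAL VENDOR-NET any permit log
set policy from Untrust to Trust VENDOR-NET "MIP(10.10.10.0)" any permit log

# Checks: MIP table, phase 2 SA state, and which interface the vendor prefix resolves to
get mip
get sa
get route ip 172.16.50.1
```

The vendor only ever sees 10.10.10.0/24, so their side configures that range as your network. The address-book name "MIP(10.10.10.0)" is how ScreenOS exposes a MIP for use in policies and is assumed here for a subnet MIP; check the exact name with get mip before writing the policy. The terms to search for are "MIP on tunnel interface" and "overlapping subnet VPN" in the ScreenOS Concepts & Examples guides.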


Options for obtaining SSG550 Software

Apparently the SSGs we have, which were purchased before I took over, are not registered to our company and as such we are unable to purchase support to get access to software downloads.

Does anyone have any suggestions as to a route we could take to obtain software? Upgrading to a newer platform is not feasible at this time due to the size of the configuration (4500+ lines) and man hours it would take to convert.

Thanks!

unable to ping/ssh slave ssg firewall through vpn

Hi All,

I have a Netscreen 140 active-slave setup. I am able to ping both firewall management IP addresses from each other and from the internal switches and other devices.

We have a site-to-site VPN with another vendor, from where they are unable to ping/ssh/anything to the slave firewall. When they access any of our internal devices, everything works fine from there.

While troubleshooting, when they tried to access the slave device, I turned on debug and analysed get db stream and get event. This showed that an IP spoof log is generated for each connection request.

When the remote PC starts a ping, the SSG records the IP as 171.7x.13x.30.

routes:
---------
set route 171.7x.13x.0/24 gateway 172.23.25.10
set route 171.7x.13x.128/25 interface tunnel.3
set route 171.7x.13x.0/24 interface tunnel.3 preference 5 description "newtun"

Could someone assist me with how to fix this.

Attached is the part of the debug and get event logs.

regards

Rajesh
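The ScreenOS IP-spoofing screen does a route lookup on a packet's source address and drops the packet when the best route to that source points at an interface other than the one the packet arrived on. The commands below, added here and not part of the post, compare those two things on the unit that logs the spoof event; they use the routes and address from the post, with the zone name Untrust assumed.

```text
# Added checks (not from the original post). Run on the firewall that logs the spoof event
# (the slave), because each NSRP member does its own reverse-route lookup.

# 1) Which interface does THIS unit expect 171.7x.13x.30 to come from?
#    Note: in ScreenOS a LOWER preference value wins, so the tunnel.3 route with
#    preference 5 outranks the gateway route (static routes default to preference 20),
#    and the /25 via tunnel.3 is more specific than either /24.
get route ip 171.7x.13x.30
get route

# 2) Is the spoof check active on the zone the packet really enters, and is it counting drops?
get zone Untrust screen
get counter screen zone Untrust

# 3) Capture only the flows in question so the debug buffer shows the ingress interface
clear dbuf
set ffilter src-ip 171.7x.13x.30
debug flow basic
# ... reproduce the ping from the remote PC ...
undebug all
get dbuf stream
unset ffilter
```

The value to compare is the interface named by get route ip against the interface the debug stream shows the packet arriving on; if they differ on the slave, that mismatch is what the IP spoof log is reporting.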

migrate config from ISG1000 to SRX345

Hello, we have two ISG1000s in an active-passive NSRP configuration. We are replacing them with two SRX345s. Is there an easier way of migrating the configuration of the firewalls, including IPsec VPNs, to the new devices?

SSG500M Multiple search domains

Hello,

Is it possible to set up multiple search domains for a DHCP server configured on a specific port?

I am able to enter only one search domain.

NS 208 port forwarding

I have an NS208 that I set up a long time ago, and the customer has now requested port forwarding. I haven't touched a Juniper device in years so I'm very rusty. I need to forward ports 81, 8554, and 37777 to an internal server. I did a bunch of googling but nothing seems to be working, and it could just be that I don't know what I'm doing.

I have ethernet3 as my ISP in an Untrust zone with an IP address assigned from the ISP (static).

I have ethernet1 as my internal 192.168.0.1 network in a Trust zone.

I have set up a VIP on ethernet3 with an IP address (does this address matter? I've currently set it one digit higher than my ISP). This points to my internal server IP 192.168.0.108.

I set up a custom service (3 technically) to forward these 3 ports.

I created a policy from Untrust to Trust between "any" source and the VIP address using all 3 services.

Nothing is working. What am I missing?
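One way to set this up on ScreenOS, added here as an example and not from the original post: VIPs that use the ISP interface's own address, one custom service per port, and a single multi-service policy whose destination is the VIP object rather than the internal server. The interface names, server address and port list come from the post; policy ID 100 and the service names are assumptions.

```text
# Added example (not from the original post). Assumed: policy ID 100 and the service names;
# ethernet3 (ISP, Untrust), ethernet1 (Trust) and the server 192.168.0.108 come from the post.

# One custom service per port
set service TCP81    protocol tcp src-port 0-65535 dst-port 81-81
set service TCP8554  protocol tcp src-port 0-65535 dst-port 8554-8554
set service TCP37777 protocol tcp src-port 0-65535 dst-port 37777-37777

# VIP entries on the ISP interface's own address: external port -> service -> internal host.
# Using "interface-ip" means no extra public address has to be routed or ARPed by the ISP.
set interface ethernet3 vip interface-ip 81    TCP81    192.168.0.108
set interface ethernet3 vip interface-ip 8554  TCP8554  192.168.0.108
set interface ethernet3 vip interface-ip 37777 TCP37777 192.168.0.108

# The policy's destination is the VIP object, not the internal server address;
# a multi-service policy carries all three services
set policy id 100 from Untrust to Trust any "VIP(ethernet3)" TCP81 permit log
set policy id 100
set service TCP8554
set service TCP37777
exit

# Checks: VIP table, interface binding, and the policy as installed
get vip
get interface ethernet3
get policy id 100
```

If a separate address is used for the VIP instead (set interface ethernet3 vip 203.0.113.7 81 TCP81 192.168.0.108, with 203.0.113.7 as a placeholder), that address has to be one the ISP actually delivers to this interface, which ordinarily means it lies in the interface's subnet and inside your allocation; "one digit higher than my ISP address" only works if that is the case and the address is not the ISP's gateway. Keep the source as "any" only if all three ports really must be reachable from the whole Internet; otherwise replace it with address objects for the known clients.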

How to Migrate Netscreen SSG20 to JunOS SRX320

Hi Support,

How can I migrate a Netscreen SSG20 "Firmware Version: 6.2.0r5.0 (Firewall+VPN)" to a Junos SRX320 device?

Interoperability Fortigate and Netscreen ISG1000

Dear all,

I have an ISG1000 and a Fortigate configured with a site-to-site VPN. It operated well, but recently traffic could not pass through the VPN tunnel (the tunnel was still up), so my customer had to run the command "clear sa" on the ISG1000, after which it was OK. I checked the configuration on the ISG1000, which had a VPN monitor command, so I suggested they unset that part. The VPN operated fine for one week, but yesterday the traffic stopped passing again. I do not have any idea in this case (route and policy are fine for the tunnel).

Kindly support me to solve this problem.

Attached is the tunnel config on the ISG and Fortigate.

---------------------Fortigate----------------------------

config vpn ipsec phase1-interface
edit "VPN_ISG1000"
set interface "port20"
set dhgrp 2
set keylife 86400
set proposal 3des-sha1
set dpd disable
set comments "VPN_ISG1000"
set remote-gw x.x.x.x
set psksecret ENC bWFpbmMrWQE4JfORGGSDOyLJDFx0zLUkQGH12ApEmhQsgXIM8C83X9lClc0lct3BnTULV2xK0VS1c7lzxxwHpJwn7MeIADWwmlb15/zWsiftdNydN5d8LgdGoJZynwWaSNLFAWTldnQ2StjW9UHwcLkRlts8eXUZSiUr/nf73xa4qXe/0S4ONtJNy1ERnKR/NPTFSw==
next
end
config vpn ipsec phase2-interface
edit "VPN_ISG1000_Phase2"
set auto-negotiate enable
set comments "VPN_ISG1000_Phase2"
set pfs disable
set phase1name "VPN_ISG1000"
set proposal 3des-sha1
set keylifeseconds 3600
next
end

-----------------------------------------------------------------------------------

---------------------------------ISG1000---------------------------------------

set ike p1-proposal "PHASE1_VPN_TANZANIA_DCN" preshare group2 esp 3des sha-1 second 86400

set ike p2-proposal "PHASE2_VPN_TANZANIA_DCN" no-pfs esp 3des sha-1 second 3600

set ike gateway "GW_VPN_TANZANIA_DCN" address y.y.y.y Main outgoing-interface "ethernet1/3" preshare "WD88b30zNFmRQBsHWWCRtjNgf2npx6jImLGMXWJ1GF/0qGmtpSHI59A=" proposal "PHASE1_VPN_TANZANIA_DCN"
set ike gateway "GW_VPN_TANZANIA_DCN" cert peer-ca all
set ike gateway "GW_VPN_TANZANIA_DCN" nat-traversal
unset ike gateway "GW_VPN_TANZANIA_DCN" nat-traversal udp-checksum
set ike gateway "GW_VPN_TANZANIA_DCN" nat-traversal keepalive-frequency 0
set vpn "VPN_TANZANIA_DCN" gateway "GW_VPN_TANZANIA_DCN" no-replay tunnel idletime 0 proposal "PHASE2_VPN_TANZANIA_DCN" 

set vpn "VPN_TANZANIA_DCN" id 0x86 bind interface tunnel.41
set vpn "VPN_TANZANIA_DCN" dscp-mark 0


Issue with route based VPN tunnel with MIP between SSG140 and Cisco ASA device

I am having an issue with a route-based VPN tunnel between an SSG140 and a Cisco ASA device (both sides are doing MIP translation from the original IP address to a different IP address, from 10.100.0.58->208.86.147.170 on my side, and the tunnel is just routing a single address on each side). The tunnel comes up just fine, but if the ASA initiates the tunnel, the ASA never sees return traffic from the SSG140. I can see traffic initiated by the ASA come through the tunnel, and it looks like the SSG140 is sending it back through the tunnel, but the ASA person says they don't see it. If I initiate traffic (after the ASA brings up the tunnel), again it looks like it goes into the tunnel but the ASA person says they don't see it. However, if the SSG140 initiates the tunnel, then the packets flow back and forth in the tunnel just fine. I have done some debug traces and, from what I can tell, it looks like everything should work. Below are the basic commands on the SSG140 side that relate to the tunnel. I attached a debug flow that shows a packet coming from the ASA (after it brings up the tunnel) to the SSG140 and a return packet coming back to the SSG140.

set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
set interface tunnel.2 ip unnumbered interface ethernet0/2
set interface "tunnel.2" mip 208.86.147.170 host 10.100.0.58 netmask 255.255.255.255 vr "trust-vr"
set address "Trust" "vsql01 in" 10.100.0.58 255.255.255.255
set address "Untrust" "discol 164-82-7-51" 164.82.7.51 255.255.255.255

set ike p1-proposal "discolp1"....
set ike p2-proposal "discolp2"....
set ike gateway ikev2 "discol gateway" address 164.82.6.11 outgoing-interface "ethernet0/2" preshare "...." proposal "discolp1"
set vpn "discol-164-82-7-51" gateway "discol gateway" no-replay tunnel idletime 0 proposal "discolp2"
set vpn "discol-164-82-7-51" id 0x63 bind interface tunnel.2
set vpn "discol-164-82-7-51" dscp-mark 0
set vpn "discol-164-82-7-51" proxy-id local-ip 208.86.147.170/32 remote-ip 164.82.7.51/32 "ANY"
set policy id 412 from "Untrust" to "Trust"  "discol 164-82-7-51" "MIP(208.86.147.170)" "ANY" permit log
set policy id 412
set log session-init
exit
set policy id 407 from "Trust" to "Untrust"  "vsql01 in" "discol 164-82-7-51" "ANY" permit log
set policy id 407
set log session-init
exit
set route 164.82.7.51/32 interface tunnel.2

 

Upgrade SSG550 failed

Dear all,

We need to upgrade an SSG550M from 6.1.0r2.0 to 6.2.0r19.0. We did not upgrade the bootloader because, according to the Juniper document, it is not required. After upgrading the key successfully, we loaded the firmware as per the Juniper instructions (using TFTP):

save soft from tftp ip_addr screenos_filename to flash

About 5 minutes later, we saw the log below:

-------------------------------------------------------------------------------------------

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 18
update new flash image (0206ca70,15240197)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 15240117
date = 8b25, sw_version = 800031, cksum = d90a903a
Unknown platform type (19)
Wrong software, ignore it.
Done

----------------------------------------------------------------------------------------------

We do not know why; the image was downloaded from the official Juniper site.

Kindly help me solve this issue.

Thanks,

ThinhND

Tunnel Interface in Trust Zone - Security Problem?

Hello,

we have VPNs with tunnel interfaces. One of them is in the security zone trust (see screenshot). The VPN tunnel works. Is this a security problem?

In the documentation I found no hint.

https://www.juniper.net/documentation/software/screenos/screenos6.3.0/630_ce_all.pdf

Some information:

- We use the standard zones untrust and trust for our network.

- In the policy for this VPN with the trust tunnel interface, the foreign side only speaks public IP addresses through the VPN on our side.

Anyone have an idea?

Thanks and best regards

Holger
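The security-relevant point is that zone membership, not the interface type, decides which policies apply: packets leaving a tunnel interface that is in Trust arrive as intra-zone Trust traffic, and unless intra-zone blocking is turned on for that zone ScreenOS forwards intra-zone traffic without a policy lookup, so the VPN peer can reach any Trust host on any port. Whether the peer uses public or private addresses does not change this, because the ingress interface's zone, not the source address, selects the policy set. The configuration below is an added example and not from the post; tunnel.5, the peer network 198.51.100.0/24, the LAN 192.168.1.0/24 and the zone name VPN-PARTNER are assumptions.

```text
# Added example (not from the original post). Assumed: tunnel.5 is the tunnel interface that sits
# in Trust, the peer's network is 198.51.100.0/24, the LAN is 192.168.1.0/24, zone VPN-PARTNER is new.

# First, see whether intra-zone blocking is on; with it off, Trust-to-Trust traffic is never
# matched against policy, so the peer behind tunnel.5 can reach any Trust host on any port.
get zone Trust
get interface            # confirms which zone each tunnel interface belongs to

# Option A: leave the tunnel in Trust, but force a policy lookup for intra-zone traffic
set zone Trust block
set address Trust PEER-NET 198.51.100.0/24
set address Trust LAN 192.168.1.0/24
set policy from Trust to Trust PEER-NET LAN HTTP permit log
# (every other Trust-to-Trust flow that crosses the firewall now needs a policy too)

# Option B (cleaner): give the tunnel its own zone so the peer is treated like any other
# external network. Unbind the VPN and unset the interface address before moving the interface.
set zone VPN-PARTNER
set interface tunnel.5 zone VPN-PARTNER
set address VPN-PARTNER PEER-NET 198.51.100.0/24
set policy from VPN-PARTNER to Trust PEER-NET LAN HTTP permit log
set policy from VPN-PARTNER to Trust any any ANY deny log
```

Option B is the usual design: the peer gets a zone of its own, every flow from it is an inter-zone policy decision, and the trailing logged deny makes anything unexpected visible. Option A is the quick fix when the interface cannot be moved right away.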

SSG-140 gig interface dropping when changed to 1000 full

We recently upgraded our internet service from 100 to 200 Mbps. I moved us to interfaces 8 and 9 (gig) so we could realize these higher speeds. Everything went fine, except when the upgrade was complete and I changed int 9 (our external interface) to 1000 full, our internet connection drops; when I change it back to 100 it is fine. I confirmed with our provider that the interface the firewall is connected to is hardcoded to 1000 full. Does anyone know why it's not working at 1000 Mbps?

SSG20 site-to-site dynamic VPN doesn't work issue

Dear All,

I tried all scenarios to make two SSG20s have a site-to-site VPN using a dynamic IP address at site B, to no avail. It works when both sites have fixed IP addresses, but when site B has a dynamic IP address it doesn't work.

Site A public IP address 82.114.183.222 and its LAN is 192.168.2.0/24.

Site B has a dynamic public IP address and its LAN is 192.168.4.0/24.

What is wrong in the attached configuration?

Could you please share the best working and guaranteed configuration example? I did it exactly using Juniper resources but it doesn't work.

thanks to all.
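The pattern ScreenOS uses for a peer without a fixed address is a dynamic-peer IKE gateway: the static side identifies the peer by an IKE ID instead of an address and must accept aggressive mode, the dynamic side sends that ID as its local-id, and only the dynamic side can bring the tunnel up. Both sides below are an added example, not the attached configuration; the untrust interface ethernet0/0, trust interface bgroup0, tunnel.1, the ID siteb.example.com and the placeholder pre-shared key are assumptions. Site A's address and both LANs come from the post.

```text
# Added example (not the attached configuration). Assumed on both SSG20s: untrust interface
# ethernet0/0, trust interface bgroup0, tunnel.1, IKE ID "siteb.example.com" (does not need
# to resolve), placeholder PSK. Site A's address and both LANs come from the post.

# ----- Site A (static 82.114.183.222, LAN 192.168.2.0/24) -----
# The peer has no fixed address, so A identifies it by IKE ID and must accept aggressive mode
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway SITE-B dynamic "siteb.example.com" aggressive outgoing-interface ethernet0/0 preshare "REPLACE-WITH-LONG-RANDOM-PSK" sec-level standard
set vpn SITE-B-VPN gateway SITE-B sec-level standard
set vpn SITE-B-VPN bind interface tunnel.1
set vpn SITE-B-VPN proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.4.0/24 any
set route 192.168.4.0/24 interface tunnel.1
set address Trust LAN-A 192.168.2.0/24
set address Untrust LAN-B 192.168.4.0/24
set policy from Trust to Untrust LAN-A LAN-B any permit log
set policy from Untrust to Trust LAN-B LAN-A any permit log

# ----- Site B (dynamic public address, LAN 192.168.4.0/24) -----
# Only B can initiate; it presents the same ID as its local-id, with mirrored proxy-IDs
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway SITE-A address 82.114.183.222 aggressive local-id "siteb.example.com" outgoing-interface ethernet0/0 preshare "REPLACE-WITH-LONG-RANDOM-PSK" sec-level standard
set vpn SITE-A-VPN gateway SITE-A sec-level standard
set vpn SITE-A-VPN bind interface tunnel.1
set vpn SITE-A-VPN proxy-id local-ip 192.168.4.0/24 remote-ip 192.168.2.0/24 any
# VPN monitor from B keeps the SA alive and rekeys it, so A can reach B without waiting
# for a user at B to send traffic; 192.168.2.1 is assumed to be A's trust address
set vpn SITE-A-VPN monitor source-interface bgroup0 destination-ip 192.168.2.1 rekey
set route 192.168.2.0/24 interface tunnel.1
set address Trust LAN-B 192.168.4.0/24
set address Untrust LAN-A 192.168.2.0/24
set policy from Trust to Untrust LAN-B LAN-A any permit log
set policy from Untrust to Trust LAN-A LAN-B any permit log

# Checks (on A, after B initiates): phase 1 cookies, then phase 2 SAs
get ike cookie
get sa
```

Aggressive mode sends the identity in the clear and lets a passive observer capture a hash derived from the pre-shared key, so use a long random PSK and accept only site B's ID on the static side. Since A can never initiate, the monitor on B is what keeps the tunnel usable from A's side after B's address changes.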

slow Internet connection

Hi,

My Internet connection is very slow; my provider is able to see a lot of traffic filling the bandwidth.
On the Juniper, is it possible to get information about this traffic (client IP, protocol, time etc.) in order to analyse the problem?

My Hardware Version: REV 12(0)    Firmware Version: 6.3.0r21.0 (Firewall+VPN)

thank you
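ScreenOS can show this live from its session table and can export per-session traffic logs to a syslog server; both are shown below as an added example, not from the post. The collector address 192.168.1.50, the client 192.168.1.77, the trust interface ethernet0/0 and policy id 1 (assumed to be the outbound Trust-to-Untrust policy, already created with the log option) are assumptions.

```text
# Added example (not from the original post). Assumed: syslog collector 192.168.1.50, a client
# 192.168.1.77, trust interface ethernet0/0, and policy id 1 as the outbound Trust-to-Untrust policy.

# 1) Live view from the session table: totals, then per client and per destination port
get session info
get session
get session src-ip 192.168.1.77
get session dst-port 443
get counter statistics interface ethernet0/0

# 2) Durable record: send per-session traffic logs (source/destination, ports, protocol,
#    bytes, start/end time) to a syslog server
set syslog config 192.168.1.50
set syslog config 192.168.1.50 facilities local0 local0
set syslog config 192.168.1.50 log traffic
set syslog src-interface ethernet0/0
set syslog enable

# 3) Traffic logs are only produced by policies that have the log option. Logging at session
#    init as well as close captures long-lived flows (the ones that usually fill a link)
#    while they are still open.
set policy id 1
set log session-init
exit
```

The session table answers "who is talking right now"; the syslog feed is what lets you go back to a time window after the fact and sort by client address or bytes.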

VPN tunnel going up and down (how to check if ISP has blocked ESP traffic)


Unexpected traffic getting through SSG-350M to DMZ

I have had very little experience with Junipers and inherited my firewall from my predecessor. I have a server in my DMZ that has been responding to port requests to 445, when I expected it to be blocking that traffic.

My concern is that I am making some false assumptions and am allowing traffic through that I am not aware of, and I am looking for some guidance on whether that concern is valid as well as the reason the traffic was going through.

My guess is that this should be done with a VIP instead of MIP.

MIP interface:

set interface "loopback.1" mip 100.101.102.103 host 10.9.8.7 netmask 255.255.255.255 vr "trust-vr"

Service setup:

set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445

Policy (that was allowing TCP/445):

set policy id 362 name "UBNT" from "Untrust" to "DMZ"  "Any" "MIP(100.101.102.103)" "ICMP-ANY" permit log
set policy id 362
set service "TCP/5067"
set service "TCP/8267"
exit

Policy that blocked 445 (above previous policy):

set policy id 370 name "UBNT" from "Untrust" to "DMZ"  "Any" "MIP(100.101.102.103)" "microsoft-ds" deny log
set policy id 370
exit

My assumption was, before this hole was found, that only those ports named in policy 362 would be allowed (false assumption). I have a good number of other MIPs set up and want to make sure that the system is secure.

Any suggestions and/or thoughts are appreciated.
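A MIP maps one address to another for every port; what limits ports is the policy, and ScreenOS evaluates the policies for a zone pair top-down, first match. So whether TCP/445 could have matched policy 362 depends on what the custom services TCP/5067 and TCP/8267 actually contain, which the post does not show, and on whether any other Untrust-to-DMZ policy for that MIP sits above it. The commands below are an added example, not the poster's configuration; they reuse the post's IDs and names, and policy IDs 380 and 381 are assumptions for a fresh, narrowed pair.

```text
# Added example (not from the original post). Policy IDs 380 and 381 are assumptions;
# other names and IDs are those shown in the post.

# 1) Check what the permitted services really cover and the order the firewall evaluates
get service "TCP/5067"
get service "TCP/8267"
get service "microsoft-ds"
get policy from Untrust to DMZ          # top-down, first match wins
get policy id 362

# 2) The deny must sit above the permit (as the post already has it); this is how to reorder
set policy move 370 before 362

# 3) Narrowed template for each MIP exposed to Untrust: an explicit permit list, then an
#    explicit logged deny for that MIP so unexpected hits show up in the logs instead of
#    silently falling to the zone pair's implicit deny
set policy id 380 from Untrust to DMZ Any "MIP(100.101.102.103)" "TCP/5067" permit log
set policy id 380
set service "TCP/8267"
set service ICMP-ANY
exit
set policy id 381 from Untrust to DMZ Any "MIP(100.101.102.103)" ANY deny log
set policy move 381 after 380

# 4) Confirm no wider policy anywhere in the zone pair still reaches the MIP
get policy from Untrust to DMZ
```

A VIP differs from a MIP in that it forwards only the listed ports and nothing else, which adds a second layer of restriction, but both still need a policy, and a policy with the ANY service (or a custom service with a wide port range) in front of either one is what exposes 445 along with everything else. Run step 1 against every MIP you inherited.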

 

SSG350M - Firmware 6.3 - Dual ISP - Routing Issue - Failover

Hi All,

After setting up an SSG350M active/passive cluster, I am running into the problem that I'm not able to figure out how to configure a dual ISP routing configuration. Both ISPs are bound to UNTRUST eth0/2.5 and eth0/2.6 with default routes configured...

What's the best sample config to make eth0/2.5 the primary route and eth0/2.6 the backup if eth0/2.5 fails?

All TRUST segments are bound to sub-interfaces eth0/0.x.

But when two default routes are configured with different preferences, the primary stays active and does not switch to the backup route... :-(

 

Configuration:

get interface

Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth0/0 0.0.0.0/0 Trust 0010.dbff.2000 - U 0
eth0/0.10 10.0.10.254/24 Trust 0010.dbff.2000 10 U 0
eth0/1 0.0.0.0/0 DMZ 0010.dbff.2050 - U 0
eth0/2 0.0.0.0/0 Untrust 0010.dbff.2060 - U 0
eth0/2.5 212.60.218.50/28 Untrust 0010.dbff.2060 5 U 0
eth0/2.6 192.168.61.21/24 Untrust 0010.dbff.2060 6 D 0
eth0/3 0.0.0.0/0 HA 288a.1c4e.ca67 - U -
vlan1 0.0.0.0/0 VLAN 0010.dbff.20f0 1 D 0
null 0.0.0.0/0 Null N/A - U 0

 

get route

IPv4 Dest-Routes for <trust-vr> (8 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 4 212.60.218.50/32 eth0/2.5 0.0.0.0 H 0 0 Root
* 7 0.0.0.0/0 eth0/2.5 212.60.218.49 S 50 1 Root
* 8 0.0.0.0/0 eth0/2.6 192.168.61.254 S 20 1 Root
* 3 212.60.218.48/28 eth0/2.5 0.0.0.0 C 0 0 Root
* 6 192.168.61.21/32 eth0/2.6 0.0.0.0 H 0 0 Root
* 5 192.168.61.0/24 eth0/2.6 0.0.0.0 C 0 0 Root
* 2 10.0.10.254/32 eth0/0.10 0.0.0.0 H 0 0 Root
* 1 10.0.10.0/24 eth0/0.10 0.0.0.0 C 0 0 Root

 

get config | incl route

set vrouter trust-vr sharable
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set interface ethernet0/2.5 route
set interface ethernet0/2.6 route
unset flow reverse-route clear-text
set flow reverse-route tunnel always
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2.5 gateway 212.60.218.49 preference 50 tag 5 description "QSC UPLINK"
set route 0.0.0.0/0 interface ethernet0/2.6 gateway 192.168.61.254 preference 20 tag 6 description "T-COM UPLINK"
set vrouter "untrust-vr"
set vrouter "trust-vr"

 

Any suggestions?
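In ScreenOS a route with a lower preference value is preferred over one with a higher value, so with the two default routes posted above the T-COM route (preference 20) is the one the firewall would choose whenever eth0/2.6 is up; the posted interface table also shows eth0/2.6 in state D, so that path is not usable at the moment anyway. A static default route is withdrawn only when its interface goes down, which is why nothing fails over when the link stays up but the ISP behind it breaks; interface IP tracking addresses that. The commands below are an added example, not the poster's configuration; the tracked address (the QSC gateway) and the 8.8.8.8 test destination are assumptions.

```text
# Added example (not from the poster's configuration). Assumed: tracking the QSC gateway
# 212.60.218.49; everything else comes from the posted "get config | incl route" output.

# 1) Preference: a LOWER value wins in ScreenOS. Swap the values so QSC is primary.
unset route 0.0.0.0/0 interface ethernet0/2.5 gateway 212.60.218.49
unset route 0.0.0.0/0 interface ethernet0/2.6 gateway 192.168.61.254
set route 0.0.0.0/0 interface ethernet0/2.5 gateway 212.60.218.49 preference 20 tag 5 description "QSC UPLINK"
set route 0.0.0.0/0 interface ethernet0/2.6 gateway 192.168.61.254 preference 50 tag 6 description "T-COM UPLINK"

# 2) A static route is withdrawn only when its interface goes down. IP tracking marks the
#    interface down when the tracked address stops answering, which withdraws the QSC default
#    route and leaves the T-COM one active; it comes back when the pings succeed again.
set interface ethernet0/2.5 monitor track-ip ip 212.60.218.49 weight 255
set interface ethernet0/2.5 monitor track-ip threshold 255
set interface ethernet0/2.5 monitor threshold 255
set interface ethernet0/2.5 monitor track-ip

# 3) Checks: interface state and monitor status, then which default route is active
get interface ethernet0/2.5
get route
get route ip 8.8.8.8
```

Tracking only the next-hop gateway catches link and gateway failures but not an outage deeper in the ISP; an address further away can be tracked only if the firewall reaches it through that interface. In an NSRP cluster, also check whether interface monitoring is configured to fail the whole cluster over when eth0/2.5 is marked down, and decide whether that is what you want or whether route failover alone is enough.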

Is Junos policy bi-directional?

I have an SRX with a policy "from-zone TRUST to-zone UNTRUST" which allows any source-address, destination-address and application.

Now I have initiated a ping from the TRUST zone to the UNTRUST zone.

My doubt is why the ping is succeeding.

My expectation is that, as there is no policy that allows traffic from UNTRUST to TRUST, the ICMP reply message from the UNTRUST zone should be dropped by the SRX.

Correct me if my understanding is wrong.

SSG5 DHCP Relay not working after tunnel cycles

We have an office location that has been having a problem with their provider going down. When it goes down, of course the tunnel drops. When the provider network comes back up, the SSG5 reconnects the tunnel as it should and all static devices on the other side come back online. What doesn't work is DHCP. The only way I have found to get the relay back is to reboot the device. Any ideas?

 

Firmware 6.3.0r25.0 
