Posts

Showing posts from May, 2014

Multiple subnets in SRX route-based VPN

By default, the proxy-id is 0.0.0.0/0 when it is not explicitly configured for an SRX route-based VPN. This is an issue when the remote peer is a third-party device such as a Cisco ASA. When there is only one network at the remote end and one network locally, configuring an explicit proxy-id resolves the issue. When there are multiple subnets at either end, older SRX firmware can't be configured with multiple proxy-ids; only recently released SRX firmware supports multiple proxy-ids through a feature called Traffic Selector. Here I focus on the older SRX versions that don't support Traffic Selector.

When there are multiple networks on the local side, the first thing to try is to supernet these networks, then discuss with the peer administrator whether he/she can use the supernet as the proxy-id. In Cisco terms, this means the remote ASA needs to use the supernet in the interesting-traffic ACL (also called the VPN ACL); its interface ACL should continue to use

Packet Capture on SRX

Use a firewall filter to capture packets to a file.

1. Configure forwarding options:
set forwarding-options packet-capture file filename MyCapture size 1000000
set forwarding-options packet-capture maximum-capture-size 1500

2. Configure a firewall filter for packet capture:
set firewall filter PCAP term 1 from source-address 192.168.2.88/32
set firewall filter PCAP term 1 from destination-address 192.168.2.182/32
set firewall filter PCAP term 1 from protocol tcp
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set firewall filter PCAP term 2 from source-address 192.168.2.182/32
set firewall filter PCAP term 2 from destination-address 192.168.2.88/32
set firewall filter PCAP term 2 from protocol tcp
set firewall filter PCAP term 2 then sample
set firewall filter PCAP term 2 then accept
set firewall filter PCAP term Allow-ALL-Else then accept

3. Apply the firewall filter to the desired interface, then commit:
set interfaces fe-0/0/0 unit

Policy Template Group

Use a security policy template group to make sure a policy is always at the bottom; this can be used for the implicit deny policy as below, or for a dynamic VPN policy.

#Create a policy template group
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then log session-init

#Apply the policy template group to the zone-based policy
set security policies from-zone untrust to-zone trust apply-grou

SRX Commands

# Find the matching security policy for a specific connection:
show security match-policies from-zone untrust to-zone trust source-ip 192.168.2.100 source-port 4000 destination-ip 192.168.2.88 destination-port 22 protocol tcp

# Check available storage:
> show system storage
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s2a              617M       146M       422M       26%   /
....

# Set VPN DF-BIT to copy
When a host sends a packet over the VPN tunnel, the packet's DF bit is by default not copied to the outer VPN header. If a packet from a host has the DF bit set, then under normal circumstances a network device on the path that sees this DF-bit packet but can't forward it without fragmenting it sends an ICMP message back to the host, asking it to re-send a smaller packet. With a VPN, if the DF bit of such a packet isn't copied to the outer VPN IP header, a network device on the path may fragment it,

SRX Dynamic VPN Deployment

1. Configure VPN tunnel:
#Use aggressive mode
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
#Use pre-shared keys
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$iqP5At0RhrtpvWn"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname trustynet.com
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
#The connection limit should not be larger than the number of installed licenses
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
#Specify the interface to listen for connections
set security ike gateway dyn-vpn-local-gw external-interface fe-0/0/0.0
#Xauth profile determines how to authenticate the user, assign addresses and access parameters
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn