Category Archives: Juniper

VPN Troubleshooting | Juniper (Netos)

https://kb.juniper.net/InfoCenter/index?page=content&id=KB6283

Inactive tunnel (Sta = I/I):

Paris-> get sa
total configured sa: 1
HEX ID   Gateway  Port Algorithm      SPI      Life:sec kb    Sta PID vsys
00000001 1.1.1.1  500  esp:3des/sha1  883ebdb7 expir    unlim I/I 1   0

Active tunnel (Sta = A/-):

Paris-> get sa
total configured sa: 1
HEX ID   Gateway  Port Algorithm      SPI      Life:sec kb    Sta PID vsys
00000001 1.1.1.1  500  esp:3des/sha1  883ebdb8 3596     unlim A/- 1   0

When several VPN tunnels are configured, find the row whose Gateway column matches the IP address of the remote gateway of the tunnel in question.

The Sta field shows two things:

The first character shows whether the VPN tunnel is Active or Inactive.
The second character (after the slash) shows the link status as detected by the VPN Monitor feature.
Here are the possible values of the Sta field:

I/I: VPN tunnel is Inactive
A/-: VPN tunnel is Active, and VPN Monitor is not configured
A/U: VPN tunnel is Active, and the link (detected through VPN Monitor) is UP
A/D: VPN tunnel is Active, but the link (detected through VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings. This can happen because the device being pinged is down or has ping disabled, or because the other side of the VPN is not a NetScreen/Juniper firewall.
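To turn the Sta interpretation above into a check that works on a device with many tunnels, here is an added Python example (not code from the KB article). It parses `get sa` output into rows, selects the tunnel by remote gateway as described above, flags the I/I and A/D states, and additionally flags SAs still negotiated with DES/3DES or MD5, which the sample output on this page (esp:3des/sha1) would trigger. The sample output is constructed to mirror the snippets above; the gateways 2.2.2.2 to 4.4.4.4, SPIs, ports and lifetimes are illustrative.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of the ScreenOS "get sa" command, modelled on the two
# snippets above. Gateways, SPIs and timers are illustrative, not from a real device.
SAMPLE_GET_SA = """\
Paris-> get sa
total configured sa: 4
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001 1.1.1.1 500 esp:3des/sha1 883ebdb7 expir unlim I/I 1 0
00000002 2.2.2.2 500 esp:aes128/sha1 883ebdb8 3596 unlim A/- 2 0
00000003 3.3.3.3 500 esp:aes128/sha1 883ebdb9 2800 unlim A/U 3 0
00000004 4.4.4.4 4500 esp:3des/md5 883ebdba 1200 unlim A/D 4 0
"""

# One SA row: 8-hex ID, gateway, port, algorithm, SPI, lifetime (seconds or "expir"),
# kb lifetime (number or "unlim"), Sta, PID, vsys. Header and summary lines do not match.
SA_ROW = re.compile(
    r"^(?P<id>[0-9a-fA-F]{8})\s+(?P<gateway>\S+)\s+(?P<port>\d+)\s+(?P<algorithm>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+(?P<life_sec>\S+)\s+(?P<life_kb>\S+)\s+"
    r"(?P<sta>[AI]/[IUD-])\s+(?P<pid>\d+)\s+(?P<vsys>\d+)$"
)

STA_MEANING = {
    "I/I": "tunnel inactive",
    "A/-": "tunnel active, VPN Monitor not configured",
    "A/U": "tunnel active, VPN Monitor reports link UP",
    "A/D": "tunnel active, VPN Monitor reports link DOWN (no reply to its pings)",
}


def parse_get_sa(output: str) -> List[Dict[str, str]]:
    """Return one dict per SA row; the prompt, header and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_sa(rows: List[Dict[str, str]], remote_gateway: str) -> List[Dict[str, str]]:
    """The rows for one tunnel: filter the Gateway column on the remote gateway's IP."""
    return [r for r in rows if r["gateway"] == remote_gateway]


def tunnel_problems(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(gateway, Sta, meaning) for every SA that is inactive or whose monitored link is down."""
    return [(r["gateway"], r["sta"], STA_MEANING.get(r["sta"], "unknown Sta value"))
            for r in rows if r["sta"] in ("I/I", "A/D")]


def weak_algorithms(rows: List[Dict[str, str]]) -> List[str]:
    """Gateways whose ESP proposal still uses DES/3DES encryption or MD5 integrity."""
    flagged = []
    for r in rows:
        # "esp:3des/sha1" -> enc "3des", auth "sha1"
        enc, _, auth = r["algorithm"].partition(":")[2].partition("/")
        if enc in ("des", "3des") or auth == "md5":
            flagged.append(r["gateway"])
    return flagged


if __name__ == "__main__":
    sas = parse_get_sa(SAMPLE_GET_SA)
    for gw, sta, why in tunnel_problems(sas):
        print(f"{gw}: {sta} - {why}")
    print("weak crypto:", weak_algorithms(sas))
```

Paste the real `get sa` output in place of the constructed sample; an A/D row only means the monitored host did not answer, so confirm with a ping from the firewall before assuming the tunnel itself is at fault.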

https://kb.juniper.net/InfoCenter/index?page=content&id=KB6134

Advertisements

Juniper Firewall NAT

Juniper Network Address Translation (NAT) Methods

  1. Mapped IP (MIP) is a static, one-to-one, bidirectional translation.
  2. Dynamic IP (DIP) is a unidirectional translation of the source address (trust to untrust), drawn from a pool.
  3. Virtual IP (VIP) is a unidirectional translation of the destination address and port (untrust to trust).

## Configuration

MIP :

ScreenOS
set int e0/0 mip 211.3.3.3 host 192.168.1.1
set pol from untrust to trust any mip(211.3.3.3) http permit

Verify: get mip

JunosOS
set security nat proxy-arp interface ge-0/0/0.0 address 211.3.3.3/32
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 211.3.3.3/32
set security nat static rule-set static-nat rule rule1 then static-nat prefix 192.168.1.1/32
set security zones security-zone trust address-book address webserver 192.168.1.1
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit

Verify: show security nat static rule all

DIP:

ScreenOS
set int e0/0 dip 4 211.3.3.3 211.3.3.10
set policy id 1 from trust to untrust any any any nat src dip-id 4 permit
JunosOS
set security nat source pool pool-1 address 211.3.3.3 to 211.3.3.10
set security nat source rule-set pool-nat from zone trust
set security nat source rule-set pool-nat to zone untrust
set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 211.3.3.3 to 211.3.3.10
set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy permit-all then permit

Verify: show security nat source rule all (ScreenOS: get dip)

This translates the source IP address of trust-to-untrust traffic to an address from the pool-1 pool. The proxy-arp entry is required because the pool addresses are not configured on ge-0/0/0.0 itself; without it the upstream router gets no ARP reply for the translated addresses and return traffic is lost.

VIP:

ScreenOS
set int e0/0 vip 211.3.3.3 80 http 192.168.1.1
set int e0/0 vip 211.3.3.3 110 pop3 192.168.1.10
set policy from untrust to trust any vip(211.3.3.3) http permit

Verify: get vip
JunosOS
set security nat proxy-arp interface ge-0/0/0.0 address 211.3.3.3
set security nat destination pool dnat-pool-1 address 192.168.1.1/32
set security nat destination pool dnat-pool-2 address 192.168.1.10/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule1 match destination-address 211.3.3.3/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 80
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
set security nat destination rule-set dst-nat rule rule2 match destination-address 211.3.3.3/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 110
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
set security zones security-zone trust address-book address webserver 192.168.1.1
set security zones security-zone trust address-book address mailserver 192.168.1.10
set security zones security-zone trust address-book address-set servergroup address webserver
set security zones security-zone trust address-book address-set servergroup address mailserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
set security policies from-zone untrust to-zone trust policy static-nat then permit

Verify: show security nat destination summary

This translates traffic to 211.3.3.3 on port 80 to the address in dnat-pool-1 and traffic on port 110 to the address in dnat-pool-2. Note that the security policy matches on the translated trust-side addresses (servergroup), not on 211.3.3.3, because Junos evaluates the policy after destination NAT has been applied.

“NAT type precedence

When it comes to NAT, you can only have one type of NAT for both source and destination. Static NAT is bidirectional so it applies to both the source and destination IP or ports, whereas source or destination NAT is unidirectional, for its respective type of NAT. Static NAT always takes precedence over destination or source NAT if an entry is present. If there is no entry found for static NAT, then the destination NAT rulebase will be examined. The same is true for static NAT on the Source fields; if there is an entry, it will take precedence over source NAT. The NAT that is performed on the Source and Destination fields is mutually exclusive. It can be summarized as follows:

  1. Static NAT transform on destination address if matching static NAT rule is present.

  2. If no static NAT entry is matched for the destination address, then check for a match in the destination NAT ruleset and perform the transform if an entry is found.

  3. Static NAT transform on source address if matching static NAT rule is present.

  4. If no static NAT entry is matched for the source address, then check for a match in the source NAT ruleset and perform the transform if an entry is found.

The following would be valid examples:

  • Static NAT

  • Source NAT only

  • Destination NAT only

  • Source and destination NAT

In the scenario when you have static + source NAT or static + destination NAT, the static entry would always take precedence over the source or destination NAT if there is an overlapping entry. This is because if there is a static NAT for the destination or source, we will bypass the respective lookup for the destination or source NAT. The system will still let you configure this example; it will just be shadowed. We’re going to go much deeper into NAT examples throughout this chapter, so don’t worry if you don’t entirely follow the differences here, just make sure that you understand that there is precedence and which NAT takes precedence.” – Juniper
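The four-step order and the shadowing behaviour described in the quoted passage, modelled as an added Python example (not Juniper code). It reuses the addresses of the MIP and VIP configurations above: a static rule 211.3.3.3 to 192.168.1.1, the port 80 and port 110 destination rules, and a trust-side source pool. The packet addresses (198.51.100.7, 203.0.113.9), the single-address pool 211.3.3.4 and the source-rule match on 192.168.1.0/24 are constructed; the model ignores zone scoping, port translation and pool address allocation, which a real SRX performs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StaticRule:
    """Bidirectional one-to-one static NAT (MIP-style), e.g. 211.3.3.3/32 <-> 192.168.1.1/32."""
    external: str
    internal: str


@dataclass
class DestRule:
    """Unidirectional destination NAT; match_port None means any port."""
    match_dst: str
    match_port: Optional[int]
    pool: str


@dataclass
class SourceRule:
    """Unidirectional source NAT; the pool is simplified to a single translated address."""
    match_src: str
    match_dst: str
    pool: str


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def _in(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _map_prefix(addr: str, from_prefix: str, to_prefix: str) -> str:
    """Carry addr's offset inside from_prefix over to to_prefix (one-to-one mapping)."""
    base = ipaddress.ip_network(from_prefix, strict=False).network_address
    offset = int(ipaddress.ip_address(addr)) - int(base)
    return str(ipaddress.ip_network(to_prefix, strict=False).network_address + offset)


def apply_nat(pkt: Packet, static: List[StaticRule], dest: List[DestRule],
              source: List[SourceRule]) -> Tuple[Packet, List[str]]:
    """Translate pkt in the order the quoted text gives: static (dst), destination NAT,
    static (src), source NAT. Returns the translated packet and a trace of what fired."""
    trace: List[str] = []
    src, dst = pkt.src, pkt.dst

    # Steps 1-2: destination field. A matching static rule wins outright; the destination
    # ruleset is consulted only when no static rule matches, so an overlapping dNAT rule is shadowed.
    s = next((r for r in static if _in(dst, r.external)), None)
    if s is not None:
        dst = _map_prefix(dst, s.external, s.internal)
        trace.append(f"static-nat dst {pkt.dst} -> {dst}")
    else:
        d = next((r for r in dest if _in(dst, r.match_dst) and r.match_port in (None, pkt.dport)), None)
        if d is not None:
            dst = d.pool
            trace.append(f"destination-nat dst {pkt.dst} -> {dst}")

    # Steps 3-4: source field. The reverse direction of a static rule wins; the source
    # ruleset is consulted only when no static rule covers the source address.
    s = next((r for r in static if _in(src, r.internal)), None)
    if s is not None:
        src = _map_prefix(src, s.internal, s.external)
        trace.append(f"static-nat src {pkt.src} -> {src}")
    else:
        # Source rules are matched against the already-translated destination address.
        r = next((r for r in source if _in(src, r.match_src) and _in(dst, r.match_dst)), None)
        if r is not None:
            src = r.pool
            trace.append(f"source-nat src {pkt.src} -> {src}")
    return Packet(src, dst, pkt.dport), trace


def shadowed_destination_rules(static: List[StaticRule], dest: List[DestRule]) -> List[DestRule]:
    """Destination NAT rules that can never fire because a static rule covers their whole match prefix."""
    return [d for d in dest
            if any(ipaddress.ip_network(d.match_dst, strict=False).subnet_of(
                       ipaddress.ip_network(s.external, strict=False)) for s in static)]


# Constructed rule set reusing the page's addresses: the MIP/static rule for 211.3.3.3 together
# with the VIP-style destination rules for ports 80 and 110, plus a trust-side source pool.
STATIC = [StaticRule("211.3.3.3/32", "192.168.1.1/32")]
DEST = [DestRule("211.3.3.3/32", 80, "192.168.1.1"),
        DestRule("211.3.3.3/32", 110, "192.168.1.10")]
SOURCE = [SourceRule("192.168.1.0/24", "0.0.0.0/0", "211.3.3.4")]  # 211.3.3.4 is an assumed pool address


if __name__ == "__main__":
    # Inbound POP3: the static rule shadows the port-110 destination rule, so the packet
    # lands on 192.168.1.1, not on the mail server 192.168.1.10.
    print(apply_nat(Packet("198.51.100.7", "211.3.3.3", 110), STATIC, DEST, SOURCE))
    # Same packet with the static rule removed: destination NAT fires as intended.
    print(apply_nat(Packet("198.51.100.7", "211.3.3.3", 110), [], DEST, SOURCE))
    print([(r.match_dst, r.match_port) for r in shadowed_destination_rules(STATIC, DEST)])
```

The `shadowed_destination_rules` check is the one worth keeping: the device commits a static rule and an overlapping destination rule without complaint, so the only sign that port 110 never reaches the mail server is in the session table.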

Configuring Juniper firewall for Active/Passive HA (NSRP).

High Availability can be achieved by using NetScreen Redundancy Protocol.

I. Configuring Juniper firewall for Active/Passive High Availability (NSRP).


Minimum software and hardware requirements for configuring Active/ Passive NSRP:

  1. Firewalls with identical ScreenOS versions and license keys
  2. Firewalls with identical hardware
  3. At least one interface on each firewall configured in the HA zone, used to carry the control-channel traffic.

We will configure it from the CLI, but the same can be done from the WebUI or NSM.

II. Configuration Details.

  1. Both firewalls must use the same cluster ID.
  2. rto-mirror sync synchronizes run-time objects (sessions) between the members, so established sessions survive a failover.
  3. The lower priority value wins the VSD-group master election (default: 100).
  4. preempt lets the member with the better priority take the master role back once it recovers; the preempt hold-down timer delays that takeover so a flapping device does not cause repeated failovers.
  5. The secondary path is a backup path for heartbeats if the HA link goes down.
  6. Monitored interfaces: if one of the monitored interfaces goes down, the active firewall fails over to the backup firewall.
Device A (Active):

set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 preempt hold-down 5
set nsrp arp 8
set nsrp secondary-path ethernet0/0
set nsrp monitor interface ethernet0/0
set nsrp monitor interface ethernet0/1
set nsrp monitor interface ethernet3/0
set nsrp ha-link probe interval 5

Device B (Backup):

set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt hold-down 5
set nsrp arp 8
set nsrp secondary-path ethernet0/0
set nsrp monitor interface ethernet0/0
set nsrp monitor interface ethernet0/1
set nsrp monitor interface ethernet3/0
set nsrp ha-link probe interval 5

Verify: get nsrp cluster or get nsrp monitor
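The configuration details above are a set of invariants the two members must satisfy together (same cluster ID, rto-mirror on both, distinct priorities, identical monitored interfaces, preempt on the preferred master). Here is an added Python example, not a Juniper tool, that parses the two `set nsrp` listings and reports any invariant that fails before the configs are pushed. The embedded configurations are the Device A and Device B listings above; the checker's rule names and its treatment of `preempt hold-down` as not enabling preemption on its own are this example's assumptions.

```python
import re
from typing import Dict, List

# The two member configurations from the Device A / Device B listings above, embedded
# here as constructed input for the checker.
DEVICE_A = """\
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 preempt hold-down 5
set nsrp arp 8
set nsrp secondary-path ethernet0/0
set nsrp monitor interface ethernet0/0
set nsrp monitor interface ethernet0/1
set nsrp monitor interface ethernet3/0
set nsrp ha-link probe interval 5
"""

DEVICE_B = """\
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt hold-down 5
set nsrp arp 8
set nsrp secondary-path ethernet0/0
set nsrp monitor interface ethernet0/0
set nsrp monitor interface ethernet0/1
set nsrp monitor interface ethernet3/0
set nsrp ha-link probe interval 5
"""


def parse_nsrp(config: str) -> Dict[str, object]:
    """Pull the cluster-relevant settings out of a ScreenOS 'set nsrp ...' listing."""
    cfg = {"cluster_id": None, "rto_sync": False, "priority": 100,
           "preempt": False, "monitored": set(), "secondary_path": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"set nsrp cluster id (\d+)", line):
            cfg["cluster_id"] = int(m.group(1))
        elif line == "set nsrp rto-mirror sync":
            cfg["rto_sync"] = True
        elif m := re.fullmatch(r"set nsrp vsd-group id \d+ priority (\d+)", line):
            cfg["priority"] = int(m.group(1))
        elif re.fullmatch(r"set nsrp vsd-group id \d+ preempt", line):
            # Only the bare keyword counts as enabling preemption in this model;
            # "preempt hold-down N" is treated as setting the timer only (assumption).
            cfg["preempt"] = True
        elif m := re.fullmatch(r"set nsrp monitor interface (\S+)", line):
            cfg["monitored"].add(m.group(1))
        elif m := re.fullmatch(r"set nsrp secondary-path (\S+)", line):
            cfg["secondary_path"] = m.group(1)
    return cfg


def expected_master(a: str, b: str) -> str:
    """Which member wins the VSD-group election: the lower priority value wins."""
    pa, pb = parse_nsrp(a)["priority"], parse_nsrp(b)["priority"]
    if pa == pb:
        return "tie"
    return "A" if pa < pb else "B"


def check_pair(a: str, b: str) -> List[str]:
    """Mismatches that would stop the pair forming a cluster or failing over as intended."""
    ca, cb = parse_nsrp(a), parse_nsrp(b)
    problems: List[str] = []
    if ca["cluster_id"] is None or ca["cluster_id"] != cb["cluster_id"]:
        problems.append("cluster id missing or differs between members")
    if not (ca["rto_sync"] and cb["rto_sync"]):
        problems.append("rto-mirror sync not enabled on both members (sessions lost on failover)")
    if ca["priority"] == cb["priority"]:
        problems.append("equal priorities: the intended master is not expressed in the config")
    if ca["monitored"] != cb["monitored"]:
        problems.append("monitored interface sets differ")
    if ca["secondary_path"] != cb["secondary_path"]:
        problems.append("secondary-path differs")
    master, backup = (ca, cb) if ca["priority"] < cb["priority"] else (cb, ca)
    if backup["preempt"] and not master["preempt"]:
        problems.append("preempt is set on the backup only; it belongs on the preferred master")
    return problems


if __name__ == "__main__":
    print("expected master:", expected_master(DEVICE_A, DEVICE_B))
    print("problems:", check_pair(DEVICE_A, DEVICE_B) or "none")
```

Run it against the output of `get config | include nsrp` from each member; an empty problem list is the precondition for the `get nsrp cluster` verification above to show the pair as expected.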