Packet capture on SRX for pass-through traffic

This uses forwarding-options packet-capture, a branch-SRX feature that captures transit (flow) traffic on an interface; monitor traffic interface only shows packets to and from the Routing Engine, so it does not see pass-through traffic. Specify the file name and the maximum number of bytes captured per packet (150 keeps headers only; use 1500 for whole packets):

set forwarding-options packet-capture file filename pcap_on_srx
set forwarding-options packet-capture maximum-capture-size 150

Specify the source and destination addresses you want to capture (one term per direction):

set firewall filter PCAP term 1 from source-address 192.168.1.1/32
set firewall filter PCAP term 1 from destination-address 192.168.2.1/32
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set firewall filter PCAP term 2 from source-address 192.168.2.1/32
set firewall filter PCAP term 2 from destination-address 192.168.1.1/32
set firewall filter PCAP term 2 then sample
set firewall filter PCAP term 2 then accept
set firewall filter PCAP term 3 then accept
The last term is important: it accepts all other traffic. A firewall filter ends in an implicit discard, so without it the SRX drops everything that does not match terms 1 and 2. It must be the last term in the filter.

Apply the filter to the interface (input captures packets arriving on ge-0/0/1, output captures packets leaving it); the capture is written under /var/tmp with the interface name appended to the file name:

set interfaces ge-0/0/1 unit 0 family inet filter input PCAP
set interfaces ge-0/0/1 unit 0 family inet filter output PCAP
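A fuller version of the same capture, added here as an example and not taken from the original post: it captures whole packets instead of the first 150 bytes, bounds the on-box files, and shows how to retrieve the file and remove the filter afterwards. The interface ge-0/0/1, the two hosts and the analysis host in the scp URL are assumed.

```junos
# Added example (not from the original post). Assumes ge-0/0/1 is the transit
# interface and 192.168.1.1 <-> 192.168.2.1 is the flow of interest.

# Capture whole packets (1500 bytes) rather than the first 150 bytes, and rotate
# through at most 5 files of 10 MB each so /var/tmp cannot fill up.
set forwarding-options packet-capture file filename pcap_on_srx
set forwarding-options packet-capture file files 5
set forwarding-options packet-capture file size 10485760
set forwarding-options packet-capture maximum-capture-size 1500

# Sample both directions of the flow. The final accept term keeps all other
# traffic flowing: a filter with no matching term ends in an implicit discard.
set firewall filter PCAP term host-a-to-b from source-address 192.168.1.1/32
set firewall filter PCAP term host-a-to-b from destination-address 192.168.2.1/32
set firewall filter PCAP term host-a-to-b then sample
set firewall filter PCAP term host-a-to-b then accept
set firewall filter PCAP term host-b-to-a from source-address 192.168.2.1/32
set firewall filter PCAP term host-b-to-a from destination-address 192.168.1.1/32
set firewall filter PCAP term host-b-to-a then sample
set firewall filter PCAP term host-b-to-a then accept
set firewall filter PCAP term everything-else then accept

set interfaces ge-0/0/1 unit 0 family inet filter input PCAP
set interfaces ge-0/0/1 unit 0 family inet filter output PCAP
commit

# Operational mode: files are written per interface under /var/tmp, named
# <filename>.<interface> with the slashes replaced by dots.
file list /var/tmp/
# Copy to an analysis host (host and path assumed) and open with tcpdump or Wireshark.
file copy /var/tmp/pcap_on_srx.ge-0.0.1 scp://analyst@10.0.0.5/captures/

# Remove the filter when done: sampling every matched packet costs forwarding CPU,
# and the capture file contains the plaintext of the sampled traffic.
delete interfaces ge-0/0/1 unit 0 family inet filter
delete forwarding-options packet-capture
commit
```

Treat the capture file as sensitive data: it holds whatever the sampled hosts sent in the clear, so copy it off with scp and delete it from /var/tmp once analysed.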
Posted in Juniper SRX

Route based VPN on SRX

(topology diagram: vpn-route-based-srx)

Create the tunnel interface (unnumbered), put it in a zone and route the remote host into it:
set interfaces st0 unit 1 family inet
set security zones security-zone external interfaces st0.1
set routing-options static route 172.16.1.1/32 next-hop st0.1

set security ike proposal phase1-proposal-route-based authentication-method pre-shared-keys
set security ike proposal phase1-proposal-route-based dh-group group2
set security ike proposal phase1-proposal-route-based encryption-algorithm 3des-cbc
set security ike proposal phase1-proposal-route-based lifetime-seconds 3600

set security ike policy phase1-policy-route-based mode main
set security ike policy phase1-policy-route-based proposals phase1-proposal-route-based
set security ike policy phase1-policy-route-based pre-shared-key ascii-text "$9$RbBSyK-ds4JDres4"
(The $9$ form is Junos' reversible obfuscation of the key, not a hash: anyone who can read the configuration can recover the pre-shared key.)

set security ike gateway gateway-route-based ike-policy phase1-policy-route-based
set security ike gateway gateway-route-based address 2.2.2.2
set security ike gateway gateway-route-based external-interface ge-0/0/1.0

set security ipsec proposal phase2-proposal-route-based protocol esp
set security ipsec proposal phase2-proposal-route-based authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-proposal-route-based encryption-algorithm 3des-cbc
set security ipsec proposal phase2-proposal-route-based lifetime-seconds 3600

set security ipsec policy phase2-policy-route-based perfect-forward-secrecy keys group2
set security ipsec policy phase2-policy-route-based proposals phase2-proposal-route-based

set security ipsec vpn vpn-route-based bind-interface st0.1
set security ipsec vpn vpn-route-based ike gateway gateway-route-based
set security ipsec vpn vpn-route-based ike ipsec-policy phase2-policy-route-based
set security ipsec vpn vpn-route-based establish-tunnels immediately

Proxy ID (traffic selector): needed when the peer is policy-based (for example an ASA with a crypto ACL) and proposes specific networks instead of 0.0.0.0/0. The local-ip/remote-ip pair must mirror the peer's selectors exactly or phase 2 fails.
set security ipsec vpn vpn-route-based traffic-selector Proxy-ID-1 local-ip 192.168.1.1/32
set security ipsec vpn vpn-route-based traffic-selector Proxy-ID-1 remote-ip 172.16.1.1/32

Note that you still need security policies from the internal zone to the external zone and back: st0.1 sits in zone external, so traffic entering and leaving the tunnel is policed like any other internal/external traffic, on the real (untranslated) addresses.
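The same route-based VPN with current algorithms, plus the security policies the note above refers to, added here as an example rather than taken from the original post. The IKE gateway, st0.1 binding and static route from the post are kept; the address-book names Local-Host and Remote-Host and the zone names internal and external are assumptions.

```junos
# Added example (not from the original post). Replaces 3DES/SHA-1/group2 with
# AES-256/SHA-256/group14 and adds the internal<->external policies.

# Tunnel interface (unnumbered) and zone membership
set interfaces st0 unit 1 family inet
set security zones security-zone external interfaces st0.1

# Phase 1: AES-256, SHA-256 and 2048-bit DH
set security ike proposal phase1-proposal-route-based authentication-method pre-shared-keys
set security ike proposal phase1-proposal-route-based dh-group group14
set security ike proposal phase1-proposal-route-based authentication-algorithm sha-256
set security ike proposal phase1-proposal-route-based encryption-algorithm aes-256-cbc
set security ike proposal phase1-proposal-route-based lifetime-seconds 28800

# Phase 2: ESP with AES-256 and HMAC-SHA-256, PFS with group14
set security ipsec proposal phase2-proposal-route-based protocol esp
set security ipsec proposal phase2-proposal-route-based authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-proposal-route-based encryption-algorithm aes-256-cbc
set security ipsec proposal phase2-proposal-route-based lifetime-seconds 3600
set security ipsec policy phase2-policy-route-based perfect-forward-secrecy keys group14

# Security policies: the tunnel terminates in zone external, so VPN traffic is
# permitted by ordinary internal<->external policies on the real addresses.
set security address-book global address Local-Host 192.168.1.1/32
set security address-book global address Remote-Host 172.16.1.1/32
set security policies from-zone internal to-zone external policy To-VPN match source-address Local-Host
set security policies from-zone internal to-zone external policy To-VPN match destination-address Remote-Host
set security policies from-zone internal to-zone external policy To-VPN match application any
set security policies from-zone internal to-zone external policy To-VPN then permit
set security policies from-zone external to-zone internal policy From-VPN match source-address Remote-Host
set security policies from-zone external to-zone internal policy From-VPN match destination-address Local-Host
set security policies from-zone external to-zone internal policy From-VPN match application any
set security policies from-zone external to-zone internal policy From-VPN then permit
commit

# Verify (operational mode): phase 1, phase 2 and the route into st0.1
show security ike security-associations
show security ipsec security-associations
show route 172.16.1.1
```

Both peers must offer the same proposal, so change the remote side at the same time. If the peer supports IKEv2, add version v2-only under the ike gateway; the mode setting in the IKE policy only applies to IKEv1.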

Posted in Juniper SRX

NAT in SRX

Following is the topology (10.1.1.1 is the internal server, 10.2.2.2 the external user, 10.2.2.3 the NAT address):

(topology diagram: SRX-NAT-Topology)

Source NAT:

set security nat source pool source-nat-pool address 10.2.2.3/32
set security nat source rule-set source-nat-rule-set from zone internal
set security nat source rule-set source-nat-rule-set to zone external
set security nat source rule-set source-nat-rule-set rule rule-1 match source-address 10.1.1.1/32
set security nat source rule-set source-nat-rule-set rule rule-1 match destination-address 10.2.2.2/32
set security nat source rule-set source-nat-rule-set rule rule-1 then source-nat pool source-nat-pool

Destination NAT:

set security nat destination pool real-ip-pool address 10.1.1.1/32
set security nat destination rule-set dst-nat-rule-set from zone external
set security nat destination rule-set dst-nat-rule-set rule rule-1 match source-address 10.2.2.2/32
set security nat destination rule-set dst-nat-rule-set rule rule-1 match destination-address 10.2.2.3/32
set security nat destination rule-set dst-nat-rule-set rule rule-1 then destination-nat pool real-ip-pool

Destination NAT is applied before the security policy lookup, so the policy must permit traffic from the user (10.2.2.2) to the server's real address (10.1.1.1), not to 10.2.2.3; see the security policy at the end of this post.

Static NAT:
Static NAT is a bidirectional one-to-one mapping. The rule-set's from-zone is the zone the server is reached from, and the matched destination address is the NAT address, so the rule is written from the outside in; the reverse translation for traffic the server originates is applied automatically.

set security nat static rule-set static-nat-rule-set from zone external
set security nat static rule-set static-nat-rule-set rule rule-1 match source-address 10.2.2.2/32
set security nat static rule-set static-nat-rule-set rule rule-1 match destination-address 10.2.2.3/32 
set security nat static rule-set static-nat-rule-set rule rule-1 then static-nat prefix 10.1.1.1/32

Static NAT also needs the security policy below, matching the real address 10.1.1.1. Static NAT takes precedence over destination NAT, so configure one or the other for 10.2.2.3, not both. Unless 10.2.2.3 is the SRX's own external interface address, the SRX must also answer ARP for it (security nat proxy-arp), or replies from 10.2.2.2 never reach the firewall.

Security policy for destination and static NAT (policies match address-book entries rather than literal prefixes, and must use the real post-NAT address 10.1.1.1):

set security address-book global address User-10.2.2.2 10.2.2.2/32
set security address-book global address Real-IP-10.1.1.1 10.1.1.1/32

set security policies from-zone external to-zone internal policy DST-NAT-RULE match source-address User-10.2.2.2
set security policies from-zone external to-zone internal policy DST-NAT-RULE match destination-address Real-IP-10.1.1.1
set security policies from-zone external to-zone internal policy DST-NAT-RULE match application any
set security policies from-zone external to-zone internal policy DST-NAT-RULE then permit
set security policies from-zone external to-zone internal policy DST-NAT-RULE then log session-init
set security policies from-zone external to-zone internal policy DST-NAT-RULE then log session-close
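The pieces the post leaves out for the source NAT case, added here as an example and not taken from the original post: the proxy-ARP entry for the NAT address, the internal-to-external policy, and the commands that show whether a rule actually fired. It assumes ge-0/0/1.0 is the external interface (as in the other posts on this page) and that 10.2.2.3 is not one of the SRX's own interface addresses.

```junos
# Added example (not from the original post). Assumes ge-0/0/1.0 is the
# external interface and 10.2.2.3 is a NAT address, not an interface address.

# Proxy ARP: the SRX must answer ARP for 10.2.2.3 on the external segment for
# source, destination and static NAT alike, or return traffic is never delivered.
set security nat proxy-arp interface ge-0/0/1.0 address 10.2.2.3/32

# Policy for the source NAT case. SRX applies source NAT after the policy
# lookup, so the policy matches the original source 10.1.1.1, never 10.2.2.3.
# (Destination and static NAT run before the lookup, hence the real-IP match
# in the policy above.)
set security address-book global address Server-10.1.1.1 10.1.1.1/32
set security address-book global address User-10.2.2.2 10.2.2.2/32
set security policies from-zone internal to-zone external policy SRC-NAT-RULE match source-address Server-10.1.1.1
set security policies from-zone internal to-zone external policy SRC-NAT-RULE match destination-address User-10.2.2.2
set security policies from-zone internal to-zone external policy SRC-NAT-RULE match application any
set security policies from-zone internal to-zone external policy SRC-NAT-RULE then permit
set security policies from-zone internal to-zone external policy SRC-NAT-RULE then log session-init
commit

# Verify (operational mode): per-rule translation hit counters, then the
# session table, which shows the In and Out legs with the translated address.
show security nat source rule all
show security nat destination rule all
show security nat static rule all
show security flow session source-prefix 10.2.2.2/32
```

If the hit counter on a NAT rule stays at zero while the policy logs sessions, the rule-set's from/to zones or the match addresses do not describe the traffic; check the zone of the ingress interface and the direction the rule is written in.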
Posted in Juniper SRX

IPsec between ASA and SRX, policy based

Following is the topology:

(topology diagram: SRX-ASA-Policy-Based)

12.12.12.0/24 is behind ASA and 192.168.4.0/24 is behind SRX.

SRX configuration (DES, MD5 and group2 are used here only to match the ASA lab policy below; outside a lab use AES, SHA-2 and group14 or higher on both sides):

set security ike proposal phase-1-proposal authentication-method pre-shared-keys
set security ike proposal phase-1-proposal dh-group group2
set security ike proposal phase-1-proposal authentication-algorithm md5
set security ike proposal phase-1-proposal encryption-algorithm des-cbc
set security ike proposal phase-1-proposal lifetime-seconds 86400

set security ike policy phase1-policy mode main
set security ike policy phase1-policy proposals phase-1-proposal
set security ike policy phase1-policy pre-shared-key ascii-text "$9$1Gjhcl7Nb2oGSrb2"

set security ike gateway peer-gateway ike-policy phase1-policy
set security ike gateway peer-gateway address 11.11.11.1
set security ike gateway peer-gateway external-interface ge-0/0/1.0

set security ipsec proposal phase2-proposal protocol esp
set security ipsec proposal phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal phase2-proposal encryption-algorithm des-cbc

set security ipsec policy phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy phase2-policy proposals phase2-proposal

set security ipsec vpn phase-1-and-phase-2 ike gateway peer-gateway
set security ipsec vpn phase-1-and-phase-2 ike ipsec-policy phase2-policy
set security ipsec vpn phase-1-and-phase-2 establish-tunnels immediately

Proxy ID on SRX: in a policy-based VPN the SRX derives the proxy IDs from the policy's source and destination addresses, so the address-book entries below must mirror the ASA's crypto ACL exactly.

set security address-book global address Core-Linux 192.168.4.0/24
set security address-book global address Router-R1 12.12.12.0/24

set security policies from-zone internal to-zone external policy Permit-VPN match source-address Core-Linux
set security policies from-zone internal to-zone external policy Permit-VPN match destination-address Router-R1
set security policies from-zone internal to-zone external policy Permit-VPN match application any
set security policies from-zone internal to-zone external policy Permit-VPN then permit tunnel ipsec-vpn phase-1-and-phase-2
set security policies from-zone internal to-zone external policy Permit-VPN then permit tunnel pair-policy Permit-VPN

set security policies from-zone external to-zone internal policy Permit-VPN match source-address Router-R1
set security policies from-zone external to-zone internal policy Permit-VPN match destination-address Core-Linux
set security policies from-zone external to-zone internal policy Permit-VPN match application any
set security policies from-zone external to-zone internal policy Permit-VPN then permit tunnel ipsec-vpn phase-1-and-phase-2
set security policies from-zone external to-zone internal policy Permit-VPN then permit tunnel pair-policy Permit-VPN

ASA configuration:

crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 enable outside

tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
 ikev1 pre-shared-key *****

crypto ipsec ikev1 transform-set TSET esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite

access-list proxy-id extended permit ip 12.12.12.0 255.255.255.0 192.168.4.0 255.255.255.0
The crypto ACL is written local-to-remote only; the ASA mirrors it for the inbound direction. A second, reversed entry (192.168.4.0/24 to 12.12.12.0/24) would define an extra proxy-ID pair with 192.168.4.0/24 as the ASA's local network, which the SRX policy does not have, so it is left out.

crypto map CMAP 10 match address proxy-id
crypto map CMAP 10 set pfs
crypto map CMAP 10 set peer 192.168.3.2
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface outside

Note: a NAT exemption (no NAT) for the VPN traffic may be needed on both the SRX and the ASA. If either side translates the source address before encryption, the packet no longer matches the proxy IDs and is dropped or sent in the clear via the default route.
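The SRX side of that NAT exemption, added here as an example and not taken from the original post. It assumes the SRX already does interface-based source NAT from zone internal to zone external (the rule-set name internal-to-external is assumed) and reuses the networks from the post.

```junos
# Added example (not from the original post). Assumes an existing rule-set
# internal-to-external with a catch-all interface source NAT rule.

# Source NAT rules are evaluated top to bottom within a rule-set, so the
# exemption for VPN traffic must sit above the catch-all interface rule.
set security nat source rule-set internal-to-external from zone internal
set security nat source rule-set internal-to-external to zone external
set security nat source rule-set internal-to-external rule no-nat-vpn match source-address 192.168.4.0/24
set security nat source rule-set internal-to-external rule no-nat-vpn match destination-address 12.12.12.0/24
set security nat source rule-set internal-to-external rule no-nat-vpn then source-nat off
set security nat source rule-set internal-to-external rule interface-nat match source-address 0.0.0.0/0
set security nat source rule-set internal-to-external rule interface-nat then source-nat interface

# If the interface rule already existed, move the exemption above it.
insert security nat source rule-set internal-to-external rule no-nat-vpn before rule interface-nat
commit

# Verify (operational mode): hits must land on no-nat-vpn, and the sessions to
# 12.12.12.0/24 must show the untranslated 192.168.4.x source on the Out leg.
show security nat source rule all
show security flow session destination-prefix 12.12.12.0/24
```

On the ASA the equivalent is an identity (twice) NAT placed before any dynamic PAT: nat (inside,outside) source static <local-object> <local-object> destination static <remote-object> <remote-object> no-proxy-arp route-lookup, with the two objects covering 12.12.12.0/24 and 192.168.4.0/24.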

Posted in ASA, Juniper SRX

Configure IPsec (IKEv1) on ASA 9.x

Configure phase 1 policy:

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Enable IKEv1 (phase 1) on the outside interface:
crypto ikev1 enable outside

Specify the preshared key:

tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
 ikev1 pre-shared-key password123

Define the proxy ID (crypto ACL, written from the local network to the remote one):

access-list proxy-id extended permit ip 12.12.12.0 255.255.255.0 192.168.4.0 255.255.255.0

Define the transform set and the crypto map (the map references TSET, so it must exist; 3DES matches the phase 1 policy above), then bind the map to the interface:

crypto ipsec ikev1 transform-set TSET esp-3des esp-md5-hmac

crypto map CMAP 10 match address proxy-id
crypto map CMAP 10 set peer 192.168.3.2
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP 10 set pfs group5
crypto map CMAP 10 set security-association lifetime seconds 2880
crypto map CMAP interface outside

Add a NAT exemption (identity NAT) for 12.12.12.0/24 to 192.168.4.0/24 as well if the ASA otherwise translates inside traffic; a translated source address does not match the crypto ACL and the traffic bypasses the tunnel.

Posted in ASA

Cluster status is disabled on SRX

If a node of an SRX chassis cluster shows as disabled in show chassis cluster status, it will not rejoin on its own: the disabled node has to be rebooted. A node is usually disabled after a control-link failure, so check the control and fabric links and the jsrpd log first; if the link is still down the node simply goes disabled again after the reboot.

{disabled:node1}
SRX> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover
Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           disabled       no       no
Redundancy group: 1 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           disabled       no       no
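The checks to run before and after that reboot, added here as an example and not taken from the original post. Commands are run from the primary (node0) unless noted; the reboot is issued on the disabled node's own console or management address.

```junos
# Added example (not from the original post). Run from node0 unless noted.

# Control and fabric link state: a control-link failure is the usual reason a
# node is disabled, and the node will not recover while the link is down.
show chassis cluster interfaces
show chassis cluster information
show log jsrpd | last 50

# Reboot the disabled node (log in to node1 directly; do not reboot the primary).
request system reboot

# After node1 returns: it should show secondary, not disabled, in every
# redundancy group.
show chassis cluster status

# Optional: have a node that was disabled by a control-link failure reboot
# itself automatically once the control link comes back.
set chassis cluster control-link-recovery
commit
```

Clear the cause before rebooting: replace or re-cable the control link and confirm it is up in show chassis cluster interfaces, otherwise the reboot only repeats the failure.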
Posted in Juniper SRX

Bypass SSL inspection in Zscaler

(screenshot: zscaler-SSL-bypass-1)

(screenshot: zscaler-SSL-bypass-2)

Posted in Uncategorized