Showing posts with label juniper. Show all posts

Tuesday, May 15, 2012

NETSCREEN: NAT DEST

For destination NAT (DNAT) there are in fact three ways to do it:

- MIP (Mapped IP): the simplest method, but also the most wasteful, because you reserve a whole public IP,
and in reality no PAT (port translation) is done, just NAT (address translation). A MIP works in both directions (SNAT on the way out, DNAT on the way in).

- VIP (Virtual IP): a simplified way of doing PAT and DNAT, but if a MIP is already configured on an IP address,
you cannot configure a VIP on that address.

- Policy-based NAT: the most complicated method but also the most flexible; DNAT through a policy has strict requirements (see the note below).

- Interface-based NAT: not applicable to DNAT (an interface in NAT mode only translates the source of outgoing traffic).

The precedence of the methods is this:

MIP -> VIP -> Pol.NAT -> Int.NAT

That means that if an IP X is at the same time in a MIP and in a policy,
only the MIP is executed. If an IP Y is in a VIP and in a policy, only the VIP is executed.

So you cannot do port translation on an IP that is already used in a MIP. If you really want to,

you have to remove the MIP, then recreate all the translations with policy-based NAT, usually as pairs of policies,
because a MIP does both SNAT and DNAT.

NOTE ON DNAT:

Reminder for ScreenOS: packet processing goes like this:

-1- session lookup
-2- route lookup
-3- policy lookup

Because the route lookup happens before the policy lookup, there MUST be a route for the packet's (untranslated) destination address pointing into the destination zone; otherwise the route lookup lands in the wrong zone and the policy is never evaluated.

An example is always clearer, so here is one using policy-based NAT:

Take a setup like this:

Zone Trust:   interface e1/1, IP: 10.1.20.1/24
Zone Untrust: interface e1/8, IP: 1.1.10.1/24

We want to publish the address of an internal resource as follows:

Public addr:  1.1.10.20
Private addr: 10.1.20.5

Steps:

1: Configure the address book (the public address goes into the private zone, because the policy matches the pre-translation destination)

    set address Trust MyPCPublic 1.1.10.20/32

2: Make the public address reachable via the Trust zone; choose either method A or method B:

2a: set interface e1/1 ip 1.1.10.1/24 secondary
2b: set route 1.1.10.20/32 int e1/1

3: Configure the policy, with port translation:

set policy from untrust to trust any MyPCPublic http nat dest ip 10.1.20.5 port 8080 permit

4: Test, then check the result with 'get session': the session should show the destination translated to 10.1.20.5 port 8080.
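
To make the precedence and the route-before-policy rule concrete, here is a small Python model of the lookup order (an added example, not ScreenOS code). It assumes the zones, addresses and policy from the setup above; the class and function names are mine, and the route/zone bookkeeping is a simplification of what the firewall really does.

```python
"""Model of the ScreenOS destination-NAT lookup order described above.

Added example, not ScreenOS code: it reproduces the precedence
MIP -> VIP -> policy NAT and the route-before-policy rule, so you can
see why a policy-based DNAT stays silent when a MIP or a missing
route gets in the way.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Mip:
    public: str
    private: str            # 1:1 mapping, every port, both directions


@dataclass
class Vip:
    public: str
    ports: dict = field(default_factory=dict)   # (proto, public port) -> (private ip, private port)


@dataclass
class PolicyDnat:
    from_zone: str
    to_zone: str
    dst_prefix: str         # address-book entry, e.g. "1.1.10.20/32" (pre-translation address)
    proto: str
    port: int
    nat_ip: str
    nat_port: Optional[int] = None


class ScreenOsDnat:
    def __init__(self):
        self.mips, self.vips, self.policies, self.routes = [], [], [], []

    def set_route(self, prefix, zone):
        self.routes.append((ip_network(prefix), zone))

    def vip_conflicts(self, public):
        """True when a MIP already owns the address: ScreenOS refuses the VIP."""
        return any(m.public == public for m in self.mips)

    def set_mip(self, public, private):
        if any(v.public == public for v in self.vips):
            raise ValueError(f"{public} is already a VIP")
        self.mips.append(Mip(public, private))

    def set_vip(self, public, proto, pub_port, private, priv_port):
        if self.vip_conflicts(public):
            raise ValueError(f"{public} is already a MIP; unset the MIP first")
        vip = next((v for v in self.vips if v.public == public), None)
        if vip is None:
            vip = Vip(public)
            self.vips.append(vip)
        vip.ports[(proto, pub_port)] = (private, priv_port)

    def set_policy(self, policy):
        self.policies.append(policy)

    def route_zone(self, ip):
        """Longest-prefix match; returns the zone the route points into, or None."""
        addr = ip_address(ip)
        hits = [(net, zone) for net, zone in self.routes if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def translate(self, from_zone, dst_ip, dst_port, proto="tcp"):
        """Return (mechanism, new destination ip, new destination port)."""
        # 1. A MIP wins over everything else configured for that address
        for m in self.mips:
            if m.public == dst_ip:
                return ("MIP", m.private, dst_port)
        # 2. VIP: per-port mapping on a shared public address
        for v in self.vips:
            if v.public == dst_ip and (proto, dst_port) in v.ports:
                priv_ip, priv_port = v.ports[(proto, dst_port)]
                return ("VIP", priv_ip, priv_port)
        # 3. Route lookup on the UNtranslated destination picks the to-zone...
        to_zone = self.route_zone(dst_ip)
        if to_zone is None:
            return ("DROP", "no route", None)
        # 4. ...and only then is the policy for that zone pair consulted
        for p in self.policies:
            if ((p.from_zone, p.to_zone) == (from_zone, to_zone)
                    and ip_address(dst_ip) in ip_network(p.dst_prefix)
                    and p.proto == proto and p.port == dst_port):
                return ("POLICY", p.nat_ip, p.nat_port or dst_port)
        return ("DROP", f"no {from_zone}->{to_zone} policy", None)


def build_example(with_host_route=True):
    """The setup from the post: e1/1 in trust, e1/8 in untrust, 1.1.10.20 published to 10.1.20.5:8080."""
    fw = ScreenOsDnat()
    fw.set_route("10.1.20.0/24", "trust")      # connected, e1/1
    fw.set_route("1.1.10.0/24", "untrust")     # connected, e1/8
    if with_host_route:
        fw.set_route("1.1.10.20/32", "trust")  # step 2b above
    fw.set_policy(PolicyDnat("untrust", "trust", "1.1.10.20/32", "tcp", 80, "10.1.20.5", 8080))
    return fw


if __name__ == "__main__":
    print(build_example().translate("untrust", "1.1.10.20", 80))        # ('POLICY', '10.1.20.5', 8080)
    print(build_example(False).translate("untrust", "1.1.10.20", 80))   # ('DROP', 'no untrust->untrust policy', None)
```

With the host route in place the policy fires and the destination becomes 10.1.20.5:8080; without it the route lookup puts 1.1.10.20 in the untrust zone, so the untrust-to-trust policy is never consulted, which is the silent failure the note above warns about. Adding a MIP for the same address makes the MIP win and the policy NAT stop working, and a VIP on that address is refused.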

Thursday, January 12, 2012

Juniper: SRX / J-Series: Configure syslog to enable the web policy log

JUNOS J-Web Policy Log display
So, you've just installed a new SRX in place of your NetScreen, you go through Config / Security / Policy FW and add a new policy, and you tick the check-boxes for logging session-init and session-close.
You start some traffic that matches the policy, go back to J-Web to view the policy logs... and find nothing! Why?
This is because you first need to configure syslog in a specific way so that J-Web can display the logs.
As you may or may not know, all components of the Junos config work internally with XML; in the same spirit, J-Web only reads security logs written in a machine-parseable form, so you need to create a syslog file with structured-data enabled.
There are two ways to do so:
- directly with J-Web,
- manually with the CLI.

CLI Method
under cli, in configuration mode you have to configure this:
[edit system syslog]
root@gwoob#
file policy_session {
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
}

by entering the commands:
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1000k
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data

J-Web Method
If you have no logs under Monitor / Event and Alarms / Security Event,
click the button "Create log configuration" in the middle panel, at the same path (Monitor / Event and Alarms / Security Event).

Now you will be able to see the policy logs.
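
Once the file exists you can also parse it yourself, for a SIEM feed or a quick count. The following Python is an added example, not Juniper code; the three RT_FLOW lines are constructed to follow the structured-data layout (RFC 5424 header plus name="value" parameters) and are not a capture from a real device, and the hostname, policy names and addresses in them are made up.

```python
"""Parse the structured-data RT_FLOW records that the syslog file above produces.

Added example, not Juniper code. The sample lines are constructed in the
RT_FLOW_SESSION_* structured-data shape; they are not from a real SRX.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
<14>1 2012-01-12T09:41:23.812Z gwoob RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.1.20.5" source-port="51022" destination-address="1.1.10.20" destination-port="80" service-name="junos-http" nat-source-address="1.1.10.1" nat-source-port="8874" nat-destination-address="1.1.10.20" nat-destination-port="80" protocol-id="6" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" session-id-32="20001"]
<14>1 2012-01-12T09:41:25.101Z gwoob RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.37 reason="TCP FIN" source-address="10.1.20.5" source-port="51022" destination-address="1.1.10.20" destination-port="80" service-name="junos-http" protocol-id="6" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" session-id-32="20001" packets-from-client="9" bytes-from-client="1320" packets-from-server="7" bytes-from-server="4610" elapsed-time="2"]
<14>1 2012-01-12T09:42:00.000Z gwoob RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.38 source-address="203.0.113.9" source-port="40001" destination-address="1.1.10.20" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"]
"""

# RFC 5424 header: <PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID [SD-ID params...]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ (?P<msgid>\S+) '
    r'\[(?P<sdid>\S+) (?P<body>.*)\]\s*$')
# name="value" pairs inside the SD element; values may contain escaped quotes
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse_rt_flow(line):
    """One structured-data syslog line -> dict, or None if it is not an RT_FLOW record."""
    m = HEADER_RE.match(line)
    if not m or m.group("app") != "RT_FLOW":
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "msgid": m.group("msgid")}
    pri = int(m.group("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7   # <14> = user.info, i.e. the "user info" selector above
    for name, value in PARAM_RE.findall(m.group("body")):
        rec[name] = value.replace('\\"', '"')
    return rec


def parse_log(text):
    return [r for r in (parse_rt_flow(line) for line in text.splitlines()) if r]


def denied_connections(records):
    """(src, dst, dport, policy) for every RT_FLOW_SESSION_DENY record."""
    return [(r["source-address"], r["destination-address"], r["destination-port"], r["policy-name"])
            for r in records if r["msgid"] == "RT_FLOW_SESSION_DENY"]


def bytes_per_policy(records):
    """Total bytes in both directions per policy, taken from the CLOSE records."""
    totals = defaultdict(int)
    for r in records:
        if r["msgid"] == "RT_FLOW_SESSION_CLOSE":
            totals[r["policy-name"]] += int(r["bytes-from-client"]) + int(r["bytes-from-server"])
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(denied_connections(recs))   # [('203.0.113.9', '1.1.10.20', '23', 'default-deny')]
    print(bytes_per_policy(recs))     # {'allow-web': 5930}
```

The CREATE record only tells you a session was allowed; the byte counts and the close reason live in the CLOSE record, so both session-init and session-close logging are needed to account for traffic, not just to see it in J-Web.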

Phil.

Tuesday, March 29, 2011

Juniper: How to reset an SRX to factory default

SRX: different ways to reset to factory-default

So, you may know the standard way, the way it is taught, I mean holding the reset micro-button for 15 seconds. This method works fine on J-series, but not on some SRX models, and not on the MX series...

So I will try to write down some of the methods I have used to reset Juniper devices to factory default.

Factory Default, really?

First, we need to define what exactly a factory-default reset is. Is it just putting the configuration back to its initial state? Just that? And what do you do with all the log files? The debug files? The saved configurations (rollbacks)?

It is a security problem to leave all of that inside the box, so putting a device back to the factory-default state is not just about the configuration, it is about everything, even the SSH host key: we want to generate a new one, because the old one is not trusted anymore (anyone who had access to the box may have copied it).

Lets start.

Lost the root password.
The common process is to boot in single-user mode:

At boot, after U-Boot, when the bootstrap loader is loaded, you can hit the space bar:
 

Hit [Enter] to boot immediately, or space bar for command prompt.
 
so you should see:

FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.5
(builder@ormonth.juniper.net, Fri Oct  9 10:55:15 UTC 2009)
Memory: 1024MB
[0]Booting from nand-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0x97d8ac+0xd70d0 syms=[0x4+0x79c50+0x4+0xadd2e]
 

Hit [Enter] to boot immediately, or space bar for command prompt.


Loader>
Loader> watchdog disable
Loader> boot -s
root@host% cli
root@host> edit
root@host# set system root-authentication plain-text-password
New password: juniper1
Retype new password: juniper1
root@host# commit
commit complete
root@host# run request system reboot
Reboot the system ? [yes,no] (no) yes

Root password on the SRX platform
On SRX Branch platforms running JUNOS 10.0R1 or later, there is a condition in which the password recovery process does not work. After issuing the recovery command, the system never reaches the point where the root password can be changed; it reboots instead. So a specific procedure is needed to recover the root password on SRX Branch devices running Junos 10.0R1 or later: disable the watchdog so that the system can properly boot into single-user mode.

 

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog disable
Loader> boot -s

Change the root password, reboot, and don't forget to re-enable the watchdog and boot in normal mode:

 

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog enable
Loader> boot

Damn, HA is enabled

If you're lucky, your device is the primary node, so you can just disable the HA:

{primary:node1}
root@titi> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now

But if you're not lucky, your device is in the hold state, and you're trying to reset the root password in single-user mode, but you can't:

Starting CLI ...
{hold:node1}
root> edit
warning: Clustering enabled; using private edit
error: shared configuration database modified

Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'

{hold:node1}
root>

OK, so deleting all the interfaces from the configuration seems to finally let me commit.

Then reboot and disable the cluster:

root> set chassis cluster disable

TRUE factory default

So, to delete all the logs, the dumps, the rollbacks, the root password in the factory-default config, and even to reset the SSH host key, you need to zeroize the device:

root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

....
....

Local package initialization:.
starting local daemons:.
kern.securelevel: -1 -> 1
Creating JAIL MFS partition...
JAIL MFS partition created

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

secdb initialized

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

dfacache initialized

Boot media /dev/da0 has dual root support
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 58564 free (44 frags, 7315 blocks, 0.0% fragmentation)
Tue Mar 29 14:41:31 UTC 2011

Amnesiac (ttyu0)

login: root

--- JUNOS 10.2R3.10 built 2010-10-16 20:36:59 UTC

root@%
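
The one thing worth verifying after a zeroize is that the SSH host key really was regenerated. The Python below is an added example (not Juniper code): it parses two ssh-keyscan captures, taken before and after the zeroize, computes OpenSSH-style SHA256 fingerprints and reports whether each key type changed. The captures are built from filler key material so it runs offline; in real use you would feed it the output of `ssh-keyscan -t rsa,ed25519 <device>` taken at both points.

```python
"""Check that zeroize really replaced the SSH host keys.

Added example, not Juniper code. It compares two ssh-keyscan captures
(before and after the zeroize) and prints OpenSSH-style SHA256
fingerprints. The captures below are constructed from filler key
material so the script runs offline; they are not real device keys.
"""
import base64
import hashlib


def _fake_key_blob(key_type, seed):
    """Base64 key of the right wire shape (length-prefixed type + filler bytes); constructed, not a real key."""
    filler = hashlib.sha256(seed.encode()).digest()
    blob = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + len(filler).to_bytes(4, "big") + filler)
    return base64.b64encode(blob).decode()


def keyscan_capture(host, seed):
    """What 'ssh-keyscan -t rsa,ed25519 host' prints: 'host type base64', comments start with '#'."""
    return "\n".join([
        f"# {host}:22 SSH-2.0-OpenSSH_5.2",
        f"{host} ssh-rsa {_fake_key_blob('ssh-rsa', seed + '/rsa')}",
        f"{host} ssh-ed25519 {_fake_key_blob('ssh-ed25519', seed + '/ed25519')}",
    ])


def parse_keyscan(text):
    """ssh-keyscan output -> {key type: base64 key}; comment lines are skipped."""
    keys = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _host, key_type, b64 = line.split()[:3]
        keys[key_type] = b64
    return keys


def fingerprint(b64):
    """OpenSSH 'SHA256:' fingerprint: base64 of sha256 over the decoded key, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_report(before, after):
    """{key type: (old fingerprint, new fingerprint, changed)} across both captures."""
    old, new = parse_keyscan(before), parse_keyscan(after)
    report = {}
    for key_type in sorted(set(old) | set(new)):
        o, n = old.get(key_type), new.get(key_type)
        report[key_type] = (o and fingerprint(o), n and fingerprint(n), o != n)
    return report


def zeroize_rotated_keys(before, after):
    """True only if every key type is present after the zeroize AND has a different fingerprint."""
    report = host_key_report(before, after)
    return all(new_fp is not None and changed for _old_fp, new_fp, changed in report.values())


if __name__ == "__main__":
    before = keyscan_capture("192.0.2.10", "before-zeroize")
    after = keyscan_capture("192.0.2.10", "after-zeroize")
    for key_type, (old_fp, new_fp, changed) in host_key_report(before, after).items():
        print(key_type, old_fp, "->", new_fp, "CHANGED" if changed else "SAME")
    print("zeroize rotated the host keys:", zeroize_rotated_keys(before, after))
```

If a key type comes back unchanged, the box was not zeroized (a plain `load factory-default` keeps the host key); remember also to remove the old entry from your own known_hosts with `ssh-keygen -R <device>`, otherwise the first connection after the reset will be refused as a host-key mismatch.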



EX series TIPS
LINECARD
Sometimes your switch can be in the linecard state, which means that there is no routing engine running on it. So you first need to enable one.
Example of the linecard prompt:
root@:LC:0% cli
{linecard:0}
root>
To enable RE mode:

root> request virtual-chassis reactivate

This member split from a virtual chassis. Please make sure that no active
switch belonging to this virtual chassis has conflicting configuration.

Do you want to continue ? [yes,no] (no) yes

{linecard:0}
root>
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

root@:RE:0%      

So now you can configure the switch.

 

MEMBER-ID is not 0
So, if your switch was a member of a virtual chassis and its member-id was between 1 and 9, you can't leave it like that, because all your interface configuration for ge-0/0/0 to ge-0/0/47 won't be applied (the first number in the interface name is the member-id)...
So you need to renumber your device:

{master:1}
root> request virtual-chassis renumber new-member-id 0 member-id 1

Note: replace 1 with your actual member-id.

The prompt changes:

{master:0}
root>

That's all for the moment.

Tuesday, December 7, 2010

Screenos: Anti-Spam: Adding custom SBL

The anti-spam portion uses a Spam Block List (SBL) which is more commonly known as a Relay Block List (RBL). The SBL/RBL that Juniper offers is updated and maintained by Symantec and contains the Top 100 known spammers.

G1S1-> set anti-spam profile ns-profile
G1S1(anti-spam:ns-profile)-> unset sbl msgsecurity.juniper.net
G1S1(anti-spam:ns-profile)-> set sbl sbl.spamhaus.org input-type ip
G1S1(anti-spam:ns-profile)-> set sbl dnsbl.sorbs.net input-type ip
G1S1(anti-spam:ns-profile)-> set sbl bl.spamcop.net input-type ip
G1S1(anti-spam:ns-profile)-> set sbl msgsecurity.juniper.net input-type ip

G1S1(anti-spam:ns-profile)-> get sbl
  *SBL Blacklist Server:
    sbl.spamhaus.org
    dnsbl.sorbs.net
    bl.spamcop.net
    msgsecurity.juniper.net
G1S1(anti-spam:ns-profile)-> exit

View the Status:


G1S1-> get anti-spam

  profile: ns-profile
  *Whitelists (0):
  *Blacklist (1): baddomain.com;
  *Blacklist[ip range] (0):
  *SBL Blacklist Server:
    sbl.spamhaus.org
  *Default setting:
    *Action: tag mail subject as ***SPAM***


DNS Server:
  Primary  :          10.1.75.111, Src Interface: Null
  Secondary:        172.16.165.22, Src Interface: Null
  Tertiary  :              0.0.0.0, Src Interface: Null


  Total connections:    8
  Total greetings:      8
  Total emails:         8

  Total permit emails:  1
  Total deny actions:   0
  Total tag emails:     7

  errors:               8
  timeouts:             8

  Statistics start time: 12/07/2010 09:43:21

Test with a domain string:

G1S1-> exec anti-spam testscan baddomain.com
AS: anti spam result: action Tag email subject, reason: Match local blacklist

Test with an IP:

G1S1-> exec anti-spam testscan 192.203.178.57
Please wait for a few seconds.
If the result does not display, please check the debug buffer with the "get dbuf stream" command.
G1S1->  anti spam result: action Pass, reason: Timeout
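
For the curious, here is what the SBL query actually does under the hood, as an added Python example (not ScreenOS code): the octets of the sending MTA's address are reversed, the block-list zone is appended, and an A record in 127.0.0.0/8 means "listed". A resolver is injected so it runs offline; the ANSWERS table is constructed and contains no real listings, and the fail-open on timeout mirrors the "action Pass, reason: Timeout" verdict shown above. The handling of Spamhaus's 127.255.255.0/24 error codes comes from Spamhaus's own documentation, not from ScreenOS.

```python
"""How an SBL/RBL lookup works, as an added example (not ScreenOS code).

The firewall reverses the octets of the sending MTA's address, appends
the block-list zone and does an A lookup; an answer in 127.0.0.0/8 means
"listed". A resolver is injected so the script runs offline; the
constructed ANSWERS table stands in for real DNS and holds no real listings.
"""
import ipaddress

SBL_SERVERS = ["sbl.spamhaus.org", "dnsbl.sorbs.net", "bl.spamcop.net"]


def dnsbl_query_name(ip, zone):
    """'192.203.178.57' + 'sbl.spamhaus.org' -> '57.178.203.192.sbl.spamhaus.org'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(records):
    """Turn the A records of a DNSBL reply into 'listed', 'clean' or 'error'.

    Listings are 127.0.0.x return codes. Spamhaus reserves 127.255.255.0/24 for
    error conditions (over-quota, query through an open resolver, typo in the
    zone); treating those as a listing would tag all mail, so they are reported
    separately.
    """
    for rec in records:
        addr = ipaddress.IPv4Address(rec)
        if addr in ipaddress.IPv4Network("127.255.255.0/24"):
            return "error"
        if addr in ipaddress.IPv4Network("127.0.0.0/8"):
            return "listed"
    return "clean"


def anti_spam_check(sender_ip, servers, resolve):
    """Mirror the verdicts seen in 'exec anti-spam testscan':
    ('tag', reason) on a hit, ('pass', reason) otherwise. A resolver timeout
    fails OPEN, exactly like the 'action Pass, reason: Timeout' output above."""
    for zone in servers:                      # servers are tried in configured order
        name = dnsbl_query_name(sender_ip, zone)
        try:
            records = resolve(name)
        except TimeoutError:
            return ("pass", f"Timeout ({zone})")
        verdict = classify_answer(records)
        if verdict == "listed":
            return ("tag", f"Match SBL {zone} ({records[0]})")
        # 'error' and 'clean' both fall through to the next server
    return ("pass", "Not listed")


# Constructed DNS data for the offline demo; not real listings.
ANSWERS = {
    "9.113.0.203.sbl.spamhaus.org": ["127.0.0.2"],          # listed on the first server
    "10.113.0.203.sbl.spamhaus.org": [],
    "10.113.0.203.dnsbl.sorbs.net": ["127.0.0.6"],          # only the second server knows it
    "11.113.0.203.sbl.spamhaus.org": ["127.255.255.254"],   # error code, not a listing
}


def fake_resolve(name, timeouts=("57.178.203.192.sbl.spamhaus.org",)):
    """Stand-in resolver: returns A records from ANSWERS, or times out for the names listed."""
    if name in timeouts:
        raise TimeoutError(name)
    return ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.9", "203.0.113.10", "203.0.113.11", "192.203.178.57"):
        print(ip, anti_spam_check(ip, SBL_SERVERS, fake_resolve))
```

Two things this makes visible: the firewall's DNS settings decide whether the check works at all (the "errors: 8 / timeouts: 8" counters in the status output above mean every lookup failed and every message was passed through on timeout), and the verdict is only as good as the first zone that answers, so the order of the sbl entries matters.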
 

View the config:

Friday, August 27, 2010

JUNOS: vlan tagging

Junos: How to configure a tag on an L3 interface?

So, you have an L3 interface and want to add an IEEE 802.1Q VLAN tag;

here is how to do so:

root@s1> show configuration interfaces me0
description "MGMT INTERFACE - DO NOT DELETE";
vlan-tagging;
unit 101 {
    vlan-id 101;
    family inet {
        address 10.150.8.161/16;
    }
}




Friday, July 23, 2010

Junos: v9 config on Junos v8

Compatibility between a v8 config and a v9 config. Note that the security stanza shown below is wide open (every interface in the trust zone accepts all system services and all protocols, and the default policy permits everything), which is fine for a lab but not for production.

security {
    zones {
        security-zone trust {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
}

Wednesday, November 4, 2009

Juniper - vpn proposal

IKE Phase 1 Proposal:


* Method: indicates whether a preshared key (“pre”) or digital certificates (“rsa”-sig or “dsa”-sig) are used as the authentication method

* DH Group: indicates the Diffie-Hellman group used for the key exchange (“g1”, “g2” or “g5”)

* Encrypt: indicates the encryption algorithm (“3DES”, “DES” or “AES”)

* Auth: indicates the hash algorithm (“MD5” or “SHA-1”)

Values:
-------

(pre|dsa|rsa) (g1|g2|g5) (DES|3DES|AES) (MD5|SHA1)


Examples of a Phase 1 proposal include:
---------------------------------------

* pre-g1-des-md5
* dsa-g2-3des-sha1
* rsa-g5-aes128-md5
* or the de-facto standard at the time of writing (2009): pre-g2-3des-sha1

Caveat: DES, MD5 and DH group 1 are broken by today's standards, and 3DES and group 2 are legacy; pick AES, SHA and group 5 or higher whenever the peer supports them.


IPSEC Phase 2 Proposal:


* PFS: indicates whether PFS is not used (“nopfs”) or, if it is, which DH group is applied (“g1”, “g2” or “g5”).

* Encapsulation: whether the ESP (“esp”) protocol is used (encryption and authentication), or just the AH (“ah”) protocol (authentication only, no encryption).

* Encryption: indicates the encryption algorithm (“DES”, “3DES” or “AES”)

* Authentication: indicates the hash algorithm (“MD5” or “SHA1”)

Values:
-------

(nopfs|g1|g2|g5) (ESP|AH) (DES|3DES|AES) (MD5|SHA1)


Examples of a Phase 2 proposal include:
---------------------------------------

 nopfs-esp-des-md5
 g1-ah-null-sha1
 and the de-facto standard at the time: g2-esp-3des-sha1
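
The naming grammar above is easy to get wrong by hand, so here is a Python parser for both proposal formats, as an added example (not Juniper code). It accepts the names listed in this post, rejects anything outside the grammar (including a cipher on AH, which only authenticates), and flags the components that are weak by today's standards; the function names and the WEAK table are mine.

```python
"""Parse and sanity-check ScreenOS-style IKE/IPsec proposal names.

Added example, not Juniper code. It turns the "method-group-cipher-hash"
names listed above into their components, rejects names that do not fit
the grammar, and flags components that are weak by today's standards.
"""
import re

P1_RE = re.compile(r"^(?P<method>pre|dsa|rsa)-(?P<dh>g1|g2|g5)-"
                   r"(?P<enc>des|3des|aes(?:128|192|256)?)-(?P<hash>md5|sha1)$")
P2_RE = re.compile(r"^(?P<pfs>nopfs|g1|g2|g5)-(?P<encap>esp|ah)-"
                   r"(?P<enc>des|3des|aes(?:128|192|256)?|null)-(?P<hash>md5|sha1)$")

# Facts about the algorithms themselves, not ScreenOS behaviour.
WEAK = {
    "des":  "DES: 56-bit key, brute-forceable",
    "3des": "3DES: 64-bit block, legacy (Sweet32); prefer AES",
    "md5":  "MD5: broken hash, avoid even as HMAC",
    "g1":   "DH group 1 (768-bit MODP): too small",
    "g2":   "DH group 2 (1024-bit MODP): marginal, prefer group 5 or larger",
}


def parse_phase1(name):
    """'pre-g2-3des-sha1' -> {'method': 'pre', 'dh': 'g2', 'enc': '3des', 'hash': 'sha1'}, or None."""
    m = P1_RE.match(name.lower())
    return m.groupdict() if m else None


def parse_phase2(name):
    """'g1-ah-null-sha1' -> {'pfs': 'g1', 'encap': 'ah', 'enc': 'null', 'hash': 'sha1'}, or None."""
    m = P2_RE.match(name.lower())
    if not m:
        return None
    p = m.groupdict()
    # AH authenticates only, so a cipher makes no sense with it
    if p["encap"] == "ah" and p["enc"] != "null":
        return None
    return p


def weaknesses(parsed):
    """Human-readable findings for a parsed proposal (empty list when there are none)."""
    findings = [WEAK[v] for k, v in parsed.items()
                if k in ("dh", "pfs", "enc", "hash") and v in WEAK]
    if parsed.get("pfs") == "nopfs":
        findings.append("no PFS: compromise of the phase-1 keying material exposes every phase-2 key")
    if parsed.get("encap") == "esp" and parsed.get("enc") == "null":
        findings.append("ESP with null encryption: integrity only, no confidentiality")
    return findings


if __name__ == "__main__":
    for name in ("pre-g1-des-md5", "dsa-g2-3des-sha1", "rsa-g5-aes128-md5", "pre-g2-3des-sha1"):
        print(name, weaknesses(parse_phase1(name)))
    for name in ("nopfs-esp-des-md5", "g1-ah-null-sha1", "g2-esp-3des-sha1", "g2-ah-3des-sha1"):
        p = parse_phase2(name)
        print(name, "INVALID" if p is None else weaknesses(p))
```

Run it over the proposals above and the "de-facto standard" pair comes back with two findings each (3DES and group 2), while pre-g1-des-md5 collects three; g2-ah-3des-sha1 is rejected outright because AH carries no cipher.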

Friday, May 29, 2009

NSMXpress: reset root password

Procedure for resetting the admin password in NSMXpress

To reset the password, use the following procedure:
Connect a console device to the console port of the NSMXpress appliance.
Physically power off the NSMXpress appliance.
Power the NSMXpress appliance back on.
During the boot sequence the console will display an option to "press any key to enter the menu". Hit any key. When the boot sequence is interrupted, a menu will be displayed on the console. Choose "Rescue".

When the rescue process starts, it will ask about configuring the network connections. Choose "No".

A message will indicate that the system is trying to find your Linux installation. Choose "Continue".

A message will indicate that your system has been mounted under /mnt/sysimage. Press "Return".

Enter the command: vi /mnt/sysimage/etc/shadow

Find the line that starts with "admin:". The value between the first and second ":" is the password hash.

In the example below, the hash is $1$MaGuoSOG$iEA4IiLSP26eM2e99LJiZ/

Using vi commands, replace the existing hash (i.e. $1$MaGuoSOG$iEA4IiLSP26eM2e99LJiZ/ ) with the following value.

This is the MD5-crypt hash (the "$1$" prefix) of the password "netscreen":

$1$KYPDZ8Eg$D627p0JrMaVMYqkdVRxcw

Using vi commands, save the file and exit.

At the command prompt, enter exit

The system will reboot and the admin password will be "netscreen". That hash is public, so log in and change the password immediately; and since anyone with console access can do exactly this, keep the appliance physically secured.

NSMXpress: reset to factory default

You want to put your NSMXpress Juniper appliance into a factory-default state.

This howto shows you how:

Connect a console device to the console port of the NSMXpress appliance.
Physically power off the NSMXpress appliance.
Power the NSMXpress appliance back on.
During the boot sequence the console will display an option to "press any key to enter the menu". Hit any key. When the boot sequence is interrupted, a menu will be displayed on the console. Choose "Re-Install",
then at the password prompt enter "erase".

That's it, the Juniper NSMXpress management console will format the hard drive.