SRX NAT KBs

Hi,

I was making notes and wanted to quickly share with you guys the frequently accessed NAT KB articles.

Please find them below. It's not pretty per se, but it should do the trick for quick revision.

SRX Resolution Guides –

NAT – http://kb.juniper.net/KB21922
Troubleshooting Source NAT – http://kb.juniper.net/KB21611
Troubleshooting Destination NAT – http://kb.juniper.net/KB21839
Troubleshooting Static NAT – http://kb.juniper.net/KB21892
SRX NAT getting started – http://kb.juniper.net/KB15758
SRX configuring Proxy ARP – http://kb.juniper.net/KB21785
Verify destination rules in order – http://kb.juniper.net/KB21866
Firewall filter to count packets – http://kb.juniper.net/KB21872
Traceoptions / trimming output – http://kb.juniper.net/KB16108
Interpret traceoptions – http://kb.juniper.net/KB21757
Log collection – http://kb.juniper.net/KB21781
Verify source NAT rules – http://kb.juniper.net/KB21709
Checking and re-ordering NAT rules – http://kb.juniper.net/KB21783
Verify static NAT rules – http://kb.juniper.net/KB21918
NAT for local proxy identity in VPN – http://kb.juniper.net/KB25928
NAT not working – http://kb.juniper.net/KB21697
Static NAT using a VR instance – http://kb.juniper.net/KB23912
Support for interface-based NAT in LSYS – http://kb.juniper.net/KB28049
Why static NAT does not occur after reboot – http://kb.juniper.net/KB24310
Several existing sessions drop during config change – http://kb.juniper.net/KB30343
Multicast traffic not passing with source NAT – http://kb.juniper.net/KB28283
Source NAT for self-generated traffic – http://kb.juniper.net/KB26372
Interface-nat-ports for overloading port utilization – http://kb.juniper.net/KB29591
Verify whether NAT is applied to VPN traffic – http://kb.juniper.net/KB10139
Change the allocation for source NAT pool (hidden) – http://kb.juniper.net/KB21263
address-persistent vs persistent-nat – http://kb.juniper.net/KB20711
When to use the source-nat off statement – http://kb.juniper.net/KB24404
VPN does not come up to IKE peer using static NAT – http://kb.juniper.net/KB27815
Understanding persistent NAT – http://kb.juniper.net/KB29191
How to set up NAT hairpinning – http://kb.juniper.net/KB24639
NAT rule limits on SRX – http://kb.juniper.net/KB14149
Troubleshooting security policy not passing data – http://kb.juniper.net/KB10113

Regards

Rakesh M

 

Rulebase Exempt – Continuing from the Previous Post

Hi,

Now that it is clear how we define IDP to detect attacks, let us also see how to turn that off for a specific set of applications, traffic or patterns if you wish, be it company policy or any other reason (for example, a custom application that mimics suspicious behaviour and you want it allowed). To put it straight: anything that you know to be good but IDP senses as bad and drops (a false positive).

Topology

(screenshot: topology)

Initially the triggered attack is detected and the scan cannot get through; here are the outputs for reference.

(screenshot: IDP detection output)

As we can see above, the attack was detected by the SRX and is being blocked.

(screenshot: SRX detecting the attack)

Let us add a rulebase-exempt rule and see whether that bypasses detection; this time the SRX should not detect any of these attacks.

(screenshot: rulebase-exempt configuration on the SRX)

Re-scanning reveals that I am running an Ubuntu machine, along with scores of vulnerability options that people might really be interested in :)

(screenshot: attack bypassing IDP)

Always weigh your options, especially when you are bypassing anything from normal IDP inspection; that might prove very costly.

Regards

Rakesh M

Using vSRX IDP to detect a pre-triggered attack – Metasploit Framework – SCAN:MISC:HTTP:VTI-BIN-PROBE

Hi,

I was studying IDP and, as always, I wanted to test the feature out. First of all, it is vSRX, so do not expect it to detect everything out of the box, but it did a fairly nice job to start with.

Topology

(screenshot: topology)

Exploit

(screenshot: Metasploit Framework attack search)

SCAN:MISC:HTTP:VTI-BIN-PROBE

Description: This signature detects requests to a URL that can execute a denial of service (DoS) on Microsoft IIS with FrontPage extensions.

No attack is detected as yet and the attack table is empty.

(screenshot: empty attack table)

Configuring vSRX so that it has IDP capabilities; for installation details, have a look at the post below:

https://r2079.wordpress.com/2015/09/16/appsecure-suite-installing-license-evaluation-version-on-vsrx-firefly/

(screenshot: IDP configuration)

I have used Metasploit to attack my home lab device.

(screenshot: attacking the LAN)

As we can clearly see, the SRX has detected the attack and displayed the appropriate attack type.

(screenshot: SRX detecting the attack)
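As an added example (not the author's configuration, which lives in the screenshots), the set commands below put this post and the rulebase-exempt post above together: an IPS rulebase that drops and logs the SCAN:MISC:HTTP:VTI-BIN-PROBE signature, and an exempt rule for that same signature scoped to one authorised scanner address rather than to any source. The policy name lab-idp, the zone names untrust and trust, the firewall policy to-web and the address auth-scanner 192.0.2.50 are assumptions; lines beginning with # are explanatory comments, not CLI input.

```junos
# --- IPS rulebase: detect and drop the probe this post triggers ---
# Policy, zone and rule names are assumptions for this example.
set security idp idp-policy lab-idp rulebase-ips rule detect-probe match from-zone untrust
set security idp idp-policy lab-idp rulebase-ips rule detect-probe match to-zone trust
set security idp idp-policy lab-idp rulebase-ips rule detect-probe match source-address any
set security idp idp-policy lab-idp rulebase-ips rule detect-probe match destination-address any
set security idp idp-policy lab-idp rulebase-ips rule detect-probe match application default
set security idp idp-policy lab-idp rulebase-ips rule detect-probe match attacks predefined-attacks SCAN:MISC:HTTP:VTI-BIN-PROBE
set security idp idp-policy lab-idp rulebase-ips rule detect-probe then action drop-packet
set security idp idp-policy lab-idp rulebase-ips rule detect-probe then notification log-attacks
set security idp active-policy lab-idp

# --- Hand matching sessions to IDP from the firewall policy (policy name assumed) ---
set security policies from-zone untrust to-zone trust policy to-web match source-address any
set security policies from-zone untrust to-zone trust policy to-web match destination-address any
set security policies from-zone untrust to-zone trust policy to-web match application junos-http
set security policies from-zone untrust to-zone trust policy to-web then permit application-services idp

# --- Exempt rulebase (the post above): suppress this one signature, but only for the
#     authorised scanner's address, so every other source is still inspected and dropped ---
set security address-book global address auth-scanner 192.0.2.50/32
set security idp idp-policy lab-idp rulebase-exempt rule exempt-scanner match from-zone untrust
set security idp idp-policy lab-idp rulebase-exempt rule exempt-scanner match to-zone trust
set security idp idp-policy lab-idp rulebase-exempt rule exempt-scanner match source-address auth-scanner
set security idp idp-policy lab-idp rulebase-exempt rule exempt-scanner match destination-address any
set security idp idp-policy lab-idp rulebase-exempt rule exempt-scanner match attacks predefined-attacks SCAN:MISC:HTTP:VTI-BIN-PROBE
commit

# --- Operational checks: the attack table fills for other sources and stays empty for the scanner ---
show security idp status
show security idp attack table
```

The exempt rule matches on the same zones and signature as the IPS rule, so the only difference between a logged-and-dropped probe and a silently permitted one is the source address; that is what keeps the exemption auditable.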

Regards

Rakesh M

Troubleshooting with Security Flow Traceoptions and Options

Hi,

Many people either turn a blind eye to the debug approach, and others might not know the feature below in SRX, but in my opinion it has huge advantages, mainly when your policies are not defined for the traffic and you do not see a flow entry in your session table.

Topology

(screenshot: topology)

Running ping from the other router

(screenshot: ping traffic not in the session table)

Now configuring the traceoptions

(screenshot: security flow traceoptions configuration)

Analyzing the traceoptions output

(screenshot: packet drop shown in the log)

I found this method to be very handy and have also used it in live environments. How you write your packet filter is the key to narrowing the packet-match condition for the device.
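An added example of the packet-filter approach described above, not taken from the post's screenshots: the filter restricts the trace to one ICMP flow in both directions, so the log holds only the packets being investigated and the forwarding plane does little extra work. The file name flow-trace, the addresses 192.0.2.10 (the pinging router) and 198.51.100.1 (its destination) and the filter names are assumptions; lines beginning with # are comments, not CLI input.

```junos
# --- Configuration mode: trace only the flow we care about ---
# File name, sizes and addresses are assumptions for this example.
set security flow traceoptions file flow-trace
set security flow traceoptions file size 10m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
# Forward direction: ICMP from the pinging router (192.0.2.10) to the target (198.51.100.1)
set security flow traceoptions packet-filter ping-fwd source-prefix 192.0.2.10/32
set security flow traceoptions packet-filter ping-fwd destination-prefix 198.51.100.1/32
set security flow traceoptions packet-filter ping-fwd protocol icmp
# Reverse direction, so replies (and why they are dropped, if they are) are traced too
set security flow traceoptions packet-filter ping-rev source-prefix 198.51.100.1/32
set security flow traceoptions packet-filter ping-rev destination-prefix 192.0.2.10/32
set security flow traceoptions packet-filter ping-rev protocol icmp
commit

# --- Operational mode: reproduce the ping, then read the trace ---
show log flow-trace | match "denied|drop|policy"
clear log flow-trace

# --- Clean up: tracing costs CPU on the forwarding plane, so disable it when done ---
deactivate security flow traceoptions
commit
```

Without the packet-filter statements the basic-datapath flag traces every session through the box, which is what makes people wary of the debug approach in production; with them, the trace is limited to the two prefixes and the protocol given.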

Regards

Rakesh M

Quick Series 23 – IPv4 to IPv6 NAT

Hi,

The previous post covered IPv6-to-IPv6 NAT. This post is aimed at an IPv4 island reaching an IPv6 island.

Topology

(screenshot: topology)

The requirement is very simple: R2 has an IPv4 address and needs to reach an IPv6 address. We instruct the SRX firewall to perform NAT from IPv4 to IPv6 for both the source and the destination address in this case, a classic double NAT if I have to say.

R2 tries to reach the IPv6 end server (2001:9:9:12::2). Since that is IPv6, R2 is instead given an IPv4 destination address, 9.9.12.3 in this case, an arbitrary address from the subnet pool. Similarly, the SRX receives the IPv4 request but needs to forward it to IPv6, so it uses 2001:9:9:12::3 as its source address.

A quick look at policies and zones

(screenshot: security zones)

Destination NAT – first in the flow processing

(screenshot: destination NAT configuration)

Source NAT

(screenshot: source NAT configuration)

NAT translation hits

(screenshot: NAT translations)

A look at the security flow session output

(screenshot: show security flow session output)
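As an added example (not the author's configuration), the set commands below implement the double NAT just described with the addresses the post gives: 9.9.12.3 is the IPv4 facade for the server 2001:9:9:12::2, and 2001:9:9:12::3 is the translated source. The interface names ge-0/0/0 and ge-0/0/1, the SRX addresses 9.9.12.1/24 and 2001:9:9:12::1/64, and the zone names trust and untrust are assumptions; lines beginning with # are comments.

```junos
# IPv6 flow mode is required for IPv6 NAT on this release (a reboot may be needed after commit)
set security forwarding-options family inet6 mode flow-based

# --- Interfaces and zones (names and SRX addresses are assumptions) ---
set interfaces ge-0/0/0 unit 0 family inet address 9.9.12.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:9:9:12::1/64
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0

# --- Destination NAT, processed first: IPv4 facade 9.9.12.3 -> real server 2001:9:9:12::2 ---
set security nat destination pool v6-server address 2001:9:9:12::2/128
set security nat destination rule-set v4-to-v6 from zone trust
set security nat destination rule-set v4-to-v6 rule to-server match destination-address 9.9.12.3/32
set security nat destination rule-set v4-to-v6 rule to-server then destination-nat pool v6-server
# 9.9.12.3 is on R2's segment but on no interface, so the SRX must answer ARP for it
set security nat proxy-arp interface ge-0/0/0.0 address 9.9.12.3/32

# --- Source NAT: IPv4 sources appear to the server as 2001:9:9:12::3 ---
set security nat source pool v6-src address 2001:9:9:12::3/128
set security nat source rule-set v4-src-to-v6 from zone trust
set security nat source rule-set v4-src-to-v6 to zone untrust
set security nat source rule-set v4-src-to-v6 rule any-v4 match source-address 0.0.0.0/0
set security nat source rule-set v4-src-to-v6 rule any-v4 then source-nat pool v6-src
# Likewise the SRX must answer Neighbor Solicitation for the IPv6 pool address
set security nat proxy-ndp interface ge-0/0/1.0 address 2001:9:9:12::3/128

# --- Security policy: evaluated after destination NAT, so it sees the IPv6 server address ---
set security policies from-zone trust to-zone untrust policy v4-to-v6 match source-address any
set security policies from-zone trust to-zone untrust policy v4-to-v6 match destination-address any
set security policies from-zone trust to-zone untrust policy v4-to-v6 match application any
set security policies from-zone trust to-zone untrust policy v4-to-v6 then permit
commit

# --- Verification (operational mode) ---
show security nat destination rule all
show security nat source rule all
show security flow session destination-prefix 2001:9:9:12::2
```

The ordering matters: destination NAT runs before the route lookup and the policy lookup, which is why the rule-set has only a from-zone and why the policy matches on the translated IPv6 address rather than on 9.9.12.3.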

Regards

Rakesh M

Quick Series 22 – IPv6 to IPv6 NAT – Source Pool / Interface-Based / Destination NAT

Hi,

Continuing from the previous post on several NAT scenarios, the post below quickly shows how pool-based, destination-based and interface-based NAT is configured on the SRX.

Topology

(screenshot: topology)

Pool-based NAT

The most important thing is the proxy-ndp configuration: the pool addresses are configured on no interface, so the SRX must answer Neighbor Solicitations for them, or return traffic never reaches it.

(screenshot: pool-based NAT configuration)

Interface-based source NAT

(screenshot: interface-based NAT configuration)

Destination-based NAT

There is no to-zone in the destination NAT rule-set; destination NAT is evaluated before the route lookup, so the SRX works out the egress zone afterwards.

(screenshot: destination-based NAT configuration)
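An added example, not the author's configuration: the three IPv6 NAT variants named above in set form, with proxy-ndp covering every translated address that exists on no interface. All addresses use the 2001:db8:: documentation prefix and are constructed; the interface names ge-0/0/0 (inside, zone trust) and ge-0/0/1 (outside, zone untrust) and the rule names are assumptions; lines beginning with # are comments.

```junos
# --- Pool-based source NAT ---
# Inside 2001:db8:1::/64 on ge-0/0/0 (zone trust); outside 2001:db8:2::/64 on ge-0/0/1 (zone untrust).
set security nat source pool v6-pool address 2001:db8:2::100/128 to 2001:db8:2::101/128
set security nat source rule-set out from zone trust
set security nat source rule-set out to zone untrust
set security nat source rule-set out rule pool-nat match source-address 2001:db8:1::/64
set security nat source rule-set out rule pool-nat then source-nat pool v6-pool
# The pool addresses exist on no interface: without proxy-ndp the upstream router's Neighbor
# Solicitation for them goes unanswered and return traffic is never sent to the SRX
set security nat proxy-ndp interface ge-0/0/1.0 address 2001:db8:2::100/128 to 2001:db8:2::101/128

# --- Interface-based source NAT: a second inside subnet hides behind ge-0/0/1's own address ---
# No proxy-ndp is needed here; the SRX already answers NS for its interface address.
set security nat source rule-set out rule if-nat match source-address 2001:db8:3::/64
set security nat source rule-set out rule if-nat then source-nat interface

# --- Destination NAT: only a 'from' context, no to-zone ---
# Translation happens before the route lookup, so the egress zone is only known afterwards.
set security nat destination pool v6-web address 2001:db8:1::10/128
set security nat destination rule-set in from zone untrust
set security nat destination rule-set in rule to-web match destination-address 2001:db8:2::10/128
set security nat destination rule-set in rule to-web then destination-nat pool v6-web
# The public address of the server is again not on any interface, so proxy-ndp covers it too
set security nat proxy-ndp interface ge-0/0/1.0 address 2001:db8:2::10/128
commit

# --- Verification (operational mode) ---
show security nat source rule all
show security nat source pool all
show security nat destination rule all
```

A quick way to spot a missing proxy-ndp is that the NAT rule counters increment (the outbound packet was translated) while no session ever sees a return packet.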

Regards

Rakesh M

Hub and Spoke VPN Implementation – SRX

Hi,

Implementing a multipoint-to-point (hub and spoke) VPN was tough on me. That has more to do with my inexperience with proper policies and oversights; thanks to many hours of troubleshooting, I should now be able to set it up without any errors.

Topology

(screenshot: topology)

Requirement – R1 will be the hub VPN site and R2 and R3 will be the spoke routers

The diagram below is a rough view

(screenshot: attachment 1)

Verifying the connectivity between the spokes and the hub

(screenshot: hub reachability check from the spokes)

(screenshot: hub IKE allow check)

Configuring the st0 interface as multipoint on the hub router; this is not required on the spokes

(screenshot: st0 interface configuration)

Defining IKE peers and the IPsec configuration – notice the two different vpn sections for the two spokes

(screenshot: defining the respective IPsec VPNs)

(screenshot: defining the respective IKE gateways for the peers)

(screenshot: attachment 1)

(screenshot: defining the st0 zone)

(screenshot: VPN zone policy)

(screenshot: verifying IPsec)

The next post will be on configuring OSPF and BGP via this hub-and-spoke VPN.

Regards

Rakesh M

VLAN Rewrite on SRX

Hi,

VLAN rewrite on any box is always a fascinating concept. You have tagged packets arriving with a specific VLAN, and once they come in they are changed to some other VLAN for egress, and vice versa.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23737

The above KB gives you an idea of how vlan-rewrite is configured for a sample scenario on SRX. I made some enhancements, adding a new irb interface on the SRX and having a trunk port with a sub-interface.

Topology

(screenshot: topology)

The configuration is very straightforward:

-> Identify which VLAN needs to be manipulated

-> Identify the ingress interface

-> Make sure your vlan-id-list does not include the VLAN that is being converted – yes, it is 'does not'

(screenshot: bridge domains)

Here, VLAN 100 is not in the vlan-id-list of the trunk interface ge-0/0/8, which is the ingress point. Many people may have the misconception that all the VLANs configured on the interface must be allowed, but the point to understand is that VLAN 100 is already being rewritten to another VLAN which the interface has allowed, so we need not allow it again in the interface vlan-id-list.

(screenshot: ping test)

A policy needs to be written with layer-2 interfaces in place. Unlike a routed-mode firewall, where we include layer-3 interfaces in zones, a transparent-mode firewall needs layer-2 interfaces in its zones. I initially tried configuring irb interfaces in zones, only to learn that irb interfaces can never go into a security zone.
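An added example (not the author's configuration): transparent-mode set commands for the case described, where frames tagged VLAN 100 enter on ge-0/0/8 and are rewritten. The VLAN they are rewritten to (200), the second trunk ge-0/0/9, the irb address and the zone names are assumptions; lines beginning with # are comments.

```junos
# --- Transparent mode: bridge domain for the VLAN the traffic is rewritten to (200 is an assumption) ---
set bridge-domains bd-200 domain-type bridge
set bridge-domains bd-200 vlan-id 200
set bridge-domains bd-200 routing-interface irb.0
set interfaces irb unit 0 family inet address 192.168.200.1/24

# --- Ingress trunk ge-0/0/8: frames arrive tagged 100 and are rewritten to 200 on ingress
#     (and 200 back to 100 on egress). Note that vlan-id-list carries 200, not 100 ---
set interfaces ge-0/0/8 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/8 unit 0 family bridge vlan-id-list 200
set interfaces ge-0/0/8 unit 0 family bridge vlan-rewrite translate 100 200

# --- Second trunk ge-0/0/9 (assumed) carries VLAN 200 unchanged ---
set interfaces ge-0/0/9 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/9 unit 0 family bridge vlan-id-list 200

# --- Zones hold the layer-2 interfaces; irb.0 cannot be placed in a zone ---
set security zones security-zone l2-in interfaces ge-0/0/8.0
set security zones security-zone l2-out interfaces ge-0/0/9.0
set security policies from-zone l2-in to-zone l2-out policy allow match source-address any
set security policies from-zone l2-in to-zone l2-out policy allow match destination-address any
set security policies from-zone l2-in to-zone l2-out policy allow match application any
set security policies from-zone l2-in to-zone l2-out policy allow then permit
set security policies from-zone l2-out to-zone l2-in policy allow match source-address any
set security policies from-zone l2-out to-zone l2-in policy allow match destination-address any
set security policies from-zone l2-out to-zone l2-in policy allow match application any
set security policies from-zone l2-out to-zone l2-in policy allow then permit
commit

# --- Verification ---
show bridge domain
show bridge mac-table
show interfaces ge-0/0/8 extensive | match vlan
```

If 100 is added to the vlan-id-list as well, the commit may succeed but the frames are no longer translated, which is the misconception the post warns about; the MAC table shows which VLAN the learnt addresses landed in.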

Regards

Rakesh M

APPSECURE SUITE – INSTALLING LICENSE – EVALUATION VERSION ON VSRX FIREFLY

Hi,

No one denies the value of having a good lab if you are aiming at your expert-level exam. The AppSecure suite is one critical thing on the Juniper vSRX which is important not only for the exam but also for real-world implementations.

The AppSecure suite can be installed with a 30-day evaluation license from Juniper. Below are the details.

Requirement

vSRX (12.1X47-D20.7) —- connected to —- INTERNET

(screenshot: basic reachability)

Next, get the evaluation license from Juniper:

http://www.juniper.net/us/en/dm/free-vsrx-trial/

You require appropriate credentials, I guess; I work for a partner, so I do not have any login issues here.

(screenshot: trial license installation)

Checking the applications and downloading the files from the internet

(screenshot: downloading files)

Once you have downloaded them, the next step is to install the files onto the system

(screenshot: installing applications)

Happy Labbing

Regards

Rakesh M

SRX FILTERBASED FORWARDING – USING STATIC DEFAULT ROUTE and RIB-Groups

Hi,

FBF, or filter-based forwarding, is a confusing concept at first, especially if you are new to the concept of rib-groups. Let's see a very simple example.

Reference – http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223 and Junos SRX

Topology

(screenshot: topology)

Requirement

METHOD 1 – via a static default route in the instance

Make sure traffic from 172.25.1.0 takes the path to isp-a and 172.25.0.0 takes the path to isp-b when they are trying to access 7.7.7.7/32.

First, let us verify that the SRX has the route to 7.7.7.7 and check its preference; looking at the output, the SRX is preferring isp-a.

(screenshot: BGP routing verification)

Let us verify from the end nodes by doing a traceroute

(screenshot: end-node verification)

Okay, we have a problem here:

-> we can only choose one path on the SRX, either isp-a or isp-b; sure, you can do load balancing, but that will not achieve what we want

-> we need to instruct the SRX to send traffic from 172.25.0.0 to isp-b and from 172.25.1.0 to isp-a; again, this is a challenge as the SRX is only preferring isp-a as of now

Let us construct two routing instances for this requirement, one for forwarding traffic to isp-a and one for forwarding traffic to isp-b, and then apply a firewall filter to divert the traffic.

(screenshot: routing instances)

(screenshot: firewall filter)

Apply it to the incoming interface from the LAN

(screenshot: filter applied on the interface)

Once we are done with this, we now have to make sure the routing instances are forwarding to the correct next hop; static routing makes it a lot easier here.

(screenshot: static routing)

Remember that so far we have only done the forward path; we have to make sure that the return traffic, when it hits the routing instance ispa, is properly forwarded as well.

To make it clear: when you issue a show route, do you see routes populated in the ispa and ispb instances?

(screenshot: table verification)

Here come rib-groups

(screenshot: rib-groups verification)

Do not forget the policy for intra-zone traffic on the SRX

(screenshot: security policies)

Final verification
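An added example, not the author's configuration: the whole Method 1 procedure above in set commands, from the two forwarding instances through the classifier filter to the rib-group that populates them. The ISP next hops 198.51.100.1 and 203.0.113.1, the /24 masks on the two LAN subnets and ge-0/0/0 as the LAN-facing interface are assumptions; lines beginning with # are comments.

```junos
# --- Two forwarding instances, each with its own default route (ISP next hops are assumptions) ---
set routing-instances ispa instance-type forwarding
set routing-instances ispa routing-options static route 0.0.0.0/0 next-hop 198.51.100.1
set routing-instances ispb instance-type forwarding
set routing-instances ispb routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# --- Classifier: pick the instance by source subnet (/24 masks are assumptions) ---
set firewall family inet filter fbf term to-ispa from source-address 172.25.1.0/24
set firewall family inet filter fbf term to-ispa then count to-ispa
set firewall family inet filter fbf term to-ispa then routing-instance ispa
set firewall family inet filter fbf term to-ispb from source-address 172.25.0.0/24
set firewall family inet filter fbf term to-ispb then count to-ispb
set firewall family inet filter fbf term to-ispb then routing-instance ispb
# Everything else follows inet.0 as before; without this term the implicit discard would drop it
set firewall family inet filter fbf term default then accept

# --- Apply as an input filter on the LAN-facing interface (ge-0/0/0 assumed) ---
set interfaces ge-0/0/0 unit 0 family inet filter input fbf

# --- Rib-group: copy the interface routes from inet.0 into both instances. Without this the
#     default routes cannot resolve their next hop and the LAN subnets are unknown inside the
#     instances, so neither the forward path nor the return path works ---
set routing-options rib-groups fbf-group import-rib [ inet.0 ispa.inet.0 ispb.inet.0 ]
set routing-options interface-routes rib-group inet fbf-group
# The security policy between the LAN zone and the ISP zones (and intra-zone, if they share one)
# is still required; see the policy screenshot in the post.
commit

# --- Verification (operational mode) ---
show route table ispa.inet.0
show route table ispb.inet.0
show firewall filter fbf
```

The counters on the two terms answer the "which path did it take" question without a traceroute from the end nodes, and the two `show route table` commands are the check the post asks for: each instance should list its default route plus the interface routes copied in by the rib-group.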

Regards

Rakesh M
