30 Levels of NAT Lab #2 – Juniper SRX100s

Well, I had the chance again to play with lots of firewalls, so I did. A customer had ordered more than 30 SRX100s for clustered branch deployments, so I took the opportunity to ask for permission to pull 30 of them out of their boxes and reproduce my 30 levels of NAT lab. It’s never the same doing it alone, so I put the word out to some nerd mates and got Mr Aijay Adams (@aijayadams) and Master Mitch Hewes (@mitcdh) to tag along and enjoy the extremely draining NAT-filled day. The day included unboxing, ‘racking’ and cabling, configuring, and then packing it all up. It was a long day, especially since we tried to get routing instances to NAT 10 times on each SRX … We were not successful; it seems lt interfaces are not NAT friendly (which is good, because it’s stupid and I hate NAT).

Here is the logical layout:

[Logical layout diagram]

Of course, for good measure, a quick video of our fun 🙂

So we set the SRXs up identically to the PIX501s in the Cisco lab:

NAT Lab 2 (not as neat as last time; time didn’t allow that :))

The results were similar to the Ciscos latency-wise, but throughput was what I had originally expected (before I did the Cisco NAT lab): the SRX100s were able to push the full 100 Mbit/s through all 30 levels of NAT.

After matching the level of NAT achieved in the Cisco lab we set out to better it by using routing-instances and lt interfaces, but it seems NAT from an lt-* interface is not supported in Junos (albeit a stupid requirement, it is still handy to know). If someone can see what I did wrong in the config below I would love to know. We had to call it quits after many hours of trying to get the routing-instances to work, but we were so close!
P.S. I know I could have used all the physical ports; I did not have enough patch cables!

Here is a screenshot of a traceroute out of our NATHELL:

With no throughput:

With 100mbit of throughput:

Nerdy Setup Details

1 NAT per Box Config:

[bash]
set system host-name NATLAB0
set system domain-name cooperlees.com
set system root-authentication encrypted-password "lab123"
set system name-server 192.168.83.6
set system name-server 192.168.83.5
set system name-server 8.8.8.8
set system services ssh
set system services dhcp pool 10.0.0.0/24 address-range low 10.0.0.10
set system services dhcp pool 10.0.0.0/24 address-range high 10.0.0.100
set system services dhcp pool 10.0.0.0/24 name-server 192.168.83.5
set system services dhcp pool 10.0.0.0/24 name-server 192.168.83.6
set system services dhcp pool 10.0.0.0/24 name-server 8.8.8.8
set system services dhcp pool 10.0.0.0/24 domain-search cooperlees.com
set system services dhcp pool 10.0.0.0/24 router 10.0.0.1
set interfaces interface-range ACCESS member-range fe-0/0/0 to fe-0/0/6
set interfaces interface-range ACCESS unit 0 family ethernet-switching
set interfaces fe-0/0/7 unit 0 family inet address 10.1.0.2/24
set interfaces vlan unit 0 family inet address 10.0.0.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.0.1
set security nat source rule-set Outbound-NAT from zone NATHELL
set security nat source rule-set Outbound-NAT to zone LESSNAT
set security nat source rule-set Outbound-NAT rule egress-int-bitch match destination-address 0.0.0.0/0
set security nat source rule-set Outbound-NAT rule egress-int-bitch then source-nat interface
set security nat destination pool WEBSERVER address 10.0.0.2/32
set security nat destination rule-set Internet-PAT from zone LESSNAT
set security nat destination rule-set Internet-PAT rule WEBSERVER-PAT match destination-address 10.1.0.2/32
set security nat destination rule-set Internet-PAT rule WEBSERVER-PAT match destination-port 80
set security nat destination rule-set Internet-PAT rule WEBSERVER-PAT then destination-nat pool WEBSERVER
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch match source-address any
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch match destination-address any
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch match application any
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch then permit
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch then log session-init
set security zones security-zone NATHELL host-inbound-traffic system-services all
set security zones security-zone NATHELL host-inbound-traffic protocols all
set security zones security-zone NATHELL interfaces vlan.0
set security zones security-zone LESSNAT host-inbound-traffic system-services all
set security zones security-zone LESSNAT host-inbound-traffic protocols all
set security zones security-zone LESSNAT interfaces fe-0/0/7.0
set vlans default l3-interface vlan.0
[/bash]
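To make the translations concrete, here is an added Python model (not from the original post and not Junos code) of what the 1-NAT-per-box template above does when 30 of these boxes are chained: box N has vlan.0 at 10.N.0.1/24 in zone NATHELL, fe-0/0/7.0 at 10.N+1.0.2 in zone LESSNAT, interface source NAT outbound and a port-80 destination NAT to 10.N.0.2 (which is the previous box’s outside address, so the DNATs chain all the way down to the web server). The PAT port allocator and the policy set are simplifications marked as assumptions. Note that the config above only permits NATHELL to LESSNAT; since the SRX applies destination NAT before the policy lookup, the port-80 forward only delivers once a LESSNAT to NATHELL policy (as in the 10-NAT config further down) is added, and the model shows both cases.

```python
"""Added example (not from the original post): the 1-NAT-per-box template
chained 30 deep. Box N: vlan.0 = 10.N.0.1/24 (zone NATHELL), fe-0/0/7.0 =
10.N+1.0.2 (zone LESSNAT), 'source-nat interface' outbound and a port-80
destination NAT to 10.N.0.2. Port allocation and policies are simplified."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WEBSERVER = "10.0.0.2"   # host behind box 0, the end of the DNAT chain
PAT_FIRST_PORT = 1024    # assumption: simplified per-box PAT allocator


@dataclass
class Box:
    n: int
    # Zone pairs with a permit policy; the 1-NAT config only has NATHELL->LESSNAT.
    policies: Set[Tuple[str, str]] = field(
        default_factory=lambda: {("NATHELL", "LESSNAT")})
    sessions: Dict[Tuple, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = PAT_FIRST_PORT

    @property
    def outside(self) -> str:       # fe-0/0/7.0 address, zone LESSNAT
        return f"10.{self.n + 1}.0.2"

    @property
    def dnat_target(self) -> str:   # destination pool WEBSERVER on this box
        return f"10.{self.n}.0.2"

    def outbound(self, src: str, sport: int, dst: str, dport: int):
        """NATHELL -> LESSNAT: policy check, then interface source NAT (PAT).
        Returns the (address, port) the packet carries on fe-0/0/7.0."""
        if ("NATHELL", "LESSNAT") not in self.policies:
            return None
        key = (src, sport, dst, dport)
        if key not in self.sessions:         # new session: allocate a PAT port
            self.sessions[key] = (self.outside, self.next_port)
            self.next_port += 1
        return self.sessions[key]

    def inbound(self, dst: str, dport: int):
        """LESSNAT -> NATHELL. Destination NAT runs before the policy lookup,
        so the policy is evaluated against the translated destination.
        Returns (new destination, forwarded?)."""
        if dst != self.outside or dport != 80:   # no DNAT match: not forwarded
            return dst, False
        return self.dnat_target, ("LESSNAT", "NATHELL") in self.policies


def build_chain(levels: int, inbound_policy: bool = False) -> List[Box]:
    boxes = [Box(n) for n in range(levels)]
    if inbound_policy:   # the LESSNAT->NATHELL policy from the 10-NAT config
        for b in boxes:
            b.policies.add(("LESSNAT", "NATHELL"))
    return boxes


def outbound_trace(boxes, client="10.0.0.10", sport=40000,
                   dst="8.8.8.8", dport=53):
    """Source address:port seen on the wire after each level of NAT."""
    trace, src, port = [], client, sport
    for b in boxes:
        src, port = b.outbound(src, port, dst, dport)
        trace.append((b.n, src, port))
    return trace


def inbound_trace(boxes, dport=80):
    """Destination address at each hop for a packet aimed at the outermost
    box's outside address; True only if every level DNATs and permits it."""
    dst = boxes[-1].outside
    trace = [dst]
    for b in reversed(boxes):
        dst, ok = b.inbound(dst, dport)
        if not ok:
            return trace, False
        trace.append(dst)
    return trace, dst == WEBSERVER


if __name__ == "__main__":
    chain = build_chain(30, inbound_policy=True)
    for n, src, port in outbound_trace(chain):
        print(f"after NATLAB{n}: {src}:{port}")   # 10.1.0.2:1024 ... 10.30.0.2:1024
    path, ok = inbound_trace(chain)
    print(" -> ".join(path), "reached webserver" if ok else "dropped")
    print(inbound_trace(build_chain(30)))         # no LESSNAT->NATHELL policy: dropped
```

The outbound trace is what the traceroute screenshots hide: every hop replaces the source with its own fe-0/0/7.0 address, so the far end only ever sees 10.30.0.2, and each box keeps its own session entry keyed on the previous box’s translated tuple.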

10 NATs per Box Attempt:

This config did not work for NATing between the routing instances over the lt interfaces. One thing worth checking before blaming lt: each lt pair is back to back (a packet sent out unit 0 arrives on unit 1), so in routing-instance 2 the forward path enters on lt-0/0/0.1 and leaves on lt-0/0/0.2. Rule-set th4, however, is written from interface lt-0/0/0.4 to interface lt-0/0/0.5, which pairs an interface of instance 3 with one of instance 4 rather than the ingress/egress pair one session actually sees on this box, and rule-set th3 uses to-zone transitHELL-3 although its egress interface lt-0/0/0.2 sits in transitHELL-2 (only Inbound-NAT, vlan.0 to lt-0/0/0.0, follows the ingress/egress pattern). The goal was:

[Diagram of the 10-NATs-per-box goal]

[bash]
set system host-name NATLAB1
set system domain-name cooperlees.com
set system root-authentication encrypted-password "$1$fU1Lb028$c/LeEFORggONDEgKovRyj."
set system name-server 192.168.83.6
set system name-server 192.168.83.5
set system name-server 8.8.8.8
set system services ssh
set system services dhcp pool 10.1.0.0/24 address-range low 10.1.0.10
set system services dhcp pool 10.1.0.0/24 address-range high 10.1.0.100
set system services dhcp pool 10.1.0.0/24 name-server 192.168.83.5
set system services dhcp pool 10.1.0.0/24 name-server 192.168.83.6
set system services dhcp pool 10.1.0.0/24 name-server 8.8.8.8
set system services dhcp pool 10.1.0.0/24 domain-search cooperlees.com
set system services dhcp pool 10.1.0.0/24 router 10.1.0.1
set interfaces interface-range ACCESS member-range fe-0/0/0 to fe-0/0/6
set interfaces interface-range ACCESS unit 0 family ethernet-switching
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.1.1.2/24
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 3
set interfaces lt-0/0/0 unit 2 family inet address 10.1.2.1/24
set interfaces lt-0/0/0 unit 3 encapsulation ethernet
set interfaces lt-0/0/0 unit 3 peer-unit 2
set interfaces lt-0/0/0 unit 3 family inet address 10.1.2.2/24
set interfaces lt-0/0/0 unit 4 encapsulation ethernet
set interfaces lt-0/0/0 unit 4 peer-unit 5
set interfaces lt-0/0/0 unit 4 family inet address 10.1.3.1/24
set interfaces lt-0/0/0 unit 5 encapsulation ethernet
set interfaces lt-0/0/0 unit 5 peer-unit 4
set interfaces lt-0/0/0 unit 5 family inet address 10.1.3.2/24
set interfaces lt-0/0/0 unit 6 encapsulation ethernet
set interfaces lt-0/0/0 unit 6 peer-unit 7
set interfaces lt-0/0/0 unit 6 family inet address 10.1.4.1/24
set interfaces lt-0/0/0 unit 7 encapsulation ethernet
set interfaces lt-0/0/0 unit 7 peer-unit 6
set interfaces lt-0/0/0 unit 7 family inet address 10.1.4.2/24
set interfaces lt-0/0/0 unit 8 encapsulation ethernet
set interfaces lt-0/0/0 unit 8 peer-unit 9
set interfaces lt-0/0/0 unit 8 family inet address 10.1.5.1/24
set interfaces lt-0/0/0 unit 9 encapsulation ethernet
set interfaces lt-0/0/0 unit 9 peer-unit 8
set interfaces lt-0/0/0 unit 9 family inet address 10.1.5.2/24
set interfaces lt-0/0/0 unit 10 encapsulation ethernet
set interfaces lt-0/0/0 unit 10 peer-unit 11
set interfaces lt-0/0/0 unit 10 family inet address 10.1.6.1/24
set interfaces lt-0/0/0 unit 11 encapsulation ethernet
set interfaces lt-0/0/0 unit 11 peer-unit 10
set interfaces lt-0/0/0 unit 11 family inet address 10.1.6.2/24
set interfaces lt-0/0/0 unit 12 encapsulation ethernet
set interfaces lt-0/0/0 unit 12 peer-unit 13
set interfaces lt-0/0/0 unit 12 family inet address 10.1.7.1/24
set interfaces lt-0/0/0 unit 13 encapsulation ethernet
set interfaces lt-0/0/0 unit 13 peer-unit 12
set interfaces lt-0/0/0 unit 13 family inet address 10.1.7.2/24
set interfaces lt-0/0/0 unit 14 encapsulation ethernet
set interfaces lt-0/0/0 unit 14 peer-unit 15
set interfaces lt-0/0/0 unit 14 family inet address 10.1.8.1/24
set interfaces lt-0/0/0 unit 15 encapsulation ethernet
set interfaces lt-0/0/0 unit 15 peer-unit 14
set interfaces lt-0/0/0 unit 15 family inet address 10.1.8.2/24
set interfaces lt-0/0/0 unit 16 encapsulation ethernet
set interfaces lt-0/0/0 unit 16 peer-unit 17
set interfaces lt-0/0/0 unit 16 family inet address 10.1.9.1/24
set interfaces lt-0/0/0 unit 17 encapsulation ethernet
set interfaces lt-0/0/0 unit 17 peer-unit 16
set interfaces lt-0/0/0 unit 17 family inet address 10.1.9.2/24
set interfaces fe-0/0/7 unit 0 family inet address 10.2.0.2/24
set interfaces vlan unit 0 family inet address 10.1.0.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.2.0.1
set security nat source rule-set Outbound-NAT from interface lt-0/0/0.17
set security nat source rule-set Outbound-NAT to interface fe-0/0/7.0
set security nat source rule-set Outbound-NAT rule egress-int-bitch match destination-address 0.0.0.0/0
set security nat source rule-set Outbound-NAT rule egress-int-bitch then source-nat interface
set security nat source rule-set th3 from zone transitHELL-2
set security nat source rule-set th3 to zone transitHELL-3
set security nat source rule-set th3 rule natAll-1 match destination-address 0.0.0.0/0
set security nat source rule-set th3 rule natAll-1 then source-nat interface
set security nat source rule-set th4 from interface lt-0/0/0.4
set security nat source rule-set th4 to interface lt-0/0/0.5
set security nat source rule-set th4 rule natAll-2 match destination-address 0.0.0.0/0
set security nat source rule-set th4 rule natAll-2 then source-nat interface
set security nat source rule-set th5 from interface lt-0/0/0.6
set security nat source rule-set th5 to interface lt-0/0/0.7
set security nat source rule-set th5 rule natAll-3 match destination-address 0.0.0.0/0
set security nat source rule-set th5 rule natAll-3 then source-nat interface
set security nat source rule-set th6 from interface lt-0/0/0.8
set security nat source rule-set th6 to interface lt-0/0/0.9
set security nat source rule-set th6 rule natAll-4 match destination-address 0.0.0.0/0
set security nat source rule-set th6 rule natAll-4 then source-nat interface
set security nat source rule-set th7 from interface lt-0/0/0.10
set security nat source rule-set th7 to interface lt-0/0/0.11
set security nat source rule-set th7 rule natAll-5 match destination-address 0.0.0.0/0
set security nat source rule-set th7 rule natAll-5 then source-nat interface
set security nat source rule-set th8 from interface lt-0/0/0.12
set security nat source rule-set th8 to interface lt-0/0/0.13
set security nat source rule-set th8 rule natAll-6 match destination-address 0.0.0.0/0
set security nat source rule-set th8 rule natAll-6 then source-nat interface
set security nat source rule-set Inbound-NAT from interface vlan.0
set security nat source rule-set Inbound-NAT to interface lt-0/0/0.0
set security nat source rule-set Inbound-NAT rule natAll-0 match destination-address 0.0.0.0/0
set security nat source rule-set Inbound-NAT rule natAll-0 then source-nat interface
set security nat source rule-set th9 from interface lt-0/0/0.14
set security nat source rule-set th9 to interface lt-0/0/0.15
set security nat source rule-set th9 rule natAll-7 match destination-address 0.0.0.0/0
set security nat source rule-set th9 rule natAll-7 then source-nat interface
set security nat source rule-set th10 from interface lt-0/0/0.16
set security nat source rule-set th10 to interface lt-0/0/0.17
set security nat source rule-set th10 rule natAll-8 match destination-address 0.0.0.0/0
set security nat source rule-set th10 rule natAll-8 then source-nat interface
set security nat destination pool WEBSERVER address 10.1.0.10/32
set security nat destination rule-set Internet-PAT from zone LESSNAT
set security nat destination rule-set Internet-PAT rule WEBSERVER-PAT match destination-address 10.2.0.2/32
set security nat destination rule-set Internet-PAT rule WEBSERVER-PAT match destination-port 80
set security nat destination rule-set Internet-PAT rule WEBSERVER-PAT then destination-nat pool WEBSERVER
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch match source-address any
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch match destination-address any
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch match application any
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch then permit
set security policies from-zone NATHELL to-zone LESSNAT policy allow-all-bitch then log session-init
set security policies from-zone LESSNAT to-zone NATHELL policy allow-webserver-traffic match source-address any
set security policies from-zone LESSNAT to-zone NATHELL policy allow-webserver-traffic match destination-address any
set security policies from-zone LESSNAT to-zone NATHELL policy allow-webserver-traffic match application junos-icmp-all
set security policies from-zone LESSNAT to-zone NATHELL policy allow-webserver-traffic match application junos-http
set security policies from-zone LESSNAT to-zone NATHELL policy allow-webserver-traffic match application junos-ssh
set security policies from-zone LESSNAT to-zone NATHELL policy allow-webserver-traffic then permit
set security policies from-zone LESSNAT to-zone NATHELL policy allow-webserver-traffic then log session-init
set security policies from-zone NATHELL to-zone transitHELL-2 policy NATHELL-to-th2 match source-address any
set security policies from-zone NATHELL to-zone transitHELL-2 policy NATHELL-to-th2 match destination-address any
set security policies from-zone NATHELL to-zone transitHELL-2 policy NATHELL-to-th2 match application any
set security policies from-zone NATHELL to-zone transitHELL-2 policy NATHELL-to-th2 then permit
set security policies from-zone transitHELL-2 to-zone transitHELL-3 policy allow-transit-2 match source-address any
set security policies from-zone transitHELL-2 to-zone transitHELL-3 policy allow-transit-2 match destination-address any
set security policies from-zone transitHELL-2 to-zone transitHELL-3 policy allow-transit-2 match application any
set security policies from-zone transitHELL-2 to-zone transitHELL-3 policy allow-transit-2 then permit
set security policies from-zone transitHELL-3 to-zone transitHELL-4 policy allow-transit-4 match source-address any
set security policies from-zone transitHELL-3 to-zone transitHELL-4 policy allow-transit-4 match destination-address any
set security policies from-zone transitHELL-3 to-zone transitHELL-4 policy allow-transit-4 match application any
set security policies from-zone transitHELL-3 to-zone transitHELL-4 policy allow-transit-4 then permit
set security policies from-zone transitHELL-4 to-zone transitHELL-5 policy allow-transit-5 match source-address any
set security policies from-zone transitHELL-4 to-zone transitHELL-5 policy allow-transit-5 match destination-address any
set security policies from-zone transitHELL-4 to-zone transitHELL-5 policy allow-transit-5 match application any
set security policies from-zone transitHELL-4 to-zone transitHELL-5 policy allow-transit-5 then permit
set security policies from-zone transitHELL-5 to-zone transitHELL-6 policy allow-transit-6 match source-address any
set security policies from-zone transitHELL-5 to-zone transitHELL-6 policy allow-transit-6 match destination-address any
set security policies from-zone transitHELL-5 to-zone transitHELL-6 policy allow-transit-6 match application any
set security policies from-zone transitHELL-5 to-zone transitHELL-6 policy allow-transit-6 then permit
set security policies from-zone transitHELL-6 to-zone transitHELL-7 policy allow-transit-7 match source-address any
set security policies from-zone transitHELL-6 to-zone transitHELL-7 policy allow-transit-7 match destination-address any
set security policies from-zone transitHELL-6 to-zone transitHELL-7 policy allow-transit-7 match application any
set security policies from-zone transitHELL-6 to-zone transitHELL-7 policy allow-transit-7 then permit
set security policies from-zone transitHELL-7 to-zone transitHELL-8 policy allow-transit-8 match source-address any
set security policies from-zone transitHELL-7 to-zone transitHELL-8 policy allow-transit-8 match destination-address any
set security policies from-zone transitHELL-7 to-zone transitHELL-8 policy allow-transit-8 match application any
set security policies from-zone transitHELL-7 to-zone transitHELL-8 policy allow-transit-8 then permit
set security policies from-zone transitHELL-8 to-zone transitHELL-9 policy allow-transit-9 match source-address any
set security policies from-zone transitHELL-8 to-zone transitHELL-9 policy allow-transit-9 match destination-address any
set security policies from-zone transitHELL-8 to-zone transitHELL-9 policy allow-transit-9 match application any
set security policies from-zone transitHELL-8 to-zone transitHELL-9 policy allow-transit-9 then permit
set security policies from-zone transitHELL-9 to-zone LESSNAT policy 9-to-LESSNAT match source-address any
set security policies from-zone transitHELL-9 to-zone LESSNAT policy 9-to-LESSNAT match destination-address any
set security policies from-zone transitHELL-9 to-zone LESSNAT policy 9-to-LESSNAT match application any
set security policies from-zone transitHELL-9 to-zone LESSNAT policy 9-to-LESSNAT then permit
set security policies default-policy permit-all
set security zones security-zone NATHELL host-inbound-traffic system-services all
set security zones security-zone NATHELL host-inbound-traffic protocols all
set security zones security-zone NATHELL interfaces vlan.0
set security zones security-zone NATHELL interfaces lt-0/0/0.0
set security zones security-zone LESSNAT host-inbound-traffic system-services all
set security zones security-zone LESSNAT host-inbound-traffic protocols all
set security zones security-zone LESSNAT interfaces fe-0/0/7.0
set security zones security-zone LESSNAT interfaces lt-0/0/0.17
set security zones security-zone transitHELL-2 host-inbound-traffic system-services all
set security zones security-zone transitHELL-2 host-inbound-traffic protocols all
set security zones security-zone transitHELL-2 interfaces lt-0/0/0.1
set security zones security-zone transitHELL-2 interfaces lt-0/0/0.2
set security zones security-zone transitHELL-3 host-inbound-traffic system-services all
set security zones security-zone transitHELL-3 host-inbound-traffic protocols all
set security zones security-zone transitHELL-3 interfaces lt-0/0/0.3
set security zones security-zone transitHELL-3 interfaces lt-0/0/0.4
set security zones security-zone transitHELL-4 host-inbound-traffic system-services all
set security zones security-zone transitHELL-4 host-inbound-traffic protocols all
set security zones security-zone transitHELL-4 interfaces lt-0/0/0.5
set security zones security-zone transitHELL-4 interfaces lt-0/0/0.6
set security zones security-zone transitHELL-5 host-inbound-traffic system-services all
set security zones security-zone transitHELL-5 host-inbound-traffic protocols all
set security zones security-zone transitHELL-5 interfaces lt-0/0/0.7
set security zones security-zone transitHELL-5 interfaces lt-0/0/0.8
set security zones security-zone transitHELL-6 host-inbound-traffic system-services all
set security zones security-zone transitHELL-6 host-inbound-traffic protocols all
set security zones security-zone transitHELL-6 interfaces lt-0/0/0.9
set security zones security-zone transitHELL-6 interfaces lt-0/0/0.10
set security zones security-zone transitHELL-7 host-inbound-traffic system-services all
set security zones security-zone transitHELL-7 host-inbound-traffic protocols all
set security zones security-zone transitHELL-7 interfaces lt-0/0/0.11
set security zones security-zone transitHELL-7 interfaces lt-0/0/0.12
set security zones security-zone transitHELL-8 host-inbound-traffic system-services all
set security zones security-zone transitHELL-8 host-inbound-traffic protocols all
set security zones security-zone transitHELL-8 interfaces lt-0/0/0.13
set security zones security-zone transitHELL-8 interfaces lt-0/0/0.14
set security zones security-zone transitHELL-9 host-inbound-traffic system-services all
set security zones security-zone transitHELL-9 host-inbound-traffic protocols all
set security zones security-zone transitHELL-9 interfaces lt-0/0/0.15
set security zones security-zone transitHELL-9 interfaces lt-0/0/0.16
set routing-instances 1 instance-type virtual-router
set routing-instances 1 interface lt-0/0/0.0
set routing-instances 1 interface vlan.0
set routing-instances 1 routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
set routing-instances 10 instance-type virtual-router
set routing-instances 10 interface lt-0/0/0.17
set routing-instances 10 interface fe-0/0/7.0
set routing-instances 10 routing-options static route 0.0.0.0/0 next-hop 10.2.0.1
set routing-instances 2 instance-type virtual-router
set routing-instances 2 interface lt-0/0/0.1
set routing-instances 2 interface lt-0/0/0.2
set routing-instances 2 routing-options static route 0.0.0.0/0 next-hop 10.1.2.2
set routing-instances 3 instance-type virtual-router
set routing-instances 3 interface lt-0/0/0.3
set routing-instances 3 interface lt-0/0/0.4
set routing-instances 3 routing-options static route 0.0.0.0/0 next-hop 10.1.3.2
set routing-instances 4 instance-type virtual-router
set routing-instances 4 interface lt-0/0/0.5
set routing-instances 4 interface lt-0/0/0.6
set routing-instances 4 routing-options static route 0.0.0.0/0 next-hop 10.1.4.2
set routing-instances 5 instance-type virtual-router
set routing-instances 5 interface lt-0/0/0.7
set routing-instances 5 interface lt-0/0/0.8
set routing-instances 5 routing-options static route 0.0.0.0/0 next-hop 10.1.5.2
set routing-instances 6 instance-type virtual-router
set routing-instances 6 interface lt-0/0/0.9
set routing-instances 6 interface lt-0/0/0.10
set routing-instances 6 routing-options static route 0.0.0.0/0 next-hop 10.1.6.2
set routing-instances 7 instance-type virtual-router
set routing-instances 7 interface lt-0/0/0.11
set routing-instances 7 interface lt-0/0/0.12
set routing-instances 7 routing-options static route 0.0.0.0/0 next-hop 10.1.7.2
set routing-instances 8 instance-type virtual-router
set routing-instances 8 interface lt-0/0/0.13
set routing-instances 8 interface lt-0/0/0.14
set routing-instances 8 routing-options static route 0.0.0.0/0 next-hop 10.1.8.2
set routing-instances 9 instance-type virtual-router
set routing-instances 9 interface lt-0/0/0.15
set routing-instances 9 interface lt-0/0/0.16
set routing-instances 9 routing-options static route 0.0.0.0/0 next-hop 10.1.9.2
set vlans default l3-interface vlan.0
[/bash]

Conf Generation Shell Script:

[bash]
#!/bin/bash
# Generate one config per box from template.txt, where #N is the box
# number and #N1 is the next box's number (used for the outside /24 and
# the default route). #N1 must be substituted before #N, otherwise the
# #N pattern would also eat the first half of every #N1.
set -e

for i in $(seq 0 30); do
    echo -n "Doing $i …"

    N1=$((i + 1))

    cp template.txt "$i.conf"

    # Replace N1 first
    sed -i "s/#N1/$N1/g" "$i.conf"

    # Then replace N
    sed -i "s/#N/$i/g" "$i.conf"

    echo " done"
done
[/bash]

Until we NAT again …

Juniper SRX Chassis Cluster RG0 Nagios Check

I was required to check (as this customer did not have a trap collector) which node was active for redundancy group 0 on an SRX cluster. So I thought I would check for an SNMP OID that is only presented by the active RG0 node. This script uses snmpwalk and is configured for SNMP v2c (this can easily be changed). It has been tested on:

  • CentOS 5
  • Junos 11.4R2
  • SNMP v2c

Here is the little hacky shell script:

[bash]
#!/bin/bash

# Cooper Lees <me@cooperlees.com>
# Dirty Cluster RG0 checker
# Last Updated: 20120818
#
# Nagios exit codes: 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN
# Usage: check_srx_rg0.sh <host> <community>

HOST="$1"
COMMUNITY="$2"

if [ -z "$HOST" ] || [ -z "$COMMUNITY" ]; then
    echo "ERROR: No host or SNMP community specified"
    exit 2
fi

# jnxRedundancyState; on an SRX cluster only the node holding RG0 answers it.
# -Oe prints enumerations numerically even when the Juniper MIBs are loaded,
# so the "INTEGER: 2" (master) match below keeps working.
SNMPOUTPUT=$(snmpwalk -v 2c -Oe -c "$COMMUNITY" "$HOST" 1.3.6.1.4.1.2636.3.1.14.1.7 2>&1)

if echo "$SNMPOUTPUT" | grep -q "INTEGER: 2"; then
    echo "Host $HOST is the Chassis cluster ACTIVE RE"
    exit 0
fi

if echo "$SNMPOUTPUT" | grep -q "No Such Object available on this agent at this OID"; then
    echo "Host $HOST is the INACTIVE RE"
    exit 2
fi

# Timeouts, wrong community etc. land here; show what snmpwalk said.
echo "WTF – Something is not right … $SNMPOUTPUT"
exit 3
[/bash]

It walks the ‘jnxRedundancyState’ OID. That OID really reports Routing Engine redundancy state and is only accurate as such on Junos routers (e.g. M and MX series); on an SRX cluster the trick is simply that only the node holding RG0 answers it at all.

Enjoy …

SRX Branch Chassis Cluster Ports

Here is a table of the ports that are used for chassis cluster control link and management ports on Branch SRX devices.

The quoted ports are the ‘stand alone’ (non-clustered) port names, not node1’s port names once clustered. In an SRX cluster the PIM slots on node1 start at the last PIM slot of node0 + 1. For example, an SRX240 cluster’s node1 starts at PIM 5, so its control link port is effectively ge-5/0/1.

Model    FXP0 (Management)          FXP1 (Control Link)
SRX100   fe-0/0/6                   fe-0/0/7
SRX210   fe-0/0/6                   fe-0/0/7
SRX220   ge-0/0/6 (Junos > 11.0)    ge-0/0/7
SRX240   ge-0/0/0                   ge-0/0/1
SRX550   ge-0/0/0                   ge-0/0/1
SRX650   ge-0/0/0                   ge-0/0/1

The fab0 and fab1 interfaces (Data Link) are always configurable, e.g.:

  • set interfaces fab0 fabric-options member-interfaces ge-0/0/2
  • set interfaces fab1 fabric-options member-interfaces ge-5/0/2

Juniper SRX Screens + Dynamic VPNs

A little tip about SRX Dynamic VPNs and ‘security screens’ on the VPN’s ingress zone that I stumbled across during my JNCIE-SEC study.

UPDATE (20120401): Seems Juniper has addressed and fixed this bug …
More info:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21713&actp=RSS 

It seems you cannot have the ‘IP spoofing’ screen enabled on the zone where IPsec Dynamic VPN traffic ingresses. The traffic is dropped by the screen, which can be seen with ‘set security flow traceoptions flag basic-datapath’:

  • ‘packet dropped, drop by spoofing check.’

So removing (or deactivating) the ip spoofing check solved the problem:

  • deactivate security screen ids-option from-Internet ip spoofing

Kind of lame: the spoofing screen sounds like a good idea on your Internet-facing interfaces, but it seems a no-no if you want dynamic VPNs (and deactivating it drops the check for all traffic in that zone, not just the VPN clients). That is all. Hopefully Juniper eventually make this check smarter.

SRX110 and ADSL2+

So work was awesome this year and bought me an SRX110 for Xmas. I thought I would share: to configure its VDSL interface to use ADSL (with Australian VPI and VCI), you just configure the interface as if it were an ADSL PIM.

Here is the config:

[plain]
set interfaces at-1/0/0 description "ADSL Interface"
set interfaces at-1/0/0 mtu 1540
set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 atm-options vpi 8
set interfaces at-1/0/0 dsl-options operating-mode auto
set interfaces at-1/0/0 unit 0 description PPPoA
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-llc
set interfaces at-1/0/0 unit 0 vci 8.35
set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret "PASSWORD"
set interfaces at-1/0/0 unit 0 ppp-options chap local-name "username@ISP"
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 family inet address x.x.x.x/32
[/plain]

JUNOS AppSecure now on Branch SRXs

So application identification / firewall / AppSecure has made its way to the branch. This is awesome news. I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With my simple rule base I have seen a 1ms increase in my latency!!

After adding the license you can now perform the following:

Install Application identification

request services application-identification download

Check the status:

  • request services application-identification download status
    Application package 1980 is installed successfully.

Create a Application Ruleset

All that is happening here is that YouTube is BLOCKED and everything else is allowed.

[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]

Add to a security policy:

There are now ‘application-services’ settings to apply to policies, ‘application-firewall’ among them:

cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall  Application firewall services
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don’t inherit configuration data from these groups
gprs-gtp-profile     Specify GPRS Tunneling Protocol profile name
gprs-sctp-profile    Specify GPRS stream control protocol profile name
idp                  Intrusion detection and prevention
redirect-wx          Set WX redirection
reverse-redirect-wx  Set WX reverse redirection
> uac-policy           Enable unified access control enforcement of policy
utm-policy           Specify utm policy name

Example Policy:

[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]

TODO: Play with ‘application-tracking’. Will update blog post once I have.

So it’s that simple … Application firewalling is now across the whole SRX range … win.

MiToken + Junos Two Factor Radius Authentication

Do you have Junos devices? If you do, excellent choice. Do you have MiToken? Once again, love your work there. If you don’t have MiToken, it’s a plug-in for Microsoft IAS/NPS servers that allows multiple types of hard and soft tokens to be used, giving secure OTPs with two factor authentication against your Active Directory domain(s).

This post will guide you through configuring Junos to use MiToken for two factor authentication to help harden your Junos devices.

For more information on MiToken visit mi-token.com.
This configuration has been tested with Junos 11.1R3.5. Junos is a registered trademark of Juniper Networks.

Junos Device Config:

Now go jump into Junos configuration mode and set the following:

[text]
# Authenticate against RADIUS. With only 'radius' in the order, Junos
# still falls back to the local password database if no RADIUS server
# responds, but not when a server rejects the login; add 'password' to
# the order only if local passwords should also work when RADIUS says no.
set system authentication-order radius

set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x secret "SECRET"
set system radius-server x.x.x.x timeout 10
set system radius-server x.x.x.x retry 2
# Must match the RADIUS client address defined in NPS
set system radius-server x.x.x.x source-address x.x.x.x

# Block everyone by default: RADIUS-authenticated users without a local
# account land on the 'remote' template and get the unauthorized class
set system login user remote full-name Radius-User
set system login user remote class unauthorized

# Create users who should get access (the class comes from the local account)
set system login user john full-name "John Smith"
set system login user john class super-user
[/text]
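To see what the ‘secret’ and ‘source-address’ lines above actually buy you, here is an added Python example (not from this post, and not Mi-Token or Juniper code) of the RFC 2865 exchange between the Junos box, acting as the NAS, and the RADIUS server: the shared secret hides the User-Password attribute and signs the server’s reply, so a host that does not know it can neither read the credentials nor forge an Access-Accept. The user name, addresses and the credential check are constructed for the demo; the real server validates the AD password and the token through MiToken.

```python
"""Added example (not from the post, not Mi-Token/Juniper code): RFC 2865
Access-Request / Access-Accept between a NAS (the Junos box) and the
RADIUS server. Shows the two jobs of the shared secret: hiding
User-Password and authenticating the reply. Demo values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), the first block using the Request
    Authenticator. Obfuscation, not encryption: the secret recovers it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drops the padding


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def access_request(user, password, secret, nas_ip, ident, req_auth=None):
    """What the Junos box sends; nas_ip stands in for its source-address."""
    req_auth = req_auth or os.urandom(16)   # fresh, unpredictable per request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_reply(request: bytes, secret: bytes, check) -> bytes:
    """Server side (NPS + MiToken in the post; 'check' stands in for the AD
    password + token validation): unhide the password, decide, sign."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    ok = check(attrs[USER_NAME].decode(),
               reveal_password(attrs[USER_PASSWORD], secret, req_auth))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(REPLY_MESSAGE, b"welcome" if ok else b"denied")]
    auth = response_authenticator(code, ident, req_auth, reply_attrs, secret)
    return build_packet(code, ident, auth, reply_attrs)


def verify_reply(reply: bytes, request: bytes, secret: bytes):
    """Client side: honour the reply only if its ID matches the request and
    its authenticator was computed with the shared secret. Returns the code
    (ACCESS_ACCEPT / ACCESS_REJECT) or None for a forged or stray reply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    attrs = decode_attrs(reply[20:length])
    expected = response_authenticator(code, ident, request[4:20], attrs, secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


# Constructed credential store for the demo only.
DEMO_USERS = {"john": b"hunter2-123456"}


def demo_check(user: str, password: bytes) -> bool:
    return DEMO_USERS.get(user) == password


if __name__ == "__main__":
    secret = b"SECRET"
    req = access_request("john", "hunter2-123456", secret, "192.0.2.10", ident=7)
    print(verify_reply(server_reply(req, secret, demo_check), req, secret))    # 2 = Accept
    print(verify_reply(server_reply(req, b"wrong", demo_check), req, secret))  # None
```

Because the password hiding is MD5-based obfuscation rather than real encryption, treat the shared secret like a password: make it long and random, give each Junos device its own, and restrict which sources may reach UDP/1812 on the NPS host; the address in the NPS RADIUS client entry is exactly what the Junos source-address setting feeds.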

MiToken / NPS Configuration:

Now let’s configure the MiToken side to accept RADIUS packets from our Junos device(s). The only downside to MiToken is that it runs on Windows :-(.

1) Define a RADIUS client in NPS

Right click on RADIUS Clients and choose ‘New RADIUS Client’. The client address is the Junos source-address and the shared secret must match the radius-server secret configured above.

2) Define a connection request policy

Set up your policy to identify your Junos devices … For more information refer to the MiToken Admin guide.

Requiring Windows Authentication here is optional. If you do not require it you are back to single factor (OTP only) authentication.

3) Enable MiToken on the connection request policy for Junos devices

4) Enjoy your RADIUS dual factor authentication. Your auditors and boss will now love you. Hit them up for a raise.

5) Send some praise Cooper’s way 🙂