반응형
SMALL

ScreenOS divides its routing component into two virtual routers—untrust-VR and trust-VR. If you have obtained and loaded a virtual router (VR) software key, you can create a new VR. Multiple VRs can exist, but trust-VR is the default.

Additionally, you can set basic parameters for the untrust-VR and trust-VR and for user-defined VRs. When you set parameters for a VR, you can also configure dynamic routing protocols.

If you configure AutoConnect virtual private network (AC-VPN), you must enable Next-Hop Resolution Protocol (NHRP) on the VR.

To Create or Modify a Virtual Router

  1. Enter the required information:

Virtual Router Name: Indicates the name of the VR.

Virtual Router ID: Indicates one of two settings that identify the VR.

Use System Default: Indicates that the IP address of the VR acts as the ID of the routing instance.

Custom: Enables you to set an IP address to identify the virtual routing instance that is different from the default address.

Management VR: Designates this VR as the management virtual router (MGT VR). A MGT VR supports the out-of-band management infrastructure and segments security device management traffic away from production traffic.

Maximum Route Entry: Indicates the upper limit of the number of routes the VR can store in its routing table.

Unlimited: Indicates that the current virtual routing instance has no upper limit for the number of routes it can store in its routing table.

Set Limit At: Enables you to set a specified upper limit for the number of routes the current VR can store in its routing table.

Maximum ECMP Routes: Enables you to set a specified upper limit for the maximum number of equal cost multipath (ECMP) routes that can exist for each protocol and for static routes in a routing table. Specify 2, 3, or 4. Setting the limit enables ECMP routing so that the security device can perform load balancing between ECMP routes.

Route Lookup Preference: Specifies the order in which the VR performs route lookup, if source-based routing or source interface-based routing (SIBR) is enabled in the VR. The VR checks the routing table with the highest preference value first.

For Destination Routing: Assigns a preference value for the destination-based routing table. The default value is 1. Enter a value between 1 and 255.

For Source Based Routing: Assigns a preference value for the source-based routing table. The default value is 2. Enter a value between 1 and 255.

For Source Interface Based Routing: Assigns a preference value for the SIBR routing table. The default value is 3. Enter a value between 1 and 255.

Use default route: (For the trust-VR only) Adds a default route with the specified VR as the next hop.

Shared and accessible by other vsys: Indicates that the root-level local VR is accessible from a virtual system (vsys). The untrust-VR is, by default, shared by all other vsys.

Ignore Subnet Conflict for Interfaces in This VRouter: Directs the VR to ignore overlapping subnet addresses for interfaces in the VR.

Make This VRouterDefault-Vrouter for the System: Sets this VR as the default VR for the vsys. The trust-VR is the default VR for the root system.

Auto Export Route to Untrust-VR: Directs the VR to export public interface routes to the untrust-VR.

Make SNMP Trap Private: (This option is only available for the default root-level VR.) Enables you to make Simple Network Management Protocol (SNMP) traps for the dynamic routing MIBs private for the VR.

Enable Source Based Routing: Enables source based routing on this VR.

Enable Source Interface Based Routing: Enables source interface-based routing on this VR.

Advertise Routes on Inactive Interfaces: Directs the VR to consider active routes on inactive interfaces for advertising.

Permit sync VR configure to NSRP peer: Directs the VR to synchronize its configuration with the VR on its NetScreen Redundancy Protocol (NSRP) peer.

Route Preference: Displays various ways to identify the desirability of a route in the current VR. The lower the value, the more probable the VR will select the route.

Auto Exported: Indicates the level of desirability associated with the decision the current VR makes to select an automatically exported route from other VRs on the network.  

Imported: Indicates the level of desirability associated with the decision the current virtual routing instance makes to select a route imported from another VR on the network.  

EBGP: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Exterior Border Gateway Protocol (EBGP) router.

OSPF: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Open Shortest Path First (OSPF) router.

RIP/RIPng: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from a Routing Information Protocol (RIP) or a Routing Information Protocol Next Generation (RIPng) router. RIPng is intended only for use in IPv6 networks.

Connected: Indicates the level of desirability associated with the decision the current VR makes to select a route sent from a router that has at least one interface with an IP address assigned to it.

Static: Indicates the level of desirability associated with the decision the current VR makes to select a static or manually configured route.

IBGP: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Interior Border Gateway Protocol (IBGP) router.

OSPF External Type 2: Indicates the level of desirability associated with the decision the current VR makes to select OSPF External-Type-2 routes.

  1. Click OK to save your changes and return to the Virtual Router List. Click Apply to continue configuring the VR.

If you clicked Apply, the Dynamic Routing Protocols Support area displays with the following links:

BGP: A link for creating a Border Gateway Protocol (BGP) routing instance. For more information, see Virtual Router BGP Settings.

OSPF: A link for creating an OSPF routing instance. For more information, see OSPF Virtual Router Settings.

RIP: A link for creating a RIP routing instance. For more information, see RIP Virtual Router Settings.

RIPng: A link for creating a RIPng routing instance. For more information, see RIPng Virtual Router Settings.

Next Hop Resolution Protocol (NHRP) Support: If you are configuringAC-VPN,click NHRP Setting to enable NHRP and configure Next Hop Client (NHC) cache entries.

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Network' 카테고리의 다른 글

한드림넷 보안스위치 사용자 알림 설정  (0) 2012.07.12
Alteon L4 FWLB Sample  (0) 2012.04.20
Juniper EX-series Switch Password Recovery  (0) 2012.02.17
Alteon config 기본 설정  (2) 2012.02.07
Alteon SLB에서 PIP(Proxy IP) 설정  (1) 2012.02.04
반응형
SMALL
LAN to LAN VPN between two Juniper firewalls in Transparent mode

 

Summary:
VPN terminates at the Juniper firewall in Transparent mode.
How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.

 

Problem or Goal:
How is a VPN configured between two Juniper firewalls in Transparent mode?
This example will be based on a VPN between two SSG140s, using ScreenOS 5.4.0r8.0; however, this config is valid with ScreenOS 5.x and 6.x.



Assumptions:

Firewall at Site A and Site B are in Transparent mode and connected to the Internet.
Internal network on the Firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50
Internal network on the Firewall at Site B is 1.1.2.0 255.255.255.0. The internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50
Assuming both P1 and P2 are using "standard" security level, the Preshare key for P1 is "netscreen", and Replay Protection is disabled.


 

 

Solution:
The steps are documented below.

Note that when the Virtual Private Network (VPN) tunnel uses a pair of Juniper firewalls in Transparent mode as the termination point, the security gateway needs to point to the IP address of the peer's VLAN1 interface.
Additionally, the Transparent mode Juniper firewall needs a static route to reach the remote IPSec gateway.



Site A Configuration details:
--------------------------------------

Define address objects



WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-B
    * IP Address/Netmask: 1.1.2.0/24

Choose V1-Trust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-A
    * IP address/Netmask: 1.1.1.0/24


CLI:
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24



Define IKE gateway (Phase 1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toB
  •   Security Level: Standard
  •   Static IP Address: 1.1.2.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard



Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toB
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toB

CLI:
set vpn toB gateway toB sec-level standard



Define policy



WEBUI:
Select Policies and following, then click New
  •   From: V1-Trust
  •   To: V1 Untrust
Enter following and click OK
  •   Source Address: Address Book Entry, lan-A
  •   Destination Address: Address Boot Entry, lan-B
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toB
  •   Modify matching bidirectional VPN policy: check 

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.1.1
 
CLI:
set route 0.0.0.0/0 gateway 1.1.1.1

 


Site B Configuration details:
--------------------------------------

Define address objects



WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-A
  •     IP Address/Netmask: 1.1.1.0/24
Choose V1-Trust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-B
  •     IP address/Netmask: 1.1.2.0/24

CLI:
set address v1-trust lan-B 1.1.2.0/24
set address v1-trust lan-A 1.1.1.0/24



Define IKE gateway (Phase1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toA
  •   Security Level: Standard
  •   Static IP Address: 1.1.1.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard


Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toA
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toA

CLI:
set vpn toA gateway toA sec-level standard


Define policy



WEBUI:
Select Policies and following, then click New
  •   From: V1-Trust
  •   To: V1-Untrust

Enter following and click OK

  •   Source Address: Address Book Entry, lan-B
  •   Destination Address: Address Boot Entry, lan-A
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toA
  •   Modify matching bidirectional VPN policy: check 

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.2.1
CLI:
set route 0.0.0.0/0 gateway 1.1.2.1

 


Note: Technical Documentation

A Transparent mode VPN example is also included in the Technical Documentation:

ScreenOS  Concepts & Examples ScreenOS Reference Guide, Volume 5:  Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
“Transparent Mode VPN” Example

 

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf 
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf

 

 

Purpose:
Troubleshooting

 

 

Related Links:

 

 

 

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX Firewall Password Recovery  (0) 2012.03.21
Juniper 인터넷 2회선을 이용한 Load Balancing  (0) 2012.02.21
Juniper Firewall ALG  (0) 2012.02.20
Juniper Firewall DHCP Server Configuration  (0) 2012.01.27
LG SafeZone IPS 2400 뒷면.....  (0) 2012.01.26
반응형
SMALL

 


*ALG(Application Layer Gateway)란?

NetScreen에서 V5.0에서 특정한 프로토콜(SIP, FTP, H.323 등)을 지원하는 신규 기능으로 ALG는 특정한 트래픽을 분석하여 NetScreen 방화벽을 통과하여 서비스가 가능하도록 resource 할당, 유동적인 방화벽 정책(ex: dynamic port을 요청하는 경우 편리하게 지원가능)을 설정할 수 있도록 지원할 수 있는 기능으로 Protocol Convert 역할을 할 수 있음, 알려진 포트를 사용하는 경우 및 정책에서 지정하는 경우 ALG기능을 사용할 수 있으며 ALG는 해당 프로토콜의 Payload 내용을 감지 또는 변경할 수 있습니다.

[출처] ISG1000장비의 ALG기능 질문입니다.. (주니퍼 엔지니어 모임) |작성자 네오

ALG 관련 ISSUE가 한번 있었다.
본사와 지사간의 VPN G to G를 설치하기 위해 부산과 대전을 다녀온 적이 있다.
VPN 설정하고 통신 테스트 하고 전혀 문제가 되지 않았는데... 한곳에서 SIP 관련 ISSUE가 발생을 했다.
인터넷 전화를 사용하는 업체인데 전화가 걸려오는 전화를 받는 것은 문제가 없었는데,

다른 곳에서 울리는 전화를 땡겨받기를 할 경우

약 8-10초간 아무 소리도 안 들리다가 이후 통화가 가능한가 싶더니 15-17초 이후 전화 연결이 자동으로 끊어졌다.
통신에 필요한 프로토콜은 SIP 하나였는데 Rule 부분의 문제는 아니었다.
결론적으로 주니퍼 방화벽의 메뉴중 Security 탭의 ALG에서 SIP를 Disable 시켜서 원인 해결이 되었다.
위에서 언급했듯이 ALG 는 L7 기반의 Application Layer Gateway를 처리 하다 보니 우리가 알지 못했던 비 정상적인
패킷에 대해서 처리가 이루어지기 때문에 오동작으로 오해하기가 쉽다.
더 신중한 보안 및 Application 처리를 위해서 ALG를 사용하는 것은 맞지만 국내 현실에 맞지 않는 부분도 많은 것 같다.

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Juniper 인터넷 2회선을 이용한 Load Balancing  (0) 2012.02.21
LAN to LAN VPN between two Juniper firewalls in Transparent mode  (0) 2012.02.20
Juniper Firewall DHCP Server Configuration  (0) 2012.01.27
LG SafeZone IPS 2400 뒷면.....  (0) 2012.01.26
웹방화벽 WebFront 소개 자료 및 채널 교육 자료  (0) 2012.01.12
반응형
SMALL

반응형
LIST
저작자표시 비영리 변경금지

'지금 이 순간' 카테고리의 다른 글

아라뱃길  (0) 2012.03.18
i-rocks BT-6460 Slim & Compact Bluetooth Mobile Keyboard  (0) 2012.03.13
오늘의 점심은 깐풍새우 정식  (0) 2012.02.16
Naver Open Cast  (0) 2012.02.16
홈플러스 Croissant (크로아상, 크로와상) 생지로 바로 굽기  (0) 2012.02.13
반응형
SMALL


Summary:

This article describes how to recover a lost or forgotten password for the EX-series Switch.

 

Problem or Goal:

Lost root password for the EX-series Switch.

 

 

Solution:

Troubleshooting Loss of the Root Password on the EX-series Switch

Problem:
If you forget the root password for the switch, you can use the password recovery procedure to reset the root password.

NOTE: You need physical access to the switch to recover the root password. This is done by direct console access or through a console server to the console port on the EX Switch.

Solution To recover the root password:
  1. Power off your switch by unplugging the power cord or turning off the power at the wall switch.
  1. Insert one end of the Ethernet cable into the serial port on the management device and connect the other end to the console port on the back of the switch.
  1. On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
  1. Configure the port settings as follows:
  • Bits per second: 9600
  • Data bits: 8
  • Parity: None
  • Stop bits: 1
  • Flow control: None
  1. Power on your switch by plugging in the power cord or turning on the power atthe wall switch.
  1. When the following prompt appears, press the Spacebar to access the switch's bootstrap loader command prompt:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 1 second...
  1. At the following prompt, type boot -s to start up the system in single-user mode:
loader> boot -s
  1. At the following prompt, type recovery to start the root password recovery procedure:
Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

A series of messages describe consistency checks, mounting of filesystems, and initialization and checkout of management services. Then the CLI prompt appears.
  1. Enter configuration mode in the CLI:
user@switch> cli
  1. Set the root password. For example:
user@switch# set system root-authentication plain-text-password
  1. At the following prompt, enter the new root password. For example:
New password: juniper1

Retype new password:
  1. At the second prompt, reenter the new root password.
  1. If you are finished configuring the network, commit the configuration.root@switch# commit

commit complete

  1. Exit configuration mode in the CLI.
root@switch# exit

  1. Exit operational mode in the CLI.
root@switch> exit

  1. At the prompt, enter y to reboot the switch.
Reboot the system? [y/n] y
반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Network' 카테고리의 다른 글

Alteon L4 FWLB Sample  (0) 2012.04.20
Juniper Virtual Router Basic Configuration  (0) 2012.02.21
Alteon config 기본 설정  (2) 2012.02.07
Alteon SLB에서 PIP(Proxy IP) 설정  (1) 2012.02.04
Brocade FLS624G dhcp 구성 config (Foundry)  (0) 2012.01.25
반응형
SMALL

반응형
LIST
저작자표시 비영리 변경금지

'지금 이 순간' 카테고리의 다른 글

i-rocks BT-6460 Slim & Compact Bluetooth Mobile Keyboard  (0) 2012.03.13
골뱅이와 소면  (0) 2012.02.19
Naver Open Cast  (0) 2012.02.16
홈플러스 Croissant (크로아상, 크로와상) 생지로 바로 굽기  (0) 2012.02.13
부산 광안대교  (0) 2012.02.10
반응형
SMALL

http://opencast.naver.com/SB754   <- 바로 요기

예전부터 네이버 오픈캐스트의 화면 인터페이스가 맘에 들었지만 뭐에 쓰는 물건이지 몰랐기에 관심을 끊었다가 도전해 보기로 했다.
티스토리도 가입이 초대에 의해 이루어지는 아주 까다로운 방법이었는데 오픈캐스트는 5명 이상의 네이버 메일을 통해 추천을 받아야 된다고 한다.
내 주변에 네이버 계정 쓰는 아는 사람이라...음....누가 있을까 ?
와이프1
와이프2
나의 다른 계정
아들
...
한개가 빈다.
할수 없이 회사 직원에게 부탁을 했다.
그래서 드뎌 개설 완료.
동영상을 통해 발행하는 방법을 습득하고 첫페이지를 발행했다.
이것 저것 손대서 관리가 잘 안되는 것들이 나오긴 하지만 그래도 새로운 것을 해본다는 것에 대한 재미는 어쩔수  없다
한동안 오픈캐스트에 신경좀 써 봐야쥐.....ㅋㅋ

P.S
써 놓구 보니 와이프가 두명 처럼 보인다.
아니다 와이프의 계정 두개다
오해 없기를...

반응형
LIST
저작자표시 비영리 변경금지

'지금 이 순간' 카테고리의 다른 글

골뱅이와 소면  (0) 2012.02.19
오늘의 점심은 깐풍새우 정식  (0) 2012.02.16
홈플러스 Croissant (크로아상, 크로와상) 생지로 바로 굽기  (0) 2012.02.13
부산 광안대교  (0) 2012.02.10
오늘의 점심  (2) 2012.02.07
반응형
SMALL


<아이들이 둘다 광고에 나와서 보관중 ㅎㅎ>








반응형
LIST
저작자표시 비영리 변경금지

'딴나라이야기 > 필리핀이야기' 카테고리의 다른 글

필리핀 여행 2일차 (24.04.09)  (0) 2024.04.10
필리핀 여행 1일차 (24.04.08)  (0) 2024.04.08
필리핀의 주요 골프장  (0) 2011.11.11
유비콘필이 필리핀 TV에 나왔다  (1) 2011.09.04
Cebu  (0) 2011.08.04

+ Recent posts

티스토리툴바