Mike | Mike’s Blog

Juniper SRX cheat sheet

by Mike | Dec 14, 2017 | Juniper | 0 comments

root@juniper% — shell OS FreeBSD

1	root@juniper% — shell OS FreeBSD

After cli command we can enter to:

root@juniper> — operational mode
root@juniper# — configurational mode

1 2	root@juniper> — operational mode root@juniper# — configurational mode

Operational MODE:

root@juniper> clear — to clear smth
root@juniper> monitor — to monitor smth in real-time mode
root@juniper> ping — pong
root@juniper> show — show configuration
root@juniper> test — to test saved configs and interfaces
root@juniper> traceroute — trace

root@juniper> clear — to clear smth

root@juniper> monitor — to monitor smth in real-time mode

root@juniper> ping — pong

root@juniper> show — show configuration

root@juniper> test — to test saved configs and interfaces

root@juniper> traceroute — trace

Interfaces

root@juniper> show interface description
root@juniper> show interface terse  #short
root@juniper> show interface detail #detail

root@juniper> show interface description

root@juniper> show interface terse #short

root@juniper> show interface detail #detail

Save rescue config

root@juniper> request system configuration rescue save

1	root@juniper> request system configuration rescue save

To get back to rescue config:

root@juniper# rollback rescue

1	root@juniper# rollback rescue

Delete uncommitted commands

root@juniper> clear system commit

1	root@juniper> clear system commit

Show CPU, mem, and temperature

root@juniper> show chassis routing-engine

1	root@juniper> show chassis routing-engine

Show int traffic

root@juniper> monitor traffic interface ge-0/0/1 
root@juniper> monitor interface traffic

1 2	root@juniper> monitor traffic interface ge-0/0/1 root@juniper> monitor interface traffic

Restart a process

root@juniper> restart {process} gracefully

1	root@juniper> restart {process} gracefully

Reboot router

root@juniper> request system reboot

1	root@juniper> request system reboot

Clean UP

root@juniper> request system storage cleanup

1	root@juniper> request system storage cleanup

Configurational MODE:

Turning off smth

root@juniper# deactivate {interfaces ge-0/0/10}

1	root@juniper# deactivate {interfaces ge-0/0/10}

Load factory default config

root@juniper# load factory-default

1	root@juniper# load factory-default

Set root pass

root@juniper# set system root-authentication plain-text-password

1	root@juniper# set system root-authentication plain-text-password

Create new user

root@juniper# set system login user {username} class {usertype: operator, read-only, super-user} authentication plain-text-password

1	root@juniper# set system login user {username} class {usertype: operator, read-only, super-user} authentication plain-text-password

Turn on WEB

root@srx# set system services web-management http interface {vlan.0} {#interfaces#}

1	root@srx# set system services web-management http interface {vlan.0} {#interfaces#}

Turn on ssh

root@srx# set system services ssh

1	root@srx# set system services ssh

Change one port to the another

root@juniper# rename interfaces ge-0/0/0 to ge-0/0/1

1	root@juniper# rename interfaces ge-0/0/0 to ge-0/0/1

Change IP address without deleting it:

[edit interfaces]
root@juniper# rename ge-0/0/1 unit 0 family inet address 192.168.0.1/28 to address 192.168.0.2/28

1 2	[edit interfaces] root@juniper# rename ge-0/0/1 unit 0 family inet address 192.168.0.1/28 to address 192.168.0.2/28

Copy a part of config to the another branch:

root@juniper# copy interfaces ge-0/0/0 to ge-0/0/1

1	root@juniper# copy interfaces ge-0/0/0 to ge-0/0/1

Go to top level:

[edit interfaces ge-0/0/1]
root@juniper# top

1 2	[edit interfaces ge-0/0/1] root@juniper# top

Enter operational commands while editing:

root@juniper# run {show route}

1	root@juniper# run {show route}

Check config without commit:

root@juniper# commit check

1	root@juniper# commit check

Commit at the time:

root@juniper# commit at 12:00

1	root@juniper# commit at 12:00

Cancel commit at the time:

root@juniper> clear system commit

1	root@juniper> clear system commit

Commit to the rollback in time:

root@juniper# commit confitmed 100 #minutes

1	root@juniper# commit confitmed 100 #minutes

Rollback:

root@juniper# rollback #last config
root@juniper# rollback? #show archive

1 2	root@juniper# rollback #last config root@juniper# rollback? #show archive

To see changes without committing:

root@juniper# show | compare

1	root@juniper# show \| compare

Switching:

Add ports to VLAN:

root@juniper# set interfaces interface-range interfaces-trust member-range ge-0/0/1 to ge-0/0/7

1	root@juniper# set interfaces interface-range interfaces-trust member-range ge-0/0/1 to ge-0/0/7

root@juniper# set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust

1	root@juniper# set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust

root@juniper# set vlans vlan-trust vlan-id 3
root@juniper# set vlans vlan-trust l3-interface vlan.0
root@juniper# set interfaces vlan unit 0 family inet address 192.168.0.1/24

root@juniper# set vlans vlan-trust vlan-id 3

root@juniper# set vlans vlan-trust l3-interface vlan.0

root@juniper# set interfaces vlan unit 0 family inet address 192.168.0.1/24

Security zones:

Allow all host traffic in trust

root@juniper# set security zones security-zone trust host-inbound-traffic system-services all

1	root@juniper# set security zones security-zone trust host-inbound-traffic system-services all

Allow all host protocols in trust

root@juniper# set security zones security-zone trust host-inbound-traffic protocols all

1	root@juniper# set security zones security-zone trust host-inbound-traffic protocols all

Add interfaces in trust

root@juniper# set security zones security-zone trust interfaces vlan.0
root@juniper# set security zones security-zone trust interfaces lo0.0
root@juniper# set security zones security-zone trust interfaces ge-0/0/1.0

root@juniper# set security zones security-zone trust interfaces vlan.0

root@juniper# set security zones security-zone trust interfaces lo0.0

root@juniper# set security zones security-zone trust interfaces ge-0/0/1.0

Create trust-to-trust policy:

root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust match application any
root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust then permit

root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any

root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any

root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust match application any

root@juniper# set security policies from-zone trust to-zone trust policy trust-to-trust then permit

Yeeeep! Cisco Cyber Ops Scholarship

by Mike | Dec 12, 2017 | CISCO | 0 comments

I have really exciting news:

Brand new domain

by Mike | Dec 7, 2017 | Uncategorized | 0 comments

I have just moved my tiny blog from yudin.us to the brand new domain mike.ydn.id.au. It could be a fresh start for my blogging 🙂

Site-to-site IPSec between Juniper and Cisco through Mikrotik’s NAT

by Mike | Dec 6, 2017 | CISCO, Juniper | 0 comments

Since my company has been using Cisco and Juniper network equipment we have a lot of IPSec tunnels to remote branches. To achieve some sort of high-availability we have decided to implement one of the IPSec tunnels over an LTE network.

To do so we bought Mikrotik wAP LTE kit to get connected to an LTE network and obtained a public IP address from a mobile data operator.

So.. we have:

Cisco ISR in the DC with public IP address 1.1.1.1
Mikrotik wAP LTE with public IP address 2.2.2.2
Juniper SRX100 in the branch with private address 172.16.1.2/30 connected to Mikrotik

Cisco ISR config

Tunnel interface:

interface Tunnel10
 description TO REMOTE BRANCH
 bandwidth 15000
 ip address 172.20.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile VTI

interface Tunnel10

description TO REMOTE BRANCH

bandwidth 15000

ip address 172.20.1.1 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/0/0

tunnel mode ipsec ipv4

tunnel destination 2.2.2.2

tunnel protection ipsec profile VTI

ip route 2.2.2.2 255.255.255.255 1.1.1.2

1	ip route 2.2.2.2 255.255.255.255 1.1.1.2

IPSec config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SHAREDKEY address 10.0.0.2 
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set TSET
!
!
!
!
!
!
!
interface Tunnel10
 bandwidth 15000
 ip address 172.20.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile VTI
!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key SHAREDKEY address 10.0.0.2

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

mode tunnel

crypto ipsec profile VTI

set transform-set TSET

interface Tunnel10

bandwidth 15000

ip address 172.20.1.1 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source Ethernet0/0

tunnel mode ipsec ipv4

tunnel destination 2.2.2.2

tunnel protection ipsec profile VTI

Juniper SRX config

security {
    ike {
        policy IKE_DC {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "SHAREDPASS"; ## SECRET-DATA
        }
        gateway GW_DC {
            ike-policy IKE_DC;
            address 1.1.1.1;
            external-interface fe-0/0/6.0;
        }
    }
    ipsec {
        policy Juniper {
            proposal-set compatible;
        }
        vpn VPN_DC {
            bind-interface st0.10;
            ike {
                gateway GW_DC;
                ipsec-policy Juniper;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        dns disable;
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1360;
            }
        }
    }

security {

ike {

policy IKE_DC {

mode main;

proposal-set compatible;

pre-shared-key ascii-text "SHAREDPASS"; ## SECRET-DATA

}

gateway GW_DC {

ike-policy IKE_DC;

address 1.1.1.1;

external-interface fe-0/0/6.0;

}

ipsec {

policy Juniper {

proposal-set compatible;

}

vpn VPN_DC {

bind-interface st0.10;

ike {

gateway GW_DC;

ipsec-policy Juniper;

}

establish-tunnels immediately;

}

alg {

dns disable;

}

flow {

tcp-mss {

ipsec-vpn {

mss 1360;

}

Adding to zone and allowing IKE on the interface:

set security zones security-zone untrust interfaces fe-0/0/6.0
set security zones security-zone untrust host-inbound-traffic system-services ike

1 2	set security zones security-zone untrust interfaces fe-0/0/6.0 set security zones security-zone untrust host-inbound-traffic system-services ike

Mikrotik config

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=4500 \
    in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=4500
add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=500 \
    in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=500
add action=src-nat chain=srcnat out-interface=lte1 src-address=172.16.1.2 \
    to-addresses=2.2.2.2

/ip firewall nat

add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=4500 \

in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=4500

add action=dst-nat chain=dstnat dst-address=2.2.2.2 dst-port=500 \

in-interface=lte1 protocol=udp to-addresses=172.16.1.2 to-ports=500

add action=src-nat chain=srcnat out-interface=lte1 src-address=172.16.1.2 \

to-addresses=2.2.2.2

IPsec debug on SRX

To debug IPSec on Juniper you can use this commands:

Phase 1

show security ike security-associations
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
1990848 UP 0a8d1bb614de2965 47ade7df5b93f10f Main 1.1.1.1

show security ike security-association index <#> detail
show security ike security-association <peer-ip>


show security ike stats sa

show security ike security-associations

node0:

--------------------------------------------------------------------------

Index State Initiator cookie Responder cookie Mode Remote Address

1990848 UP 0a8d1bb614de2965 47ade7df5b93f10f Main 1.1.1.1

show security ike security-association index <#> detail

show security ike security-association <peer-ip>

show security ike stats sa

Phase 2

show security ipsec security-associations | no-more
node0:
--------------------------------------------------------------------------
 Total active tunnels: 3
 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway 
 <131073 ESP:3des/sha1 828f5d73 1299/ 4426652 - root 500 1.1.1.1 
 >131073 ESP:3des/sha1 3c0637c3 1299/ 4426652 - root 500 1.1.1.1 

show security ipsec inactive-tunnels
node0:
--------------------------------------------------------------------------
 Total inactive tunnels: 0
 Total inactive tunnels with establish immediately: 0

show security ipsec security-associations | no-more

node0:

--------------------------------------------------------------------------

Total active tunnels: 3

ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway

<131073 ESP:3des/sha1 828f5d73 1299/ 4426652 - root 500 1.1.1.1

>131073 ESP:3des/sha1 3c0637c3 1299/ 4426652 - root 500 1.1.1.1

show security ipsec inactive-tunnels

node0:

--------------------------------------------------------------------------

Total inactive tunnels: 0

Total inactive tunnels with establish immediately: 0

Passed CCNA R&S certification

by Mike | Aug 19, 2017 | CCNA | 0 comments

Yesterday I finally passed CCNA R&S 200-125 exam. Next goal – CCNP.

« Older Entries

Next Entries »