[j-nsp] ICMP unreachable and mask reply - assistance required to check these features

Rehan Rafi Khan rrk.cse at gmail.com
Mon Jan 2 01:19:22 EST 2012


Hello Harri,

I would suggest the following; it might help:

1- Use the ping command specifying a source interface, where you can use the
outside interface as the source and your inside address as the host. The syntax
of the command is given at the link below:

http://www.juniper.net/techpubs/en_US/junos11.2/topics/task/operational/security-ping-command-using.html

2- You can make one of your EX switches a layer 3 device and use it as a
server. Configure an IP on an interface and accordingly use a default route.
You can also access the webUI of the switch, which will be the same as
accessing a web server.

On Mon, Jan 2, 2012 at 5:31 AM, Harri Makela <harri_makela at yahoo.com> wrote:

> Hi Group
>
> I have 2 questions here if you can assist please
>
>
> 1 - I want to block ICMP traffic types (mask reply and
> unreachable) from our internet router from entering our production
> environment. I have sorted out the required firewall filters but am not
> sure how I can generate ICMP traffic to check whether these filters are
> blocking the traffic in question or not, and how many resources these
> filters are taking at the same time?
>
> firewall {
>     filter A {
>         term 1 {
>             from {
>                 protocol icmp;
>                 icmp-type mask-request;
>             }
>             then {
>                 count mask-req;
>                 log;
>                 discard;
>             }
>         }
>         term 2 {
>             from {
>                 protocol icmp;
>                 icmp-type mask-reply;
>             }
>             then {
>                 count mask-rep;
>                 log;
>                 discard;
>             }
>         }
>         term 3 {
>             from {
>                 protocol icmp;
>                 icmp-type unreachable;
>             }
>             then {
>                 count unreach;
>                 log;
>                 discard;
>             }
>         }
>         term default {
>             then accept;
>         }
>     }
> }
>
> 2 - I have 3 x J6350 (10.0R3.10) in a test environment along with 6 x
> EX-4200-48T (10.4R5.5), but there is no server or workstation connected
> to these devices from which I can generate ICMP traffic using a
> utility like hping. I am working from a remote location and have no
> assistance available at the moment to connect any device physically
> on site.
>
> Looking forward to your kind advice/feedback.
>
>
> Many Thanks
> HM
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 

Regards,

Rehan Rafi

*JNCIS-SSL, JNCIS-M, JNCIA-FWV, JNCIA-IDP, JNCIA-AC, CCSP, Security+*

M: +966-501682358     E: rrk.cse at gmail.com
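Not part of the thread, but an added illustration of the first question: a small Python model of filter A from the quoted configuration that builds well-formed ICMP messages of the three filtered types (plus the echo request that ping emits) and evaluates them against the terms in order, so the expected counter increments can be worked out offline before anything is sent at the J6350. Type numbers come from RFC 792 and RFC 950; the sample payloads and the term table are constructed here, not taken from a Junos export.

```python
import struct
# ICMP type numbers (RFC 792, RFC 950) for the types named in filter A, plus echo request (what ping sends)
ICMP_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 3, 8, 17, 18

# Ordered model of filter A from the question: (term, icmp type to match, action, counter name)
FILTER_A = [("1", ICMP_MASK_REQUEST, "discard", "mask-req"),
            ("2", ICMP_MASK_REPLY, "discard", "mask-rep"),
            ("3", ICMP_UNREACHABLE, "discard", "unreach"),
            ("default", None, "accept", None)]

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Serialise type, code, checksum, the 4-byte 'rest of header' field and the payload."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok); a message with a valid checksum sums to zero end to end."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return icmp_type, code, icmp_checksum(packet) == 0

def apply_filter_a(packet: bytes, counters: dict) -> str:
    """Evaluate filter A top-down: the first matching term takes its action and bumps its counter."""
    icmp_type = parse_icmp(packet)[0]
    for _term, match_type, action, counter in FILTER_A:
        if match_type is None or match_type == icmp_type:  # the default term matches everything
            if counter is not None:
                counters[counter] = counters.get(counter, 0) + 1
            return action

def run_checks() -> dict:
    """Constructed samples: one message per filtered type plus the echo request that ping generates."""
    counters = {}
    samples = {
        "mask-request": build_icmp(ICMP_MASK_REQUEST, payload=b"\x00" * 4),
        "mask-reply": build_icmp(ICMP_MASK_REPLY, payload=b"\xff\xff\xff\x00"),  # mask 255.255.255.0
        "host-unreachable": build_icmp(ICMP_UNREACHABLE, code=1, payload=b"\x45" + b"\x00" * 27),
        "echo-request": build_icmp(ICMP_ECHO_REQUEST, rest=b"\x00\x01\x00\x01"),
    }
    actions = {name: apply_filter_a(pkt, counters) for name, pkt in samples.items()}
    return {"actions": actions, "counters": counters}
```

Note that a plain ping only emits echo requests (type 8), which fall through to the default term, so it exercises the filter's accept path rather than the three discard terms and their counters.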

