[j-nsp] Firewall filter using a prefix-list, not updating

David Gee dave at infiltr8.com
Mon Mar 5 16:26:23 EST 2012


Hi all,

Thanks for the advice and information. Very much appreciated.

I'll forward on to the JTAC and see where I get.

All the best,
David

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
juniper-nsp-request at puck.nether.net
Sent: 05 March 2012 12:53
To: juniper-nsp at puck.nether.net
Subject: juniper-nsp Digest, Vol 112, Issue 7

Send juniper-nsp mailing list submissions to
	juniper-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/juniper-nsp
or, via email, send a message with subject or body 'help' to
	juniper-nsp-request at puck.nether.net

You can reach the person managing the list at
	juniper-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific than
"Re: Contents of juniper-nsp digest..."


Today's Topics:

   1. Juniper Training as per of degree or online with a training
      partner !! (Harri Makela)
   2. Re: Juniper Training as per of degree or online with a
      training partner !! (Jose Madrid)
   3. Re: 100Base-LX10 and MX80 (Richard A Steenbergen)
   4. Re: Firewall filter using a prefix-list, not updating
      (Richard A Steenbergen)
   5. Re: 100Base-LX10 and MX80 (Daniel Roesen)
   6. Help with vpn srx - asa (bizza)
   7. Re: Help with vpn srx - asa (Asad Raza)
   8. Re: Help with vpn srx - asa (Ben Dale)


----------------------------------------------------------------------

Message: 1
Date: Sun, 4 Mar 2012 15:18:29 -0800 (PST)
From: Harri Makela <harri_makela at yahoo.com>
To: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Subject: [j-nsp] Juniper Training as per of degree or online with a
	training	partner !!
Message-ID:
	<1330903109.51265.YahooMailNeo at web120001.mail.ne1.yahoo.com>
Content-Type: text/plain; charset=utf-8

Hi Guys

Do you know any university/college offering Juniper certifications as part of
their degree program?


OR

Any company offering online juniper training ?

Thanks
HM


------------------------------

Message: 2
Date: Mon, 5 Mar 2012 00:02:59 -0500
From: Jose Madrid <jmadrid2 at gmail.com>
To: Harri Makela <harri_makela at yahoo.com>
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] Juniper Training as per of degree or online with
	a training partner !!
Message-ID:
	<CAL9vm5PxkThGKhM5k-f2eER_7AbEYrr=BDBzEvxxXcCT37EOeA at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

The biggest name that comes to mind is Proteus Networks which is owned by
Joe Sorricelli.  Not sure if they have online training, but check them out.



--
It has to start somewhere, it has to start sometime.  What better place than
here? What better time than now?


------------------------------

Message: 3
Date: Sun, 4 Mar 2012 23:10:54 -0600
From: Richard A Steenbergen <ras at e-gerbil.net>
To: Łukasz Dudziński <lukasz at dudzinscy.org>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] 100Base-LX10 and MX80
Message-ID: <20120305051054.GL93489 at gerbil.cluepon.net>
Content-Type: text/plain; charset=us-ascii

On Wed, Feb 29, 2012 at 02:35:09PM +0100, Łukasz Dudziński wrote:
> 
> I did it already. The topic you have mentioned does not cover the 
> essence of my question. I've asked for that specific SFP 
> (100Base-LX10), not for using third party optics at all. The problem 
> is that I don't know if it is possible to use 100Base-LX10 optics in 
> MX80, because Juniper documentation does not mention about 
> 100Base-LX10 SFP. There is a note regarding 100Base-FX (FE on MMF), 
> but no 100Base-LX10 (FE on SMF).

Generally speaking, the answer is "unless the pluggable requires some 
special handling from the router above and beyond what is considered 
'normal' relative to the other pluggables, it WILL work regardless of 
whether or not it is officially supported".

So far the only two examples I've found of the above are copper vs fiber 
(copper sometimes requires special handling to do things like detect 
link state properly), and 100 vs 1000. The LX10 part is irrelevant, if 
it was a 1000BASE optic you could throw in 1km or 100km and the router 
wouldn't know the difference, but you're on shaky ground with the 100 
support. You also run into questions about whether 100 is even supported 
at all, since there are different ways to implement the PHY, one with 
10/100/1000 support, and another with 1000-only.

My personal recollection is that MX back in the DPC days only supported 
1000. I could probably go dust off some documentation on the internals 
of the MX80 and tell you whether the PHY for the modular version 
supports 10/100/1000 for the SFPs or not (it's a slightly different hw 
layout for modular vs non-modular, obviously the non-modular does 
because it's 10/100/1000 copper), but it's late and let's be honest I 
really don't care that much. :) I'm sure someone else will do it now 
that I've taunted them though (I can think of at least 5 or 6 usual 
suspects who probably know this off the top of their head :P), so just 
consider the above as generic advice for when this question comes up 
again in the future. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


------------------------------

Message: 4
Date: Sun, 4 Mar 2012 23:14:03 -0600
From: Richard A Steenbergen <ras at e-gerbil.net>
To: David Gee <dave at infiltr8.com>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Firewall filter using a prefix-list, not updating
Message-ID: <20120305051403.GM93489 at gerbil.cluepon.net>
Content-Type: text/plain; charset=us-ascii

On Sun, Mar 04, 2012 at 04:45:04PM -0000, David Gee wrote:
> 
> If I create a relatively simple filter such as the one below, and 
> attach it as an output filter on a vlan interface, it works as per the 
> prefix-list it references. However, if I update the prefix-list, like 
> add an additional /32, the firewall filter does not permit it. If I 
> remove and re-apply the filter, it has no effect on the new addition 
> to the prefix-list (even though the prefix shows up in the 
> prefix-list). To force the new prefix to become active, I have had to 
> re-apply the firewall filter statement that references the prefix-list 
> (i.e. delete it, and re-apply it). Is this normal?

Depends on your definition of "normal". I run into firewall bugs like 
this all the time these days (probably on my 6th one in the last 2 
years). When in doubt, remove the filter and re-apply, this causes a 
data structure rebuild on the hw and makes the badness go away. And just 
consider yourself lucky that it doesn't cause the FPCs to crash when you 
reorder firewall terms like on EX8200 running 11.1R5. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
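
A worked configuration for the situation described in this message, added
here as an illustration; it is not David's filter (his actual filter is not
reproduced in the digest) and not Juniper's text. The names allow-mgmt,
mgmt-hosts and vlan.100 and the 192.0.2.0/24 addresses are assumptions, as is
the use of deactivate/activate in place of the delete/re-add David describes:

```junos
## Added example, not from the thread. Names and addresses are hypothetical.
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.10/32;
        192.0.2.11/32;
    }
}
firewall {
    family inet {
        filter allow-mgmt {
            term permit-mgmt {
                from {
                    destination-prefix-list {
                        mgmt-hosts;
                    }
                }
                then {
                    count mgmt-accepted;
                    accept;
                }
            }
            term default-deny {
                then {
                    count mgmt-denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    vlan {
        unit 100 {
            family inet {
                filter {
                    output allow-mgmt;
                }
                address 192.0.2.1/24;
            }
        }
    }
}

## Adding a host and checking whether the PFE picked it up. If traffic to
## the new /32 increments mgmt-denied rather than mgmt-accepted, the filter
## is still running on the old copy of the prefix-list.
# set policy-options prefix-list mgmt-hosts 192.0.2.12/32
# commit
# run clear firewall filter allow-mgmt
# run show firewall filter allow-mgmt

## Forcing a rebuild of the term, done fail-closed: with permit-mgmt
## deactivated only default-deny remains, so management traffic is dropped
## (not leaked) between the two commits.
# deactivate firewall family inet filter allow-mgmt term permit-mgmt
# commit
# activate firewall family inet filter allow-mgmt term permit-mgmt
# commit
```

The order of the workaround matters more than it looks. Deleting only the
"from" clause and committing leaves a term with no match conditions and
"then accept", which accepts everything until the clause is put back;
deactivating the whole term leaves the default-deny term in charge for the
same window. Whether deactivate/activate triggers the same hardware rebuild as
the delete/re-add David reports is an assumption to confirm with the counters.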


------------------------------

Message: 5
Date: Mon, 5 Mar 2012 09:47:11 +0100
From: Daniel Roesen <dr at cluenet.de>
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] 100Base-LX10 and MX80
Message-ID: <20120305084711.GA9236 at srv03.cluenet.de>
Content-Type: text/plain; charset=us-ascii

On Sun, Mar 04, 2012 at 11:10:54PM -0600, Richard A Steenbergen wrote:
> My personal recollection is that MX back in the DPC days only supported 
> 1000.

Depends. Some DPCs were multirate (e.g. the 2x10GE + 20x1GE combos).

> I could probably go dust off some documentation on the internals 
> of the MX80 and tell you whether the PHY for the modular version 
> supports 10/100/1000 for the SFPs or not

The 20x1GE MICs do support multirate, definitely with the "original
Juniper" Methode Elec. OEM SFPs. Works in MX80 as well as MPC2 and is
supported.

Caveat: you have to explicitly configure "speed auto" on the interface,
otherwise it WILL do autoneg, but only advertise 1000Mbps capability.
And to configure "speed auto", you'll also have to explicitly configure
"gigether-options auto-negotiation" even though the interface already
does autoneg by default, otherwise your commit will be blocked. I was
utterly unsuccessful explaining the bogosity of that to JTAC, trying
hard for weeks. "It's working as coded, so it's fine". No, it's not.
I gave up eventually after being persistent enough to at least add some
hints into the reference docs.

lab at lab-MX80-01> show interfaces ge-1/2/7 | match link     
Physical interface: ge-1/2/7, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None,

lab at lab-MX80-01> show configuration interfaces ge-1/2/7  
speed auto;
gigether-options {
    auto-negotiation;
}

lab at lab-MX80-01> show chassis hardware    
...
  MIC 1          REV 23   750-028392   xxxxxx            3D 20x 1GE(LAN) SFP
      Xcvr 7     REV 02   740-013111   xxxxxxx           SFP-T
...

lab at lab-MX80-01> show chassis pic fpc-slot 1 pic-slot 2    
...
                          Fiber                    Xcvr vendor
  Port  Cable type        type  Xcvr vendor        part number       Wavelength
...
  7     GIGE 1000T        n/a   Methode Elec.      SP7041-M1-JN      n/a    
...


Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0


------------------------------

Message: 6
Date: Mon, 5 Mar 2012 12:57:13 +0100
From: bizza <bizzam at gmail.com>
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Help with vpn srx - asa
Message-ID:
	<CAJcQygZPkrzXDpV7T2Qy21GHGWaXoLZuqVOfK0RcxifoAPVXFA at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,
I have some problems configuring a VPN between an SRX and a Cisco ASA.
This is my configuration:

    ike {
        proposal trans-vpn {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy ike_pol_vpn2remote {
            mode main;
            proposals trans-vpn;
            pre-shared-key ascii-text "1234567899"; ## SECRET-DATA
        }
        gateway gw_vpn2remote {
            ike-policy ike_pol_vpn2remote;
            address X.Y.W.Z;
            local-identity inet A.B.C.D;
            external-interface fe-0/0/7.0;
            version v1-only;
        }
    }
    ipsec {
        policy ipsec_pol_vpn2remote {
            proposal-set compatible;
        }
        vpn vpn2remote {
            bind-interface st0.0;
            ike {
                gateway gw_vpn2remote;
                ipsec-policy ipsec_pol_vpn2remote;
            }
            establish-tunnels immediately;
        }
    }

And on the ASA side the remote IT tech said that the configuration is the
same: encryption, hash, lifetime, group, etc.

In /var/log/kmd I found:
Mar  5 12:51:27   IKEv1 Error : Timeout
Mar  5 12:52:06   IKEv1 Error : No proposal chosen
Mar  5 12:52:27   IKEv1 Error : Timeout
Mar  5 12:52:41   IKEv1 Error : No proposal chosen
Mar  5 12:53:13   IKEv1 Error : No proposal chosen
Mar  5 12:53:27   IKEv1 Error : Timeout
Mar  5 12:53:47   IKEv1 Error : No proposal chosen
Mar  5 12:54:27   IKEv1 Error : Timeout
Mar  5 12:54:30   IKEv1 Error : No proposal chosen
Mar  5 12:55:08   IKEv1 Error : No proposal chosen


Any hints?

Regards
Marco
-- 
bizza


------------------------------

Message: 7
Date: Mon, 5 Mar 2012 17:28:14 +0500
From: Asad Raza <asadgardezi at gmail.com>
To: bizza <bizzam at gmail.com>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Help with vpn srx - asa
Message-ID:
	<CACN6Xjz4=DF26Ek-pnTRGMMEwZJ9ch0GEoyqMyQb9LnxV3S91w at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi Marco,

I see that you are using a custom proposal in phase-1 but using compatible
in phase-2; that could be the problem. You need to define the exact proposal in
phase-2 as well. Could you confirm whether the proposal mismatch is in phase-1
(ike) or phase-2 (ipsec), to be more specific?

regards,

Asad


------------------------------

Message: 8
Date: Mon, 5 Mar 2012 22:54:46 +1000
From: Ben Dale <bdale at comlinx.com.au>
To: bizza <bizzam at gmail.com>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Help with vpn srx - asa
Message-ID: <BBAA23FE-B045-4F5C-872A-DDB1061B2FAF at comlinx.com.au>
Content-Type: text/plain; charset=us-ascii


On 05/03/2012, at 9:57 PM, bizza wrote:
>        gateway gw_vpn2remote {
>            ike-policy ike_pol_vpn2remote;
>            address X.Y.W.Z;
>            local-identity inet A.B.C.D;
>            external-interface fe-0/0/7.0;
>            version v1-only;
>        }

In your IKE gateway configuration above, you have configured the
local-identity - this particular knob is only used for authentication when
you are using aggressive mode (which you are not).  

I suspect what you really wanted to configure was the proxy-id which ASAs
tend to be VERY picky about.

You'll need:

set security ipsec vpn vpn2remote ike proxy-identity local A.B.C.D/E
set security ipsec vpn vpn2remote ike proxy-identity remote F.G.H.I/J
set security ipsec vpn vpn2remote ike proxy-identity service any

where F.G.H.I/J is the subnet on the remote side.

Ben



------------------------------

_______________________________________________
juniper-nsp mailing list
juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

End of juniper-nsp Digest, Vol 112, Issue 7
*******************************************


