[j-nsp] Problem with Active Directory with my SRX

Shombra shombra at shombra.com.br
Fri Mar 7 13:02:37 EST 2014


Hi all,

First of all, sorry, my English is not so good.

I'm using a P2P VPN in my network. In my Data Center I have 2 SRX240 in a cluster and my servers; my problem is with my Active Directory.

The problem is, when I put one PC in the domain, this PC doesn't dynamically register in the DNS. I checked everything I know, and I didn't find anything wrong.
I used Wireshark to check the packets and I saw the PC sent the dynamic DNS update, and these packets did not arrive at the other side.

I made a testing environment with a Mikrotik in my Data Center, not using the SRX, and it worked fine.

The PC dynamically registers in the DNS without any problem, even when the PC is in another network.

The configurations from my SRX follow:

VPN
carlinhos at FW-Cluster01# show security ike 
proposal SEDE-COMPANY-PHASE1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
}
policy SEDE-COMPANY-POLICY {
    mode main;
    proposals SEDE-COMPANY-PHASE1;
    pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
}
gateway SEDE-COMPANY-GATEWAY {
    ike-policy SEDE-COMPANY-POLICY;
    address 200.200.200.10;
    dead-peer-detection {
        interval 20;
        threshold 5;
    }
    external-interface reth1.186;
}
carlinhos at FW-Cluster01# show security ipsec  
proposal SEDE-COMPANY-PHASE2 {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
}
policy SEDE-COMPANY-POLICY {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals SEDE-COMPANY-PHASE2;
}
vpn SEDE-COMPANY {
    bind-interface st0.2007;
    ike {
        gateway SEDE-COMPANY-GATEWAY;
        ipsec-policy SEDE-COMPANY-POLICY;
    }
    establish-tunnels immediately;
}

____________________________________________________________________________________________________

ZONES
carlinhos at FW-Cluster01# show security zones security-zone v2007-COMPANY_SEDE ———> This is my Data Center LAN zone -> all my servers and my AD
address-book {
    address v2007-COMPANY_SEDE 192.168.0.0/24;
}
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    reth2.2007 {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
}

carlinhos at FW-Cluster01# show security zones security-zone v2007-COMPANY_SEDE-vpn     ———> This is my VPN zone - on the other side is my workstation
host-inbound-traffic {
    system-services {
        ping;
    }
    protocols {
        all;
    }
}
interfaces {
    st0.2007;
}

____________________________________________________________________________________________________

POLICIES
carlinhos at FW-Cluster01# show security policies from-zone v2007-COMPANY_SEDE to-zone v2007-COMPANY_SEDE-vpn 
policy Libera_to_Rede_CTI {
    match {
        source-address v2007-COMPANY_SEDE;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
carlinhos at FW-Cluster01# show security policies from-zone v2007-COMPANY_SEDE-vpn to-zone v2007-COMPANY_SEDE    
policy Libera_Acesso {
    match {
        source-address any;
        destination-address v2007-COMPANY_SEDE;
        application any;
    }
    then {
        permit;
    }
}

____________________________________________________________________________________________________

ROUTES
192.168.1.0/24    *[Static/5] 1w3d 00:31:04
                            > via st0.2007


Thanks to all
Carlos
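As an added example (not part of Carlos's post or of the SRX configuration above), here is a Python script that builds the RFC 2136 dynamic-update message a domain-joined Windows client sends to register itself, builds an ordinary query for contrast, and classifies a raw DNS payload by opcode, so that captures taken on the workstation side and on the server side of the st0.2007 tunnel can be compared message for message. The zone, host name and address are constructed placeholders.

```python
import struct

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

def encode_name(name):
    """Encode a dotted name in DNS wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed wire-format name starting at offset off."""
    labels = []
    while buf[off] != 0:
        ln = buf[off]
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), off + 1

def build_dns_update(zone, host, ipv4, txid=0x1234):
    """RFC 2136 UPDATE: opcode 5, one zone entry (SOA), one A record to add."""
    flags = 5 << 11                                          # QR=0, OPCODE=5 (UPDATE)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 1, 0)    # ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)  # ZTYPE=SOA, ZCLASS=IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = encode_name(host) + struct.pack("!HHIH", 1, 1, 1200, 4) + rdata  # A, IN, TTL, RDLENGTH
    return hdr + zone_sec + rr

def build_dns_query(name, txid=0x1235):
    """Ordinary recursive A query, for contrast with the UPDATE message."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1)

def classify_dns(packet):
    """Summarise the DNS header so captures from both tunnel ends can be compared."""
    txid, flags, zo, _pr, up, _ad = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0xF
    info = {"id": txid, "opcode": OPCODE_NAMES.get(opcode, str(opcode)),
            "is_response": bool(flags & 0x8000), "zone": None, "updates": up}
    if opcode == 5 and zo:
        info["zone"], _ = decode_name(packet, 12)  # zone section follows the header
    return info

# Constructed sample messages (zone, host and address are placeholders).
UPDATE_PKT = build_dns_update("company.local", "pc01.company.local", "192.168.1.50")
QUERY_PKT = build_dns_query("dc01.company.local")
```

Feed the UDP or TCP payload of each DNS packet from a capture on each side of the tunnel to classify_dns; an UPDATE with a matching id seen on the workstation side but absent on the server side localises the loss to the path between them.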


