[j-nsp] SRX Deployment Questions

Jeffrey Nikoletich jeffn at xfernet.com
Mon Aug 22 15:42:48 EDT 2016


All,



I actually got this figured out; it was due to a bad card. So we are fully
deployed now. The only issue we seem to be having is very slow file
transfer speeds from anything behind the SRX.



Before cutting over from an ASA 5550 we were getting speeds uploading to S3
of around 4-8 Mbps. Now we are getting 150-250 kbps. Any ideas? I have checked
the MTU and also did an MTU ping test all the way up the chain, and it all
looks good. Servers that are outside the firewall have no issues.



Here is my sanitized config. Any help is appreciated:



jeff> show configuration

version 12.3X48-D30.7;

system {

    internet-options {

        path-mtu-discovery;

chassis {

    /* Two aggregated-Ethernet bundles are allocated here; ae0 (WAN) and ae1
       (LAN) are the ones defined in the interfaces stanza. */
    aggregated-devices {

        ethernet {

            device-count 2;

        }

    }

}

security {

    /* NOTE(review): every ALG listed below is turned off. With an ALG disabled
       the SRX does not open the protocol's secondary/data sessions on its own,
       so anything relying on that (e.g. FTP data channels) has to be covered by
       explicit policy — confirm this matches what was intended when moving off
       the ASA. */
    alg {

        dns disable;

        ftp disable;

        mgcp disable;

        msrpc disable;

        sunrpc disable;

        sccp disable;

        talk disable;

        tftp disable;

        pptp disable;

    }

    flow {

        tcp-session {

            /* NOTE(review): disables TCP sequence-number validation on flow
               sessions, i.e. one stateful-inspection check against
               out-of-window/injected segments is no longer applied. This is
               usually set to tolerate asymmetric paths — confirm it is still
               needed on this deployment. */
            no-sequence-check;

        }

    }

    nat {

        source {

            /* Address pool used by rule1 below for all LAN->WAN traffic. */
            pool SourceNAT-pool {

                description "SourceNAT pool";

                address {

                    /* NOTE(review): 69.X.X.2 is also the ae0.0 interface
                       address (interfaces stanza) — confirm the overlap is
                       intended. Pool addresses other than the interface's own
                       normally need proxy-arp on ae0.0 to be answered; none is
                       visible in this sanitized, truncated listing. */
                    69.X.X.2/32 to 69.X.X.3/32;

                    69.X.X.60/32 to 69.X.X.62/32;

                }

            }

            /* Translates every LAN->WAN flow (0.0.0.0/0 -> 0.0.0.0/0) to the
               pool above. */
            rule-set interface-nat {

                from zone LAN;

                to zone WAN;

                rule rule1 {

                    match {

                        source-address 0.0.0.0/0;

                        destination-address 0.0.0.0/0;

                    }

                    then {

                        source-nat {

                            pool {

                                SourceNAT-pool;

                            }

                        }

                    }

                }

            }

        }

    policies {

        /* Outbound: unrestricted, and without a log statement, so egress
           sessions are not recorded at the policy. NOTE(review): adding
           `log { session-close; }` here would give the same visibility
           Allow-Management has below. */
        from-zone LAN to-zone WAN {

            policy permit-all {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                    source-identity any;

                }

                then {

                    permit;

                }

            }

        }

        /* Inbound to LAN: three permits; everything else falls to the default
           deny, which (unlike Deny-All-Else in the junos-host zone) is not
           logged here. */
        from-zone WAN to-zone LAN {

            /* Any application from the XFERNET address set to any internal host. */
            policy allow-xfernet {

                match {

                    source-address XFERNET;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

            /* Published web servers: HTTP/HTTPS plus the custom http-8080
               application, to the VIP_Servers_Internal address set. */
            policy allow_web {

                match {

                    source-address any;

                    destination-address VIP_Servers_Internal;

                    application [ junos-http junos-https http-8080 ];

                }

                then {

                    permit;

                }

            }

            /* NOTE(review): admits every ICMP type from anywhere to any
               internal host (junos-icmp-all); a narrower application such as
               junos-ping would be tighter if only reachability tests are needed. */
            policy permit_icmp_in {

                match {

                    source-address any;

                    destination-address any;

                    application junos-icmp-all;

                }

                then {

                    permit;

                }

            }

        }

        /* Intra-zone LAN traffic: permit-any. Only ae1.0 is in the LAN zone in
           this listing. */
        from-zone LAN to-zone LAN {

           policy LAN-to-LAN {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

        /* Self-traffic from the WAN. The WAN zone's host-inbound-traffic below
           opens ssh/http/https/snmp/ike on ae0.0, so these two policies are
           what actually restricts who may reach the management plane. */
        from-zone WAN to-zone junos-host {

            /* Management only from the XFERNET address set, with session-close
               logging. NOTE(review): snmp is enabled at the WAN zone level but
               is not in this application list, so SNMP from the WAN presumably
               falls through to Deny-All-Else — confirm that is intended, or
               drop snmp from the zone's system-services. */
            policy Allow-Management {

                match {

                    source-address XFERNET;

                    destination-address LOCALHOST;

                    application [ junos-ssh junos-http junos-https
junos-icmp-all ];

                }

                then {

                   permit;

                    log {

                        session-close;

                    }

                }

            }

            /* Catch-all with session-init logging: every other connection
               attempt to the device itself from the WAN is recorded. */
            policy Deny-All-Else {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    deny;

                    log {

                        session-init;

                    }

                }

            }

        }

    }

    zones {

        /* NOTE(review): all system services and all routing protocols are
           open to the LAN zone, and the same all/all block is repeated under
           ae1.0 (the interface-level block duplicates the zone-level one).
           Permissive but internal-facing; trim if the LAN is not fully trusted. */
        security-zone LAN {

            host-inbound-traffic {

                system-services {

                    all;

                }

                protocols {

                    all;

                }

            }

            interfaces {

                ae1.0 {

                    host-inbound-traffic {

                        system-services {

                            all;

                        }

                        protocols {

                            all;

                        }

                    }

                }

            }

        }

        /* WAN zone: management services are reachable on ae0.0, gated by the
           WAN->junos-host policies above. NOTE(review): ike is enabled but no
           IKE/IPsec configuration appears in this listing — remove it if unused. */
        security-zone WAN {

            host-inbound-traffic {

                system-services {

                    ping;

                    traceroute;

                    ssh;

                    http;

                    https;

                    ike;

                    snmp;

                }

            }

            interfaces {

                ae0.0;

            }

        }

    }

}

interfaces {

    /* Member of ae0 (WAN bundle); description names external switch 0303. */
    xe-1/0/0 {

        description WAN-ExternalSW-0303;

        gigether-options {

            802.3ad ae0;

        }

    }

    /* Member of ae1 (LAN bundle); description names switch 301, port Te0/49. */
    xe-2/0/0 {

        description LAN-301-Te0/49;

        gigether-options {

            802.3ad ae1;

        }

    }

    /* Second member of ae1 (LAN bundle). NOTE(review): the only bundle member
       without a description — add one naming the peer switch/port, as the
       other three have. */
    xe-4/0/1 {

        gigether-options {

            802.3ad ae1;

        }

    }

    /* Second member of ae0 (WAN bundle); description names external switch 0302. */
    xe-5/0/0 {

        description WAN-ExternalSW-0302;

        gigether-options {

            802.3ad ae0;

        }

    }

    /* WAN bundle (members xe-1/0/0 and xe-5/0/0), 10g members. Its address
       69.X.X.2/26 is also the first address in SourceNAT-pool (security nat
       stanza above). */
    ae0 {

        description WAN;

        aggregated-ether-options {

            link-speed 10g;

        }

        unit 0 {

            family inet {

                address 69.X.X.2/26;

            }

        }

    }

    ae1 {

        aggregated-ether-options {

            link-speed 10g;

        }

        unit 0 {

            family inet {

                address 10.X.X.1/16;

jeffn>


		Regards,

Jeffrey Nikoletich - Chief Information Officer | 213-201-6080

Xfernet
 | 1-855-XFERNET | Ph 213-201-6080 | http://www.xfernet.net

