SOLVED: disable JunOS default stateful firewall

JoeM

SOLVED: issue - default JunOS stateful firewall

BrianM gives the solution at 14 min into this video:
           JunOS Ethernet Interfaces & Ethernet Switching :: Part 2


SOLUTION:

configure
delete security

            ### following three commands changed from flow-based -- BrianM
set security forwarding-options family mpls  mode packet-based
set security forwarding-options family iso   mode packet-based
set security forwarding-options family inet6 mode packet-based
commit and-quit


            ### must reboot to take effect
request system reboot

 

================================================

Original explanation of issue:

Possible project migrating Cisco to JunOS... and another great use of INE's AAP library. Brian teaches intro JunOS from the perspective of someone who is Cisco command-line trained. Back and forth between IOS and JunOS, comparing commands and processes. Great videos so far.

 

Trying to follow along, and I need help setting up JunOS connectivity. JunOS expert needed.

I think that it is a security config issue. Seems like a firewall problem. Unfortunately, I am lost on the JunOS command line, and I have reached my limit with the initial JunOS setup (Juniper Firefly demo).

 

Packet capture verifies the below communication, but JunOS will not respond.

ARP cache -- both devices see each other

root@vSRX-1> show arp
MAC Address       Address         Name        Interface     Flags
ca:01:07:68:00:08 12.12.12.1    12.12.12.1    ge-0/0/0.0     none

 

R1-IOS#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.12.12.1              -   ca01.0768.0008  ARPA   FastEthernet0/0
Internet  12.12.12.10            11   0800.279e.eb1d  ARPA   FastEthernet0/0

 

 

ICMP -- JunOS can ping successfully (IOS replies), but JunOS will not reply.

root@vSRX-1> ping 12.12.12.1
PING 12.12.12.1 (12.12.12.1): 56 data bytes
64 bytes from 12.12.12.1: icmp_seq=0 ttl=255 time=69.078 ms
64 bytes from 12.12.12.1: icmp_seq=1 ttl=255 time=55.257 ms
64 bytes from 12.12.12.1: icmp_seq=2 ttl=255 time=66.566 ms

 

R1-IOS#ping 12.12.12.10
<snip>
.....

 

 

OSPF -- R1-IOS can see JunOS hellos. JunOS sees nothing from IOS.

R1-IOS debug:

*Jun 29 10:13:27.843: OSPF-1 PAK  : rcv. v:2 t:1 l:44 rid:12.12.12.10 aid:0.0.0.0 chk:D409 aut:0 auk: from FastEthernet0/0

R1-IOS#sh ip ospf neig
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.12.12.10     128   INIT/DROTHER    00:00:35    12.12.12.10     FastEthernet0/0

NOTE:  I believe that it is stuck in init mode, because it is not seeing its own RID returned from JunOS. JunOS is ignoring everything.



root@vSRX-1> show ospf neighbor


NOTE: does not see OSPF packets from R1-IOS.

 

 

ISSUE?/SOLUTION?

I have tried to dismantle the JunOS firewall (untrusted-zone), and finally tried to place the interface into the TRUSTED-ZONE.

Unfortunately, I am mangling my configuration and nothing has changed (everything committed).

Below is my JunOS config output.  (packet captures verify all of the above)
What am I missing? Why won't JUNOS respond to the neighbor?

 

root@vSRX-1> show version
Hostname: vSRX-1
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]

root@vSRX-1# show
<SNIP>


    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;   <-- necessary?
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 12.12.12.10/24;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            ip {   <-- removed ping-of-death default (desperate move)
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {   <-- initial change - I changed from default-deny
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/0.0;   <-- I added the interface to trust
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
}
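Two ways to make the vSRX answer on ge-0/0/0.0, shown as an added example that is not part of the original post or the INE video. Option A is the packet-mode workaround from the solution above with the operational command that confirms the per-family forwarding mode after the reboot. Option B keeps the default flow-based (stateful) data plane and instead tells the trust zone which traffic addressed to the SRX itself it may accept: in flow mode, security policies only govern transit traffic, while packets destined to the device's own address (ICMP echo to 12.12.12.10, OSPF hellos) are admitted by the zone's host-inbound-traffic list, which the posted config never sets (ARP is not subject to that list, which is why the ARP caches populate while ping and OSPF fail). The interface, address and zone name are the ones from the post; the choice of `ping` and `ospf` as the permitted services is an assumption based on the symptoms described.

```junos
## Option A: the packet-mode workaround from the post, plus a verification step.
## (lines starting with ## are explanatory comments, not typed into the CLI)
configure
delete security
set security forwarding-options family mpls  mode packet-based
set security forwarding-options family iso   mode packet-based
set security forwarding-options family inet6 mode packet-based
commit and-quit
request system reboot
## after the reboot, confirm the forwarding mode reported for each family
show security flow status

## Option B (added alternative): keep the stateful firewall and permit self-traffic in the zone.
## Assumes the posted config, where ge-0/0/0.0 already sits in security-zone trust.
configure
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf
commit and-quit
## no reboot required; verify the zone, then the adjacency and the ICMP sessions
show security zones trust
show ospf neighbor
show security flow session
```

With Option B the policy changes in the posted config (rewriting untrust-to-trust from default-deny to default-permit, moving the interface between zones) are not needed for this symptom, because none of that traffic transits the SRX. `host-inbound-traffic` can also be set at the zone level instead of per interface. Option A is fine for a routing lab, but `delete security` removes every zone and policy, so a box configured that way no longer acts as a firewall and should not be used as a perimeter device in that state.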

======================

Comments

  • And this just saved me after many hours of troubleshooting. I could also see layer 2 connectivity via ARP.
