[j-nsp] Intrazone IPSEC

2015-08-20 Thread SunnyDay
Hi all,

I'm trying to set up an intra-zone policy-based VPN on SRX and it doesn't work.
Below is the config:


from-zone trust to-zone trust {
    policy 1 {
        match {
            source-address [ local remote ];
            destination-address [ remote local ];
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn test_VPN;
                }
            }
            log {
                session-close;
            }
        }
    }
}

Does anyone have any reference on whether this works?


Thanks.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] DNS

2010-03-01 Thread SunnyDay

FW1 is doing source-based NAT and I can ping any DNS from FW2, even Google.

On 1/3/2010 3:10 PM, Barny Sanchez wrote:

1) Can you verify that you can ping from FW2 to 4.2.2.2? If it works, then
you probably have DNS misconfigured.
2) If the previous doesn't work, can you verify that you have correct routing
in place and also that FW1 has a proper policy in place? You can start by
testing with an any-to-any policy.


These are the bare minimum things to check, but there are other problems to
consider, such as:
1) NAT misconfiguration.
2) Routing misconfiguration.
3) Without knowing anything more about your environment, it could be a vsys problem
(high-end firewalls).
4) VPNs involved?

Thanks,



Barny Sanchez | Consulting Engineer - Security Systems | Juniper Networks




On Mar 1, 2010, at 7:04 AM, SunnyDay wrote:

Hello
I have 2 NetScreen firewalls connected one behind the other.
 eth0eth1   eth3
internet<---FW1<-->FW2

My problem is that FW2 is not able to do name resolution from the CLI, e.g.
ping www.google.com. FW1 is able to ping www.google.com.
I configured open dns on FW2 with source interface eth3, with no luck. Any
ideas?

Regards

[j-nsp] DNS

2010-03-01 Thread SunnyDay
Hello
I have 2 NetScreen firewalls connected one behind the other.
 eth0eth1   eth3
 internet <---FW1<-->FW2

My problem is that FW2 is not able to do name resolution from the CLI, e.g.
ping www.google.com. FW1 is able to ping www.google.com.
I configured open dns on FW2 with source interface eth3, with no luck. Any
ideas?

Regards


[j-nsp] Routing between routing instance

2010-01-20 Thread SunnyDay
Hello, I have configured a routing instance as vrf type, and configured
this:



interface-routes {
    rib-group inet InstanceA;
}

rib-groups {
    InstanceA {
        import-rib [ InstanceA.inet.0 inet.0 ];
    }
}

This caused all the interface routes to be imported into the routing
instance's routing table. I then configured this:


route 10.0.0.0/24 next-table InstanceA.inet.0;

to be able to ping inside the vrf from the default routing instance.
My question is: how can I put just a default route inside InstanceA, and
not the interface routes?

Thank you




[j-nsp] pppoe mx

2010-01-05 Thread SunnyDay
Hello, does anyone have any configs on how to terminate PPPoE to an MX
router?

Thank You




[j-nsp] Track-ip

2009-12-14 Thread SunnyDay

Hello
I need to have a backup ADSL and the SRX to fail over to the ADSL when
the primary fails. Everyone says to do it with event scripts but it's not
very clear how to do it.


Does anyone have a template config or instructions on how to configure an
event script for monitoring the gateway of an interface?


Thank You





Re: [j-nsp] Ospf preference

2009-09-30 Thread SunnyDay

Yes, for that prefix, if it is possible.

Matthew Walster wrote:
Do you mean just for that prefix, or that the route via router 3 is 
preferred for everything but router 2? If the latter, surely you just 
adjust the OSPF metric?


Matthew Walster



2009/9/30 SunnyDay <cscosu...@gmail.com>

Hello, I have 3 routers and they are all configured with OSPF.
Router 1 has the 10.0.0.0 subnet from router 2 and router 3 with the
same preference.
I want to make the preference advertised from router 2 to be
preferred over router 3 for network
10.0.0.0. Is this done via policy options?

Thank You


          router 1

router 2          router 3

          10.0.0.0



[j-nsp] Ospf preference

2009-09-30 Thread SunnyDay

Hello, I have 3 routers and they are all configured with OSPF.
Router 1 has the 10.0.0.0 subnet from router 2 and router 3 with the same
preference.
I want to make the preference advertised from router 2 to be preferred
over router 3 for network
10.0.0.0. Is this done via policy options?

Thank You


          router 1

router 2          router 3

          10.0.0.0




[j-nsp] Management ports

2009-09-23 Thread SunnyDay
Hello, is there some way to change the default management
ports (22, 23, 443) to some other port number?

Thank you




[j-nsp] Screenos multilink

2009-03-27 Thread SunnyDay

Hello
Does anyone know on which interfaces I can configure a multilink bundle?
Is it only serial interfaces?


[j-nsp] NSM

2009-02-11 Thread SunnyDay

Hello
Does anyone know how I can configure a J-series router so I can import it into
NetScreen Security Manager (NSM)?

Thank You


[j-nsp] E320 question

2009-02-06 Thread SunnyDay

hello

Will a cnf config file work from an E320 to E120 ?

Thanks


[j-nsp] Wan Acceleration

2009-01-30 Thread SunnyDay

Hello
Does the WX series for wan acceleration offer encryption as well?

Thank You


[j-nsp] Mpls Ldp

2009-01-23 Thread SunnyDay
Hello, I have some issues between a Cisco router and an E320 concerning
MPLS LDP. I was wondering if anyone knows what the
default modes for Cisco are for:

Label distribution control mode
Label retention mode
Label advertisement mode

Thank you


[j-nsp] ScreenOS problem

2009-01-22 Thread SunnyDay

Hello
I have an SSG 140 running ScreenOS 6.1.0r2.0.
I have 2 ADSL PIMs load balancing traffic. I have configured on adsl1/0
a DSL subinterface with a different PVC and a different PPPoE
connection. The problem
is that after 2 or 3 days the ADSL interface is down and a restart is
required for the interface to come up again.

Does anyone know if it's maybe a bug, or something else to look for in the config?

Thank you.


[j-nsp] dynamic interfaces junose

2008-12-19 Thread SunnyDay

Hello
In JUNOSe I have this configuration on an interface:

interface gigabitEthernet 1/0/1
shutdown
mtu 1522
encapsulation vlan
vlan bulk-config "test"
profile vlan bulk-config "test" "test pro"
vlan bulk-config "test" vlan-range 567 667

My problem is that the interface is shut down but I still have VLAN
subinterface, PPPoE interface and PPP in down state,
and I cannot remove the "vlan bulk-config "test" vlan-range 567 667"
from the interface because it says: dynamic interface exists


Any ideas?


[j-nsp] Multilink question

2008-12-16 Thread SunnyDay

Hello,
I have an E320 and I want to configure multilink PPP but I have some
questions.

What I have done is this:
I have 2 VRs, VR-1 and VR-Multilink

interface loopback 1 (VR-1)
ip add 1.1.1.1 /32

interface loopback 40 (VR-Multilink)
ip add 2.2.2.2 /32

aaa domain-map "mlppp.test.kk"
router-name Multilink
ipv6-router-name default
tunnel 1
 address 1.1.1.1
 source-address 2.2.2.2
 password 123456
!
aaa profile "Mlppp_profile"
translate default test.kk

My question is: is the tunnel created between VR-Multilink and VR-1?
And how does the translate command work in this case? If I don't configure the
command this doesn't work.


thank you


[j-nsp] traceroute output

2008-12-09 Thread SunnyDay

Hello,
can anyone explain what this means? All hops are the same.

traceroute 10.10.10.15
Tracing route to 10.10.10.15, TTL = 32, timeout = 2 sec.
(Press ^c to stop.)
1  0ms  0ms  0ms   10.10.10.15  
2  10ms  10ms  10ms   10.10.10.15  
3  10ms  12ms  12ms   10.10.10.15  
4  10ms  10ms  12ms   10.10.10.15  


thank you


[j-nsp] bgp/mpls vpn

2008-12-09 Thread SunnyDay


Hello,
I have configured a BGP/MPLS VPN which looks like this:

address-family vpnv4 unicast
 no check-vpn-next-hops
 neighbor x.x.x.x activate

address-family ipv4 unicast vrf test
 no synchronization
 no auto-summary
 redistribute rip
 redistribute connected
 redistribute access
 redistribute access-internal
 exit-address-family

When I issue the command "show ip bgp summary" I see in the output
*Default IPv4-unicast is enabled*

Is there a way to disable that so I only receive vpnv4 routes and not
ipv4?


Thank you




[j-nsp] E320 upgrade question

2008-12-08 Thread SunnyDay

Hello,
I have an E320 with software release 8.x.x and I want to upgrade
to release 9.x.x. Is there any limitation on hardware (e.g. LM, SRP)?
Thank you


[j-nsp] Rarp Junos

2008-12-05 Thread SunnyDay

Hello, is RARP supported on M-series and T-series?
I searched a whole bunch of documentation and came up with nothing.
Thanks


[j-nsp] screenos question

2008-11-20 Thread SunnyDay

Referring to the previous question:

I want to configure the subinterface as a bridge and place a CPE on one
Ethernet port of the SSG,

and have the CPE get an IP on its Ethernet directly.
How can I configure that?


Re: [j-nsp] Screenos problem

2008-11-20 Thread SunnyDay

or create another zone to the untrust virtual router


Pavel Lunin wrote:

SunnyDay wrote:

Hello
I'm trying to create a DSL subinterface and I get this message. Any
clues?


SSG140->  set interface adsl2/0.1 pvc 8 36 zone Untrust
Zone Untrust traffic shaping has been enabled! Disable traffic
shaping before binding.

It's silly but it is. ScreenOS doesn't allow adding subinterfaces to a
zone if you have any policies from/to this zone with traffic shaping
enabled. So you have to turn off traffic shaping for all the policies
for the Untrust zone and then bind the new interface.


--
Regards,
Pavel

[j-nsp] Screenos problem

2008-11-20 Thread SunnyDay

Hello
I'm trying to create a DSL subinterface and I get this message. Any clues?


SSG140->  set interface adsl2/0.1 pvc 8 36 zone Untrust
Zone Untrust traffic shaping has been enabled! Disable traffic shaping 
before binding.



[j-nsp] SSL question

2008-11-18 Thread SunnyDay

Hello,
is it possible for a user to log in to a page that has Host Checker
enabled and, if the criteria
are matched (or not), redirect the user to another sign-in page?

Thank you


Re: [j-nsp] bgp as-path

2008-11-14 Thread SunnyDay

But what if I have 4509:65001:4356:65444?
Will it remove both private ASNs, or only 65001, and when it checks the next
(4356) stop and not remove 65444?



Hyunseog Ryu wrote:
"remove private-as" will remove private ASNs from the AS-Path, so only ASes with public AS range will survive after this filtering.

So it works for AS-PATHs with both public/private ASN combinations.




-----Original Message-----
From: SunnyDay [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 14, 2008 12:43 PM

To: Hyunseog Ryu
Cc: SunnyDay; juniper-Nsp
Subject: Re: [j-nsp] bgp as-path

Yes, I know, but what if the AS-PATH contains both public and private?
What will happen then? I read that the OS will consider it a config error?


Hyunseog Ryu wrote:
  

From bgp options, you can find 'remove-private-as' or something like that.



Sent from my Windows Mobile(r) phone.

-----Original Message-----
From: SunnyDay <[EMAIL PROTECTED]>
Sent: Friday, November 14, 2008 12:35 PM
To: juniper-Nsp 
Subject: [j-nsp] bgp as-path


Hello,
I want to know what the behavior will be if the AS-PATH contains both public and
private ASNs,
and is it possible to remove all private ones?
Thanks

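
The two outcomes asked about in this thread for the path 4509:65001:4356:65444, modelled as an added example (not code from any poster or from a router OS). Which policy a given platform applies is not stated in the thread; the function names are hypothetical and the private ranges are the ones reserved by RFC 6996.

```python
"""Added example: two possible 'remove private AS' policies on a mixed AS path."""

# Private-use ASN ranges reserved by RFC 6996 (16-bit and 32-bit).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private(asn):
    """True if the ASN falls in a private-use range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)


def parse_path(text):
    """Parse the colon-separated notation used in the thread, e.g. '4509:65001'."""
    path = []
    for token in text.split(":"):
        asn = int(token)
        if not 0 <= asn <= 0xFFFFFFFF:
            raise ValueError("ASN out of range: %s" % token)
        path.append(asn)
    return path


def strip_all_private(path):
    """Policy A: drop every private ASN wherever it appears in the path."""
    return [asn for asn in path if not is_private(asn)]


def strip_first_private_run(path):
    """Policy B: drop only the first contiguous run of private ASNs and
    stop at the next public ASN, leaving later private ASNs in place."""
    out = []
    state = "before"            # before -> in_run -> done
    for asn in path:
        if state == "before" and is_private(asn):
            state = "in_run"
            continue
        if state == "in_run":
            if is_private(asn):
                continue
            state = "done"
        out.append(asn)
    return out


def leaked_private(path):
    """Private ASNs still present after filtering: what an outbound
    sanity check on advertised routes would flag."""
    return [asn for asn in path if is_private(asn)]


if __name__ == "__main__":
    path = parse_path("4509:65001:4356:65444")   # path quoted in the thread
    for name, policy in (("all", strip_all_private),
                         ("first run", strip_first_private_run)):
        result = policy(path)
        print(name, result, "leaked:", leaked_private(result))
```

Running the leak check on whatever a peer actually receives shows which of the two policies the router applied.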


Re: [j-nsp] bgp as-path

2008-11-14 Thread SunnyDay

Yes, I know, but what if the AS-PATH contains both public and private?
What will happen then? I read that the OS will consider it a config error?


Hyunseog Ryu wrote:

From bgp options, you can find 'remove-private-as' or something like that.



Sent from my Windows Mobile® phone.

-----Original Message-----
From: SunnyDay <[EMAIL PROTECTED]>
Sent: Friday, November 14, 2008 12:35 PM
To: juniper-Nsp 
Subject: [j-nsp] bgp as-path


Hello,
I want to know what the behavior will be if the AS-PATH contains both public and
private ASNs,
and is it possible to remove all private ones?
Thanks



[j-nsp] bgp as-path

2008-11-14 Thread SunnyDay
Hello,
I want to know what the behavior will be if the AS-PATH contains both public and private ASNs,

and is it possible to remove all private ones?
Thanks



[j-nsp] Screenos interface

2008-11-10 Thread SunnyDay

Hello, is it possible to shut down an interface in ScreenOS?
I have seen the "exec interface" command but nothing comes out.
Thank you


[j-nsp] Dns problem screen os

2008-11-05 Thread SunnyDay

Hello, I'm using ScreenOS 6.1.0r2.
I have configured several bgroup interfaces which are also DHCP servers.
The SSG has 3 ADSL connections. All bgroup interfaces have dns#1 from
isp1 and dns#2 from isp2,
but after some days the DNS on all interfaces suddenly changes to the
DNS of the 3rd ISP.

Any ideas?


[j-nsp] Screenos Antispam

2008-11-03 Thread SunnyDay

Hello
I have an SSG 140 with ScreenOS 6.1.0r2 and I want to use the antispam
feature.
I have enabled it from the untrust zone to the mail servers zone with
Juniper's predefined server,
it doesn't seem to work. I tried manually setting a blacklist address and it
worked.

Here is the debug output on the SSG for the antispam server.
Any help appreciated.


2008-11-03 13:30:12 : free_sbl_dns_request_by_sblreq a2baed0
## 2008-11-03 13:30:13 : AS: sbl insert queue: a2baed0
## 2008-11-03 13:30:13 : ===get request "[EMAIL PROTECTED]" ip 0.0.0.0
## 2008-11-03 13:30:13 : ===query whitelist servers
## 2008-11-03 13:30:13 : ===query blacklist servers
## 2008-11-03 13:30:13 : ===request pass "[EMAIL PROTECTED]", ip 0.0.0.0 didn't match any
## 2008-11-03 13:30:13 : free_sbl_dns_request_by_sblreq a2baed0
## 2008-11-03 13:30:36 : AS: sbl insert queue: a2baed0
## 2008-11-03 13:30:36 : ===get request "" ip 62.1.42.14
## 2008-11-03 13:30:36 : ===query whitelist servers
## 2008-11-03 13:30:36 : ===query blacklist servers
## 2008-11-03 13:30:36 : query send to sbl: 14.42.1.62.d14b0f96bb6b4cb0b235a40c7dde3b35.msgsecurity.juniper.net bab5084
## 2008-11-03 13:30:36 : sbl_dns_callback bab5084
## 2008-11-03 13:30:36 : sbl_dns_callback get ip 0.0.0.0
## 2008-11-03 13:30:36 : request_pattern "", ip 62.1.42.14
## 2008-11-03 13:30:36 : server_name msgsecurity.juniper.net
## 2008-11-03 13:30:36 : blackserver
## 2008-11-03 13:30:37 : ===get request "" ip 62.1.42.14
## 2008-11-03 13:30:37 : ===request pass "", ip 62.1.42.14 didn't match any



[j-nsp] ScreenOS question

2008-10-24 Thread SunnyDay

Hello, a stupid question maybe.

When I ping a host I can see this in the firewall's logging:
192.168.40.10:24064  192.168.100.11:512  192.168.40.10:24064  192.168.100.11:512  ICMP

My question is this: I think that ICMP does not have a port, so why do I get
a dst-port in this output?

How does this work?
And second, I tried to ping from a certain device and in the logging the
dst-port was 0.

Is there a problem with that?

Any help appreciated.


[j-nsp] bridge group interfaces

2008-10-20 Thread SunnyDay

Hello,
I'm using ScreenOS 6.1r2. I have configured 9 bridge group interfaces (e.g.
bgroup0/0.10).
The thing is, when I try to remove one, either from the WebUI or the CLI, all of
the interfaces disappear and then you have to reboot to have normal operation.

Any ideas?

Thank you


Re: [j-nsp] web redirection

2008-10-17 Thread SunnyDay

I don't want to redirect traffic for web filtering,
I think just plain web redirection.

Stefan Fouant wrote:

Can you please clarify if you intend to perform URL filtering or
Anti-Virus scanning?



On 10/17/08, SunnyDay <[EMAIL PROTECTED]> wrote:
  

hello
does juniper netscreen ssg series support web redirection?
thank you


[j-nsp] web redirection

2008-10-17 Thread SunnyDay

hello
does juniper netscreen ssg series support web redirection?
thank you


[j-nsp] aaa accounting

2008-10-01 Thread SunnyDay

hello
can anyone explain the use of these commands?

"aaa service accounting interval"
"aaa user accounting interval"

Thank you


Re: [j-nsp] ping output

2008-09-26 Thread SunnyDay


It's JUNOSe


[EMAIL PROTECTED] wrote:

Are you working on 9.1+ JUNOS version? ;) (cf: "Bizaare bug of the year award" 
:p)



From: [EMAIL PROTECTED] on behalf of SunnyDay
Sent: Fri 26/09/2008 12:03
To: Juniper-Nsp
Subject: [j-nsp] ping output



Hello, can anyone explain why this output has 200% success?


bras01:(config)#run ping x.x.x.x  
Sending 5 ICMP echoes to x.x.x.x, timeout = 2 sec.
!   
Success rate = 200% (10/5), round-trip min/avg/max = 0/1/9 ms


bras01:(config)#

Thank you




[j-nsp] ping output

2008-09-26 Thread SunnyDay

Hello, can anyone explain why this output has 200% success?


bras01:(config)#run ping x.x.x.x   
Sending 5 ICMP echoes to x.x.x.x, timeout = 2 sec.
!
Success rate = 200% (10/5), round-trip min/avg/max = 0/1/9 ms


bras01:(config)#

Thank you




[j-nsp] Bgp mpls/vpn

2008-09-25 Thread SunnyDay


Hello,
I want to configure an MPLS VPN with a hub-and-spoke topology on an ERX 320.
The customers may or may not be on the same PE router.

I configure one vrf for the hub with route target export 1:100 and
import 1:200

and 2 other vrfs with import 1:100 and export 1:200 respectively.

Will this work for CEs on the same PE router?
And for CEs that are not on the same PE?

Thanks
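
The route-target design described in this post, worked through as an added example (not code from the poster or from JUNOSe). It models only generic route-target import/export matching; the VRF names, PE names and prefixes are constructed, and platform-specific handling of VRFs on the same PE is not modelled.

```python
"""Added example: route-target import/export for a hub-and-spoke VPN."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    pe: str                  # hosting PE router (constructed name)
    role: str                # "hub" or "spoke"
    export_rts: frozenset    # RTs attached to routes this VRF advertises
    import_rts: frozenset    # RTs this VRF accepts
    local_prefixes: tuple    # prefixes learned from the attached CE
    table: dict = field(default_factory=dict)   # prefix -> originating VRF


def distribute(vrfs):
    """Install routes: a VRF accepts another VRF's local prefixes only if
    at least one of the exporter's RTs is in its own import list."""
    for vrf in vrfs:
        vrf.table = {prefix: vrf.name for prefix in vrf.local_prefixes}
    for src in vrfs:
        for dst in vrfs:
            if src is not dst and src.export_rts & dst.import_rts:
                for prefix in src.local_prefixes:
                    dst.table[prefix] = src.name
    return {vrf.name: dict(vrf.table) for vrf in vrfs}


def isolation_violations(vrfs):
    """List (spoke, prefix, origin) where a spoke holds a route that
    another spoke originated, i.e. traffic could bypass the hub."""
    roles = {vrf.name: vrf.role for vrf in vrfs}
    bad = []
    for vrf in vrfs:
        if vrf.role != "spoke":
            continue
        for prefix, origin in sorted(vrf.table.items()):
            if origin != vrf.name and roles[origin] == "spoke":
                bad.append((vrf.name, prefix, origin))
    return bad


def build(spoke_b_imports=("1:100",)):
    """RT values from the post: hub exports 1:100 and imports 1:200,
    spokes import 1:100 and export 1:200."""
    return [
        Vrf("hub", "PE1", "hub", frozenset({"1:100"}),
            frozenset({"1:200"}), ("10.0.0.0/24",)),
        Vrf("spoke-a", "PE1", "spoke", frozenset({"1:200"}),
            frozenset({"1:100"}), ("10.1.0.0/24",)),
        Vrf("spoke-b", "PE2", "spoke", frozenset({"1:200"}),
            frozenset(spoke_b_imports), ("10.2.0.0/24",)),
    ]


if __name__ == "__main__":
    good = build()
    print(distribute(good), isolation_violations(good))
    # Misconfiguration: one spoke also imports the spoke export RT.
    leaky = build(spoke_b_imports=("1:100", "1:200"))
    distribute(leaky)
    print(isolation_violations(leaky))
```

With the RTs as posted, each spoke learns only the hub's own prefixes, so spoke-to-spoke reachability additionally needs the hub to advertise a default or aggregate route.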


[j-nsp] SA-2500 Secure meeting

2008-09-19 Thread SunnyDay

Hi
I have an SA-2500 and when I try to configure an SMTP server for Secure
Meeting I get an "smtp server name unknown".

Any ideas why that is? The SA pings the SMTP server from the internal port.
Thanks


[j-nsp] ERX pools

2008-09-15 Thread SunnyDay

Hello
I have a virtual router vr-test and in that virtual router
several VRFs "vr-test:testvrf". I have one question: is it possible to
configure
a local pool on virtual router vr-test so that the vrf
subscribers can also receive an IP address from that pool,

or do I have to configure it inside the vrf?
Thank you


[j-nsp] SSG140 traffic shaping

2008-09-05 Thread SunnyDay

Hello

When I configure traffic shaping on policies it only seems to work for
policing bandwidth.
When I try to configure Guaranteed Bandwidth and Maximum Bandwidth
in one policy instead of policing bandwidth,
I suddenly don't have any traffic at all towards the internet. When I
return to policing bandwidth everything works OK.

Any ideas why that is happening?
Thank you




Re: [j-nsp] MIP issue

2008-09-02 Thread SunnyDay
I have tried the policy config like you say but no luck.
The loopback is in the untrust zone in the untrust vr.
The testing zone is in VR-test. Do you suggest putting a route for
192.168.90.2 in the untrust vr, pointing to VR-test?

-----Original Message-----
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 02, 2008 5:06 PM
To: SunnyDay
Cc: Juniper-Nsp
Subject: Re: [j-nsp] MIP issue

On Wed, Jun 1, 2005 at 12:09 AM, SunnyDay <[EMAIL PROTECTED]> wrote:
> The policy is from untrust to global with source any, destination MIP.
> And no, I don't have a route. I don't understand the use of the route or what
> route to configure.

When the incoming ICMP echo-requests come into the device, does the
device know how to reach the network where those requests are coming
from so it can respond with the echo-replies?

Have you tried changing the policy from 'untrust to global' to
'untrust to testing' zone... check and see if that makes a difference.

-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D



Re: [j-nsp] MIP issue

2008-09-02 Thread SunnyDay
The policy is from untrust to global with source any, destination MIP.
And no, I don't have a route. I don't understand the use of the route or what
route to configure.

-----Original Message-----
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 02, 2008 4:27 PM
To: SunnyDay; Juniper-Nsp
Subject: Re: [j-nsp] MIP issue

What specifically is your policy permitting and do you have a route
which resolves back to the source of those ICMP echo-requests?



On 5/31/05, SunnyDay <[EMAIL PROTECTED]> wrote:
> Hello
>
> I have 1 adsl interface in the untrust zone and I have configured a loopback
> with another public ip address
>
> And made the adsl member of loopback group.(the loopback interface).
>
> I now go to the loopback interface to configure a mip.
>
> Then I configure the policy from untrust to Testing zone.
>
> When I ping from the internet I see traffic on the policy logs coming in and
> translated to the private address but ping fails.
>
> Thanks

-- 
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D



[j-nsp] MIP issue

2008-09-02 Thread SunnyDay
I have 1 adsl interface in the untrust zone and I have configured a loopback
with another public ip address
 
And made the adsl member of loopback group.(the loopback interface).
 
I now go to the loopback interface to configure a mip.
 
Then I configure the policy from untrust to Testing zone.
 
When I ping from the internet I see traffic on the policy logs coming in and
translated to the private address but ping fails.
 
Thanks 
 

 



[j-nsp] MIP issue

2008-09-02 Thread SunnyDay
Hello 

I have 1 adsl interface in the untrust zone and I have configured a loopback
with another public ip address

And made the adsl member of loopback group.(the loopback interface).

I now go to the loopback interface to configure a mip.

Then I configure the policy from untrust to Testing zone.

When I ping from the internet I see traffic on the policy logs coming in and
translated to the private address but ping fails.

Thanks 



[j-nsp] SSG

2008-09-01 Thread SunnyDay
Hello 

Is there any way to log failed login attempts to SSG firewalls?

Thank you 



Re: [j-nsp] Vpn in active/active HA

2008-08-29 Thread SunnyDay
I'm not going to use certificates, just policy-based VPN or route-based.
Is there any issue with these?

-----Original Message-----
From: Sidney Boumendil [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 29, 2008 1:06 PM
To: SunnyDay
Cc: Juniper-Nsp
Subject: Re: [j-nsp] Vpn in active/active HA

On 8/29/08, SunnyDay <[EMAIL PROTECTED]> wrote:
> Hello, is there any specific setting to watch out for when configuring a
> vpn in
> two ssg when in high availability active/active state?

Hello,

If you are going to use certificate authentication for some tunnels,
be sure to configure a nsrp cluster name and issue your certificates
with this name so as not to disrupt the ipsec tunnel in case of vsd
group failover.

B.R

Sidney



[j-nsp] Vpn in active/active HA

2008-08-29 Thread SunnyDay
Hello, is there any specific setting to watch out for when
configuring a vpn in
two ssg when in high availability active/active state?

Thank you


[j-nsp] Policy traffic shaping netscreen

2008-08-18 Thread SunnyDay
Hello, I have an SSG 140 with ScreenOS 6.1.0r2.0

and I have a problem with policy traffic shaping, which does not seem to work
properly.

When I configure a policy with guaranteed bw and maximum bw, traffic seems to
be matched

at another policy with another source address than the one configured,

e.g. 192.168.40.10 is matched at a policy with source 192.168.40.19.

Any ideas what causes this kind of behavior?

 

Thank you 





[j-nsp] Source Based Routing

2008-08-13 Thread SunnyDay
Hello, I am trying to configure source-based routing on an SSG140.

The SSG has 3 ADSL lines: 2 ADSL cards and one bridged PPPoE on an Ethernet.

I have put the interfaces in the untrust-vr and the local network in the
trust-vr with the appropriate zones.

I have 4 subnets 192.168.10.1 192.168.20.1 192.168.30.1 192.168.40.1.

I have configured a default route in the trust-vr pointing to the untrust-vr.

At the untrust-vr I have source-based routing, e.g. 192.168.10.0/24 to leave
through adsl/1, but this does not seem to work.

When I put the source-based routing in the trust-vr, traffic leaves for adsl/1
but internal traffic goes also.

Has anyone worked with a similar scenario? I could use some help here.

Thanks 



Re: [j-nsp] load balance traffic

2008-07-25 Thread sunnyday
I don't have it configured but the thing is that I ping at the gateway 

[EMAIL PROTECTED] run ping 1.1.1.1 source 10.11.11.7 (pp0.0)
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=127 time=42.211 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=127 time=20.205 ms
^C


[edit]
[EMAIL PROTECTED] run ping 1.1.1.1 source 10.11.11.8  (pp0.1)
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss
=
1.1.1.1/32  *[Direct/0] 02:29:54
            > via pp0.1
             [Direct/0] 02:29:54
            > via pp0.0

Any ideas on why this is happening?


1.1.1.1 is the bras loopback. Behind the bras is 172.16.24.2 which cannot be
reached without specifying the source address

172.16.24.0/24 *[Static/5] 00:22:24
                 via pp0.0
               > via pp0.1


[edit]
[EMAIL PROTECTED] run ping 172.16.24.2
PING 172.16.24.2 (172.16.24.2): 56 data bytes
^C
--- 172.16.24.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss



[edit]
[EMAIL PROTECTED] run ping 172.16.24.2 source 10.11.11.7 
PING 172.16.24.2 (172.16.24.2): 56 data bytes
64 bytes from 172.16.24.2: icmp_seq=0 ttl=63 time=22.413 ms
64 bytes from 172.16.24.2: icmp_seq=1 ttl=63 time=30.293 ms
^C
===
[edit]
[EMAIL PROTECTED] run ping 172.16.24.2 source 10.11.11.8
PING 172.16.24.2 (172.16.24.2): 56 data bytes
64 bytes from 172.16.24.2: icmp_seq=2 ttl=63 time=50.255 ms
64 bytes from 172.16.24.2: icmp_seq=3 ttl=63 time=80.231 ms

===



-Original Message-
From: Erdem Sener [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 2:54 PM
To: sunnyday
Subject: Re: [j-nsp] load balance traffic

Hi,

 Can you check if you have "system default-address-selection"
configured? If it's there, delete it and you should be fine.

Cheers,
Erdem

On Fri, Jul 25, 2008 at 1:39 PM, sunnyday <[EMAIL PROTECTED]> wrote:
> I have logged traffic at the interfaces and found that the router is using
> the loopback as source address for reaching the gateway
> When specifying the 2 interfaces  the pings work
> How can I change the default selection of the loopback address?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of sunnyday
> Sent: Friday, July 25, 2008 1:12 PM
> To: Juniper-Nsp
> Subject: [j-nsp] load balance traffic
>
>
>
> Hello I have a j router with 2 adsl cards  they have been assigned ip
> address from the bras.
>
> pp0.0   up    up   inet 10.11.11.7  --> 1.1.1.1
> pp0.1   up    up   inet 10.11.11.8  --> 1.1.1.1
>
> the problem is that only one adsl card(pp0.1) can ping the loopback(1.1.1.1)
> of the bras:
>
> 1.1.1.1/32     *[Direct/0] 00:23:33
>                > via pp0.1
>                 [Direct/0] 00:23:33
>                > via pp0.0
>
> 10.11.11.7/32  *[Local/0] 00:27:34
>                   Local via pp0.0
> 10.11.11.8/32  *[Local/0] 00:27:34
>                   Local via pp0.1
>
> Any ideas on how to change the behavior and have both interfaces forwarding
> for the gateway?
>


Re: [j-nsp] load balance traffic

2008-07-25 Thread sunnyday
I have logged traffic at the interfaces and found that the router is using
the loopback as source address for reaching the gateway.
When specifying the 2 interfaces the pings work.
How can I change the default selection of the loopback address?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sunnyday
Sent: Friday, July 25, 2008 1:12 PM
To: Juniper-Nsp
Subject: [j-nsp] load balance traffic

 

Hello I have a j router with 2 adsl cards  they have been assigned ip
address from the bras.

pp0.0   up    up   inet 10.11.11.7  --> 1.1.1.1
pp0.1   up    up   inet 10.11.11.8  --> 1.1.1.1

the problem is that only one adsl card(pp0.1) can ping the loopback(1.1.1.1)
of the bras:

1.1.1.1/32     *[Direct/0] 00:23:33
               > via pp0.1
                [Direct/0] 00:23:33
               > via pp0.0

10.11.11.7/32  *[Local/0] 00:27:34
                  Local via pp0.0
10.11.11.8/32  *[Local/0] 00:27:34
                  Local via pp0.1

Any ideas on how to change the behavior and have both interfaces forwarding
for the gateway?



[j-nsp] load balance traffic

2008-07-25 Thread sunnyday
 

Hello I have a j router with 2 adsl cards  they have been assigned ip
address from the bras.

pp0.0   up    up   inet 10.11.11.7  --> 1.1.1.1
pp0.1   up    up   inet 10.11.11.8  --> 1.1.1.1

the problem is that only one adsl card(pp0.1) can ping the loopback(1.1.1.1)
of the bras:

1.1.1.1/32     *[Direct/0] 00:23:33
               > via pp0.1
                [Direct/0] 00:23:33
               > via pp0.0

10.11.11.7/32  *[Local/0] 00:27:34
                  Local via pp0.0
10.11.11.8/32  *[Local/0] 00:27:34
                  Local via pp0.1

Any ideas on how to change the behavior and have both interfaces forwarding
for the gateway?



Re: [j-nsp] Routing question

2008-07-24 Thread sunnyday
And let's say you configure 2 static routes for the route 1.1.1.1, one for
each interface, and no preference added to the static routes.
What will happen then?

-Original Message-
From: Nalkhande Tarique Abbas [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 24, 2008 12:35 PM
To: sunnyday; Juniper-Nsp
Subject: RE: [j-nsp] Routing question


With no dynamic routing involved, the election of path should be based
on static entries for the concerned routes.

Thanks & Regards,
Tarique A. Nalkhande
Juniper Technical Assistance Center 
888.314. JTAC (888.314.5822) Toll Free 
408.745.9500 Domestic & International
Email : - [EMAIL PROTECTED]
Please CC: [EMAIL PROTECTED], with the case number in the subject
line.
Working hours: Tuesday to Saturday ( 05:00 hrs to 13:00 hrs GMT )

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sunnyday
Sent: Thursday, July 24, 2008 2:40 PM
To: 'Juniper-Nsp'
Subject: [j-nsp] Routing question

Hello, I'm going to ask a stupid question, guys.

I have 2 paths to a route, one is fast Ethernet and one is serial, and no
routing protocol is present.

Which interface will be selected?



[j-nsp] Routing question

2008-07-24 Thread sunnyday
Hello, I'm going to ask a stupid question, guys.

I have 2 paths to a route, one is fast Ethernet and one is serial, and no
routing protocol is present.

Which interface will be selected?



Re: [j-nsp] SecurID netscreen problem

2008-07-22 Thread sunnyday
OK, I managed to get it working. Thanks for your help, Stefan.


-Original Message-
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 8:03 PM
To: sunnyday
Cc: Juniper-Nsp; [EMAIL PROTECTED]
Subject: Re: [j-nsp] SecurID netscreen problem

The tunnel can be treated as a point-to-point IP unnumbered
interface for purposes of forwarding traffic, so normally there is no
need for IP address assignments on the tunnel itself.  IP addressing
is normally only used "inside" the tunnel if you wanted to ping the
remote end of the tunnel itself or perhaps layer another tunneling
technology on top of the underlying IPsec tunnel, thereby specifying
the local and remote tunnel IPs as the source and destination
addresses for the secondary tunnel.

If you can use Netscreen Remote Client as opposed to the ShrewSoft
client, you'll have more flexibility as the Netscreen Remote Client
will allow you to use AUTH authentication and therefore assign remote
settings.

On Mon, Jul 21, 2008 at 11:51 AM, sunnyday <[EMAIL PROTECTED]> wrote:
> Ok sorry
>
> Any client in mind that supports auth?
>> And how can I make the vpn work without ip address assigned to the
>> dialup user?
>> I have only managed to get it to work with ip. I also used netscreen
>> remote as well besides shrewsoft.
>
> -Original Message-
> From: Stefan Fouant [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 21, 2008 5:11 PM
> To: sunnyday; Juniper-Nsp; [EMAIL PROTECTED]
> Subject: Re: [j-nsp] SecurID netscreen problem
>
> If I recall correctly, you are using Xauth. As I mentioned in a
> previous post, ScreenOS does not support the assignment of remote
> settings such as IP addresses using Xauth. In most cases you do not
> need to assign an address to the tunnel in order to get the tunnel
> operational, but if this is a requirement for your network you'll need
> to switch from that ShrewSoft client to something else that supports
> AUTH authentication.
>
> HTHs.
>
>
>
> On 7/21/08, sunnyday <[EMAIL PROTECTED]> wrote:
>> I have set up a vpn to authenticate to an external SecureID server. The
>> authentication requests reach the server and authentication is successful, as
>> I can see through the logs of the SecureID server.
>>
>> But my problem is that the dialup vpn client is unable to get an ip address.
>> How is it possible to give the vpn client an ip address?
>>
>> Thank you
>>
>
> --
> Sent from Gmail for mobile | mobile.google.com
>
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> GPG Key ID: 0xB5E3803D
>
>



-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D



Re: [j-nsp] SecurID netscreen problem

2008-07-21 Thread sunnyday
I don't use a tunnel interface, I just configured the vpn through the Autokey
Advanced > Gateway and Autokey Ike and then a bidirectional policy from
Dial-Up VPN to any Action=Tunnel
And that's it. After that the user is configured locally. And that thing that
you said with netscreen remote, how can you do AUTH Authentication?
I have only seen preshared key and preshared key with Xauth.

-Original Message-
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 8:03 PM
To: sunnyday
Cc: Juniper-Nsp; [EMAIL PROTECTED]
Subject: Re: [j-nsp] SecurID netscreen problem

The tunnel can be treated as a point-to-point IP unnumbered
interface for purposes of forwarding traffic, so normally there is no
need for IP address assignments on the tunnel itself.  IP addressing
is normally only used "inside" the tunnel if you wanted to ping the
remote end of the tunnel itself or perhaps layer another tunneling
technology on top of the underlying IPsec tunnel, thereby specifying
the local and remote tunnel IPs as the source and destination
addresses for the secondary tunnel.

If you can use Netscreen Remote Client as opposed to the ShrewSoft
client, you'll have more flexibility as the Netscreen Remote Client
will allow you to use AUTH authentication and therefore assign remote
settings.

On Mon, Jul 21, 2008 at 11:51 AM, sunnyday <[EMAIL PROTECTED]> wrote:
> Ok sorry
>
> Any client in mind that supports auth?
>> And how can I make the vpn work without ip address assigned to the
>> dialup user?
>> I have only managed to get it to work with ip. I also used netscreen
>> remote as well besides shrewsoft.
>
> -Original Message-
> From: Stefan Fouant [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 21, 2008 5:11 PM
> To: sunnyday; Juniper-Nsp; [EMAIL PROTECTED]
> Subject: Re: [j-nsp] SecurID netscreen problem
>
> If I recall correctly, you are using Xauth. As I mentioned in a
> previous post, ScreenOS does not support the assignment of remote
> settings such as IP addresses using Xauth. In most cases you do not
> need to assign an address to the tunnel in order to get the tunnel
> operational, but if this is a requirement for your network you'll need
> to switch from that ShrewSoft client to something else that supports
> AUTH authentication.
>
> HTHs.
>
>
>
> On 7/21/08, sunnyday <[EMAIL PROTECTED]> wrote:
>> I have set up a vpn to authenticate to an external SecureID server. The
>> authentication requests reach the server and authentication is successful, as
>> I can see through the logs of the SecureID server.
>>
>> But my problem is that the dialup vpn client is unable to get an ip address.
>> How is it possible to give the vpn client an ip address?
>>
>> Thank you
>>
>
> --
> Sent from Gmail for mobile | mobile.google.com
>
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> GPG Key ID: 0xB5E3803D
>
>



-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D



Re: [j-nsp] SecurID netscreen problem

2008-07-21 Thread sunnyday
Ok sorry

Any client in mind that supports auth?
> And how can I make the vpn work without ip address assigned to the 
> dialup user?
> I have only managed to get it to work with ip. I also used netscreen
> remote as well besides shrewsoft.

-Original Message-
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 5:11 PM
To: sunnyday; Juniper-Nsp; [EMAIL PROTECTED]
Subject: Re: [j-nsp] SecurID netscreen problem

If I recall correctly, you are using Xauth. As I mentioned in a
previous post, ScreenOS does not support the assignment of remote
settings such as IP addresses using Xauth. In most cases you do not
need to assign an address to the tunnel in order to get the tunnel
operational, but if this is a requirement for your network you'll need
to switch from that ShrewSoft client to something else that supports
AUTH authentication.

HTHs.



On 7/21/08, sunnyday <[EMAIL PROTECTED]> wrote:
> I have set up a vpn to authenticate to an external SecureID server. The
> authentication requests reach the server and authentication is successful, as
> I can see through the logs of the SecureID server.
>
> But my problem is that the dialup vpn client is unable to get an ip address.
> How is it possible to give the vpn client an ip address?
>
> Thank you
>

-- 
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D



[j-nsp] SecurID netscreen problem

2008-07-20 Thread sunnyday
I have set up a vpn to authenticate to an external SecureID server. The
authentication requests reach the server and authentication is successful, as
I can see through the logs of the SecureID server.

But my problem is that the dialup vpn client is unable to get an ip address.
How is it possible to give the vpn client an ip address?

Thank you 



Re: [j-nsp] Vpn with rsa

2008-07-17 Thread sunnyday
I don't understand how to assign remote settings. Shrewsoft only has xauth,
not auth, as an option. I have tried it from trust to untrust with
authentication applied on the policy for a specific user.
And when he requested internet service he got a prompt to enter username and
password. I entered the username I have configured in the RSA server and the
token code as password, and it worked.
The problem is on the vpn authentication, where I'm confused on the way the
authentication occurs. (Do I have to configure a local user? If I don't, how
will he receive an ip address?) I even put it in the policy of the vpn
"Untrust to Trust" "authentication" the rsa server and got nothing. I would
really appreciate it if you help me out here.

-Original Message-
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 5:38 PM
To: sunnyday
Cc: Juniper-Nsp; [EMAIL PROTECTED]
Subject: Re: [j-nsp] Vpn with rsa

Whoops, sorry I forgot to mention that you can use an IKE/XAuth
account as well.  Yep, if you've got it already set up, you should
just be able to forward the authentication requests toward the RSA
server as opposed to the local database and you should be good to go.

As I mentioned before however, the SecurID cannot assign remote
settings to an L2TP or an XAuth user, so if you intend on assigning
any remote settings, you are probably better off using an Auth user
for this purpose.

Good luck!

On Wed, Jul 16, 2008 at 10:21 AM, sunnyday <[EMAIL PROTECTED]> wrote:
> I have a working ipsec vpn with xauth. I use the shrew soft vpn client. Can
> I just forward the requests to the RSA authentication manager instead of the
> local database?
> I tried it but with luck.
>
>
> -Original Message-
> From: Stefan Fouant [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 16, 2008 5:17 PM
> To: sunnyday
> Cc: Juniper-Nsp; [EMAIL PROTECTED]
> Subject: Re: [j-nsp] Vpn with rsa
>
> For dial-up VPN applications, you can configure an Auth or L2TP user
> and authenticate them against the SecurID database.  I would recommend
> configuring an Auth user as the SecurID cannot assign remote settings
> to an L2TP user.  Once you've configured your Auth user account and
> set up authentication against the SecurID server, it's really just a
> simple matter of specifying the Auth user in the IKE Phase 1 profile.
>
> For more information, you are really going to need to dig into the
> manuals.  The "ScreenOS Concepts and Examples Guide Volume 9: User
> Authentication" should provide you an ample starting point.
>
> HTHs.
>
> On Wed, Jul 16, 2008 at 3:52 AM, sunnyday <[EMAIL PROTECTED]> wrote:
>> I need to configure (if possible) a vpn with rsa authentication. I have some
>> tokens which generate the token codes and have set up the securID server.
>>
>> I already have an IPSEC vpn. I need to know what steps to take to use rsa
>> tokens to authenticate when requesting access to the vpn.
>>
>> Any help appreciated.
>>
>> Thank you
>>
>
>
>
> --
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> GPG Key ID: 0xB5E3803D
>
>



-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D



Re: [j-nsp] Vpn with rsa

2008-07-16 Thread sunnyday
I have a working ipsec vpn with xauth. I use the shrew soft vpn client. Can
I just forward the requests to the RSA authentication manager instead of the
local database?
I tried it but with luck.


-Original Message-
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 5:17 PM
To: sunnyday
Cc: Juniper-Nsp; [EMAIL PROTECTED]
Subject: Re: [j-nsp] Vpn with rsa

For dial-up VPN applications, you can configure an Auth or L2TP user
and authenticate them against the SecurID database.  I would recommend
configuring an Auth user as the SecurID cannot assign remote settings
to an L2TP user.  Once you've configured your Auth user account and
set up authentication against the SecurID server, it's really just a
simple matter of specifying the Auth user in the IKE Phase 1 profile.

For more information, you are really going to need to dig into the
manuals.  The "ScreenOS Concepts and Examples Guide Volume 9: User
Authentication" should provide you an ample starting point.

HTHs.

On Wed, Jul 16, 2008 at 3:52 AM, sunnyday <[EMAIL PROTECTED]> wrote:
> I need to configure (if possible) a vpn with rsa authentication. I have some
> tokens which generate the token codes and have set up the securID server.
>
> I already have an IPSEC vpn. I need to know what steps to take to use rsa
> tokens to authenticate when requesting access to the vpn.
>
> Any help appreciated.
>
> Thank you
>



-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D



[j-nsp] Vpn with rsa

2008-07-16 Thread sunnyday
I need to configure (if possible) a vpn with rsa authentication. I have some
tokens which generate the token codes and have set up the securID server.

I already have an IPSEC vpn. I need to know what steps to take to use rsa
tokens to authenticate when requesting access to the vpn.

Any help appreciated.

Thank you 



[j-nsp] Jncis-fw

2008-07-10 Thread sunnyday
Hello, does anyone know any material to read for the jncis-fw certification?



[j-nsp] Mlppp J series

2008-07-09 Thread sunnyday
Hello, does anyone know or have any config on how to configure Mlppp on J series
with two adsl pics?

Juniper documentation is a little bit confusing.

Thank you



[j-nsp] Bulk stats

2008-06-30 Thread sunnyday
Hello, I need a general idea on bulkstats and what information I can get.

Can I get only interface stats? From the doc I have numerous interfaces,
but when trying to configure I have only a few.

Thank you



Re: [j-nsp] (no subject)

2008-06-24 Thread sunnyday
That means there's not a way to view the output of the command: Show
egress-queue rates interface gigabitEthernet x/x/x through SNMP?




-Original Message-
From: Jonathan Crawford [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 24, 2008 12:10 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: [?? Probable Spam] RE: [j-nsp] (no subject)

This is because snmpwalk.exe cannot find the MIB files, and therefore does
not know how to translate ifOutOctets to ask for it from the router.

http://www.net-snmp.org/docs/FAQ.html#What_does__Cannot_find_module__XXX_MIB___mean_

-Jonathan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sunnyday
Sent: Tuesday, June 24, 2008 1:51 AM
To: 'Boyd, Benjamin R'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] (no subject)

I tried what you said with no result; this is what I get.
And also to tell you that it is on junose, not junos.


C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>snmpwalk.exe -v 2c -c pop-RO 192.168.30.238  ifOutOctets

Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (UCD-SNMP-MIB): At line 0 in (none)
Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (non
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
ifOutOctets:  (Sub-id not found: (top) -> ifOutOctets)

C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>

-Original Message-
From: Boyd, Benjamin R [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 5:20 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] (no subject)

SunnyDay,

I don't know the OID, but using snmpwalk.exe to find the outOctets you
would use the following:
snmpwalk.exe -v 1 -c "community" "device ip" ifOutOctets
Which will give you output resembling: (mib.ifIndex = outOctets)
ifOutOctets.35 = 3474330439
ifOutOctets.36 = 984860543
ifOutOctets.37 = 0
ifOutOctets.38 = 3450966616

From here you'll have to find out the ifIndex of the interface you wish
to view:
In the juniper:
show snmp mib walk ifDescr

-Ben


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sunnyday
Sent: Monday, June 23, 2008 3:45 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] (no subject)

Hello, does anyone know the OID or how I can view the output of the command:

Show  egress-queue rates interface gigabitEthernet x/x/x

via SNMP?

Thank you


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
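
The walk-and-join procedure from the replies above (walk ifOutOctets, then map each ifIndex to a name through ifDescr), as an added example that is not part of the original posts. It works on the standard IF-MIB numeric OIDs, so it still applies when snmpwalk cannot load MIB files and cannot translate "ifOutOctets"; it covers only these interface counters, not the egress-queue rates asked about. The interface names and the second counter sample are constructed; the first sample reuses the counter values quoted in the thread.

```python
import re

# Standard IF-MIB column OIDs. Walking these numbers instead of the names
# "ifDescr" / "ifOutOctets" needs no MIB files on the management station, e.g.
#   snmpwalk -v 2c -c <community> <device ip> 1.3.6.1.2.1.2.2.1.16
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"
IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"
COUNTER32_MOD = 2 ** 32  # ifOutOctets is a Counter32 and wraps at 2^32

# One "OID = [TYPE:] value" line. Depending on options and loaded MIBs the
# OID is printed as ".1.3...", "1.3..." or "iso.3...".
WALK_LINE = re.compile(
    r"^\s*(?P<oid>(?:iso|\.?1)(?:\.\d+)+)\s*=\s*(?:[\w-]+:\s*)?(?P<value>.*?)\s*$"
)


def parse_walk(text, column):
    """Return {ifIndex: value} for one table column of snmpwalk output."""
    rows = {}
    prefix = column + "."
    for line in text.splitlines():
        match = WALK_LINE.match(line)
        if not match:
            continue  # e.g. "Cannot find module (IF-MIB): ..." warnings
        oid = match.group("oid")
        if oid.startswith("iso"):
            oid = "1" + oid[3:]
        oid = oid.lstrip(".")
        index = oid[len(prefix):]
        if oid.startswith(prefix) and index.isdigit():
            rows[int(index)] = match.group("value").strip('"')
    return rows


def out_rates(descr_walk, first_walk, second_walk, interval_s):
    """Join two ifOutOctets samples with ifDescr; return {name: bit/s}."""
    names = parse_walk(descr_walk, IF_DESCR)
    first = parse_walk(first_walk, IF_OUT_OCTETS)
    second = parse_walk(second_walk, IF_OUT_OCTETS)
    rates = {}
    for index, name in sorted(names.items()):
        if index in first and index in second:
            # Modulo arithmetic absorbs a single counter wrap between the
            # samples; more than one wrap per interval cannot be detected.
            delta = (int(second[index]) - int(first[index])) % COUNTER32_MOD
            rates[name] = delta * 8 / interval_s
    return rates


# Constructed sample input. Interface names are made up for illustration.
DESCR_WALK = """\
Cannot find module (IF-MIB): At line 0 in (none)
iso.3.6.1.2.1.2.2.1.2.35 = STRING: "GigabitEthernet 1/0/0"
iso.3.6.1.2.1.2.2.1.2.36 = STRING: "GigabitEthernet 1/0/1"
iso.3.6.1.2.1.2.2.1.2.37 = STRING: "GigabitEthernet 1/0/2"
iso.3.6.1.2.1.2.2.1.2.38 = STRING: "GigabitEthernet 1/0/3"
"""

# First sample: the counter values quoted in the thread.
FIRST_WALK = """\
.1.3.6.1.2.1.2.2.1.16.35 = Counter32: 3474330439
.1.3.6.1.2.1.2.2.1.16.36 = Counter32: 984860543
.1.3.6.1.2.1.2.2.1.16.37 = Counter32: 0
.1.3.6.1.2.1.2.2.1.16.38 = Counter32: 3450966616
"""

# Second sample, 60 seconds later (constructed); index 38 has wrapped.
SECOND_WALK = """\
.1.3.6.1.2.1.2.2.1.16.35 = Counter32: 3481830439
.1.3.6.1.2.1.2.2.1.16.36 = Counter32: 985610543
.1.3.6.1.2.1.2.2.1.16.37 = Counter32: 0
.1.3.6.1.2.1.2.2.1.16.38 = Counter32: 55999320
"""

if __name__ == "__main__":
    for name, bps in out_rates(DESCR_WALK, FIRST_WALK, SECOND_WALK, 60).items():
        print(f"{name}: {bps:,.0f} bit/s out")
```
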


Re: [j-nsp] (no subject)

2008-06-24 Thread sunnyday
I tried what you said with no result; this is what I get.
And also to tell you that it is on junose, not junos.


C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>snmpwalk.exe -v 2c -c pop-RO 192.168.30.238  ifOutOctets

Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (UCD-SNMP-MIB): At line 0 in (none)
Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (non
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
ifOutOctets:  (Sub-id not found: (top) -> ifOutOctets)

C:\Documents and Settings\jet\Desktop\SNMPWALK_OCT31>

-Original Message-
From: Boyd, Benjamin R [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 5:20 PM
To: sunnyday; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] (no subject)

SunnyDay,

I don't know the OID, but using snmpwalk.exe to find the outOctets you
would use the following:
snmpwalk.exe -v 1 -c "community" "device ip" ifOutOctets
Which will give you output resembling: (mib.ifIndex = outOctets)
ifOutOctets.35 = 3474330439
ifOutOctets.36 = 984860543
ifOutOctets.37 = 0
ifOutOctets.38 = 3450966616

From here you'll have to find out the ifIndex of the interface you wish
to view:
In the juniper:
show snmp mib walk ifDescr

-Ben


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sunnyday
Sent: Monday, June 23, 2008 3:45 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] (no subject)

Hello, does anyone know the OID or how I can view the output of the command:

Show  egress-queue rates interface gigabitEthernet x/x/x

via SNMP?

Thank you



[j-nsp] (no subject)

2008-06-23 Thread sunnyday
Hello, does anyone know the OID or how I can view the output of the command:

Show  egress-queue rates interface gigabitEthernet x/x/x

via SNMP?

Thank you



Re: [j-nsp] Copying *.rel files from ERX to FTP Server

2008-06-23 Thread sunnyday
copy disk0:e320_8-2-3.rel ftpname:/e320_8-2-3.rel   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of H. Zhang
Sent: Monday, June 23, 2008 10:29 AM
To: Amr; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Copying *.rel files from ERX to FTP Server

the box does not support copying release file from ERX.


- Original Message - 
From: "Amr" <[EMAIL PROTECTED]>
To: 
Sent: Monday, June 23, 2008 2:36 PM
Subject: [j-nsp] Copying *.rel files from ERX to FTP Server


>> Dear All,
>> how could i get the release file on my ERX1410 from the ERX to
>> my FTP Server ? to backup the ERX Router
>>
>> I know that I could put the release file from the FTP to the ERX but how
>> could i make the opposite and get the file from the ERX to the FTP Server
>>
>> Any Ideas ?
>>
>> Regards
>> Amr
>>


[j-nsp] MPLS LDP

2008-06-03 Thread sunnyday
Hello, I have configured mpls ldp in my network and I want all ip traffic to
go through mpls.

I have issued the command mpls ldp ip-forwarding but the traffic seems to go
through isis; when I trace route to an ip I see no label assignment.

After that I issued the mpls ldp ip-forwarding hosts-only and all /32
traffic was going through mpls, but all the /30 or other subnets
were going through isis. Any help would be appreciated.

Thank you



[j-nsp] EXTENDED LICENSE UPGRADE KEY FOR SSG 5

2008-06-03 Thread sunnyday
Does anyone know what the "EXTENDED LICENSE UPGRADE KEY FOR SSG 5" or Juniper Software
License SSG-5-ELU contains?

Thank you



[j-nsp] limit upload ssg

2008-05-28 Thread sunnyday
Hello

I have an ssg in my office with 10 PCs and I have configured for every pc a
policy with the maximum and guaranteed bandwidth.

I want to know if there is a way to control the upload speed since every
user has the whole upload speed when running torrents and other
applications.

Thank you 

 



[j-nsp] (no subject)

2008-05-28 Thread sunnyday
Hello

I have an ssg in my office with 10 PCs and I have configured for every pc a
policy with the maximum and guaranteed bandwidth.

I want to know if there is a way to control the upload speed since every
user has the whole upload speed when running torrents and other
applications.

Thank you 

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Netscreen vpn

2008-05-17 Thread sunnyday
And another question how can I tell to which zone the tunnel interface is
bound?

-Original Message-
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Saturday, May 17, 2008 6:58 PM
To: sunnyday
Cc: Juniper-Nsp; [EMAIL PROTECTED]
Subject: Re: [j-nsp] Netscreen vpn

There is just not enough information supplied to determine the
problem.  Is the tunnel interface bound to the Trust zone, or the
Untrust zone?  If it's bound to the Trust zone and you haven't
explicitly blocked intrazone traffic then you don't need a policy.  Are
you using any other Virtual-Routers other than the Trust-VR?  If so,
you'll need to configure Inter-VR routing.  Have you enabled ping on
the Trust interface?  I think it's enabled by default on the Trust
interface but you might want to double check.  Can you describe your
configuration in more detail?

Stefan Fouant

On Sat, May 17, 2008 at 6:02 AM, sunnyday <[EMAIL PROTECTED]> wrote:
>
>
> Hello I have configured a dialup vpn and successfully created the tunnel
and
> received ip address but I cannot manage to ping the netscreen`s
>
> Trust interface. The ip address the vpn has is 10.250.250.1 and the trust
> interface is 192.168.10.1. I  tried with static routes and  policies
>
> With no result  can you please help me out with this one?
>
> Thank you
>


Re: [j-nsp] Netscreen vpn

2008-05-17 Thread sunnyday
I have only the default virtual routers; the untrust zone is in trust vr.
I have configured the vpn and a bidirectional policy:
 from untrust to trust
 source dialup vpn destination any
 action tunnel
What do I need to configure next to have access to the local network?

-Original Message-
From: Stefan Fouant [mailto:[EMAIL PROTECTED] 
Sent: Saturday, May 17, 2008 6:58 PM
To: sunnyday
Cc: Juniper-Nsp; [EMAIL PROTECTED]
Subject: Re: [j-nsp] Netscreen vpn

There is just not enough information supplied to determine the
problem.  Is the tunnel interface bound to the Trust zone, or the
Untrust zone?  If it's bound to the Trust zone and you haven't
explicitly blocked intrazone traffic then you don't need a policy.  Are
you using any other Virtual-Routers other than the Trust-VR?  If so,
you'll need to configure Inter-VR routing.  Have you enabled ping on
the Trust interface?  I think it's enabled by default on the Trust
interface but you might want to double check.  Can you describe your
configuration in more detail?

Stefan Fouant

On Sat, May 17, 2008 at 6:02 AM, sunnyday <[EMAIL PROTECTED]> wrote:
>
>
> Hello I have configured a dialup vpn and successfully created the tunnel
and
> received ip address but I cannot manage to ping the netscreen`s
>
> Trust interface. The ip address the vpn has is 10.250.250.1 and the trust
> interface is 192.168.10.1. I  tried with static routes and  policies
>
> With no result  can you please help me out with this one?
>
> Thank you
>


[j-nsp] Netscreen vpn

2008-05-17 Thread sunnyday
 

Hello, I have configured a dialup vpn and successfully created the tunnel and
received ip address but I cannot manage to ping the netscreen's
Trust interface. The ip address the vpn has is 10.250.250.1 and the trust
interface is 192.168.10.1. I tried with static routes and policies
with no result. Can you please help me out with this one?

Thank you


[j-nsp] Netscreen RSA

2008-05-12 Thread sunnyday
I would very much appreciate if anyone could give me a config guide or
sample on how to configure rsa on ssg.

Thank you


[j-nsp] access-internal

2008-03-31 Thread sunnyday
Hello
I have a subscriber in a vrf but his ip is not shown in the routing table as an
access-internal route. Why is that?
All other subscribers in another vr work fine.


[j-nsp] /31 subnet mask

2008-03-22 Thread sunnyday
Hello, can anyone explain the use of a /31 subnet mask? I know it's for
saving ip addresses etc etc but I need to know how it works, limitations and how
to implement it.
Thank you


[j-nsp] (no subject)

2008-03-13 Thread sunnyday
Hello
I have configured a lag interface
and assigned a qos profile.

When the show egress-queue rates interface command is issued
the output is this:


ip lag .1best-effort   0 0 25000
 tc-x4183208 0  12288000
 
Should best-effort appear in the output?
Is it possible to remove it?

Mihalis Mihailidis
Network Engineer

Kestrel Information Systems S.A.
340 Kifisias Ave, Neo Psychico
154 51 Athens, Greece
Phone:+30 210 6747740 ext: 106
Mobile:   +30 693 6807 512
Email: [EMAIL PROTECTED]


[j-nsp] pic/fpc

2008-03-11 Thread sunnyday
Hello
I want to use for an m320

- 1 10gig Ethernet
- 5 GE
- 4 STM4
- 8 STM1
Can anyone tell me the FPCs that are compatible?


[j-nsp] (no subject)

2008-03-08 Thread sunnyday
Hello
I want to know if Mlppp is supported on j series
and if so a guide on how to configure it?
Thanks


[j-nsp] Ping

2008-03-07 Thread sunnyday
Hello
I tried to ping from an E320 to another router and I got the output
LLL. Anyone know what it means?


[j-nsp] Fw: AAA

2008-03-04 Thread sunnyday


Hello
I have an E320 and I use radius as authentication.
I have one VR and 4 VRFs. The thing I want to do is, when radius becomes
unavailable, the users to log to the bras without authentication. Is this
possible?
Any ideas?


[j-nsp] AAA

2008-03-03 Thread sunnyday
Hello
I have an E320 and I use radius as authentication.
I have one VR and 4 VRFs. The thing I want to do is, when radius becomes
unavailable, the users to log to the bras without authentication, but I am
confused to which VR this is supposed to be configured.
Any ideas?


[j-nsp] Firewalls

2008-02-29 Thread sunnyday
Hello
I have an ssg with no adsl modules, just ethernet,
and 3 adsl lines; the three cpe's connect to a switch as the ssg.

The thing I want to do is make the isg a dhcp server mac based and
give as dns itself to the clients. Is it possible for the ssg to resolve the
dns of each cpe?
And how will I configure which adsl line dhcp clients will take? If one fails?


[j-nsp] E320 IOA

2008-02-27 Thread sunnyday
Hello
I have installed a line module and the proper ioa, which is a half-height.
The thing is that when I installed it on the bottom with nothing on top it
was in inactive state, but when I installed it on top it was online.
Does anyone know why this is happening?


[j-nsp] PPTP with juniper firewall

2008-02-21 Thread sunnyday
Hello
I want to know if any of juniper firewalls support PPTP termination.


[j-nsp] (no subject)

2008-02-04 Thread sunnyday
Hello
I have a cisco router and I'm adapting the access lists of the box to E320
but I got stuck at these two commands. Anyone can help me with these cause I can
find the appropriate commands, thanks.

access-list 2100 permit ip any any log fragments
access-list 2100 permit tcp any any established log


Re: [j-nsp] (no subject)

2008-02-04 Thread sunnyday
You must have misunderstood me; the os is JUNOSe.

- Original Message - 
From: "Peder Bach" <[EMAIL PROTECTED]>
To: "sunnyday" <[EMAIL PROTECTED]>
Cc: "Juniper-Nsp" 
Sent: Monday, February 04, 2008 5:25 PM
Subject: Re: [j-nsp] (no subject)


> firewall {
>     filter 2000 {
>         /* access-list 2000 permit tcp any any established log */
>         term T1 {
>             from {
>                 protocol tcp;
>                 tcp-established;
>             }
>             then {
>                 accept;
>                 log;
>             }
>         }
>     }
> }
> 
> 
> On Feb 4, 2008 3:54 PM, sunnyday <[EMAIL PROTECTED]> wrote:
>> Hello i want to convert a cisco command on junose
>>
>> access-list 2000 permit tcp any any established log
>>
>>
>> i can seem to find the established option in classifier-list conf
>> ___
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
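
The two Cisco lines being translated in this thread and in the ACL 2100 post (`established` and `fragments`) are both stateless header matches. The sketch below is an added example, not part of the thread and not JUNOS or JUNOSe code: it models `established` as "TCP segment with ACK or RST set" and `fragments` as "fragment offset greater than zero", and evaluates constructed packets against them. The function names, the sample packets and the assumption that the two lines form the whole list are illustrative.

```python
import struct

TCP_RST, TCP_ACK = 0x04, 0x10

def build_packet(tcp_flags=0, frag_offset=0, more_fragments=False):
    """Constructed IPv4/TCP test packet; checksums are left at zero."""
    frag_field = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    if frag_offset == 0:
        # sport, dport, seq, ack, data offset, flags, window, checksum, urgent
        payload = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4,
                              tcp_flags, 1024, 0, 0)
    else:
        payload = b"\x00" * 8  # later fragments carry no TCP header
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         frag_field, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload

def parse(packet):
    """Return (protocol, fragment offset, TCP flags or None)."""
    ver_ihl, _, _, _, frag_field, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = frag_field & 0x1FFF
    flags = None
    if proto == 6 and offset == 0 and len(packet) >= ihl + 14:
        flags = packet[ihl + 13]  # flags byte of the TCP header
    return proto, offset, flags

def matches_fragments(packet):
    # "fragments": non-initial fragments only (fragment offset > 0)
    return parse(packet)[1] > 0

def matches_established(packet):
    # "established": TCP segment with ACK or RST set; no session lookup
    flags = parse(packet)[2]
    return flags is not None and bool(flags & (TCP_ACK | TCP_RST))

def evaluate(packet):
    """First match wins; assumes the two lines are the whole list."""
    if matches_fragments(packet):
        return "permit fragments"
    if matches_established(packet):
        return "permit established"
    return "implicit deny"
```

Because neither match consults session state, a segment with only ACK set is permitted whether or not a connection exists, and a non-initial fragment is permitted without any TCP flag check; a translation to another platform should preserve or deliberately tighten that behaviour.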


[j-nsp] (no subject)

2008-02-04 Thread sunnyday
Hello, I want to convert a cisco command on junose

access-list 2000 permit tcp any any established log


I can seem to find the established option in classifier-list conf


[j-nsp] Ip share interface

2008-01-29 Thread sunnyday
Hello
I have a question regarding giving vpn access to the internet.
I have seen one way to do it is via a shared ip interface.

host1(config)#virtual-router pe1:pe11
host1:pe1:pe11(config)#interface ip internet
host1:pe1:pe11(config-if)#ip share-interface gig 2/2.10
host1:pe1:pe11(config-if)#ip address 10.1.1.3 255.255.255.255
host1:pe1:pe11(config-if)#exit
host1:pe1:pe11(config)#ip route 0.0.0.0 0.0.0.0 ip internet

1. When I tried to configure it the shared interface was ethernet and it was
not possible. Any ideas on a workaround?

E310-Lab:vr2:vpn1(config)#ip route 0.0.0.0 0.0.0.0 ip internet
% invalid next-hop for a multiaccess interface

2. What the ip of the shared interface should be? In the range of the shared
interface? Or it doesn't matter what ip will I use?

Thanks in advance


[j-nsp] Telnet e320

2008-01-28 Thread sunnyday
Hello
I want to know if I can telnet to a virtual router configured on the box since
the only way I do it now is through the default virtual router. Is this
possible?
Thanks in advance


[j-nsp] Redundacy

2008-01-18 Thread sunnyday
Hello all
I want to configure two interfaces facing the subscribers with the link
selection primary and
link selection secondary commands and I want to know the behavior of this and
how I can use it.
I want, as it seems, if 2/6 fails 2/7 to terminate ppp, but if both are up what
will happen?
Isn't there going to be a problem for vlans when there is a bulk config at two
interfaces?
Thanks
The conf is something like that:

interface gigabitEthernet 2/6
 mtu 1522
 duplex full
 speed 1000
 link failover timeout 500
 link selection primary
 qos-profile test
 encapsulation vlan
 auto-configure vlan
 vlan bulk-config "vlan-bulk"
 profile vlan bulk-config "vlan-bulk" "vlan-generic"
 vlan bulk-config "vlan-bulk" vlan-range 100 199
 vlan bulk-config "vlan-bulk" vlan-range 2101 2199
 vlan bulk-config "vlan-bulk" vlan-range 3401 3499
===
interface gigabitEthernet 2/7
  mtu 1522
 duplex full
 speed 1000
 link failover timeout 500
 link selection secondary
 qos-profile test
 encapsulation vlan
 auto-configure vlan
 vlan bulk-config "vlan-bulk"
 profile vlan bulk-config "vlan-bulk" "vlan-generic"
 vlan bulk-config "vlan-bulk" vlan-range 100 199
 vlan bulk-config "vlan-bulk" vlan-range 2101 2199
 vlan bulk-config "vlan-bulk" vlan-range 3401 3499



[j-nsp] (no subject)

2008-01-04 Thread sunnyday
When using 40gbps switch fabric, how much full duplex bandwidth is available to
each slot?

Can anyone tell me how this is determined?


[j-nsp] Configuration

2008-01-03 Thread sunnyday
Hello
How can I send to a j series or m series a configuration file so I can commit
it and use it, and in what format should it be?


Re: [j-nsp] m320

2007-12-20 Thread sunnyday
My question was about load balancing because I read that at internet
processor 2 is per flow and plain internet processor is random.

- Original Message - 
From: "Richard A Steenbergen" <[EMAIL PROTECTED]>
To: "sunnyday" <[EMAIL PROTECTED]>
Cc: "Juniper-Nsp" 
Sent: Thursday, December 20, 2007 10:04 PM
Subject: Re: [j-nsp] m320


> On Thu, Dec 20, 2007 at 09:07:15PM +0200, sunnyday wrote:
>> m320 is using internet processor II or plain internet processor?
>
> Neither. M320 is a Gibson architecture platform (basically its a T320 in a
> bigger chassis). The routing ASIC is the R-chip, which is distributed over
> the FPCs rather than being centralized like the Internet Processor ASICs.
> Each PFE has an R-Chip, which on the T320/M320 means one per FPC. On T640
> the FPC3 has 2x (each one is capable of doing 20Gbps), everything else is
> built with one.
>
> -- 
> Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) 



[j-nsp] m320

2007-12-20 Thread sunnyday
Is the m320 using internet processor II or plain internet processor?


[j-nsp] delete configuration

2007-12-20 Thread sunnyday
How can I use the command delete | except
on m series from top of the configuration, deleting everything except some
element,
for example a certain interface?
Cheers