SRX 210 and a problem with some websites

JunOS / Juniper / Netscreen
Bolo
wannabe
Posts: 656
Joined: 27 Sep 2006, 10:02

#1 Post by Bolo »

Hello,
Here is my configuration (below). Unfortunately, with it many sites do not work properly for me: www.microsoft.com, www.mozilla.org or OFFICE 365 ACTIVATION.
Could this be a problem with... well, with what exactly :)?

Code:

Entering configuration mode
Users currently editing the configuration:
  root terminal p0 (pid 4900) on since 2014-04-24 16:51:45 EEST, idle 00:43:40
      [edit]

[edit]
root@FW-BY#

[edit]
root@FW-aa# show
## Last changed: 2014-04-24 13:04:32 EEST
version 12.1X44.5;
system {
    host-name FW-aa;
    domain-name tt.local;
    time-zone Europe/Minsk;
    root-authentication {
        encrypted-password "$1$y.kskXIkIoAWBmFf07n3gjMwayxW0"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user monitor {
            uid 2000;
            class read-only;
            authentication {
                encrypted-password "$1$.6MhSugBkkxbv3yuNALhJZ2UcEPTOB0"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/0.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.200/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret "$9$Hk5z/CuRhyOkkdbYJZ.mfQ/A"; ## SECRET-DATA
                    local-name 412829;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/7.0;
                idle-timeout 0;
                auto-reconnect 3;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
        unit 2 {
            family inet;
        }
        unit 3 {
            family inet;
        }
        unit 4 {
            family inet;
        }
        unit 5 {
            family inet;
        }
        unit 6 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.20.0.193/28;
            }
        }
    }
}
routing-options {
    static {
        route 10.49.8.0/22 next-hop 10.20.0.194;
        route 10.50.0.0/16 next-hop st0.0;
        route 10.40.0.0/16 next-hop st0.1;
        route 192.168.33.0/24 next-hop st0.2;
        route 192.168.40.0/24 next-hop st0.3;
        route 192.168.60.0/24 next-hop st0.4;
        route 10.41.0.0/16 next-hop st0.5;
        route 10.46.0.0/16 next-hop st0.6;
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    stp;
}
security {
    ike 
       
        }
        gateway gw_to_POL {
            ike-policy ike_aa_to_POL;
            address 81.210.12.77;
     
    }
    ipsec {
        policy ipsec_to_POL {
            proposal-set compatible;
       
        vpn to_POL {
            bind-interface st0.0;
            ike {
                gateway gw_to_POL;
                proxy-identity {
                    local 10.49.8.0/22;
                    remote 10.50.0.0/16;
                    service any;
                }
                ipsec-policy ipsec_to_POL;
            }
            establish-tunnels immediately;
        }
        vpn to_POL2 {
            bind-interface st0.1;
            ike {
                gateway gw_to_POL;
                proxy-identity {
                    local 10.49.8.0/22;
                    remote 10.40.0.0/16;
                    service any;
                }
                ipsec-policy ipsec_to_POL;
            }
            establish-tunnels immediately;
        }
        vpn to_POL3 {
            bind-interface st0.2;
            ike {
                gateway gw_to_POL;
                proxy-identity {
                    local 10.49.8.0/22;
                    remote 192.168.33.0/24;
                    service any;
                }
                ipsec-policy ipsec_to_POL;
            }
            establish-tunnels immediately;
        }
        vpn to_POL4 {
            bind-interface st0.3;
            ike {
                gateway gw_to_POL;
                proxy-identity {
                    local 10.49.8.0/22;
                    remote 192.168.40.0/24;
                    service any;
                }
                ipsec-policy ipsec_to_POL;
            }
            establish-tunnels immediately;
        }
        vpn to_POL5 {
            bind-interface st0.4;
            ike {
                gateway gw_to_POL;
                proxy-identity {
                    local 10.49.8.0/22;
                    remote 192.168.60.0/24;
                    service any;
                }
                ipsec-policy ipsec_to_POL;
            }
            establish-tunnels immediately;
        }
        vpn to_POL6 {
            bind-interface st0.5;
            ike {
                gateway gw_to_POL;
                proxy-identity {
                    local 10.49.8.0/22;
                    remote 10.41.0.0/16;
                    service any;
                }
                ipsec-policy ipsec_to_POL;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule siec_10_49_8_0 {
                    match {
                        source-address 10.49.8.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule siec_10_49_9_0 {
                    match {
                        source-address 10.49.9.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule siec_10_49_10_0 {
                    match {
                        source-address 10.49.10.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule siec_10_49_11_0 {
                    match {
                        source-address 10.49.11.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule siec_10_20_0_192 {
                    match {
                        source-address 10.20.0.192/28;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                st0.0;
                st0.1;
                st0.2;
                st0.3;
                st0.4;
                st0.5;
                st0.6;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ssh;
                    ping;
                    https;
                }
            }
            interfaces {
                ge-0/0/0.0;
                pp0.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

[edit]

b4n3
wannabe
Posts: 128
Joined: 25 Jun 2010, 09:58

#2 Post by b4n3 »

Maybe try catching a log of the addresses that do not work on the untrust interface, I mean in the outbound direction. Maybe it is not your device's fault? ;)

Bolo
wannabe
Posts: 656
Joined: 27 Sep 2006, 10:02

#3 Post by Bolo »

And that is exactly the problem: I don't know how to catch those logs. I'm not a JunOS super admin yet. Can you give me a hint?

b4n3
wannabe
Posts: 128
Joined: 25 Jun 2010, 09:58

#4 Post by b4n3 »

You do something like this

Code:

set system syslog file traffic-log any any
set system syslog file traffic-log match "RT_FLOW_SESSION"
then you run

show log traffic-log

A more in-depth method is a packet dump from the interface

Code:

Step 1:  Configure forwarding options:

To do this, navigate to forwarding-options and then to packet-capture hierarchy as below:
[edit]
user@host# edit forwarding-options packet-capture

[edit forwarding-options packet-capture]
user@host#
 Specify a file name for the packet capture and set the maximum-capture-size to 1500 as below:

[edit forwarding-options packet-capture] 
user@host# set file filename testpacketcapture

[edit forwarding-options packet-capture] 
user@host# set maximum-capture-size 1500

[edit forwarding-options packet-capture] 
user@host# show
file filename testpacketcapture;
maximum-capture-size 1500;

[edit forwarding-options packet-capture]
user@host#top


Step 2:  Configure firewall filter for packet capture.

This is strongly recommended because with a firewall filter the amount of traffic to be captured can be restricted, and it is less CPU intensive than capturing without filters.

To do this, set the filter, term name, define the match condition, and its action.

For example, the firewall filter below will collect traffic that arrives on the interface with a source address of 10.209.242.138 AND destination-address of 10.204.115.166 AND vice versa. The term allow-all-else is used to make sure that the SRX does not drop any other traffic, but do not sample it either.

user@host# set firewall filter PCAP term 1 from source-address 10.209.144.32
user@host# set firewall filter PCAP term 1 from destination-address 10.204.115.166 
user@host# set firewall filter PCAP term 1 then sample 
user@host# set firewall filter PCAP term 1 then accept 
user@host# set firewall filter PCAP term 2 from source-address 10.204.115.166
user@host# set firewall filter PCAP term 2 from destination-address 10.209.144.32
user@host# set firewall filter PCAP term 2 then sample 
user@host# set firewall filter PCAP term 2 then accept 
user@host# set firewall filter PCAP term allow-all-else then accept 


Step 3:  Apply firewall filter to desired interface.

Decide which interface you want to capture the packets on. This must be an Ethernet interface. For this example, interface ge-0/0/0 is used.

Apply the firewall filter on the desired interface for the input and output direction:

user@host# set interfaces ge-0/0/0 unit 0 family inet filter output PCAP
user@host# set interfaces ge-0/0/0 unit 0 family inet filter input PCAP


Step 4:  Commit to activate the packet capture.

user@host# commit

Once you commit, then run your test to pass the traffic that needs to be captured.
Once the test is complete, deactivate the packet capture to stop the collection of packets. To do this, remove the packet-capture and sampling configuration that was just added above and commit. A quick way to do this is using rollback:

user@host# rollback 1
user@host# commit


Step 5:  Copy packet capture file from the SRX or J-Series device, and view it with your PCAP utility.

The captured file is located in the /var/tmp directory and is in PCAP format. You can find the file with the file list command.

user@host> file list /var/tmp/ | match testpacketcapture*   
testpacketcapture1.ge-0.0
Copy this file to your PC.

The packet capture file created can be viewed with Wireshark, Ethereal, or other PCAP packet capture utility.
I hope it helps
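As an added illustration (not part of b4n3's post, and not a Juniper tool), the script below triages the RT_FLOW_SESSION_CLOSE lines that a traffic-log file like the one above collects and flags TCP sessions that look like an MTU black hole: the handshake and the request go out, almost nothing comes back, and the session ends with a reset or an idle timeout instead of a clean FIN. The field layout the regex assumes is the leading part of the Junos session-close message as recalled here (the real message carries further trailing fields, which are ignored); the log lines are constructed with RFC 5737 addresses, and the 600-byte / 3-packet thresholds are arbitrary. One caveat worth knowing before relying on this: the SRX only emits RT_FLOW_SESSION_* messages for sessions whose security policy has "then log session-init" / "log session-close" configured, so the syslog match alone shows nothing until the policy logs.

```python
"""Triage Junos RT_FLOW_SESSION_CLOSE lines for sessions that look like an MTU black hole.

A TCP session that completes its handshake, sends a request and then carries
almost no payload before it is reset or ages out is the classic signature of
oversized packets being dropped somewhere on a PPPoE path.
"""
import re
from collections import defaultdict

# Leading fields of a RT_FLOW_SESSION_CLOSE message as this example assumes
# them; anything after the elapsed-time field is ignored.
CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>[^:]+): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<snat_rule>\S+) (?P<dnat_rule>\S+) (?P<proto>\d+) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<session_id>\d+) "
    r"(?P<c_pkts>\d+)\((?P<c_bytes>\d+)\) (?P<s_pkts>\d+)\((?P<s_bytes>\d+)\) "
    r"(?P<elapsed>\d+)"
)

# Constructed sample log (RFC 5737 addresses), not a real capture:
# two stalled sessions to 198.51.100.20, one healthy HTTP session and one DNS
# session to 203.0.113.5.
SAMPLE_LOG = """\
Apr 24 17:02:11 FW-aa RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.49.8.15/50122->198.51.100.20/80 junos-http 192.0.2.10/20345->198.51.100.20/80 siec_10_49_8_0 None 6 trust-to-untrust trust untrust 4123
Apr 24 17:02:41 FW-aa RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST: 10.49.8.15/50122->198.51.100.20/80 junos-http 192.0.2.10/20345->198.51.100.20/80 siec_10_49_8_0 None 6 trust-to-untrust trust untrust 4123 4(612) 2(120) 30
Apr 24 17:02:50 FW-aa RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.49.8.15/50123->198.51.100.20/443 junos-https 192.0.2.10/20346->198.51.100.20/443 siec_10_49_8_0 None 6 trust-to-untrust trust untrust 4124 5(840) 3(180) 120
Apr 24 17:03:05 FW-aa RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.49.8.15/50124->203.0.113.5/80 junos-http 192.0.2.10/20347->203.0.113.5/80 siec_10_49_8_0 None 6 trust-to-untrust trust untrust 4125 38(4120) 41(52310) 4
Apr 24 17:03:09 FW-aa RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.49.8.15/50125->203.0.113.5/53 junos-dns-udp 192.0.2.10/20348->203.0.113.5/53 siec_10_49_8_0 None 17 trust-to-untrust trust untrust 4126 1(64) 1(180) 1
"""


def parse_close(line):
    """Return the fields of a SESSION_CLOSE line as a dict, or None for any other line."""
    m = CLOSE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto", "c_pkts", "c_bytes", "s_pkts", "s_bytes", "elapsed"):
        rec[key] = int(rec[key])
    return rec


def looks_stalled(rec, max_server_bytes=600, min_client_pkts=3):
    """Heuristic: TCP, the client got past the handshake and sent something,
    the server returned almost nothing, and the session did not end with a clean FIN."""
    return (
        rec["proto"] == 6
        and rec["c_pkts"] >= min_client_pkts
        and rec["s_bytes"] <= max_server_bytes
        and not rec["reason"].startswith("TCP FIN")
    )


def stalled_destinations(log_text):
    """Group stalled TCP sessions by (destination address, port), most hits first.
    Returns {(dst, dport): [session_id, ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_close(line)
        if rec and looks_stalled(rec):
            hits[(rec["dst"], rec["dport"])].append(rec["session_id"])
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for (dst, port), sessions in stalled_destinations(SAMPLE_LOG).items():
        print(f"{dst}:{port}  stalled sessions: {len(sessions)}  ids: {', '.join(sessions)}")
```

Run it against "show log traffic-log" output saved to a file instead of SAMPLE_LOG; destinations that appear only in the stalled list while other sites complete normally are the ones worth testing with a lower MSS, which is what the tcp-mss setting later in this thread does.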

Bolo
wannabe
Posts: 656
Joined: 27 Sep 2006, 10:02

#5 Post by Bolo »

b4n3, thank you very much, but I found nothing interesting except that only 2 HTTP requests were leaving the SRX.
That was starting to fully match what I had suspected earlier, namely the MTU with PPPoE. So I set:

Code:

set security flow tcp-mss all-tcp mss 1272
and it worked :)
Thanks again.

b4n3
wannabe
Posts: 128
Joined: 25 Jun 2010, 09:58

#6 Post by b4n3 »

OK, good that you got to the cause, and along the way you learned SRX packet capture ;)
