In Q1 2016 Juniper released the new SRX 300 series firewall platform, which replaces the SRX 200 series. Initial software releases did not support Ethernet switching on the SRX 300 series.
With software release 15.1X49-D50, Juniper adds Ethernet switching support. This means that you can now use the ports on the firewall as a switch 🙂
To enable Ethernet switching mode, use the following command:
set protocols l2-learning global-mode switching
After changing the mode, you must reboot the firewall for the configuration to take effect. To verify that the mode has changed, use the following command:
Usually remote sites have local internet access, but in some cases you would like to route all traffic (even internet traffic) through the central site. For that case you could use MPLS services, or you could go with a site-to-site IPSec VPN over the internet. This means that you put all traffic from the remote site into the IPSec VPN tunnel.
The benefit of doing that is better control over traffic: you can monitor all your internet traffic in one location, and additional services like AntiVirus, IPS, IDS, proxy, DLP, etc. are implemented in one location.
In the example below I will cover how to route all traffic from the remote sites through a site-to-site IPSec VPN over the internet to the central (Data center) site.
Picture legend:
red and blue lines represent internet access for the remote sites
green line represents communication between Site A and Site B through the Data center site
all traffic between the data center site and the remote sites is routed through the site-to-site IPSec VPN
Data center SRX configuration notes:
For Site B, configure the correct Proxy-ID for the IPSec VPN (see the proxy-identity lines under VPN1-SiteB in the config below; marked blue in the original post).
To allow communication between Site A and Site B, configure a hairpin firewall policy (the VPN-to-VPN policy in the config below; marked green in the original post).
Site A SRX configuration notes:
The SRX is configured for a route based IPSec VPN, which means that routes decide which traffic the SRX puts into the IPSec VPN.
For this reason an additional routing instance is needed. The additional routing instance (WAN, marked purple in the original post) carries the WAN connectivity and the ISP default route, while the default routing instance is used for the private network and points its default route into the IPSec VPN (st0.0).
FIREWALL INTERFACE SETTINGS

| Config \ Firewall | SRX Datacenter | SRX Site A | ASA Site B |
|---|---|---|---|
| Public interface | ge-0/0/0 | ge-0/0/0 | outside |
| Public IP | 1.1.1.1 | 2.2.2.2 | 3.3.3.3 |
| Private interface | ge-0/0/1 | ge-0/0/1 | inside |
| Private subnet | 10.0.0.0/24 | 172.30.1.0/24 | 192.168.1.0/24 |
SRX Datacenter configuration
edit interfaces st0
set unit 0 description "VPN TO SiteA"
set unit 0 family inet
set unit 1 description "VPN TO SiteB"
set unit 1 family inet
edit routing-options static
set route 172.30.1.0/24 next-hop st0.0
set route 192.168.1.0/24 next-hop st0.1
edit security ike proposal IKE-Proposal-SiteA
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
edit security ike proposal IKE-Proposal-SiteB
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400
edit security ike policy IKE-POLICY-SiteA
set mode main
set proposals IKE-Proposal-SiteA
set pre-shared-key ascii-text "Bingo1"
edit security ike policy IKE-POLICY-SiteB
set mode main
set proposals IKE-Proposal-SiteB
set pre-shared-key ascii-text "Bingo2"
edit security ike gateway IKE-GW1-SiteA
set ike-policy IKE-POLICY-SiteA
set address 2.2.2.2
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 2
set external-interface ge-0/0/0
edit security ike gateway IKE-GW1-SiteB
set ike-policy IKE-POLICY-SiteB
set address 3.3.3.3
set external-interface ge-0/0/0
edit security ipsec proposal IPSec-Proposal-SiteA
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
edit security ipsec proposal IPSec-Proposal-SiteB
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 4608000
edit security ipsec policy IPSec-Policy-SiteA
set proposals IPSec-Proposal-SiteA
edit security ipsec policy IPSec-Policy-SiteB
set proposals IPSec-Proposal-SiteB
edit security ipsec vpn VPN1-SiteA
set bind-interface st0.0
set ike gateway IKE-GW1-SiteA
set ike ipsec-policy IPSec-Policy-SiteA
edit security ipsec vpn VPN1-SiteB
set bind-interface st0.1
set ike gateway IKE-GW1-SiteB
set ike proxy-identity local 0.0.0.0/0
set ike proxy-identity remote 192.168.1.0/24
set ike ipsec-policy IPSec-Policy-SiteB
edit security policies from-zone trust to-zone VPN
set policy trust-to-VPN match source-address any
set policy trust-to-VPN match destination-address any
set policy trust-to-VPN match application any
set policy trust-to-VPN then permit
edit security policies from-zone VPN to-zone trust
set policy VPN-to-trust match source-address any
set policy VPN-to-trust match destination-address any
set policy VPN-to-trust match application any
set policy VPN-to-trust then permit
edit security policies from-zone VPN to-zone VPN
set policy VPN-to-VPN match source-address any
set policy VPN-to-VPN match destination-address any
set policy VPN-to-VPN match application any
set policy VPN-to-VPN then permit
edit security policies from-zone VPN to-zone untrust
set policy VPN-to-untrust match source-address any
set policy VPN-to-untrust match destination-address any
set policy VPN-to-untrust match application any
set policy VPN-to-untrust then permit
edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0
set interfaces st0.1
SRX Site A configuration
edit interfaces st0
set unit 0 description "VPN TO Datacenter"
set unit 0 family inet
edit routing-instances WAN
set instance-type virtual-router
set interface ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
edit routing-options static
set route 0.0.0.0/0 next-hop st0.0
edit security ike proposal IKE-Proposal-Datacenter
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
edit security ike policy IKE-POLICY-Datacenter
set mode main
set proposals IKE-Proposal-Datacenter
set pre-shared-key ascii-text "Bingo1"
edit security ike gateway IKE-GW1-Datacenter
set ike-policy IKE-POLICY-Datacenter
set address 1.1.1.1
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 2
set external-interface ge-0/0/0
edit security ipsec proposal IPSec-Proposal-Datacenter
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
edit security ipsec policy IPSec-Policy-Datacenter
set proposals IPSec-Proposal-Datacenter
edit security ipsec vpn VPN1-Datacenter
set bind-interface st0.0
set ike gateway IKE-GW1-Datacenter
set ike ipsec-policy IPSec-Policy-Datacenter
set establish-tunnels immediately
edit security policies from-zone trust to-zone VPN
set policy trust-to-VPN match source-address any
set policy trust-to-VPN match destination-address any
set policy trust-to-VPN match application any
set policy trust-to-VPN then permit
edit security policies from-zone VPN to-zone trust
set policy VPN-to-trust match source-address any
set policy VPN-to-trust match destination-address any
set policy VPN-to-trust match application any
set policy VPN-to-trust then permit
edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0
Juniper has released Junos version 12.1X46, which finally supports multiple Proxy-IDs on a route based VPN. In essence, the Proxy-ID is used in phase 2 of the IKE negotiation: the firewall agrees with its peer which traffic is permitted, based on a specified pair of local and remote networks.
The functionality is named traffic selector and is configured under security -> ipsec -> vpn -> VPNName -> traffic-selector
edit interfaces st0
set unit 0 family inet
edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400
edit security ike policy IKE-Policy-Cisco
set mode main
set proposals Proposal-Cisco
set pre-shared-key ascii-text "Bingo1"
edit security ike gateway IKE-GW1-Cisco
set ike-policy IKE-Policy-Cisco
set address 1.1.1.1
set external-interface ge-0/0/0
edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000
edit security ipsec policy Cisco-Policy-IPSec
set proposals Cisco-Proposal-IPSec
edit security ipsec vpn VPN1-Cisco
set bind-interface st0.0
set ike gateway IKE-GW1-Cisco
set ike ipsec-policy Cisco-Policy-IPSec
set traffic-selector TS1 local-ip 172.30.1.0/24
set traffic-selector TS1 remote-ip 192.168.1.0/24
set traffic-selector TS2 local-ip 172.50.1.0/24
set traffic-selector TS2 remote-ip 192.168.1.0/24
edit routing-options
set static route 192.168.1.0/24 next-hop st0.0
edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0
edit security zones security-zone LOCAL
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces ge-0/0/1.0
edit security policies from-zone LOCAL to-zone VPN
set policy LOCAL-to-VPN match source-address any
set policy LOCAL-to-VPN match destination-address any
set policy LOCAL-to-VPN match application any
set policy LOCAL-to-VPN then permit
edit security policies from-zone VPN to-zone LOCAL
set policy VPN-to-LOCAL match source-address any
set policy VPN-to-LOCAL match destination-address any
set policy VPN-to-LOCAL match application any
set policy VPN-to-LOCAL then permit
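As an added illustration (not part of the original post), the following Python model shows how a phase 2 selector pair decides which SA a flow falls into: the two traffic selectors from the VPN1-Cisco listing above, the 0.0.0.0/0 local proxy-ID used toward Site B in the data center listing earlier on the page, and the mirrored local/remote view that the peer has to configure. Selector names are those on the page; the sample host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    """One phase 2 selector (proxy-ID): the local/remote pair an IPsec SA covers."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def covers(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.local and dst in self.remote

    def mirrored(self) -> "TrafficSelector":
        """The same pair as the peer must configure it: local and remote swapped."""
        return TrafficSelector(self.name, self.remote, self.local)


def ts(name: str, local: str, remote: str) -> TrafficSelector:
    return TrafficSelector(name, ipaddress.ip_network(local), ipaddress.ip_network(remote))


def selector_for(selectors, src_ip: str, dst_ip: str):
    """Return the first selector covering src->dst, or None.

    A flow that is routed into st0 but matches no selector has no SA to be
    encrypted with and is dropped; that is the symptom of a proxy-ID mismatch.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for sel in selectors:
        if sel.covers(src, dst):
            return sel
    return None


def peer_side(selectors):
    """Selector pairs as the remote peer (the ASA side) has to see them."""
    return [sel.mirrored() for sel in selectors]


# Constructed from the VPN1-Cisco listing above: two selectors, one per local LAN.
SRX_SELECTORS = [ts("TS1", "172.30.1.0/24", "192.168.1.0/24"),
                 ts("TS2", "172.50.1.0/24", "192.168.1.0/24")]

# Constructed from the data center listing earlier on the page: toward Site B the
# local proxy-ID is 0.0.0.0/0, so hairpinned Site A traffic (172.30.1.0/24) fits too.
DC_TO_SITEB = [ts("SiteB", "0.0.0.0/0", "192.168.1.0/24")]
```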
Let’s say that you get a request to create a site-to-site IPSec VPN between Juniper SRX and Cisco ASA firewalls. You would automatically assume that you have to use a policy based VPN on the SRX, as the Cisco ASA supports only policy based VPNs. Well, you can, but there is another option: you can use a route based VPN.
Before we continue, I would like to stress that it is really important to have the VPN settings identical on both sides, or the VPN tunnel will not come up or will be unstable.
Network diagram
VPN Settings on Cisco ASA and Juniper SRX

| Parameters \ Device | Cisco ASA | Juniper SRX |
|---|---|---|
| Phase 1 (IKE) | | |
| authentication | sha1 | sha1 |
| encryption | aes128 | aes128 |
| dh-group | group2 | group2 |
| lifetime (seconds) | 86400 | 86400 |
| mode | main | main |
| pre-shared-key | Bingo1 | Bingo1 |
| Phase 2 (IPSec) | | |
| protocol | esp | esp |
| authentication | sha1 | sha1 |
| encryption | aes128 | aes128 |
| lifetime-seconds | 3600 | 3600 |
| lifetime-kilobytes | 46000 | 46000 |
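Because both sides must match while the ASA and Junos spell the same algorithms differently, this added Python check (not from the original post) normalises the vendor names and reports every parameter that differs, including a pre-shared key that differs only in case. The two dictionaries are constructed from the table and from the SRX listing that follows; the ASA CLI keywords aes and sha are included alongside the table's names.

```python
# Vendor spellings of the same algorithm, mapped to one canonical label. The ASA
# table covers both the names in the table above and the ASA CLI keywords
# ('hash sha', 'encryption aes'); the SRX table covers the Junos proposal names.
ASA_NAMES = {"sha": "sha1", "sha1": "sha1", "aes": "aes128", "aes128": "aes128",
             "group2": "group2", "esp": "esp", "main": "main"}
SRX_NAMES = {"sha1": "sha1", "hmac-sha1-96": "sha1", "aes-128-cbc": "aes128",
             "group2": "group2", "esp": "esp", "main": "main"}


def canonical(key: str, value, names: dict) -> str:
    """Normalise one parameter value; the pre-shared key is compared verbatim
    (it is case-sensitive), numbers and unknown names pass through unchanged."""
    if key.endswith("pre-shared-key"):
        return str(value)
    text = str(value).lower()
    return names.get(text, text)


def mismatches(asa: dict, srx: dict) -> list[str]:
    """Return the parameters that differ between the two peers after
    normalisation, including any parameter that only one side defines."""
    bad = []
    for key in sorted(set(asa) | set(srx)):
        if key not in asa or key not in srx:
            bad.append(key)
        elif canonical(key, asa[key], ASA_NAMES) != canonical(key, srx[key], SRX_NAMES):
            bad.append(key)
    return bad


# Constructed from the table above (ASA column, in ASA CLI spelling) and from
# the Juniper SRX listing that follows the table.
ASA = {"ike.authentication": "sha", "ike.encryption": "aes", "ike.dh-group": "group2",
       "ike.lifetime-seconds": 86400, "ike.mode": "main", "ike.pre-shared-key": "Bingo1",
       "ipsec.protocol": "esp", "ipsec.authentication": "sha", "ipsec.encryption": "aes",
       "ipsec.lifetime-seconds": 3600, "ipsec.lifetime-kilobytes": 46000}
SRX = {"ike.authentication": "sha1", "ike.encryption": "aes-128-cbc",
       "ike.dh-group": "group2", "ike.lifetime-seconds": 86400, "ike.mode": "main",
       "ike.pre-shared-key": "Bingo1", "ipsec.protocol": "esp",
       "ipsec.authentication": "hmac-sha1-96", "ipsec.encryption": "aes-128-cbc",
       "ipsec.lifetime-seconds": 3600, "ipsec.lifetime-kilobytes": 46000}
```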
I would like to point out two things you have to pay attention to when configuring a route based IPSec VPN between SRX and ASA:
On the SRX, the virtual st0 interface has to be unnumbered (family inet with no address).
example:
edit interfaces st0
set unit 0 family inet
On the SRX, under security -> ipsec -> vpn -> VPNName -> ike, you have to configure the proxy-identity. This essentially tells the SRX which local and remote networks it has to use when creating the IPSec SA.
example:
edit security ipsec vpn VPN1-Cisco
set ike proxy-identity local 172.30.1.0/24
set ike proxy-identity remote 192.168.1.0/24
Juniper SRX configuration
edit interfaces st0
set unit 0 family inet
edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400
edit security ike policy IKE-Policy-Cisco
set mode main
set proposals Proposal-Cisco
set pre-shared-key ascii-text "Bingo1"
edit security ike gateway IKE-GW1-Cisco
set ike-policy IKE-Policy-Cisco
set address 1.1.1.1
set external-interface ge-0/0/0
edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000
edit security ipsec policy Cisco-Policy-IPSec
set proposals Cisco-Proposal-IPSec
edit security ipsec vpn VPN1-Cisco
set bind-interface st0.0
set ike gateway IKE-GW1-Cisco
set ike proxy-identity local 172.30.1.0/24
set ike proxy-identity remote 192.168.1.0/24
set ike ipsec-policy Cisco-Policy-IPSec
edit routing-options
set static route 192.168.1.0/24 next-hop st0.0
edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0
edit security zones security-zone LOCAL
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces ge-0/0/1.0
edit security policies from-zone LOCAL to-zone VPN
set policy LOCAL-to-VPN match source-address any
set policy LOCAL-to-VPN match destination-address any
set policy LOCAL-to-VPN match application any
set policy LOCAL-to-VPN then permit
edit security policies from-zone VPN to-zone LOCAL
set policy VPN-to-LOCAL match source-address any
set policy VPN-to-LOCAL match destination-address any
set policy VPN-to-LOCAL match application any
set policy VPN-to-LOCAL then permit
In a previous post I mentioned how SIP ALG can be of benefit on Juniper SRX firewalls. But when phone clients do not support RFC 3581 and SIP ALG is enabled, the SRX firewall will drop their traffic. When SIP ALG is enabled, it is applied globally: basically it is on or off for the “whole” firewall.
In this example the Private PBX is located in the LAN A subnet and the phone clients are located in the LAN B subnet. SIP ALG is enabled on the SRX firewall and is used for the communication between the Provider PBX and the Private PBX.
For the communication between the phone clients and the Private PBX, SIP ALG is disabled within the firewall policy: the custom application below is configured with alg ignore, and the policies that reference it bypass the ALG.
[edit applications]
set application DisableSIP_ALG term t1 alg ignore
set application DisableSIP_ALG term t1 protocol udp
[edit security]
set zones security-zone LAN-A address-book address PrivatePBX 192.168.1.100/32
[edit security]
set zones security-zone LAN-B address-book address LAN-B-NET 172.30.1.0/24
[edit security policies from-zone LAN-A to-zone LAN-B]
set policy PBX-to-LAN-B-DisableSIPALG match source-address PrivatePBX
set policy PBX-to-LAN-B-DisableSIPALG match destination-address LAN-B-NET
set policy PBX-to-LAN-B-DisableSIPALG match application DisableSIP_ALG
set policy PBX-to-LAN-B-DisableSIPALG then permit
[edit security policies from-zone LAN-B to-zone LAN-A]
set policy LAN-B-to-PBX-DisableSIPALG match source-address LAN-B-NET
set policy LAN-B-to-PBX-DisableSIPALG match destination-address PrivatePBX
set policy LAN-B-to-PBX-DisableSIPALG match application DisableSIP_ALG
set policy LAN-B-to-PBX-DisableSIPALG then permit
Have you ever wondered how to allow traffic from the provider’s PBX to your PBX without creating an additional firewall policy with dynamic port ranges for the RTP stream?
Well, here SIP ALG comes into play. SIP ALG recognizes SIP traffic and opens a pinhole in the firewall to allow the RTP stream from one PBX to the other for the duration of the session/call. There is no need for an additional firewall policy for the RTP stream if SIP ALG is used.
This kind of setup will work only if both PBXs support RFC 3581.
On Juniper SRX firewalls SIP ALG is enabled by default. To check the SIP ALG status, enter the command “show security alg status”.
In this example an additional IP address, 1.1.1.100, was provided by the ISP and is assigned a static NAT mapping to IP address 192.168.1.100. IP address 1.1.1.100 will be used for SIP and RTP traffic.
[edit security nat static]
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 1.1.1.100/32
set rule-set rs1 rule r1 then static-nat prefix 192.168.1.100/32
[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32
[edit security]
set zones security-zone trust address-book address LocalPBX 192.168.1.100/32
[edit security]
set zones security-zone untrust address-book address ProviderPBX 2.2.2.200/32