SRX Wildcard cert for management / dynamic vpn

1. Convert the wildcard certificate to a .pem file.

2. Copy the .pem file to the SRX with WinSCP:

/cf/root/:
.cshrc
.history
.login
.profile
HCW.nl.pem

3. Edit the configuration:
root@fire-002-001> edit
Entering configuration mode
root@fire-002-001# set security certificates local HCWildcard load-key-file /cf/root/HCW.nl.pem
root@fire-002-001# set system services web-management https local-certificate HCWildcard
root@fire-002-001# set system domain-name hcw.nl
root@fire-002-001# commit


SRX – host inbound traffic & Ike

When configuring VPNs and the untrust interface gets its address via DHCP, this does NOT work:

security {
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    https;
                    ssh;
                    ping;
                    ike;
                }
            }
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}

IKE SA is up
IPsec SA is NOT

The interface-level host-inbound-traffic block overrides the zone-level list for fe-0/0/0.0, so the ike (and https, ssh, ping) entries configured on the zone never apply to that interface. This is the right way to set this up:

security {
    zones {
        security-zone untrust {
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ike;
                            ping;
                            ssh;
                            http;
                        }
                    }
                }
            }
        }
    }
}

IKE SA is up
IPsec SA is up
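As an added example (not part of the original note), this Python lint parses the two snippets above and reports which system-services each interface of a zone actually accepts, applying the Junos rule that an interface-level host-inbound-traffic block replaces the zone-level one rather than merging with it. The sample configs inside are constructed from the two snippets on this page; the parser only handles the brace/semicolon form shown here (no comments, quoted strings or duplicate keys).

```python
# Added example (not from the original notes): lint for the Junos gotcha above. An
# interface-level host-inbound-traffic block REPLACES the zone-level one (no merge).
import re

def parse(text):
    """Parse 'key { ... }' / 'statement;' text into nested dicts (leaves -> None)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or dangling statement")
    return stack[0]

def effective_services(config, zone):
    """Return {interface: set of system-services accepted} for one zone."""
    z = config["security"]["zones"]["security-zone " + zone]
    zone_svc = set((z.get("host-inbound-traffic") or {}).get("system-services") or {})
    result = {}
    for ifname, body in (z.get("interfaces") or {}).items():
        if_hit = (body or {}).get("host-inbound-traffic")
        if if_hit is None:            # no interface-level block: zone list applies
            result[ifname] = set(zone_svc)
        else:                         # interface-level block wins, zone list ignored
            result[ifname] = set(if_hit.get("system-services") or {})
    return result

def interfaces_missing(config, zone, service):
    """Interfaces in the zone that do not accept the given service (e.g. 'ike')."""
    return sorted(i for i, s in effective_services(config, zone).items() if service not in s)

# Constructed samples mirroring the two configs above (collapsed to one line each).
BROKEN = "security { zones { security-zone untrust { host-inbound-traffic { system-services { https; ssh; ping; ike; } } interfaces { fe-0/0/0.0 { host-inbound-traffic { system-services { dhcp; } } } } } } }"
FIXED = "security { zones { security-zone untrust { interfaces { fe-0/0/0.0 { host-inbound-traffic { system-services { dhcp; ike; ping; ssh; http; } } } } } } }"

if __name__ == "__main__":
    for label, cfg in (("does NOT work", BROKEN), ("right way", FIXED)):
        print(label, "-> missing ike on:", interfaces_missing(parse(cfg), "untrust", "ike"))
```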


SRX recovery root password

Recovering the Root Password (SRX Series)

If you forget the root password for the SRX100, SRX200, or the SRX600 device, you can use the password recovery procedure to reset the root password.

Note: You need console access to recover the root password.

To recover the root password:

1. Power off the device by pressing the power button on the front panel and reboot the device.
2. Turn on the power to the management device.
3. Power on the device by pressing the power button on the front panel. Verify that the POWER LED on the front panel turns green.
   The terminal emulation screen on your management device displays the device's boot sequence.
4. When the autoboot is completed, press the spacebar a few times to access the bootstrap loader prompt.
5. At the following prompt, enter boot -s to start up the system in single-user mode.

   loader>boot -s

6. At the following prompt, enter recovery to start the root password recovery procedure.

   Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

7. Enter configuration mode in the CLI.
8. Set the root password. For example:

   user@host# set system root-authentication plain-text-password

   For more information about configuring the root password, see the Junos System Basics Configuration Guide.
9. At the following prompt, enter the new root password. For example:

   New password: juniper1
   Retype new password:

10. At the second prompt, reenter the new root password.
11. If you are finished configuring the network, commit the configuration.

   root@host# commit
   commit complete

12. Exit configuration mode in the CLI.
13. Exit operational mode in the CLI.
14. At the prompt, enter y to reboot the device.

   Reboot the system? [y/n] y


SRX config – ipsec vpn asa – srx multiple subnets

version 10.1R2.8;
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.34.2/16;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.0.2.254/24;
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family inet {
                address 2.2.2.2/28;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 2.2.2.1;
    }
}
security {
    ike {
        proposal ikep1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy IkePolicy1 {
            mode main;
            proposals ikep1;
            pre-shared-key ascii-text "$9$JgGHm36AB1h/CMX7d4o"; ## SECRET-DATA
        }
        gateway IkeGateway1 {
            ike-policy IkePolicy1;
            address 64.61.147.206;
            dead-peer-detection;
            no-nat-traversal;
            external-interface ge-0/0/14.0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsecp2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy VpnPolicy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsecp2;
        }
        vpn Vpn1 {
            ike {
                gateway IkeGateway1;
                ipsec-policy VpnPolicy1;
            }
        }
    }
    nat {
        source {
            rule-set hide-nat {
                from zone [ Dmz2 Trust ];
                to zone Untrust;
                rule Except {
                    match {
                        destination-address 172.16.1.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule hide-nat-rule {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone Trust {
            tcp-rst;
            address-book {
                address local_lan 192.168.0.0/16;
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone Untrust {
            address-book {
                address ASA_lan 172.16.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/14.0;
            }
        }
        security-zone Dmz2 {
            tcp-rst;
            address-book {
                address dmz2_lan 10.0.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
    }
    policies {
        from-zone Untrust to-zone Dmz2 {
            policy ASADmz2 {
                match {
                    source-address ASA_lan;
                    destination-address dmz2_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy Dmz2ASA;
                        }
                    }
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy VpnASA {
                match {
                    source-address local_lan;
                    destination-address ASA_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy ASAVpn;
                        }
                    }
                }
            }
            policy 56 {
                match {
                    source-address Full_Access;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Dmz2 to-zone Untrust {
            policy Dmz2ASA {
                match {
                    source-address dmz2_lan;
                    destination-address ASA_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy ASADmz2;
                        }
                    }
                }
            }
            policy sslvpn2any {
                match {
                    source-address sslvpn_10.0.2.10;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Untrust to-zone Trust {
            policy ASAVpn {
                match {
                    source-address ASA_lan;
                    destination-address local_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy VpnASA;
                        }
                    }
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}


ASA config – ipsec vpn asa – srx multiple subnets

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
names
name 192.168.0.0 NLLan
name 10.0.2.0 NLLan2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
object-group network VPNSubnets
 network-object NLLan2 255.255.255.0
 network-object NLLan 255.255.0.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 object-group VPNSubnets
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 object-group VPNSubnets
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
webvpn
group-policy DfltGrpPolicy attributes
 vpn-filter value inside_access_in
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
