Channel: Juniper ScreenOS – Blog Webernetz.net
Browsing all 36 articles
Browse latest View live


IPsec Site-to-Site VPN Juniper ScreenOS Cisco ASA

This post describes the steps to configure a Site-to-Site VPN between a Juniper ScreenOS firewall and the Cisco ASA firewall. With the correct IKE and IPsec parameters as well as the correct Proxy IDs...


Policy-Based Routing (PBR) on a Juniper ScreenOS Firewall

Here comes an example on how to configure policy-based routing (PBR) on a Juniper ScreenOS firewall. The requirement at the customer's site was to forward all HTTP and HTTPS connections through a cheap...


Site-to-Site VPNs with Diffie-Hellman Group 14

When talking about VPNs it is almost always clear that they are encrypted. However, it is not so clear on which security level a VPN is established. Since the Perfect Forward Secrecy (PFS) values of...


IPsec Site-to-Site VPN Juniper ScreenOS Cisco Router

Similar to all my other site-to-site VPN articles, here are the configurations for a VPN tunnel between a Juniper ScreenOS SSG firewall and a Cisco IOS router. Due to the VPN Monitor of the SSG...


Juniper NSM: Exclamation Mark due to Attack Database Version Mismatch

Short and very specific notice: How to remove the exclamation marks on the Juniper NSM device list for firewalls that have an outdated attack database version. This happens if the license for the deep...


IPsec Site-to-Site VPN Juniper ScreenOS Cisco Router w/ VTI

And finally: A route-based VPN between a Juniper ScreenOS SSG firewall and a Cisco router with a virtual tunnel interface (VTI). Both sides with tunnel interfaces and IPv4 addresses. Both sides with a...


Juniper ScreenOS Firewall autocorrects Route Entries

I was a bit confused today as I saw a “wrong” route entry in the config of an SSG firewall. The route did not have the correct “network/netmask” notation but a “host-address/netmask-of-the-network”...


Juniper ScreenOS NSRP: Configuration via GUI, NSM, and CLI

Short step-by-step screenshot guide for an initial configuration of NSRP of two Juniper ScreenOS firewalls, such as the SSGs. One screenshot pack for the http GUI and another one for the Network and...


Juniper ScreenOS DHCP Relay: “Use Interface as Source IP for VPN”

I had strange looking DHCP packets in my network as I tested around with DHCP relays on the Juniper SSG firewall. Some packets were blocked and I didn’t know why. After some troubleshooting it was...


OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

I tested OSPF for IPv4 in my lab: I configured OSPF inside a single broadcast domain with five devices: 2x Cisco Router, Cisco ASA, Juniper SSG, and Palo Alto PA. It works perfectly though these are a...


VoIP from FRITZ!Box through a Juniper SSG Firewall

At home I have retired the AVM FRITZ!Box as the sole router and replaced it with a Juniper SSG 5 firewall. The FRITZ!Box is nevertheless still present and sits as an IP client behind the...


MRTG/Routers2: Template Juniper SSG

Finally, this is how I am monitoring my Juniper ScreenOS SSG firewalls with MRTG/Routers2. Beside the interfaces (that can be built with cfgmaker) I am using my template in order to monitor the CPU...


Juniper ScreenOS NAT Overview: MIP DIP VIP

MIP DIP VIP. I am sometimes confused with the NAT names of the Juniper ScreenOS devices. Therefore, I drew a small figure with a few basic examples for these NAT types. Note that this figure does not...


IPsec Site-to-Site VPN FortiGate Juniper SSG

Here comes the step-by-step guide for building a site-to-site VPN between a FortiGate and a ScreenOS firewall. Not much to say. I am publishing several screenshots and CLI listings of both firewalls,...


Site-to-Site VPNs with Diffie-Hellman Groups 19 & 20 (Elliptic Curve)

Similar to my test with Diffie-Hellman group 14 shown here I tested a VPN connection with the elliptic curve Diffie-Hellman groups 19 and 20. The considerations why to use these DH groups are listed in...


Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

Since IPv6 gets more and more important, I am using it by default on all my test firewalls, which of course support IPv6. However, when comparing the different functions and administration...


IPv6 through IPv4 VPN Tunnel with Juniper SSGs

The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Even other tunneling methods such...


Policy-Based Routing on ScreenOS with different Virtual Routers

I already published a blog post concerning policy-based routing on a Juniper firewall within the same virtual router (VR). For some reasons, I was not able to configure PBR correctly when using...


OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, Palo Alto, and Quagga Router. I am showing my lab...


Juniper ScreenOS: DHCPv6 Prefix Delegation

The Juniper ScreenOS firewall is one of the few firewalls that implement DHCPv6 Prefix Delegation (DHCPv6-PD). It is therefore well suited for testing my dual stack ISP connection from Deutsche Telekom,...
