Associate-JNCIA
JNCIA-FWV Lab Manual
Developed by
M. Irfan Ghauri
M. Tanzeel Nasir
Sikander Shah Rashdi
C-32/1 Block-5 Gulshan-e-Iqbal, Karachi, ESP Press
Ph # 0213-6034003, Copyright 2011
JNCIA-FWV Lab Manual
1
LAB NO.  LAB DESCRIPTION                                        PAGE NO.
1        ScreenOS Basics and WebUI Basics                       3
2        Accessing Firewall using Console/Telnet/SSH/HTTP       7
3        NAT                                                    10
         1. MIP
         2. DIP
            a. DIP with IP pool
            b. DIP with IP shift
            c. DIP with different IP (PAT)
            d. DIP with egress interface
         3. VIP
         4. Destination NAT
4        Creating Object and Policy                             24
5        POLICY                                                 26
         1. Multi-cell Policy
         2. Group Policy
6        ADVANCED POLICY CONFIG.                                30
         1. Logging
         2. Counting
         3. Scheduling
         4. Authentication with (Local, WebAuth and AAA)
7        Site to Site VPN                                       36
8        Transparent Firewall                                   40
9        Debug Commands                                         41
10       DEVICE MANAGEMENT                                      44
         a. Syslog
         b. SNMP
Lab # 1
ScreenOS Basics
Configuration
After connecting your PC to the console port, log in with the default credentials:
LOGIN: netscreen
PASSWORD: netscreen
ns5gt->
To change the host name
ns5gt-> set hostname <Hostname>
Set the system date and time
ns5gt-> set clock 7/02/2010 04:20:00
Change the root administrator user name and password
ns5gt-> set admin name netscreen
ns5gt-> set admin password netscreen
ns5gt-> get admin user
WebUI: Configuration > Admin > Administrators
Verify the system date and time
ns5gt-> get clock
Configure the NetScreen interfaces with IP addresses
ns5gt-> set interface trust ip 10.0.0.10/8
ns5gt-> set interface untrust ip 20.0.0.10/8
ns5gt-> get interface
ns5gt-> get interface trust
WebUI: Network > Interfaces > Edit
Enable telnet and ping management on your untrust interface
ns5gt-> set interface untrust manage telnet
ns5gt-> set interface untrust manage ping
WebUI: Network > Interfaces > Edit
Ensure that a policy exists to allow your (trust) network to access the (untrust) network
ns5gt-> get policy
WebUI: Policies
Verify IP connectivity by issuing a ping from your (trust) network to the (untrust) network
ns5gt-> ping 20.0.0.1
If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.
ns5gt-> save
Also save it to your local PC using TFTP
ns5gt-> save config to tftp 10.0.0.1 groupname.cfg
Restore the configuration from TFTP
ns5gt-> save config from tftp 10.0.0.1 groupname.cfg merge
WebUI: Configuration > Update > Config File
Create two administrator user accounts: one read-only and the other having all privileges
ns5gt-> set admin user AdminReadOnly password abc123 privilege read-only
ns5gt-> set admin user AdminReadWrite password abc123 privilege all
Set the console timeout
ns5gt-> set console timeout 8     (value in minutes; the default is 10)
WebUI: Configuration > Admin > Management
Set the administration station IP in the firewall (only that machine will be able to log on to the firewall)
ns5gt-> set admin manager-ip 10.0.0.20 255.255.255.255
WebUI: Configuration > Admin > Permitted IPs
Set the administration station IP on the trust interface (only via this IP will a machine be able to log on to the firewall)
ns5gt-> set interface trust manage-ip 20.0.0.20
WebUI: Network > Interfaces > Edit
Reset to factory default
ns5gt-> unset all
(answer Yes at the confirmation prompt)
ns5gt-> reset
Modified save? no
(answer Yes at the confirmation prompt)
Create a separate rollback configuration file in flash memory
ns5gt-> save config to last-known-good
ns5gt-> exec config rollback
Enable management services
ns5gt-> set interface trust manage
Or
ns5gt-> set interface trust manage ping
ns5gt-> set interface trust manage web
ns5gt-> set interface trust manage ssh
ns5gt-> set ssh enable
WebUI: Network > Interfaces > Edit
Disable management services
ns5gt-> unset interface trust manage
WebUI: Network > Interfaces > Edit
Configure a policy to allow traffic flow from the trust side to untrust
ns5gt-> set policy id 1 from trust to untrust any any any permit     (src-address dst-address service action)
WebUI: Policies > New
Configure a policy to allow traffic flow from the untrust side to trust
ns5gt-> set policy id 2 from untrust to trust any any any permit     (src-address dst-address service action)
WebUI: Policies > New
To log the traffic flow from the trust side to untrust
ns5gt-> set policy id 1 from trust to untrust any any any permit log
WebUI: Policies > New > Edit
Delete a policy
ns5gt-> unset policy id 2
View the sessions on the firewall
ns5gt-> get session
Clear the sessions on the firewall
ns5gt-> clear session
View system information
ns5gt-> get system
View zones
ns5gt-> get zone
View the routing table
ns5gt-> get route
View admin information
ns5gt-> get admin
Lab # 2
Accessing Firewall using Console/Telnet/SSH/HTTP
Configuration
After connecting your PC to the console port, log in:
LOGIN: netscreen
PASSWORD: netscreen
ns5gt->
Configure telnet/SSH on the firewall
ns5gt-> set interface trust manage telnet
ns5gt-> set interface trust manage ssh
ns5gt-> set ssh enable
ns5gt-> set ssh version 2
WebUI: Network > Interfaces > Edit
Now access the firewall from the PC using telnet
Start > Run > cmd
C:\> ping 10.0.0.10
C:\> telnet 10.0.0.10
LOGIN: netscreen
PASSWORD: netscreen
Now access the firewall from the PC using SSH
First open the PuTTY software, then press Open.
Now access the firewall from the PC using HTTP
First open Internet Explorer, then type
http://10.0.0.10
Lab # 3
NAT
1. Mapped IP (MIP)
Configuration
First map an IP on the untrust interface
ns5gt-> set interface untrust mip 20.0.0.30 host 10.0.0.2 netmask 255.255.255.255 vrouter trust-vr
WebUI: Network > Interfaces > Edit > MIP > Configuration
Bind a policy that allows the traffic to the MIP
ns5gt-> set policy from untrust to trust any mip(20.0.0.30) any permit
WebUI: Policy > Policies > New
[Topology: Host A 10.0.0.1 and Server 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Enable logging for the policy with this command
ns5gt-> set policy from untrust to trust any mip(20.0.0.30) any nat dst ip 20.0.0.30 permit log
WebUI: Policy > Policies (From Untrust To Trust) > Edit
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
2. DIP
a. DIP with IP pool
Configuration
Make a pool of IPs on the untrust interface
ns5gt-> set interface untrust dip 4 20.0.0.30 20.0.0.40 fix-port
WebUI: Network > Interfaces > Edit > DIP > Configuration
Bind a policy that allows the traffic and applies the DIP
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit
WebUI: Policy > Policies > New
[Topology: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Enable logging for the policy with this command
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit log
WebUI: Policy > Policies (From Trust To Untrust) > Edit
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
b. DIP with IP shift
Configuration
Make a pool of shifted IPs on the untrust interface (each source address from 10.0.0.1 onward maps to the corresponding pool address)
ns5gt-> set interface untrust dip 4 shift-from 10.0.0.1 to 20.0.0.11 20.0.0.20
WebUI: Network > Interfaces > Edit > DIP > Configuration
Bind a policy that allows the traffic and applies the DIP
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit
WebUI: Policy > Policies > New
[Topology: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Enable logging for the policy with this command
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit log
WebUI: Policy > Policies (From Trust To Untrust) > Edit
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
c. DIP with different IP (PAT)
Configuration
Set a single public IP as the DIP on the untrust interface (no fix-port, so source ports are translated)
ns5gt-> set interface untrust dip 4 20.0.0.30 20.0.0.30
WebUI: Network > Interfaces > Edit > DIP > Configuration
Bind a policy that allows the traffic and applies the DIP
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit
WebUI: Policy > Policies > New
[Topology: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Enable logging for the policy with this command
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit log
WebUI: Policy > Policies (From Trust To Untrust) > Edit
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
d. DIP with egress interface
Configuration
Apply source NAT on the following policy (with no DIP ID, the egress interface IP is used as the source)
ns5gt-> set policy from trust to untrust any any any nat src permit
WebUI: Policy > Policies > New
Enable logging for the policy with this command
ns5gt-> set policy from trust to untrust any any any nat src permit log
WebUI: Policy > Policies (From Trust To Untrust) > Edit
[Topology: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
3. VIP
Configuration
Set a virtual IP on the untrust interface (the second command adds a further service to the same VIP)
ns5gt-> set interface untrust vip 20.0.0.50 21 ftp 10.0.0.2
ns5gt-> set interface untrust vip 20.0.0.50 + 80 http 10.0.0.1
WebUI: Network > Interfaces > Edit > VIP / VIP Services
Apply the VIP in the following policy
ns5gt-> set policy from untrust to trust any vip::1 any permit
WebUI: Policy > Policies > New
[Topology: web server 10.0.0.1 and FTP server 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Enable logging for the policy with this command
ns5gt-> set policy from untrust to trust any vip::1 any permit log
WebUI: Policy > Policies (From Untrust To Trust) > Edit
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
4. Destination NAT
Configuration
Create an address object for the trust virtual IP
ns5gt-> set address trust "1.1.1.1" 1.1.1.1 255.255.255.255
Create the policy
ns5gt-> set policy id 1 from untrust to trust any "1.1.1.1" any nat src dst ip 10.0.0.1 permit log
WebUI: Policy > Policies > New
Define the route
ns5gt-> set route 1.1.1.1 255.255.255.255 interface trust
[Topology: web server 10.0.0.1 and host 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
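The NAT types in this lab act on the same packet in different ways. The following is an added Python model (not ScreenOS code, and a simplification of how ScreenOS allocates DIP addresses and ports) that applies the lab's MIP, DIP-shift, DIP-pool and VIP mappings to (src, sport, dst, dport) tuples so the differences can be compared side by side; the pool and PAT port values it produces are constructed, not captured from a device.

```python
import ipaddress as ipa

# Packets are modelled as (src, sport, dst, dport) tuples; addresses are strings.

def mip(pkt, mip_ip, host):
    """MIP: a fixed one-to-one mapping that works in both directions."""
    src, sport, dst, dport = pkt
    if dst == mip_ip:                      # inbound: public MIP -> internal host
        return (src, sport, host, dport)
    if src == host:                        # outbound: internal host leaves as the MIP
        return (mip_ip, sport, dst, dport)
    return pkt


def dip_shift(pkt, shift_from, pool_start, pool_end):
    """DIP with IP shift: the n-th address from shift_from maps to the n-th pool
    address, ports unchanged; sources beyond the pool size are left untranslated."""
    src, sport, dst, dport = pkt
    offset = int(ipa.ip_address(src)) - int(ipa.ip_address(shift_from))
    size = int(ipa.ip_address(pool_end)) - int(ipa.ip_address(pool_start)) + 1
    if 0 <= offset < size:
        return (str(ipa.ip_address(pool_start) + offset), sport, dst, dport)
    return pkt


class DipPool:
    """DIP pool (simplified model): with fix-port every session keeps its source
    port and takes a pool address that is still free for that port; without
    fix-port (PAT) one address is shared and each session gets a fresh port."""
    def __init__(self, start, end, fix_port):
        first, last = int(ipa.ip_address(start)), int(ipa.ip_address(end))
        self.addrs = [str(ipa.ip_address(a)) for a in range(first, last + 1)]
        self.fix_port = fix_port
        self.in_use = set()          # (pool address, source port) pairs allocated
        self.next_port = 1025        # constructed starting point for PAT ports

    def translate(self, pkt):
        src, sport, dst, dport = pkt
        if self.fix_port:
            for addr in self.addrs:
                if (addr, sport) not in self.in_use:
                    self.in_use.add((addr, sport))
                    return (addr, sport, dst, dport)
            raise RuntimeError("DIP pool exhausted for source port %d" % sport)
        port, self.next_port = self.next_port, self.next_port + 1
        return (self.addrs[0], port, dst, dport)


def vip(pkt, vip_ip, services):
    """VIP: one public address whose destination port selects the internal server."""
    src, sport, dst, dport = pkt
    if dst == vip_ip and dport in services:
        return (src, sport, services[dport], dport)
    return pkt
```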
Lab # 4
Creating Object and Policy
Configuration
Create an address object for the trust host PC
ns5gt-> set address trust insidepc 10.0.0.1/32
WebUI: Policy > Policy Elements > Addresses > Configuration
Create an address object for the untrust host PC
ns5gt-> set address untrust outsidepc 20.0.0.1/32
WebUI: Policy > Policy Elements > Addresses > Configuration
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the trust interface (10.0.0.10); host 20.0.0.1 on the untrust interface (20.0.0.10)]
Call the objects to create a policy
ns5gt-> set policy from trust to untrust insidepc outsidepc any permit
ns5gt-> set policy from untrust to trust outsidepc insidepc any permit
WebUI: Policy > Policies > New
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
Lab # 5
1. Multi-cell Policy
Configuration
Create address objects for the trust hosts
ns5gt-> set address trust insidepc1 10.0.0.1/32
ns5gt-> set address trust insidepc2 10.0.0.2/32
WebUI: Policy > Policy Elements > Addresses > Configuration
Create address objects for the untrust hosts
ns5gt-> set address untrust outsidepc1 20.0.0.1/32
ns5gt-> set address untrust outsidepc2 20.0.0.2/32
WebUI: Policy > Policy Elements > Addresses > Configuration
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the trust interface (10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on the untrust interface (20.0.0.10)]
Call the objects to create a multi-cell policy (enter the policy context to add further addresses and services)
ns5gt-> set policy id 1 from trust to untrust insidepc1 outsidepc1 ftp permit
ns5gt-> set policy id 1
ns5gt(policy:1)-> set src-address insidepc2
ns5gt(policy:1)-> set dst-address outsidepc2
ns5gt(policy:1)-> set service http
ns5gt(policy:1)-> set service icmp-any
WebUI: Policy > Policies > New
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
2. Group Policy
Configuration
Create address objects for the trust hosts
ns5gt-> set address trust insidepc1 10.0.0.1/32
ns5gt-> set address trust insidepc2 10.0.0.2/32
WebUI: Policy > Policy Elements > Addresses > Configuration
Create address objects for the untrust hosts
ns5gt-> set address untrust outsidepc1 20.0.0.1/32
ns5gt-> set address untrust outsidepc2 20.0.0.2/32
WebUI: Policy > Policy Elements > Addresses > Configuration
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the trust interface (10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on the untrust interface (20.0.0.10)]
Make an address group in the trust zone
ns5gt-> set group address trust groupnamein
ns5gt-> set group address trust groupnamein add insidepc1
ns5gt-> set group address trust groupnamein add insidepc2
WebUI: Policy > Policy Elements > Addresses > Groups > Configuration
Make an address group in the untrust zone
ns5gt-> set group address untrust groupnameout
ns5gt-> set group address untrust groupnameout add outsidepc1
ns5gt-> set group address untrust groupnameout add outsidepc2
WebUI: Policy > Policy Elements > Addresses > Groups > Configuration
Call the groups to create a group policy
ns5gt-> set policy id 1 from trust to untrust groupnamein groupnameout ftp permit
ns5gt-> set policy id 1
ns5gt(policy:1)-> set service http
ns5gt(policy:1)-> set service icmp-any
WebUI: Policy > Policies > New
Verifying commands
ns5gt-> get config
ns5gt-> get policy
WebUI: Policy > Policies
Lab # 6
Advanced Policy Configuration
Configuration
1. Logging
Enable logging for the policy with this command
ns5gt-> set policy id 1 from trust to untrust any any any permit log
WebUI: Policy > Policies (From Trust To Untrust)
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the trust interface (10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on the untrust interface (20.0.0.10)]
2. Counting
Enable the traffic counter (counting graph) for the policy with this command
ns5gt-> set policy id 1 from trust to untrust any any any permit count
WebUI: Policy > Policies (From Trust To Untrust)
3. Scheduling
Set the schedule with this command
ns5gt-> set scheduler tempwork once start 2/16/2010 23:1 stop 2/16/2010 23:5
Call the schedule to create a policy
ns5gt-> set policy from trust to untrust any any any permit schedule tempwork
WebUI: Policy > Policies > New
4. Authentication
With the local database
Create a user name and password
ns5gt-> set user esp uid 1
ns5gt-> set user esp type auth
ns5gt-> set user esp hash-password netscreen
ns5gt-> set user esp enable
Call authentication in the following policy
ns5gt-> set policy from untrust to trust any any any permit auth
WebUI: Policy > Policies > New
With WebAuth
Set the WebAuth IP on the untrust interface
ns5gt-> set interface untrust webauth
ns5gt-> set interface untrust webauth-ip 20.0.0.51
Call authentication in the following policy
ns5gt-> set policy from untrust to trust any any any permit webauth
With an AAA server
Browse to http://127.0.0.1:1812
Username and password from the local Windows database
Username: administrator
Password: abc123
[Screenshot: AAA server configuration with Steel-Belted Radius]
[Screenshot: user database on ACS]
AAA client configuration
ns5gt-> set auth-server aaaserver id 1
ns5gt-> set auth-server aaaserver server-name 20.0.0.2
ns5gt-> set auth-server aaaserver account-type auth
ns5gt-> set auth-server aaaserver radius secret juniper123
WebUI: Configuration > Auth > Auth Servers > Edit
Call authentication in the following policy
ns5gt-> set policy id 1 from untrust to trust any any any permit auth server aaaserver
Verifying commands
ns5gt-> get config
ns5gt-> get policy
ns5gt-> get interface
ns5gt-> get auth table
ns5gt-> clear auth table
WebUI: Policy > Policies
Lab # 7
Site-to-site VPN
Configuration
Configure Router A as shown below.
First enable the ISAKMP policy
RouterA(config)# crypto isakmp enable     (optional)
RouterA(config)# crypto isakmp policy 10
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the firewall trust interface (10.0.0.10); firewall untrust interface 15.0.0.1; Router RA Fa0/0 15.0.0.2 and Fa0/1 20.0.0.10; hosts 20.0.0.1 and 20.0.0.2 behind the router]
RouterA(config)# crypto isakmp key cisco123 address 15.0.0.2
Configure the IPsec transform set
RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac
Configure the crypto ACL to define which traffic to protect
RouterA(config)# access-list 111 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Configure the crypto map
RouterA(config)# crypto map mymap 10 ipsec-isakmp
RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 15.0.0.2
RouterA(config-crypto-map)# set transform-set aset
Apply the crypto map to the WAN interface
RouterA(config)# int s 0
RouterA(config-if)# crypto map mymap
Configure the firewall as shown below.
WebUI: Network > Routing > Destination > New
Configure the IKE policy
ns5gt-> set ike gateway ikepolicy address 15.0.0.1 Main outgoing-interface untrust preshare Cisco123 pre-g2-des-md5
ns5gt-> set ike respond-bad-spi 1
WebUI: VPNs > AutoKey Advanced > Gateway > Edit
WebUI: VPNs > AutoKey Advanced > Gateway > Edit (click on Advanced)
Configure IPsec
ns5gt-> set vpn ipsec gateway ikepolicy no-replay tunnel idletime 0 proposal nopfs-esp-des-md5
WebUI: VPNs > AutoKey IKE > Edit
Configure the ACL (the paired tunnel policies)
ns5gt-> set policy id 1 from trust to untrust 20.0.0.0/8 10.0.0.0/8 any tunnel vpn ipsec id 1 pair-policy 2
ns5gt-> set policy id 2 from untrust to trust 10.0.0.0/8 20.0.0.0/8 any tunnel vpn ipsec id 1 pair-policy 1
WebUI: Policy > Policies
Verifying commands
ns5gt-> get ike cookie
ns5gt-> get sa active
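Phase 1 and Phase 2 negotiate only if both peers offer the same parameters. The following added Python check (not part of the lab and not Cisco or Juniper code) decodes the ScreenOS proposal names and the IOS isakmp policy and transform-set from this lab's commands, reports every field on which the peers differ and lists algorithms that are weak by current standards; run on the page's own values it reports the pre-shared key, because the router's cisco123 and the firewall's Cisco123 are compared case-sensitively.

```python
import re

# IOS encryption keywords -> the token used in ScreenOS predefined proposal names,
# which read <auth>-g<dh>-<enc>-<hash> (Phase 1) and <pfs>-esp-<enc>-<hash> (Phase 2).
ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes 128": "aes128",
       "aes 192": "aes192", "aes 256": "aes256"}
WEAK = {"des", "md5", "g1", "g2"}     # not acceptable for a new tunnel today

# Constructed sample: the router and firewall commands from Lab 7.
IOS = """RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2
RouterA(config)# crypto isakmp key cisco123 address 15.0.0.2
RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac""".splitlines()
SCREENOS = [
    "set ike gateway ikepolicy address 15.0.0.1 Main outgoing-interface untrust "
    "preshare Cisco123 pre-g2-des-md5",
    "set vpn ipsec gateway ikepolicy no-replay tunnel idletime 0 proposal nopfs-esp-des-md5",
]


def parse_screenos(lines):
    """Read the gateway (Phase 1) and vpn (Phase 2) proposal names and the pre-shared key."""
    out = {}
    for ln in lines:
        if m := re.search(r"set ike gateway \S+ .*preshare (\S+) (\S+)", ln):
            out["psk"] = m[1]
            out["auth"], out["dh"], out["enc"], out["hash"] = m[2].split("-")
        elif m := re.search(r"set vpn \S+ gateway \S+ .*proposal (\S+)", ln):
            pfs, _esp, out["p2enc"], out["p2hash"] = m[1].split("-")
            out["pfs"] = pfs != "nopfs"
    return out


def parse_ios(lines):
    """Read the same fields from the isakmp policy, isakmp key, transform-set and crypto map."""
    out = {"pfs": False}                    # no 'set pfs' in the crypto map means no PFS
    for ln in lines:
        ln = ln.split("#")[-1].strip()      # drop the 'RouterA(config)#' prompt
        if m := re.match(r"authentication (\S+)", ln):
            out["auth"] = "pre" if m[1] == "pre-share" else m[1]
        elif m := re.match(r"encryption (.+)", ln):
            out["enc"] = ENC[m[1]]
        elif m := re.match(r"hash (\S+)", ln):
            out["hash"] = m[1]
        elif m := re.match(r"group (\d+)", ln):
            out["dh"] = "g" + m[1]
        elif m := re.match(r"crypto isakmp key (\S+) address", ln):
            out["psk"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set \S+ esp-(\w+)(?: (\d+))? esp-(\w+)-hmac", ln):
            out["p2enc"], out["p2hash"] = m[1] + (m[2] or ""), m[3]
        elif ln.startswith("set pfs"):
            out["pfs"] = True
    return out


def mismatches(fw, rtr):
    """Fields on which the two peers disagree; the key comparison is case-sensitive."""
    return sorted(k for k in fw if fw[k] != rtr.get(k))


def weak_algorithms(fw):
    """Proposal components that should be replaced before this tunnel goes to production."""
    return sorted({v for k, v in fw.items() if k != "psk" and v in WEAK})
```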
Lab # 8
Transparent Firewall
Configuration
ns5gt-> set interface vlan1 ip 50.0.0.50/8
ns5gt-> set interface trust zone V1-Trust
ns5gt-> set interface untrust zone V1-Untrust
ns5gt-> set policy id 1 from V1-Trust to V1-Untrust any any any permit
ns5gt-> set policy id 2 from V1-Untrust to V1-Trust any any any permit
Verifying commands
ns5gt-> get interface
ns5gt-> get policy
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the trust side; hosts 20.0.0.1 and 20.0.0.2 on the untrust side]
Lab # 9
Debug Commands
Configuration
ns5gt-> set ffilter src-ip 10.0.0.1 dst-ip 20.0.0.1
ns5gt-> debug flow basic
ns5gt-> get dbuf stream
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the trust interface (10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on the untrust interface (20.0.0.10)]
Flow Basic Output
****** 02599.0: <Trust/trust> packet received [60]******
ipid = 6937(1b19), @05a27cd0
packet passed sanity check.
flow_decap_vector IPv4 process
trust:10.0.0.1/44289->20.0.0.1/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 10.0.0.1->20.0.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 3.route 20.0.0.1->20.0.0.1, to untrust
routed (x_dst_ip 20.0.0.1) from trust (trust in 0) to untrust
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 20.0.0.1, port 40538, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
dip id = 2, 10.0.0.1/44289->20.0.0.10/1710
choose interface untrust as outgoing phy if
no loop on ifp untrust.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <trust>, out <untrust>
existing vector list 1-61a3d14.
Session (id:2054) created for first pak 1
flow_first_install_session======>
route to 20.0.0.1
arp entry found for 20.0.0.1
ifp2 untrust, out_ifp untrust, flag 10800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (untrust, 20.0.0.1->10.0.0.1) in vr trust-vr for vsd-0/flag-3000/ifp-trust
[ Dest] 1.route 10.0.0.1->10.0.0.1, to trust
route to 10.0.0.1
arp entry found for 10.0.0.1
ifp2 trust, out_ifp trust, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 2054
flow_main_body_vector in ifp trust out ifp untrust
flow vector index 0x1, vector addr 0x1c16050, orig vector 0x1c16050
post addr xlation: 20.0.0.10->20.0.0.1.
No Route to Destination
ns5gt-> set ffilter src-ip 10.0.0.1 dst-ip 30.0.0.1
ns5gt-> debug flow basic
ns5gt-> get dbuf stream
Output
****** 05026.0: <Trust/trust> packet received [60]******
ipid = 9268(2434), @05a16cd0
packet passed sanity check.
flow_decap_vector IPv4 process
trust:10.0.0.1/46081->30.0.0.1/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 10.0.0.1->30.0.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (10.0.0.1->30.0.0.1) in vr trust-vr/0
packet dropped, no route
Verifying commands
ns5gt-> clear dbuf
ns5gt-> get ffilter
ns5gt-> unset ffilter 0
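The traces above are easier to read once the decision points are pulled out. The following added Python parser (not a ScreenOS tool) splits a get dbuf stream dump on the packet-received headers and extracts the ingress zone, addresses, matching policy, DIP translation, session ID and drop reason for each packet; it recognises only the line formats that appear in this lab's two traces, which are abridged here as a constructed sample.

```python
import re

# Constructed sample: the two 'debug flow basic' traces from Lab 9, abridged to the
# lines the parser below looks at.
DBUF = """\
****** 02599.0: <Trust/trust> packet received [60]******
trust:10.0.0.1/44289->20.0.0.1/512,1(8/0)<Root>
no session found
routed (x_dst_ip 20.0.0.1) from trust (trust in 0) to untrust
swrs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
dip id = 2, 10.0.0.1/44289->20.0.0.10/1710
Session (id:2054) created for first pak 1
post addr xlation: 20.0.0.10->20.0.0.1.
****** 05026.0: <Trust/trust> packet received [60]******
trust:10.0.0.1/46081->30.0.0.1/512,1(8/0)<Root>
no session found
no route to (10.0.0.1->30.0.0.1) in vr trust-vr/0
packet dropped, no route
"""


def split_traces(stream):
    """One text block per packet: each starts with a '****** ... packet received' header."""
    return [p for p in re.split(r"(?m)^(?=\*{6} )", stream) if p.strip()]


def parse_trace(trace):
    """Pull the decision points out of one trace; fields stay None when absent."""
    r = {"in_zone": None, "in_if": None, "src": None, "dst": None, "proto": None,
         "out_if": None, "policy_id": None, "permitted": False, "dip_id": None,
         "nat_src": None, "session_id": None, "drop_reason": None}
    for ln in trace.splitlines():
        ln = ln.strip()
        if m := re.match(r"\*+ [\d.]+: <([^/]+)/([^>]+)> packet received", ln):
            r["in_zone"], r["in_if"] = m[1], m[2]
        elif m := re.match(r"\w+:([\d.]+)/\d+->([\d.]+)/\d+,(\d+)", ln):
            r["src"], r["dst"], r["proto"] = m[1], m[2], int(m[3])  # zone:src/port->dst/port,proto
        elif m := re.match(r"routed .* to (\S+)$", ln):
            r["out_if"] = m[1]
        elif m := re.match(r"Permitted by policy (\d+)", ln):
            r["policy_id"], r["permitted"] = int(m[1]), True
        elif m := re.match(r"dip id = (\d+), [\d.]+/\d+->([\d.]+)/\d+", ln):
            r["dip_id"], r["nat_src"] = int(m[1]), m[2]    # source address after NAT
        elif m := re.match(r"Session \(id:(\d+)\) created", ln):
            r["session_id"] = int(m[1])
        elif m := re.match(r"packet dropped, (.+)", ln):
            r["drop_reason"] = m[1]
    return r


def summarize(stream):
    """Parse every trace in a dump and return the list of decision summaries."""
    return [parse_trace(t) for t in split_traces(stream)]


def one_line(r):
    """Human-readable verdict for a trace, handy when grepping a long dbuf dump."""
    if r["drop_reason"]:
        return f"{r['src']}->{r['dst']} DROPPED: {r['drop_reason']}"
    nat = f" src NAT to {r['nat_src']}" if r["nat_src"] else ""
    return f"{r['src']}->{r['dst']} permitted by policy {r['policy_id']} via {r['out_if']}{nat}"
```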
Lab # 10
Device Management
a. Syslog
Configuration
ns5gt-> set syslog config 10.0.0.1 log all
ns5gt-> set syslog src-interface trust
ns5gt-> set syslog enable
WebUI: Configuration > Report Settings > Syslog
[Topology: hosts 10.0.0.1 and 10.0.0.2 on the trust interface (10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on the untrust interface (20.0.0.10)]
Verifying
PING 20.0.0.1     (the traffic should now be reported to the syslog server at 10.0.0.1)
b. SNMP
Configuration
ns5gt-> set snmp community public read-write version v1
ns5gt-> set snmp host public 10.0.0.1/32
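Labs 1, 2 and 10 enable telnet, ping and web management and a read-write SNMP community. The following added Python audit (not a ScreenOS feature) reads a get config-style list of set commands, assembled here from this manual's own commands as a constructed sample, and flags settings that expose management to the untrust side or weaken it; it assumes the outside-facing interface can be recognised by its name (untrust).

```python
import re

# Constructed sample: a get config-style list of set commands assembled from the
# commands in Labs 1, 2 and 10 of this manual.
CONFIG = """\
set admin name netscreen
set admin user AdminReadWrite password abc123 privilege all
set interface trust ip 10.0.0.10/8
set interface untrust ip 20.0.0.10/8
set interface untrust manage telnet
set interface untrust manage ping
set interface trust manage telnet
set interface trust manage ssh
set ssh enable
set ssh version 2
set syslog config 10.0.0.1 log all
set syslog enable
set snmp community public read-write version v1
set snmp host public 10.0.0.1/32
"""

EXTERNAL = {"untrust"}   # assumption: the interface name tells us it faces outside


def audit(config):
    """Return a list of findings about management exposure in a ScreenOS config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for ln in lines:
        if m := re.match(r"set interface (\S+) manage(?: (\S+))?$", ln):
            iface, svc = m[1], m[2] or "all"          # bare 'manage' enables every service
            if iface in EXTERNAL:
                findings.append(f"{svc} management enabled on {iface}")
            elif svc in ("telnet", "all"):
                findings.append(f"cleartext telnet management on {iface}")
        elif m := re.match(r"set snmp community (\S+) (read-only|read-write)(.*)", ln):
            if m[2] == "read-write":
                findings.append(f"SNMP community {m[1]} is read-write")
            if m[1] in ("public", "private"):
                findings.append(f"SNMP community uses default name {m[1]}")
            if "version v1" in m[3]:
                findings.append(f"SNMP community {m[1]} uses v1, community sent in cleartext")
    if not any(l.startswith("set admin manager-ip") for l in lines):
        findings.append("no admin manager-ip restriction: any host can attempt admin login")
    ssh_on = any("manage ssh" in l or l.endswith(" manage") for l in lines)
    if ssh_on and "set ssh version 2" not in lines:
        findings.append("SSH management enabled without 'set ssh version 2'")
    if "set admin name netscreen" in lines:
        findings.append("root admin still uses the default name netscreen")
    return findings
```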