

Juniper SSH Problem

I have a Juniper SSG 520, but it does not allow me to connect via SSH from either trusted or untrusted networks. My running config is attached below.

How should I overcome this issue?
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "root"
set admin password "****************************"
set admin http redirect
set admin mail alert
set admin mail server-name "mail.salay.com.tr"
set admin mail mail-addr1 "c.e@salay.com.tr"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Untrust" no-dhcp-relay
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Trust" screen icmp-flood
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen icmp-large
set zone "V1-Untrust" screen on-tunnel
set zone "V1-Untrust" screen icmp-flood
set zone "V1-Untrust" screen udp-flood
set zone "V1-Untrust" screen winnuke
set zone "V1-Untrust" screen ip-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ip-spoofing
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "V1-Untrust" screen syn-frag
set zone "V1-Untrust" screen tcp-no-flag
set zone "V1-Untrust" screen ip-bad-option
set zone "V1-Untrust" screen ip-record-route
set zone "V1-Untrust" screen ip-timestamp-opt
set zone "V1-Untrust" screen ip-security-opt
set zone "V1-Untrust" screen ip-loose-src-route
set zone "V1-Untrust" screen ip-strict-src-route
set zone "V1-Untrust" screen ip-stream-opt
set zone "V1-Untrust" screen icmp-fragment
set zone "V1-Untrust" screen icmp-large
set zone "V1-Untrust" screen syn-fin
set zone "V1-Untrust" screen fin-no-ack
set zone "V1-Untrust" screen limit-session source-ip-based
set zone "V1-Untrust" screen syn-ack-ack-proxy
set zone "V1-Untrust" screen block-frag
set zone "V1-Untrust" screen limit-session destination-ip-based
set zone "V1-Untrust" screen icmp-id
set zone "V1-Untrust" screen ip-sweep threshold 1000
set zone "V1-Untrust" screen udp-flood threshold 250
set zone "V1-Untrust" screen limit-session source-ip-based 16
set zone "V1-Untrust" screen limit-session destination-ip-based 512
set zone "V1-Untrust" screen syn-ack-ack threshold 32
set zone "Trust" screen syn-flood timeout 50
set zone "V1-Untrust" screen syn-flood alarm-threshold 16
set zone "V1-Untrust" screen syn-flood attack-threshold 8
set zone "V1-Untrust" screen syn-flood source-threshold 8
set interface "ethernet0/0" zone "V1-Trust"
set interface "ethernet0/1" zone "V1-Trust"
set interface "ethernet0/2" zone "V1-Trust"
set interface "ethernet0/3" zone "V1-Untrust"
set interface vlan1 ip xxx.xxx.xxx.37/24
set interface "ethernet0/1" pmtu ipv4
set interface "ethernet0/2" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 manage-ip xxx.xxx.xxx.38
set interface vlan1 ip manageable
set interface vlan1 manage mtrace
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage ssl
set zone V1-Untrust manage web
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain firewall.salay.com.tr
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 208.67.222.222 src-interface vlan1
set dns host dns2 208.67.220.220 src-interface vlan1
set dns host dns3 0.0.0.0
set group address "V1-Untrust" "Syn"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set attack db sigpack base
set av all fail-mode traffic permit
set url protocol websense
set server src-interface vlan1
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set policy id 2 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" permit log 
set policy id 2 av "ns-profile"
set policy id 2 anti-spam ns-profile
set policy id 2
set log session-init
exit
set policy id 3 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit log 
set policy id 3
exit
set syslog src-interface vlan1
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp community "PRTG" Read-Write Trap-on  traffic version v2c
set snmp host "PRTG" xxx.xxx.xxx.7 255.255.255.255 src-interface vlan1 trap v2
set snmp location "Izmir"
set snmp contact "Cahit Eyigünlü"
set snmp name "SSG520"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

1 Solution
 
dpk_wal Commented:
Have a look at the KB below:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB6713

Please implement and update.

Thank you.

 
3XLcom (Author) Commented:
Unfortunately, I am not able to connect to the console at the moment. Is there an alternative way?
 
3XLcom (Author) Commented:
I followed the instructions over telnet and the issue is resolved. Thank you kindly.
