SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SSX change SSH port, monitor traffic interface command

    Posted 06-09-2023 16:44

    Hello all!

    I have an srx345 behind a home SOHO router and want to have remote access to it via SSH, and I also want to change the default port to 22022.
    But I encountered some problems already in the local network with ping, ssh and the "monitor traffic interface" command.
    The SOHO router is directly connected to the SRX (port ge-0/0/0, 192.168.1.3), to the notebook (192.168.1.32) and to the Internet.
    I changed default port for SSH:
    srx345> show configuration system services
    ssh {
        root-login deny;
        protocol-version v2;
        port 22022;
    }

    But when I try to connect from the notebook to the SRX via ssh port 22022, I get a disconnect timeout, and when I look at the SRX output of the "monitor traffic interface ge-0/0/0 matching "host 192.168.1.32"" command I see no packets.
    But when I try to connect via the default port 22, I instantly receive a reject on the PuTTY client, and see some traffic on the SRX.
    And the thing with pings: when they are not allowed on the untrust zone, I cannot ping the SRX and see no traffic on the interface; when pings are allowed, I can ping the SRX, but still do not see any traffic on the interface.
    Here are some outputs: you can see some packets when ssh to port 22 was rejected, but no ICMP or tcp 22022 traffic; you can see some ARP resolutions at 22:31:06.852517, which was an attempt to connect via ssh port 22022:
    test@srx345> ...ce ge-0/0/0 matching "host 192.168.1.32"
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.
    Listening on ge-0/0/0, capture size 96 bytes

    Reverse lookup for 192.168.1.1 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.

    22:30:30.791306  In arp who-has 192.168.1.1 tell 192.168.1.32
    22:30:31.405485  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:32.020337  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:32.849393  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:37.502732  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:37.989450  In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
    22:30:37.989550 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 2036772549 win 0
    22:30:38.341689  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:38.506667  In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
    22:30:38.506764 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
    22:30:39.023607  In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
    22:30:39.023705 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
    22:30:39.355865  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:39.538031  In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
    22:30:39.538130 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
    22:30:40.054284  In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
    22:30:40.054385 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 1 win 0
    22:30:43.035088  In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
    22:30:43.035206 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
    22:30:43.625648  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:44.615509  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:45.538372  In arp who-has 192.168.1.1 tell 192.168.1.32
    22:30:45.538995  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:49.625507  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:50.353538  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:30:51.345083  In arp who-has 192.168.1.81 tell 192.168.1.32
    22:31:06.852517  In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
    22:31:06.852638 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
    22:31:18.752914  In arp who-has 192.168.1.1 tell 192.168.1.32
    22:31:24.857533  In arp who-has 192.168.1.1 tell 192.168.1.32
    22:31:52.508360  In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
    22:31:52.508483 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
    22:31:57.971779  In arp who-has 192.168.1.1 tell 192.168.1.32

    ^C
    412 packets received by filter

    I don't get why I do not see traffic on the SRX for icmp, ssh port 22022, or telnet port 23, but do see it for ssh port 22 (no matter if the ssh mgmt port is set to default or not) or for tcp 443 when connecting to the SRX via web.
    Maybe I use this "monitor traffic interface" somehow wrong?
    And why can't I connect to the SRX via ssh port 22022?

    If any additional outputs or info are needed, please tell.



    ------------------------------
    Vladlen London
    ------------------------------
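The capture above is worth reading with one property of the SRX in mind: `monitor traffic interface` only shows packets that actually reach the Routing Engine, so a connection attempt that the flow module drops before it gets there (for example because the zone's host-inbound-traffic does not permit that port) never shows up at all. The capture therefore supports two different readings for the two ports: the SYNs to port 22 reach the RE and get an immediate RST back (nothing is listening there any more), while the attempts to 22022 leave no trace. The following script is an added example, not code from the thread or from Juniper; it parses lines in the format of the capture posted above and classifies each destination port as reached-and-reset, accepted, or not seen at the RE. The sample lines are constructed (a few are copied from the capture above, the two port-443 lines are made up to show an accepted handshake), and the IP addresses and the `SERVICE_PORTS` name table are assumptions.

```python
"""Classify host-bound TCP traffic in Junos 'monitor traffic interface' output.

Added example, not from the original thread. Assumption: 'monitor traffic
interface' on an SRX shows only packets that reach the Routing Engine, so a
port that is 'not-seen' here was dropped (or never arrived) before the RE.
"""
import re

# Constructed sample in the format of the capture from the post above
# (the https lines are invented to show an accepted SYN/SYN-ACK exchange).
SAMPLE_CAPTURE = """\
verbose output suppressed, use <detail> or <extensive> for full protocol decode
22:30:37.502732  In arp who-has 192.168.1.81 tell 192.168.1.32
22:30:37.989450  In IP 192.168.1.32.65271 > 192.168.1.3.ssh: S 2036772548:2036772548(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
22:30:37.989550 Out IP 192.168.1.3.ssh > 192.168.1.32.65271: R 0:0(0) ack 2036772549 win 0
22:30:43.035088  In arp who-has 192.168.1.3 (d0:07:ca:e6:17:49) tell 192.168.1.32
22:30:43.035206 Out arp reply 192.168.1.3 is-at d0:07:ca:e6:17:49
22:31:10.000000  In IP 192.168.1.32.65300 > 192.168.1.3.https: S 1:1(0) win 64240 <mss 1460>
22:31:10.000100 Out IP 192.168.1.3.https > 192.168.1.32.65300: S 9:9(0) ack 2 win 65535 <mss 1460>
^C
412 packets received by filter
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+(?P<rest>.*)$")
TCP_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<flags>[A-Z.]+) (?P<tail>.*)$"
)
ARP_RE = re.compile(r"^arp (?P<kind>who-has|reply) (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Names printed when address resolution is on; unknown ports (22022) stay numeric.
# Assumed table: extend it for any other service name your capture shows.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


def port_number(token):
    """Turn a port token ('ssh' or '65271') into an int, or None if unknown."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def parse_capture(text):
    """Parse capture lines into dicts; banner, ^C and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": m["ts"], "dir": m["dir"], "proto": "other"}
        t = TCP_RE.match(m["rest"])
        a = ARP_RE.match(m["rest"])
        if t:
            rec.update(proto="tcp", src=t["src"], dst=t["dst"],
                       sport=port_number(t["sport"]), dport=port_number(t["dport"]),
                       syn="S" in t["flags"], rst="R" in t["flags"],
                       ack=" ack " in f" {t['tail']} ")
        elif a:
            rec.update(proto="arp", kind=a["kind"], ip=a["ip"])
        packets.append(rec)
    return packets


def classify_ports(packets, box_ip, client_ip):
    """Map each destination port on box_ip to what the RE did with client_ip's SYN."""
    status = {}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        inbound = p["dir"] == "In" and p["src"] == client_ip and p["dst"] == box_ip
        outbound = p["dir"] == "Out" and p["src"] == box_ip and p["dst"] == client_ip
        if inbound and p["syn"] and not p["ack"]:
            status.setdefault(p["dport"], "syn-reached-re")
        elif outbound and p["rst"]:
            status[p["sport"]] = "reset-by-re"
        elif outbound and p["syn"] and p["ack"]:
            status[p["sport"]] = "accepted-by-re"
    return status


def check_expected(packets, box_ip, client_ip, expected_ports):
    """Report every port you tried; 'not-seen' means nothing reached the RE."""
    seen = classify_ports(packets, box_ip, client_ip)
    return {port: seen.get(port, "not-seen") for port in expected_ports}


def arp_activity(packets, ip):
    """Count ARP requests for ip and replies from ip (the only sign of life above)."""
    counts = {"who-has": 0, "reply": 0}
    for p in packets:
        if p["proto"] == "arp" and p["ip"] == ip:
            counts[p["kind"]] += 1
    return counts


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for port, verdict in check_expected(pkts, "192.168.1.3", "192.168.1.32", [22, 22022, 443]).items():
        print(f"tcp/{port}: {verdict}")
    print("arp for 192.168.1.3:", arp_activity(pkts, "192.168.1.3"))
```

Run it against a saved `monitor traffic` session (with `no-resolve`, all ports come out numeric and the name table is not needed). A port reported as `not-seen` should send you to the zone's `host-inbound-traffic` configuration and to the KB article in reply 2 rather than to the SSH client, because a packet that was never handed to the RE cannot be made visible by this command.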


  • 2.  RE: SSX change SSH port, monitor traffic interface command

    This message was posted by a user wishing to remain anonymous
    Posted 06-10-2023 10:57

    How to change ssh default port for extra security in srx1500 | SRX (juniper.net)




  • 3.  RE: SSX change SSH port, monitor traffic interface command

    Posted 06-12-2023 05:47

    Possibly very obvious, but do you specify the new power on your ash client, and you sure with this? 




  • 4.  RE: SSX change SSH port, monitor traffic interface command

    Posted 06-13-2023 08:48

    Hello Arentas Butkus,

    I do not quite understand your question, what is "the new power"? If you meant port - yes, I do change it, and even if I didn't or something is wrong with the client - perhaps I would see the same messages for ssh port 22 again, unless putty is broken on my laptop and works only with the default port 22..



    ------------------------------
    Vladlen London
    ------------------------------



  • 5.  RE: SSX change SSH port, monitor traffic interface command

    Posted 06-13-2023 12:44

    I use PuTTY all the time for SSH both on port 22 (the default) and non-standard ports.

    You have to change the port number on connect when connecting randomly on-demand. But if this is your home router (for example), there's no reason you can't save a profile with the port being whatever you'd like for that session, be it 22 or 2222 or 22022 (or whatever).

     Cheers,

     -Ben



    ------------------------------
    Ben Kamen
    ------------------------------



  • 6.  RE: SSX change SSH port, monitor traffic interface command

    Posted 06-15-2023 10:30

    I use putty as well, and each time I connect I specify the port number.



    ------------------------------
    Vladlen London
    ------------------------------



  • 7.  RE: SSX change SSH port, monitor traffic interface command

    Posted 06-13-2023 14:33

    Yes, you are right, I was talking about the port number, just mistyped something. 

    In case you don't trust PuTTY, Windows CMD can also ssh. If you're using the command line ssh client, you can specify the port as ssh -p <port> user@server.




  • 8.  RE: SSX change SSH port, monitor traffic interface command

    Posted 06-15-2023 10:32
    Edited by Vladlen London 06-15-2023 10:33

    If it is not possible to change the SSH port, then what does this command do?

    srx345> show configuration system services
    ssh {
        port 22022;
    }

    And here it is stated that it is possible

    https://supportportal.juniper.net/s/article/ScreenOS-How-to-change-the-default-management-ports-on-the-Juniper-firewall-SSH-TELNET-HTTP-and-HTTPS?language=en_US

    ------------------------------
    Vladlen London
    ------------------------------



  • 9.  RE: SSX change SSH port, monitor traffic interface command

    Posted 06-15-2023 12:42

    Hi,

    The URL that you give is for a very old Juniper firewall product, not for SRX.

    Thanks