SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX series gateway questions

    Posted 05-09-2012 06:46

    Hi All,

    Longing to ask a few questions about the SRX series gateway; hopefully I will get some answers over here.

    Doubts:

    1. Can we increase the bandwidth of the internal interface joining the RE and PFE, or is it the same for all the device models, or does it vary from model to model? I suppose that the bandwidth is 100 Mbps as per Juniper datasheets. Correct me if I am wrong.

    2. Do we have any limit on the number of terms I can define within a routing policy and a firewall filter?

    3. What is the default interface MTU size on Junos platforms?

    4. Maximum number of VLANs that can be created on a physical interface? Is it 4096 or 1024 in Junos?

    5. The switch which is connected to the 2 physical interfaces, which are combined together to form a reth interface: should it necessarily be an L2 switch, or will an L3 switch also do the same functionality?

    6. When I use a RADIUS server in my authentication order, do I still need to have users mapped in my device? If yes, how do I map only the usernames, because anyway authorization is already defined on the RADIUS server?

    7. In firewall authentication, let's say there is a NAT-enabled device before the firewall. Once the user who has the right credentials gets authenticated, subsequently all the users will be given access to my server, because the authentication table entry is stored based on the IP address and not usernames. So how do I restrict the other users who don't have the credentials from accessing my server?

    8. Should I use the applications telnet, ftp and http in the security policy when I am using pass-through authentication? Because pass-through supports only FTP, HTTP and telnet traffic?

    9. Can we use the primary interface IP address as the web authentication IP address, or is it mandatory that we define one more IP address on the interface as the web auth IP?

    10. What is a real-time scenario in which we have 2 IP addresses defined on the interface and both are actually used?

    NAT questions:

    11. How many actual translations can we have with 1 public IP when I disable PAT?

    12. What does this actually mean: "D-NAT will generate allow incoming packets for VoIP ALGs"?

    13. Can we use the same IP for S-NAT and D-NAT? Then what is the use of static NAT?

    14. When we are doing static NAT, can we have both the internal and external communication happen at the same time, because there can be only one translation per public IP when I disable PAT?

    15. In source NAT with address shifting, the user will bind a private IP range to a public IP range.

    Let's imagine my private range starts from 10.1.10.5 to 10.1.10.254.

    My public pool is from 100.1.1.1 to 100.1.1.200.

    I map my private base address to the public address, from 10.1.10.5 to 100.1.1.1.

    So let's say 10.1.10.5 gets translated to 100.1.1.1.

    What happens if 10.1.10.7 initiates a session before 10.1.10.6? Will he be assigned 100.1.1.3 or 100.1.1.2?

    Looking for the answers, thanks a lot.



  • 2.  RE: SRX series gateway questions
    Best Answer

    Posted 05-10-2012 10:18

    Hi,

     

    Here's the answer to some of your questions:

    1. Can we increase the bandwidth of the internal interface joining the RE and PFE, or is it the same for all the device models, or does it vary from model to model? I suppose that the bandwidth is 100 Mbps as per Juniper datasheets. Correct me if I am wrong.

    --> I think it is not possible to change the bandwidth, as that is something internal.

    "The Internal Ethernet interface is configured, addressed, and enabled automatically
    when the JUNOS software boots. There is never a reason to configure or
    disable the fxp1 interface. Altering the default behavior can seriously impair
    the router’s ability to perform its functions." - JNCIA-M Study Guide

    2. Do we have any limit on the number of terms I can define within a routing policy and a firewall filter?

    --> Don't know.

    3. What is the default interface MTU size on Junos platforms?

    --> http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-network-interfaces/interfaces-configuring-the-media-mtu.html

    4. Maximum number of VLANs that can be created on a physical interface? Is it 4096 or 1024 in Junos?

    --> Range: 1 through 4094 (for EX Series)

    http://www.juniper.net/techpubs/en_US/junos9.3/topics/reference/configuration-statement/vlan-id-edit-interfaces-interfaces-ex-series.html

    5. The switch which is connected to the 2 physical interfaces, which are combined together to form a reth interface: should it necessarily be an L2 switch, or will an L3 switch also do the same functionality?

    --> Either L2 or L3 will do.

     

    6. When I use a RADIUS server in my authentication order, do I still need to have users mapped in my device? If yes, how do I map only the usernames, because anyway authorization is already defined on the RADIUS server?

    --> There is a standard user called "remote" for external authentication. If you do not use this user to map, then in the RADIUS server we need to configure the return list to return the local user name to which that user should be mapped.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21685
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16607
    http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-admin-guide/template-accounts.html

    7. In firewall authentication, let's say there is a NAT-enabled device before the firewall. Once the user who has the right credentials gets authenticated, subsequently all the users will be given access to my server, because the authentication table entry is stored based on the IP address and not usernames. So how do I restrict the other users who don't have the credentials from accessing my server?

    --> I think it is not possible with just the SRX.

    8. Should I use the applications telnet, ftp and http in the security policy when I am using pass-through authentication? Because pass-through supports only FTP, HTTP and telnet traffic?

    --> You can use other applications as well in the security policies with firewall authentication, but firewall authentication is triggered only by telnet/FTP/HTTP. Once it is triggered, other traffic can also pass through.

    9. Can we use the primary interface IP address as the web authentication IP address, or is it mandatory that we define one more IP address on the interface as the web auth IP?

    --> It is recommended to use a second IP address (but it should be in the same network) for web authentication purposes; if you use the main IP address, you will land at the J-Web page.

    10. What is a real-time scenario in which we have 2 IP addresses defined on the interface and both are actually used?

    --> When multiple addresses are there on an interface, depending on what destination the traffic is going to, one of them will be used as the source address.
    A single interface can serve as the default gateway for multiple IP networks.
     

    NAT questions:

    11. How many actual translations can we have with 1 public IP when I disable PAT?

    --> In Junos (SRX), we cannot have a single IP with PAT disabled; at least we need to have two addresses. Each address can take care of around 64k translations (ideally). But in this case multiple internal hosts might be translated to the same outside IP and port number.

    12. What does this actually mean: "D-NAT will generate allow incoming packets for VoIP ALGs"?

    --> This may help - http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/alg-security-h323-and-nat-incoming-call-enabling-cli.html

    13. Can we use the same IP for S-NAT and D-NAT? Then what is the use of static NAT?

    --> In static NAT, you configure one direction, like a destination NAT, and automatically in the reverse direction source translation happens (without PAT).

    14. When we are doing static NAT, can we have both the internal and external communication happen at the same time, because there can be only one translation per public IP when I disable PAT?

    --> Yes, you can have them at the same time. In the configured direction destination NAT happens and in the other direction source NAT happens.

    15. In source NAT with address shifting, the user will bind a private IP range to a public IP range.

    Let's imagine my private range starts from 10.1.10.5 to 10.1.10.254.

    My public pool is from 100.1.1.1 to 100.1.1.200.

    I map my private base address to the public address, from 10.1.10.5 to 100.1.1.1.

    So let's say 10.1.10.5 gets translated to 100.1.1.1.

    What happens if 10.1.10.7 initiates a session before 10.1.10.6? Will he be assigned 100.1.1.3 or 100.1.1.2?

    --> Always 10.1.10.6 translates to 100.1.1.2 and
        10.1.10.7 translates to 100.1.1.3, and so on.
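    As an added illustration (not part of this thread or any Juniper documentation), the fixed-offset rule behind the answer to question 15, computed for the addresses in the question: address shifting maps the n-th host above the private base to the n-th address above the pool's first address, so session order plays no part. It also flags the edge case the thread's own numbers imply: a pool of 200 addresses cannot cover all 250 hosts in 10.1.10.5-10.1.10.254, so hosts above 10.1.10.204 have no shifted address. The function names, and returning None for an uncovered host, are assumptions of this model, not observed SRX behaviour.

```python
import ipaddress

# Constructed values, taken from the question in this thread.
PRIVATE_BASE = ipaddress.IPv4Address("10.1.10.5")
PRIVATE_LAST = ipaddress.IPv4Address("10.1.10.254")
POOL_FIRST = ipaddress.IPv4Address("100.1.1.1")
POOL_LAST = ipaddress.IPv4Address("100.1.1.200")


def shift_translate(src, private_base=PRIVATE_BASE,
                    pool_first=POOL_FIRST, pool_last=POOL_LAST):
    """Public address for src under address-shifting source NAT.

    The translation is a constant offset from the private base, so the
    result depends only on the source address, never on which host
    opened a session first. Returns None (an assumption of this model)
    when src lies below the base or would map beyond the pool's end.
    """
    src = ipaddress.IPv4Address(src)
    offset = int(src) - int(private_base)
    if offset < 0:
        return None
    public = ipaddress.IPv4Address(int(pool_first) + offset)
    if public > pool_last:
        return None
    return public


def uncovered_hosts(private_base=PRIVATE_BASE, private_last=PRIVATE_LAST,
                    pool_first=POOL_FIRST, pool_last=POOL_LAST):
    """Number of private hosts the pool is too small to translate."""
    private_count = int(private_last) - int(private_base) + 1
    pool_count = int(pool_last) - int(pool_first) + 1
    return max(0, private_count - pool_count)


if __name__ == "__main__":
    # 10.1.10.7 gets 100.1.1.3 even when it starts its session first.
    for host in ("10.1.10.7", "10.1.10.6", "10.1.10.5",
                 "10.1.10.204", "10.1.10.205"):
        print(host, "->", shift_translate(host))
    print("hosts without a shifted address:", uncovered_hosts())
```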

     



  • 3.  RE: SRX series gateway questions

    Posted 05-15-2012 03:07

    Hi Pradeep, I need some clarity on questions 6, 7, 11 and 14.