Thursday, 16 October 2014

SRX for beginners

I was wondering whether I should write a short article that lets beginners configure an SRX firewall quickly.
I don't know how many people will find it useful, but I hope it helps those who are using an SRX for
the first time in their life.  Let's get started.
Our topology in this tutorial is as follows (the original post shows it as a diagram, srx_beginner):
PC clients on 192.168.239.0/24 use the SRX interface ge-0/0/1 (192.168.239.1) as their gateway, and
ge-0/0/0 (192.168.100.38/24) faces the Internet through the upstream gateway 192.168.100.1.
We will configure the following from scratch:
  1. Loading the default config and setting the root password
  2. Configuring interfaces and the default route
  3. Configuring security zones
  4. Configuring address book entries
  5. Creating security policies
  6. Creating source NAT for internal clients


Loading default config and setting the root password

I assume you are connected to the SRX device via the console and are in configuration mode (the [edit] prompt).
[stextbox id="grey" caption="CLI"]
[edit]
root# load factory-default
warning: activating factory configuration
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system host-name srx220
[edit]
root# commit
commit complete
[edit]
root@srx220#
[/stextbox]
Once we commit the changes, we should see the new hostname srx220 in the prompt. Note that load factory-default replaces the whole candidate configuration, and Junos refuses to commit a configuration without a root password (root-authentication is mandatory), so the password has to be set before that first commit.

Configuring interfaces and default route

Interfaces
In the blocks below, the leading # is the configuration-mode prompt (as in root@srx220#), not a comment; type everything after it. The factory-default config already configures these two interfaces, so we delete those settings first and then assign our own addresses.
[stextbox id="grey" caption="CLI"]
#delete interfaces ge-0/0/0
#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24
[/stextbox]
Default route
[stextbox id="grey" caption="CLI"]
#set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
[/stextbox]

Configuring security zones

The SRX is a zone-based firewall: every interface must be assigned to a security zone before it can pass traffic.
The factory-default config ships with two zones, trust and untrust, with the interfaces already assigned to them. An interface
can belong to only one zone, so we delete those zones before configuring our own.  Our zone configuration will be:
  • The zone facing the PC clients is named internal
  • The zone facing the Internet is named internet
  • Internal clients will be able to reach the SRX itself, i.e. the ping and ssh system services are enabled towards the SRX on the internal zone (host-inbound-traffic only opens the zone; the SSH service itself is enabled under system services, which the factory-default config already does)
[stextbox id="grey" caption="CLI" collapsing="true"]
#delete security zones
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0
[/stextbox]
Now we have assigned each interface to its zone. No host-inbound-traffic is configured on the internet zone, so the SRX will not answer ping or SSH on ge-0/0/0 from the outside, which is what we want.

Configuring address book entries

To reference a specific network range in a security policy you must create an address book entry for it (only the built-in name any needs no entry).
We will create one address book entry for our internal network block 192.168.239.0/24 as follows; note that an address book attached to a zone like this is scoped to that zone, so the name network_239 is resolved in the internal zone:
[stextbox id="grey" caption="Address Book "]
#set security zones security-zone internal address-book address network_239 192.168.239.0/24
[/stextbox]
Our address book entry is now ready to be used in a security policy. It is time to write the policy that allows internal users to reach outside networks.

Creating security policies

We first delete the already existing (factory-default) policies:
[stextbox id="grey" caption="Security Policies"]
#delete security policies
#set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
#set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
#set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
#set security policies from-zone internal to-zone internet policy allow-internal-clients then permit
[/stextbox]
A policy must be placed within a context, i.e. the direction of the policy, here from zone internal to zone internet. Policies inside a context are evaluated top-down and the first match wins.
With this configuration we permit traffic from internal clients to the internet zone, and nothing else: the SRX drops any session that matches no policy, and since we deleted the factory policies, traffic arriving from the internet zone towards internal has no policy and is denied. Matching application any is convenient for a first setup; restrict it to the applications you actually need once things work.

Creating source nat for internal clients

You will usually also need to source NAT the internal clients behind your outside interface address, since 192.168.239.0/24 is not routable on the Internet. Here is how we configure source NAT on the SRX:
First delete any leftover NAT rules from the factory-default config.
[stextbox id="grey" caption="CLI"]
#delete security nat
#set security nat source rule-set internal-to-internet from zone internal
#set security nat source rule-set internal-to-internet to zone internet
#set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
#set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
#set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
[/stextbox]
Finally, commit the changes.

As you can see, source NAT is also a context-based configuration: the rule-set is selected by the zone you are coming from and the zone you are heading to, and then its rules are evaluated top-down. The action source-nat interface translates the client's source address (and port) to the address of the egress interface, here 192.168.100.38 on ge-0/0/0.
After this configuration your internal clients whose gateway is 192.168.239.1 should be able to reach the Internet, if I haven't made any mistake so far.
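To make the "context" idea concrete, here is an added example (not part of the original post) that models the forwarding decision the SRX makes for the configuration built above: the ingress zone comes from the arriving interface, the egress zone from the route lookup, the policy search is confined to that from-zone/to-zone pair, and source NAT is applied from the rule-set for the same pair. Interface, zone, address-book, policy and NAT names and addresses are the tutorial's; the packets and the outside address 203.0.113.5 are constructed for the demonstration, and protocol/port (application) matching is not modelled.

```python
"""Toy model of the SRX zone/policy/NAT decision for the tutorial's config.

Added example: the data below mirrors the tutorial's set commands, the
sample packets are constructed. Application (protocol/port) matching is
not modelled; only addresses and zones are.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional

# logical interface -> (address/prefix, security zone), as in the tutorial
INTERFACES = {
    "ge-0/0/1.0": ("192.168.239.1/24", "internal"),
    "ge-0/0/0.0": ("192.168.100.38/24", "internet"),
}
STATIC_ROUTES = [("0.0.0.0/0", "192.168.100.1")]          # prefix, next-hop
ADDRESS_BOOK = {"internal": {"network_239": "192.168.239.0/24"}}  # zone-scoped
POLICIES = [  # evaluated top-down, only inside their from-zone/to-zone context
    {"from": "internal", "to": "internet", "name": "allow-internal-clients",
     "src": "network_239", "dst": "any", "app": "any", "then": "permit"},
]
NAT_RULE_SETS = [
    {"from": "internal", "to": "internet", "rules": [
        {"name": "internet-access", "src": "192.168.239.0/24",
         "dst": "0.0.0.0/0", "then": "interface"}]},
]


@dataclass
class Verdict:
    from_zone: str
    to_zone: Optional[str]
    policy: Optional[str]        # name of the matching policy, if any
    action: str                  # "permit" or "deny"
    nat_source: Optional[str]    # translated source address, if NAT applied


def connected_interface(ip):
    """Interface whose directly connected subnet contains ip, or None."""
    for name, (addr, _zone) in INTERFACES.items():
        if ip in ip_interface(addr).network:
            return name
    return None


def egress_interface(dst):
    """Route lookup: connected routes first, then longest-matching static route."""
    ifname = connected_interface(dst)
    if ifname:
        return ifname
    best = None
    for prefix, next_hop in STATIC_ROUTES:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ip_address(next_hop))
    return connected_interface(best[1]) if best else None


def address_matches(zone, name, ip):
    """'any' matches everything; other names resolve in that zone's address book."""
    if name == "any":
        return True
    entry = ADDRESS_BOOK.get(zone, {}).get(name)
    return entry is not None and ip in ip_network(entry)


def apply_source_nat(from_zone, to_zone, src, dst, egress_if):
    """Source NAT is context-based too: only the rule-set for this zone pair is searched."""
    for rs in NAT_RULE_SETS:
        if (rs["from"], rs["to"]) != (from_zone, to_zone):
            continue
        for rule in rs["rules"]:
            if src in ip_network(rule["src"]) and dst in ip_network(rule["dst"]):
                if rule["then"] == "interface":  # translate to egress interface address
                    return str(ip_interface(INTERFACES[egress_if][0]).ip)
                return None
    return None


def evaluate(ingress_if, src, dst):
    """Decide what the SRX does with a first packet arriving on ingress_if."""
    src, dst = ip_address(src), ip_address(dst)
    from_zone = INTERFACES[ingress_if][1]
    egress = egress_interface(dst)
    if egress is None:                       # no route: packet is dropped
        return Verdict(from_zone, None, None, "deny", None)
    to_zone = INTERFACES[egress][1]
    # Policy lookup is confined to the (from_zone, to_zone) context; first match wins.
    for p in POLICIES:
        if ((p["from"], p["to"]) == (from_zone, to_zone)
                and address_matches(from_zone, p["src"], src)
                and address_matches(to_zone, p["dst"], dst)):
            if p["then"] != "permit":
                return Verdict(from_zone, to_zone, p["name"], "deny", None)
            nat = apply_source_nat(from_zone, to_zone, src, dst, egress)
            return Verdict(from_zone, to_zone, p["name"], "permit", nat)
    return Verdict(from_zone, to_zone, None, "deny", None)   # implicit default deny


if __name__ == "__main__":
    # constructed sample packets (interface, source, destination)
    for pkt in [("ge-0/0/1.0", "192.168.239.10", "8.8.8.8"),
                ("ge-0/0/0.0", "203.0.113.5", "192.168.239.10"),
                ("ge-0/0/1.0", "10.0.0.5", "8.8.8.8")]:
        print(pkt, "->", evaluate(*pkt))
```

The three sample packets show the points the tutorial makes in prose: a client in network_239 heading out is permitted and leaves as 192.168.100.38; a packet arriving from the internet zone towards internal finds no policy in that context and is dropped; and a source on ge-0/0/1 that is not in network_239 is denied even though the zone pair is right, because the policy's source-address does not match.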
Source: http://rtoodtoo.net/2012/12/12/juniper-srx-for-beginners/#more-938
