Quelle: http://3fives.com/juniper-srx-crash-course/
The first thing you want to do is console in, login as root (no password), jump into the CLI with the “cli” command, and delete the current configuration:
root@R1> edit Entering configuration mode [edit] root@R1# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes
Now show your configuration to be sure it’s clean:
[edit] root@R1# show [edit] root@R1#
Without setting a root password, Junos will not allow you to commit your configuration:
root@R1# set system root-authentication plain-text-password New password: Retype new password:
Of course, we’ll want to set a hostname, and configure the router for SSH authentication, and add a user:
[edit] root@R1# set system host-name R1 [edit] root@R1# set system services ssh root@R1# set system login user cjones class super-user full-name "Chris Jones" authentication plain-text-password New password: Retype new password:
Let’s have a look at our config so far:
[edit] cjones@R1# show ## Last changed: 2011-08-08 21:26:28 UTC system { host-name R1; root-authentication { encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA } login { user cjones { full-name "Chris Jones"; class super-user; authentication { encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA } } } services { ssh; } }
Looks good! We can also see the commands that would be required to re-create the configuration:
[edit] cjones@R1# show | display set set system host-name R1 set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0" set system login user cjones full-name "Chris Jones" set system login user cjones class super-user set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l." set system services ssh
NOTE: If you wanted to paste in a section of “set-based” configuration, you would use:
load set terminal
NOTE: If you wanted to paste in a section of “standard” configuration, you would use:
load merge terminal
NOTE: If you wanted to paste in an entire “standard” configuration, you would use:
load override terminal
Back to our config. The next thing you might want to do is set up an interface on a management subnet. For this we will use virtual-routers in order to keep the management routes separate from the main RIB. In this case, our management network is 10.255.255.0/24 with a gateway of .254
Configure the interface (fe-0/0/7.0 in this case) and assign the IP address:
[edit] cjones@R1# set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24
Create the VR and assign fe-0/0/7.0 to it:
[edit] cjones@R1# set routing-instances MANAGEMENT instance-type virtual-router interface fe-0/0/7.0
Add a static default route to the MANAGEMENT VR:
[edit] cjones@R1# set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254
NOTE: The configuration heirarchy within a VR is the same as always, for example OSPF configuration would be found under “routing-instances protocols ospf” just as it would usually be under “protocols ospf”
Again, let’s take a look at our configuration:
[edit] cjones@R1# show ## Last changed: 2011-08-08 21:56:40 UTC system { host-name R1; root-authentication { encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA } login { user cjones { full-name "Chris Jones"; class super-user; authentication { encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA } } } services { ssh; } } interfaces { fe-0/0/7 { unit 0 { family inet { address 10.255.255.1/24; } } } } routing-instances { MANAGEMENT { instance-type virtual-router; interface fe-0/0/7.0; routing-options { static { route 0.0.0.0/0 next-hop 10.255.255.254; } } } } [edit] cjones@R1# show | display set set system host-name R1 set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0" set system login user cjones full-name "Chris Jones" set system login user cjones class super-user set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l." set system services ssh set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24 set routing-instances MANAGEMENT instance-type virtual-router set routing-instances MANAGEMENT interface fe-0/0/7.0 set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254
NOTE: You’ll notice the “set” display format is significantly shorter, and is therefore a good way of using a text editor to edit repetitive tasks, which can be pasted in using “load set terminal”
Now we add untrust (outside) and trust (inside) interfaces. Our link to the service provider is 1.2.2.2/30 with a gateway of 1.2.2.1, and our link facing our internal network is 10.0.0.1/24:
[edit] cjones@R1# set interfaces ge-0/0/1 unit 0 family inet address 1.2.2.2/30 [edit] cjones@R1# set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/24
Add a default route:
[edit] cjones@R1# set routing-options static route 0.0.0.0/0 next-hop 1.2.2.1
Now, if you were running in packet mode, you’d be done. Assuming you want your shiny new SRX to function as a firewall too, you will need to set up security.
NOTE: Packet mode is what most Juniper routers run (M/MX, and older J-Series). Flow mode is what new J-Series and branch SRX run. Packet mode works as a traditional router, whereas flow mode integrates features from ScreenOS such as a stateful firewall. To convert your SRX to packet mode (which you don’t want to do in this case), issue the following commands:
delete security set security forwarding-options family inet6 mode packet-based set security forwarding-options family mpls mode packet-based
To start the firewall configuration, you first need to create your zones. In our case we will create two zones, one called UNTRUST and one called TRUST. Assign interfaces, as appropriate:
[edit] cjones@R1# set security zones security-zone UNTRUST interfaces ge-0/0/1.0 [edit] cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0
Next we need to create policies. Unless you have Internet accessible services in the TRUST zone, you will typically want the default from UNTRUST -> TRUST, which is to deny traffic. Since this is the default, no policy is required to be configured.
To allow traffic to pass through your firewall from the TRUST zone to the Internet (UNTRUST), you will need to create a policy. In this case, we’re going to allow all outbound traffic.
[edit] cjones@R1# set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any destination-address any application any [edit] cjones@R1# set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit
While not necessary in this case, as we only have one interface in the TRUST zone, we will go ahead and add a policy that allows intra-zone traffic from TRUST -> TRUST:
[edit] cjones@R1# set security policies from-zone TRUST to-zone TRUST policy PERMIT_ALL match source-address any destination-address any application any [edit] cjones@R1# set security policies from-zone TRUST to-zone TRUST policy PERMIT_ALL then permit
Now the next part is a bit tricky, and commonly confuses Junos newbies. While your traffic will now flow, if you want to be able to ping your interfaces (among other things, including routing protocols like OSPF), you will need to allow host-inbound-traffic in the zone. Let’s allow ping to all interfaces in the TRUST zone:
[edit] cjones@R1# set security zones security-zone TRUST host-inbound-traffic system-services ping
You can configure host-inbound-traffic more specifically per interface as well (we aren’t going to be using OSPF here, but we’ll include it as an example):
[edit] cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping [edit] cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
NOTE: interface-level host-inbound-traffic configuration completely overrides the zone-level configuration, which means we must configure both ping and OSPF to be allowed at the interface-level.
Now, if you think back to what we have done so far… what are we missing? Of course! We’re missing the ability to send SSH host-inbound-traffic to the management interface we had configured! Let’s add this to our configuration:
[edit] cjones@R1# set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
NOTE: Since there will never be traffic THROUGH the MANAGEMENT VR, we have no need for an inter-zone or intra-zone firewall policy.
Finally, we will need to add NAT to our configuration. Configuring simple source NAT on the SRX in flow mode is easy. In packet mode, not so much. Here we are going to simply NAT everything in the TRUST zone to the IP address of the UNTRUST interface ge-0/0/1.0:
[edit] cjones@R1# set security nat source rule-set ALL_TRUST from zone TRUST [edit] cjones@R1# set security nat source rule-set ALL_TRUST to zone UNTRUST [edit] cjones@R1# set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0 [edit] cjones@R1# set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
Let’s take a look at our NAT configuration:
cjones@R1# show security nat source { rule-set ALL_TRUST { from zone TRUST; to zone UNTRUST; rule RULE_1 { match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; } then { source-nat { interface; } } } } } [edit] cjones@R1# show security nat | display set set security nat source rule-set ALL_TRUST from zone TRUST set security nat source rule-set ALL_TRUST to zone UNTRUST set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0 set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0 set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
And our entire security section:
[edit] cjones@R1# show security nat { source { rule-set ALL_TRUST { from zone TRUST; to zone UNTRUST; rule RULE_1 { match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } policies { from-zone TRUST to-zone UNTRUST { policy PERMIT_ALL { match { source-address any; destination-address any; application any; } then { permit; } } } } zones { security-zone UNTRUST { interfaces { ge-0/0/1.0; } } security-zone TRUST { host-inbound-traffic { system-services { ping; } } interfaces { ge-0/0/2.0 { host-inbound-traffic { system-services { ping; } protocols { ospf; } } } } } security-zone MANAGEMENT { interfaces { fe-0/0/7.0 { host-inbound-traffic { system-services { ssh; } } } } } } [edit] cjones@R1# show security | display set set security nat source rule-set ALL_TRUST from zone TRUST set security nat source rule-set ALL_TRUST to zone UNTRUST set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0 set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0 set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match destination-address any set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match application any set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit set security zones security-zone UNTRUST interfaces ge-0/0/1.0 set security zones security-zone TRUST host-inbound-traffic system-services ping set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
And that’s it! You now have a fully functional and (mostly) secure firewall! There are plenty of other options that could be configured, including critical system services like NTP and AAA, but this is definitely a good start.
Let’s have a look at our final configuration before committing:
[edit] cjones@R1# show ## Last changed: 2011-08-08 22:35:43 UTC system { host-name R1; root-authentication { encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA } login { user cjones { full-name "Chris Jones"; class super-user; authentication { encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA } } } services { ssh; } } interfaces { ge-0/0/1 { unit 0 { family inet { address 1.2.2.2/30; } } } ge-0/0/2 { unit 0 { family inet { address 10.0.0.1/24; } } } fe-0/0/7 { unit 0 { family inet { address 10.255.255.1/24; } } } } security { nat { source { rule-set ALL_TRUST { from zone TRUST; to zone UNTRUST; rule RULE_1 { match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } policies { from-zone TRUST to-zone UNTRUST { policy PERMIT_ALL { match { source-address any; destination-address any; application any; } then { permit; } } } } zones { security-zone UNTRUST { interfaces { ge-0/0/1.0; } } security-zone TRUST { host-inbound-traffic { system-services { ping; } } interfaces { ge-0/0/2.0 { host-inbound-traffic { system-services { ping; } protocols { ospf; } } } } } security-zone MANAGEMENT { interfaces { fe-0/0/7.0 { host-inbound-traffic { system-services { ssh; } } } } } } } routing-instances { MANAGEMENT { instance-type virtual-router; interface fe-0/0/7.0; routing-options { static { route 0.0.0.0/0 next-hop 10.255.255.254; } } } } [edit] cjones@R1# show |display set set system host-name R1 set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0" set system login user cjones full-name "Chris Jones" set system login user cjones class super-user set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l." set system services ssh set interfaces ge-0/0/1 unit 0 family inet address 1.2.2.2/30 set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/24 set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24 set security nat source rule-set ALL_TRUST from zone TRUST set security nat source rule-set ALL_TRUST to zone UNTRUST set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0 set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0 set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match destination-address any set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match application any set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit set security zones security-zone UNTRUST interfaces ge-0/0/1.0 set security zones security-zone TRUST host-inbound-traffic system-services ping set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh set routing-instances MANAGEMENT instance-type virtual-router set routing-instances MANAGEMENT interface fe-0/0/7.0 set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254
Let’s try to check our work:
[edit] cjones@R1# commit check configuration check succeeds
Looks good! Go ahead and commit:
[edit] cjones@R1# commit and-quit commit complete Exiting configuration mode cjones@R1>
Hope that helps!