Specialist-JNCIS
M. Irfan Ghauri
M. Tanzeel Nasir
Contents
Lab 1   Junos Basic ............................... 3
Lab 2   Customize zones .......................... 11
Lab 3   Accessing SRX through Telnet/SSH/HTTP
Lab 4   NAT ...................................... 24
        1. MIP
        2. DIP
           a. DIP with IP pool
           b. DIP with IP shift
           c. DIP with different IP (PAT)
           d. DIP with egress interface
        3. VIP
        4. Destination NAT
Lab 5   Creating object and policy
Lab 6   Policy ................................... 32
        1. Multi-cell policy
        2. Group policy
Lab 7   Logging, counting, scheduling, SNMP and authentication
Lab 8   Routing .................................. 49
        a. Static routing
        b. Dynamic routing
           1. RIP
           2. OSPF
Lab 9   Site-to-site VPN
Lab 10  Dynamic VPN .............................. 56
Lab 11  Screen Options ........................... 63
Lab 12  DHCP ..................................... 65
Lab 13  Inter-VLAN routing ....................... 67
        a. With BVI
        b. With routed port
JNCIS-SEC Lab Manual
Lab # 1
Junos Basic
Configuration
login: root
password: abc123
root@%
To enter the operational-mode CLI from the UNIX shell (exit returns to the shell):
root@% cli
root>
To enter configuration mode from operational mode and commit the candidate configuration:
root> configure
Entering configuration mode
root#
root# commit
To view interface status from operational mode:
root> show interfaces
root> show interfaces extensive
root> show interfaces detail
To move a configuration hierarchy (in this example you move the configuration for fe-0/0/0 to fe-0/0/1):
root# rename interfaces fe-0/0/0 to fe-0/0/1
To view the configuration:
root> show configuration
or
root> show system rollback 0
or
root# show
To return to an earlier configuration (rollback 0 discards the uncommitted candidate; rollback 2 loads the configuration from two commits back; nothing takes effect until commit):
root# rollback 2
root# commit
To disable part of the configuration without deleting it (activate reverses it):
root# deactivate interfaces fe-0/0/2
For example, root# show then displays the hierarchy tagged inactive:
interfaces {
    inactive: fe-0/0/2 {
    }
}
[edit]
root# set system root-authentication plain-text-password
New password: abc123
Retype new password: abc123
[edit]
root# commit
(The password is stored as a hash; show system root-authentication displays it as encrypted-password.)
root# set security policies from-zone untrust to-zone trust policy allow match source-address any
root# set security policies from-zone untrust to-zone trust policy allow match destination-address any
root# set security policies from-zone untrust to-zone trust policy allow match application any
root# set security policies from-zone untrust to-zone trust policy allow then permit
(This permits all traffic from untrust into trust. It is a lab convenience only; the default policy on the SRX is deny-all, and that is the behaviour to keep for untrust-to-trust in production.)
Flow Table
Configuration
Verifying Command
In Operational mode type following cmds
show interfaces
show interfaces terse
show interfaces descriptions
show interfaces terse | match fe
Lab # 2
Zone customization
Topology (from the figure): trust zone, host 10.0.0.1 and SRX interface 10.0.0.10; untrust zone, SRX interface 20.0.0.10 and host 20.0.0.1.
Configuration
Delete All Configuration
In configuration mode type following cmds (delete at the top [edit] level empties the whole candidate configuration; it takes effect only on commit, and can be undone with rollback 1 followed by commit)
delete
Lab # 3
Accessing SRX through Telnet/SSH/HTTP
Configuration
Configuring telnet on R1.
In configuration mode type following cmds
login: R1
password: abc123
Verifying Commands
In Operational mode type following cmds
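Added example (not the manual's own configuration) for the management-access lab: SSH, Telnet and HTTPS enabled on the system and admitted by the trust zone only. Assumptions: fe-0/0/1.0 is the trust interface and "admin" is the administrator account; lines starting with # are explanation, not CLI input.

```junos
# Lab 3 management access. Assumed: trust interface fe-0/0/1.0, admin user "admin".
set system services ssh
set system services ssh protocol-version v2
set system services ssh root-login deny
# Telnet sends the password in cleartext; keep it for the lab only and remove it once SSH works
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fe-0/0/1.0
# the CLI prompts for the password interactively on this command
set system login user admin class super-user authentication plain-text-password
set system login retry-options tries-before-disconnect 3
# enabling a service is not enough: the zone must also admit it on the interface.
# Nothing is admitted on the untrust interface, so the SRX is unreachable for management from outside.
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services ping
commit
```

Check from operational mode with show configuration system services, show security zones (the host-inbound-traffic list per interface) and, while a session is open, show system users. Connecting with ssh admin@10.0.0.10 from a trust host must succeed and the same attempt against 20.0.0.10 must time out.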
Lab # 4
1. Mapped IP
(Static NAT)
Topology (from the figure): trust zone with Host A 10.0.0.1 and Server 10.0.0.2 behind SRX interface 10.0.0.10; untrust zone with SRX interface 20.0.0.10 and host 20.0.0.1.
Configuration
set security policies from-zone untrust to-zone trust policy allow match source-address any
set security policies from-zone untrust to-zone trust policy allow match destination-address any
set security policies from-zone untrust to-zone trust policy allow match application any
set security policies from-zone untrust to-zone trust policy allow then permit
commit
Verifying commands
In Operational mode type following cmds
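Added example (not from the manual) of the static NAT that this lab refers to as a MIP: a one-to-one, bidirectional mapping between a public address and the server. Assumptions: the public address is 20.0.0.51 (the address the manual itself uses in the VIP and destination NAT labs), the server is 10.0.0.2 from the figure, fe-0/0/0.0 is the untrust interface (20.0.0.10/8); # lines are explanation.

```junos
# Lab 4.1 static NAT (MIP): 20.0.0.51 <-> 10.0.0.2, both directions
set security nat static rule-set untrust-in from zone untrust
set security nat static rule-set untrust-in rule server-mip match destination-address 20.0.0.51/32
set security nat static rule-set untrust-in rule server-mip then static-nat prefix 10.0.0.2/32
# 20.0.0.51 is not configured on any interface, so the SRX must answer ARP for it on the untrust link
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32
# policy is evaluated after destination NAT, so it matches the real server address, not 20.0.0.51.
# Limit it to the server instead of "any": static NAT alone would otherwise expose every port.
set security zones security-zone trust address-book address server 10.0.0.2/32
set security policies from-zone untrust to-zone trust policy to-server match source-address any
set security policies from-zone untrust to-zone trust policy to-server match destination-address server
set security policies from-zone untrust to-zone trust policy to-server match application junos-http
set security policies from-zone untrust to-zone trust policy to-server then permit
commit
```

Verify with show security nat static rule all (the rule's translation hit counter increments per new session) and show security flow session destination-prefix 10.0.0.2. Because the mapping is bidirectional, traffic the server itself originates toward untrust leaves sourced from 20.0.0.51 without any source NAT rule.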
2. DIP
a. DIP with IP pool
(Dynamic NAT)
Topology (from the figure): Host A 10.0.0.1 and Host B 10.0.0.2 in trust; host 20.0.0.1 in untrust.
Configuration
In configuration mode type following cmds
commit
set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
Verifying commands
In Operational mode type following cmds
b. DIP with IP shift
Topology (from the figure): Host A 10.0.0.1 and Host B 10.0.0.2 in trust; host 20.0.0.1 in untrust.
Configuration
set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
Verifying commands
In Operational mode type following cmds
c. DIP with different IP (PAT)
Topology (from the figure): Host A 10.0.0.1 and Host B 10.0.0.2 in trust; host 20.0.0.1 in untrust.
Configuration
set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
Verifying commands
In Operational mode type following cmds
d. DIP with egress interface
Topology (from the figure): trust zone, Host A 10.0.0.1 and Host B 10.0.0.2 behind SRX interface 10.0.0.10; untrust zone, SRX interface 20.0.0.10 and host 20.0.0.1.
Configuration
In configuration mode type following cmds
set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
Verifying commands
In Operational mode type following cmds
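Added example (not from the manual) covering the four DIP variants of this lab as Junos source NAT: a pool with port translation, an address-shifting pool, a pool without port translation, and the egress interface. All four sit in one trust-to-untrust rule-set because the SRX allows only one rule-set per zone pair and tries its rules top-down. Assumptions: fe-0/0/0.0 is the untrust interface (20.0.0.10/8); Host A 10.0.0.1 and Host B 10.0.0.2 are from the figure; the subnet 10.0.1.0/24 and the public ranges 20.0.0.100-110, 20.0.0.120-125 and 20.0.0.200-210 are example values; # lines are explanation.

```junos
# Lab 4.2 source NAT (DIP) variants in one trust -> untrust rule-set

# pool with port translation (PAT is the default for a source pool): many hosts share a few addresses
set security nat source pool pool-pat address 20.0.0.100/32 to 20.0.0.110/32

# address shifting: 10.0.0.1 -> 20.0.0.200, 10.0.0.2 -> 20.0.0.201 ... 10.0.0.11 -> 20.0.0.210, ports untouched.
# A host outside 10.0.0.1-10.0.0.11 that matches the rule has no mapping and is dropped.
set security nat source pool pool-shift address 20.0.0.200/32 to 20.0.0.210/32
set security nat source pool pool-shift host-address-base 10.0.0.1/32

# a different IP with the original source port kept; when all six addresses are in use, fall back to the interface
set security nat source pool pool-nopat address 20.0.0.120/32 to 20.0.0.125/32
set security nat source pool pool-nopat port no-translation
set security nat source pool pool-nopat overflow-pool interface

# rules are tried in configuration order, first match wins: specific hosts first, interface NAT as the catch-all
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule r-shift match source-address 10.0.0.1/32
set security nat source rule-set trust-to-untrust rule r-shift then source-nat pool pool-shift
set security nat source rule-set trust-to-untrust rule r-nopat match source-address 10.0.0.2/32
set security nat source rule-set trust-to-untrust rule r-nopat then source-nat pool pool-nopat
set security nat source rule-set trust-to-untrust rule r-pat match source-address 10.0.1.0/24
set security nat source rule-set trust-to-untrust rule r-pat then source-nat pool pool-pat
set security nat source rule-set trust-to-untrust rule r-iface match source-address 10.0.0.0/8
set security nat source rule-set trust-to-untrust rule r-iface then source-nat interface

# pool addresses live in the untrust subnet but are on no interface: answer ARP for them
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.100/32 to 20.0.0.110/32
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.120/32 to 20.0.0.125/32
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.200/32 to 20.0.0.210/32
commit
```

Verify with show security nat source summary, show security nat source rule all (per-rule hit counters tell you which variant a host actually took) and show security flow session source-prefix 10.0.0.1, whose "Out" wing shows the translated address and port. The manual's trust-to-untrust allow policy is still required; NAT rules translate, they do not permit.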
3.VIP
Topology (from the figure): WEB SERVER 10.0.0.1 and FTP SERVER 10.0.0.2 in trust; client 20.0.0.1 in untrust.
Configuration
set security nat destination pool ftp address 10.0.0.2/32 port 21
set security nat destination rule-set vip from zone untrust
set security nat destination rule-set vip rule ftp match destination-address 20.0.0.51/32
set security nat destination rule-set vip rule ftp match destination-port 21
set security nat destination rule-set vip rule ftp then destination-nat pool ftp
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32
commit
(The pool and the rule-set's from-zone clause are required for the commit to succeed; the pool points at the FTP server from the figure. Only port 21 of 20.0.0.51 is translated, so the same public address can front the web server on port 80 with a second pool and rule. Proxy ARP takes the logical interface, fe-0/0/0.0.)
set security policies from-zone untrust to-zone trust policy allow match source-address any
set security policies from-zone untrust to-zone trust policy allow match destination-address any
set security policies from-zone untrust to-zone trust policy allow match application any
set security policies from-zone untrust to-zone trust policy allow then permit
commit
Verifying commands
In Operational mode type following cmds
4.Destination Nat
Topology (from the figure): WEB SERVER 10.0.0.1 and host 10.0.0.2 in trust; client 20.0.0.1 in untrust.
Configuration
In configuration mode type following cmds
set security nat destination pool serverpool address 10.0.0.1/32
set security nat destination rule-set internet from zone untrust
set security nat destination rule-set internet rule servernat match destination-address 20.0.0.51/32
set security nat destination rule-set internet rule servernat then destination-nat pool serverpool
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32
commit
(Without a destination-port match every port of 20.0.0.51 is forwarded to the web server; the untrust-to-trust policy, which is evaluated after the translation and therefore matches 10.0.0.1, is what limits exposure.)
Verifying commands
In Operational mode type following cmds
show security nat destination summary
show security nat destination rule all
show security flow session
clear security flow session all
Lab # 5
Creating object and policy
Topology (from the figure): hosts 10.0.0.1 and 10.0.0.2 in trust; host 20.0.0.1 in untrust.
Configuration
(The objects insidepc and outsidepc must exist in the trust and untrust zone address books before the policy can reference them.)
set security policies from-zone trust to-zone untrust policy allow match source-address insidepc
set security policies from-zone trust to-zone untrust policy allow match destination-address outsidepc
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
Verifying commands
In Operational mode type following cmds
show
Lab # 6
1.Multi cell Policy
Topology (from the figure): host 10.0.0.1 in trust; host 20.0.0.1 in untrust.
Configuration
Creating object for trust host
In configuration mode type following cmds
set security policies from-zone trust to-zone untrust policy allow match source-address insidepc1
set security policies from-zone trust to-zone untrust policy allow match source-address insidepc2
set security policies from-zone trust to-zone untrust policy allow match destination-address outsidepc1
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
Verifying commands
In configuration mode type following cmds
show
show security policies | display set
show security zones security-zone trust address-book
2.Group Policy
Topology (from the figure): host 10.0.0.1 in trust; host 20.0.0.1 in untrust.
Configuration
set security policies from-zone trust to-zone untrust policy allow match source-address trustedpcs
set security policies from-zone trust to-zone untrust policy allow match destination-address untrustedpcs
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
Verifying commands
In configuration mode type following cmds
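Added example (not from the manual) that supplies the address objects Labs 5 and 6 reference but never define, builds the address sets behind the group policy, and shows how policy ordering works by placing a logged deny for one host above the group allow. Assumed addresses: insidepc1 10.0.0.1 and insidepc2 10.0.0.2 in trust, outsidepc1 20.0.0.1 and outsidepc2 20.0.0.2 in untrust; # lines are explanation.

```junos
# Lab 5 / Lab 6: zone address books, address sets and policy order
set security zones security-zone trust address-book address insidepc1 10.0.0.1/32
set security zones security-zone trust address-book address insidepc2 10.0.0.2/32
set security zones security-zone untrust address-book address outsidepc1 20.0.0.1/32
set security zones security-zone untrust address-book address outsidepc2 20.0.0.2/32

# an address set is a named group; the policy references the set, so adding a host needs no policy edit
set security zones security-zone trust address-book address-set trustedpcs address insidepc1
set security zones security-zone trust address-book address-set trustedpcs address insidepc2
set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc1
set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc2

# group policy on the sets
set security policies from-zone trust to-zone untrust policy allow match source-address trustedpcs
set security policies from-zone trust to-zone untrust policy allow match destination-address untrustedpcs
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit

# a logged exception for one host. Policies are evaluated in configuration order and the first match
# wins, so a deny added after "allow" would never fire; insert moves it above.
set security policies from-zone trust to-zone untrust policy block-pc2 match source-address insidepc2
set security policies from-zone trust to-zone untrust policy block-pc2 match destination-address outsidepc2
set security policies from-zone trust to-zone untrust policy block-pc2 match application any
set security policies from-zone trust to-zone untrust policy block-pc2 then deny
set security policies from-zone trust to-zone untrust policy block-pc2 then log session-init
insert security policies from-zone trust to-zone untrust policy block-pc2 before policy allow
commit
```

show security policies from-zone trust to-zone untrust lists the policies in evaluation order; show security match-policies from-zone trust to-zone untrust source-ip 10.0.0.2 destination-ip 20.0.0.2 source-port 1024 destination-port 80 protocol tcp reports which policy a given 5-tuple would hit, which is the quickest way to confirm that the ordering is what you meant.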
Lab # 7
Topology (from the figure): host 10.0.0.1 in trust; host 20.0.0.1 in untrust.
Configuration
a. Logging
Output of logging (one RT_FLOW session-create message, wrapped for width):
Feb 18 20:11:16 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.1/2690->20.0.0.1/80 junos-http 20.0.0.10/28723->20.0.0.1/80 source-nat-rule None 6 trust-to-untrust trust untrust 6894
Fields, in order: timestamp; source/port->destination/port before NAT; matched application (junos-http); source/port->destination/port after NAT (here the egress interface 20.0.0.10 with a translated port); source NAT rule name (source-nat-rule); destination NAT rule name (None); protocol (6 = TCP); policy name (trust-to-untrust); from-zone; to-zone; session ID.
Verifying commands
In operational mode type following cmds
*Logging at console
b.Counting
Calling Count into policy
In configuration mode type following cmds
set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
set security policies from-zone trust to-zone untrust policy outgoingtraffic then count
commit
Verifying commands
In operational mode type following cmds
show security policies detail
c.Scheduling
Create a scheduler
In configuration mode type following cmds
set schedulers scheduler testscheduler daily start-time 22:24 stop-time 22:25
Verifying commands
In configuration mode type following cmds
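Added example (not from the manual) tying the three mechanisms of Lab 7 a-c to the manual's outgoingtraffic policy: per-session logging routed to its own file, the per-policy counter, and the scheduler attached to the policy. Assumptions: the syslog file is named traffic-log; the scheduler name and window are the manual's; # lines are explanation.

```junos
# Lab 7 a-c on the outgoingtraffic policy
# a. Logging: RT_FLOW messages are generated per policy at session start and/or close
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-init
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-close
# branch SRX default (event mode): the flow logs go through the RE syslog; keep them out of "messages"
set security log mode event
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
# "*Logging at console": mirror them to the console while testing; far too noisy to leave on
set system syslog console any any

# b. Counting: per-policy packet and byte counters (no per-session overhead beyond the counter)
set security policies from-zone trust to-zone untrust policy outgoingtraffic then count

# c. Scheduling: the policy is active only inside the window. Outside it the policy is skipped,
# so traffic falls through to the next policy or to the default deny.
set schedulers scheduler testscheduler daily start-time 22:24 stop-time 22:25
set security policies from-zone trust to-zone untrust policy outgoingtraffic scheduler-name testscheduler
commit
```

Read the result with show log traffic-log (filter with | match 10.0.0.1), show security policies policy-name outgoingtraffic detail for the counters and the scheduler state, and clear security policies statistics to reset the counters between test runs.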
d.SNMP
Verifying commands
In Operational mode type following cmds
show snmp statistics
e.Authentication
Verifying commands
In operational mode type following cmds
show security firewall-authentication users
clear security firewall-authentication users
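Added example (not from the manual) for Lab 7 d and e: an SNMP community that is read-only and reachable only from the trust network, and pass-through firewall authentication on an outbound policy. Assumptions: community name jncis-ro, trust interface fe-0/0/1.0, access profile fw-auth with user user1 and a placeholder password; # lines are explanation.

```junos
# Lab 7 d: SNMP, read-only, trust network only
set snmp community jncis-ro authorization read-only
set snmp community jncis-ro clients 10.0.0.0/8
# everything else is refused even if it knows the community string
set snmp community jncis-ro clients 0.0.0.0/0 restrict
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services snmp

# Lab 7 e: pass-through firewall authentication. The SRX intercepts the first FTP, Telnet or HTTP
# session from a host, prompts for credentials in that protocol, then permits that host for the
# policy. Pass-through works only for those three, so the policy matches them explicitly.
set access profile fw-auth client user1 firewall-user password "change-me"
set access firewall-authentication pass-through default-profile fw-auth
set security policies from-zone trust to-zone untrust policy auth-out match source-address any
set security policies from-zone trust to-zone untrust policy auth-out match destination-address any
set security policies from-zone trust to-zone untrust policy auth-out match application junos-http
set security policies from-zone trust to-zone untrust policy auth-out match application junos-ftp
set security policies from-zone trust to-zone untrust policy auth-out match application junos-telnet
set security policies from-zone trust to-zone untrust policy auth-out then permit firewall-authentication pass-through access-profile fw-auth
commit
```

Check SNMP with show snmp statistics from the manual plus a walk from a trust host and from an untrust host (the latter must get no reply). For authentication, show security firewall-authentication users lists the hosts that have passed, and clear security firewall-authentication users forces them to log in again.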
Verifying commands
In Operational mode type following cmds
Lab # 8
Routing
Topology (from the figure): hosts 10.0.0.1 and 10.0.0.2 in trust; hosts 20.0.0.1 and 20.0.0.2 in untrust.
Configuration
a.Static Routing
b.Dynamic Routing
1.RIP
2.OSPF
set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit
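Added example (not from the manual) for the routing lab: a static default route, RIP with the export policy Junos needs before it advertises anything, and OSPF with MD5 on the outside link, plus the zone setting that is specific to the SRX. Assumptions: fe-0/0/1.0 (10.0.0.10/8) is in trust, fe-0/0/0.0 (20.0.0.10/8) in untrust, the upstream router is 20.0.0.1, and the MD5 key is a placeholder; run RIP or OSPF for the lab, not both; # lines are explanation.

```junos
# Lab 8 routing on the SRX
# a. static: default route toward the untrust router
set routing-options static route 0.0.0.0/0 next-hop 20.0.0.1

# b.1 RIP: Junos advertises nothing until an export policy is attached to the group
set policy-options policy-statement adv-connected term direct from protocol direct
set policy-options policy-statement adv-connected term direct then accept
set policy-options policy-statement adv-connected term rip from protocol rip
set policy-options policy-statement adv-connected term rip then accept
set protocols rip group rip-grp export adv-connected
set protocols rip group rip-grp neighbor fe-0/0/0.0

# b.2 OSPF: trust side passive (prefix advertised, no adjacencies formed toward hosts), MD5 on the untrust side
set protocols ospf area 0.0.0.0 interface fe-0/0/1.0 passive
set protocols ospf area 0.0.0.0 interface fe-0/0/0.0 authentication md5 1 key "ospf-key-placeholder"

# unlike a router, the SRX drops routing-protocol packets addressed to itself unless the zone admits them;
# a missing line here is the usual reason "show ospf neighbor" stays empty
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols rip
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols ospf
commit
```

The manual's verifying commands apply unchanged; show rip neighbor and show ospf neighbor confirm the adjacency, and show route protocol ospf / show route protocol rip confirm what was learned. With MD5 configured on one side only, the neighbour never leaves Init, which is the expected failure when the keys do not match.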
Verifying Command
In operational mode type following cmds
show route
show route protocol static
show configuration
show interfaces terse
show route protocol rip
show ospf interface
show ospf neighbor
show route protocol ospf
Lab # 9
Site-to-site Vpn
Topology (from the figure): hosts 10.0.0.1 and 10.0.0.2 on the trust side; 20.0.0.1 and 20.0.0.2 on the untrust side.
Configuration
Define ip address on interfaces
In configuration mode type following cmds
Define Routing
In configuration mode type following cmds
Configure IKE and IPsec (on Junos the security ike and security ipsec hierarchies take the place of a crypto map)
In configuration mode type following cmds
Configure the protected traffic (the crypto ACL equivalent: for a route-based VPN a route toward the st0 tunnel interface, for a policy-based VPN a tunnel policy)
Trust to Untrust
In configuration mode type following cmds
UnTrust to Trust
In configuration mode type following cmds
Verifying commands
In Operational mode type following cmds
Lab # 10
Dynamic Vpn
Topology (from the figure): host 10.0.0.1 in trust; remote client 20.0.0.1 in untrust.
Configuration
Allow HTTPS on the outside interface (the dynamic VPN client is downloaded from the SRX web UI; plain HTTP would send the user's login in cleartext across the untrusted network, so admit only https, together with ike, as host-inbound services on the untrust interface)
In configuration mode type following cmds
Add an access profile and user definitions for IPsec client authentication (used with XAuth)
Verifying commands
In Operational mode type following cmds
Lab # 11
Screen Options
Topology (as labelled in the figure): SRX trust interface 10.0.0.10 toward hosts 10.0.0.1 and 10.0.0.2; SRX untrust interface 15.0.0.1 on a link to router RA (Fa0/0 15.0.0.2, Fa0/1 20.0.0.10), behind which sit hosts 20.0.0.1 and 20.0.0.2.
Configuration
Define Routing
In configuration mode type following cmds
To Block IP FRAGMENT
In configuration mode type following cmds
Verifying commands
In Operational mode type following cmds
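Added example (not from the manual) of a screen profile on the untrust zone that includes the fragment block this lab asks for and the other checks an untrust-facing zone normally carries. The thresholds are example values; # lines are explanation.

```junos
# Lab 11 screens applied to the untrust zone; the profile name untrust-screen is an example
# IP-layer checks
set security screen ids-option untrust-screen ip block-frag
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip spoofing
# ICMP
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen icmp flood threshold 1000
# TCP
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp port-scan threshold 5000
# UDP
set security screen ids-option untrust-screen udp flood threshold 1000
# while tuning thresholds: count and log matches but do not drop; remove this line once the numbers fit
set security screen ids-option untrust-screen alarm-without-drop
# a screen does nothing until it is bound to a zone; it then applies to every interface in that zone
set security zones security-zone untrust screen untrust-screen
commit
```

show security screen ids-option untrust-screen prints the active profile and show security screen statistics zone untrust the per-check counters; a fragmented ping from the untrust host (ping with a large size) should raise the "IP fragment" counter, and with alarm-without-drop removed the ping stops getting replies.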
Lab # 12
DHCP
Topology (from the figure): the SRX is the DHCP server; two clients acquire 20.0.0.1 and 20.0.0.2 from DHCP.
Configuration
In configuration mode type following cmds
On pc
Verifying Commands.
In Operational mode type following cmds
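Added example (not from the manual) of the DHCP server for this lab, in the system services dhcp syntax of the branch SRX releases the manual uses. Assumptions: the server interface is fe-0/0/0.0 (20.0.0.10) in zone untrust; lease times, the DNS address and the MAC in the static binding are example values; # lines are explanation.

```junos
# Lab 12 DHCP server on the SRX for the 20.0.0.0/8 segment
set system services dhcp pool 20.0.0.0/8 address-range low 20.0.0.1 high 20.0.0.100
# never hand out the SRX's own address
set system services dhcp pool 20.0.0.0/8 exclude-address 20.0.0.10
set system services dhcp pool 20.0.0.0/8 router 20.0.0.10
set system services dhcp pool 20.0.0.0/8 name-server 20.0.0.10
set system services dhcp pool 20.0.0.0/8 default-lease-time 3600
set system services dhcp pool 20.0.0.0/8 maximum-lease-time 86400
# reservation: a known host always gets the same lease
set system services dhcp static-binding 00:0c:29:aa:bb:cc fixed-address 20.0.0.2
# DHCPDISCOVER is a broadcast to the SRX itself, so the zone has to admit dhcp on that interface
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
commit
```

On the PC release and renew the lease, then on the SRX use show system services dhcp binding (one line per client with its MAC, address and lease expiry), show system services dhcp pool and show system services dhcp statistics; a client that never appears in the binding table while DISCOVERs are being sent points at the missing host-inbound-traffic line.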
Lab # 13
INTER-VLAN ROUTING WITH BVI
Topology (from the figure): SRX port Fa0/1 (10.0.0.10, VLAN 10) to Host A 10.0.0.1/8; SRX port Fa0/0 (20.0.0.10, VLAN 20) to Host B 20.0.0.1/8.
Configuration
Configure intervlan Routing
In configuration mode type following cmds
set interfaces fe-0/0/0 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family ethernet-switching
Verifying Commands.
In Operational mode type following cmds
show vlans
show route
show ethernet-switching interfaces
show interface terse
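Added example (not from the manual) completing this lab: the two switch ports from the manual assigned to VLANs, one Layer 3 VLAN interface per VLAN (the Junos form of the BVI), and the zone and policy that decide whether the VLANs may talk. Assumptions: fe-0/0/1 faces Host A (VLAN 10) and fe-0/0/0 faces Host B (VLAN 20), as labelled in the figure; # lines are explanation.

```junos
# Lab 13a inter-VLAN routing with Layer 3 VLAN interfaces
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface vlan.10
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface vlan.20
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan10
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan20
set interfaces vlan unit 10 family inet address 10.0.0.10/8
set interfaces vlan unit 20 family inet address 20.0.0.10/8
# the L3 VLAN interfaces, not the switch ports, are what the zones (and therefore the policy) see
set security zones security-zone trust interfaces vlan.10 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces vlan.20 host-inbound-traffic system-services ping
# with no policy the VLANs stay isolated even though both are routed; this permits trust -> untrust only,
# return traffic rides the stateful session
set security policies from-zone trust to-zone untrust policy vlan10-to-vlan20 match source-address any
set security policies from-zone trust to-zone untrust policy vlan10-to-vlan20 match destination-address any
set security policies from-zone trust to-zone untrust policy vlan10-to-vlan20 match application any
set security policies from-zone trust to-zone untrust policy vlan10-to-vlan20 then permit
commit
```

Besides the manual's show vlans and show route, show interfaces vlan terse should list vlan.10 and vlan.20 up with their addresses, and show security zones should show each under its zone. A ping from Host A to Host B succeeds while a ping from Host B to Host A is dropped, which is the zone model doing its job even inside one box.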
Topology (from the figure): SRX trunk to EX2200 port Fa0/23 carrying VLAN 10 (trust, 10.0.0.10/8) and VLAN 20 (untrust, 20.0.0.10/8); EX2200 access ports Fa0/1 in VLAN 10 and Fa0/13 in VLAN 20.
Configuration
SRX Configuration
Configure intervlan Routing
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 10 vlan-id 10
set interfaces fe-0/0/0 unit 10 family inet address 10.0.0.10/8
set interfaces fe-0/0/0 unit 20 vlan-id 20
set interfaces fe-0/0/0 unit 20 family inet address 20.0.0.10/8
Switch Configuration
Configure Vlan
set vlans vlan10 vlan-id 10
set vlans vlan20 vlan-id 20
Verifying Commands.
In Operational mode type following cmds
show vlans
show route
show interface terse
show vlans brief
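Added example (not from the manual) finishing the routed-port variant: the SRX subinterfaces from the manual assigned to zones with a trust-to-untrust policy, and the EX2200 side with a trunk toward the SRX and one access port per VLAN. Assumed EX2200 port mapping from the figure: ge-0/0/23 is the trunk, ge-0/0/1 is in VLAN 10, ge-0/0/13 in VLAN 20; # lines are explanation.

```junos
# Lab 13b, SRX side: the tagged subinterfaces go into zones, and policy decides what crosses
set security zones security-zone trust interfaces fe-0/0/0.10 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.20 host-inbound-traffic system-services ping
set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit

# Lab 13b, EX2200 side
set vlans vlan10 vlan-id 10
set vlans vlan20 vlan-id 20
# trunk to the SRX carries both VLANs tagged. No native-vlan-id is set on purpose: untagged frames
# arriving on the trunk are dropped instead of silently landing in some VLAN.
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members vlan20
# host ports are access ports in exactly one VLAN
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan20
commit
```

On the EX2200, show vlans and show ethernet-switching interfaces confirm the port-to-VLAN mapping and show ethernet-switching table shows the SRX's MAC learned on ge-0/0/23 in both VLANs; on the SRX, show interfaces fe-0/0/0 terse lists the .10 and .20 units. The only path between the two VLANs is through the SRX subinterfaces, so the trust-to-untrust policy (and the absence of an untrust-to-trust one) governs inter-VLAN traffic exactly as it does between physical segments.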