
Juniper Networks Certified Internet Specialist (JNCIS)

JNCIS-SEC Lab Manual


Developed by

M. Irfan Ghauri
M. Tanzeel Nasir

ESP Press, C-32/1 Block-5 Gulshan-e-Iqbal, Karachi

Ph # 0213-6034003
Copyright 2011
JNCIS-SEC Lab Manual

LAB NO.  LAB DESCRIPTION                                        PAGE

1        Junos Basic                                             3
2        Customize zones                                        11
3        Accessing Firewall using Console/Telnet/SSH/HTTP       17
4        NAT                                                    24
         1. MIP
         2. DIP
            a. DIP with ip pool
            b. DIP with ip shift
            c. DIP with different ip (PAT)
            d. DIP with egress interface
         3. VIP
         4. Destination NAT
5        Creating Object and Policy                             30
6        POLICY                                                 32
         1. Multi cell Policy
         2. Group Policy
7        Advance Group Policy                                   36
         a. Logging
         b. Counting
         c. Scheduling
         d. SNMP
         e. Authentication with (Local, webauth and AAA)
8        Routing                                                49
         a. Static Routing
         b. Dynamic Routing
            a. RIP
            b. OSPF
9        Site to Site VPN                                       52
10       Dynamic VPN                                            56
11       Screen Options                                         63
12       DHCP                                                   65
13       Inter-vlan Routing                                     67
         a. With BVI
         b. With Routed Port

Lab # 1

Junos Basic Configuration

After connecting your PC to the console port, log in:

login: root
password: abc123
root@%

To enter operational mode from the UNIX shell (and back again: exit returns you to the shell):

root@% cli
root>

To Enter Into Configuration Mode.

Root> configure
Entering configuration mode

Root #

J-Web equivalent: Configuration

Use the commit command to activate your changes.

Root# commit

To change the hostname of the router.

Root# set system host-name host


Root# commit

Set the system date & time on the router. The set date command takes the form YYYYMMDDhhmm.ss; the example below sets 6 Oct 2009, 12:10:08. It is an operational-mode command and takes effect immediately, so no commit is needed.

Root> set date 200910061210.08

Verify the System Date & Time on the Router

Root> show system uptime


Current time: 2009-08-17 11:55:58 UTC

Display the Version Information of the Router.

Root>show system software


Or
Root>show version

Show interface summary

Root> show interfaces terse

Display the interfaces

Root> show interfaces
Root> show interfaces extensive
Root> show interfaces detail

Display per-second real-time statistics for a physical interface

Root> monitor interface se-0/0/2

Print packet headers to your terminal for traffic sent or received by the Routing Engine

Root> monitor traffic interface se-0/0/2



Move a configuration to another port for testing purposes

Root# rename interfaces fe-0/0/0 to fe-0/0/1

(in this example you move the configuration of fe-0/0/0 to fe-0/0/1)

Replicate an existing configuration and change a few components

Root# copy interfaces fe-0/0/0 to fe-0/0/1

(we replicate an existing configuration so that we can change a few components)

Show Active Configuration.

Root>show configuration
or
Root>show system rollback 0
or
Root#show

Show active configuration in set display

Root# show | display set

Show active configuration in XML format

Root# show | display xml

Show a previous (rollback) configuration.

Root> show system rollback 2

(The numbered rollback files hold earlier committed configurations, 0 being the active one. The candidate configuration is what show displays in configuration mode; it becomes active only when you commit it.)

Compare Rollback Configuration.

Root> show system rollback 0 compare 2



Configure Rollback Configuration.

Root#rollback 2
Root#commit

Deactivate or activate a configuration statement.

Root# deactivate <configuration-statement>
Root# activate <configuration-statement>

For example

Root# deactivate interfaces fe-0/0/2

Root# show
interfaces {
    inactive: fe-0/0/2 {
        ...
    }
}

Shut down an interface (and bring it back up by deleting the disable statement)

Root# set interfaces se-0/0/2 disable

Root# delete interfaces se-0/0/2 disable

Set rescue configuration.

Root> request system configuration rescue save

(Saves the active configuration as the rescue configuration)

Load and commit the rescue configuration.

Root# rollback rescue
Root# commit

Or
(The RESET CONFIG button on the front of a J-series router loads and commits the rescue configuration)

Show rescue configuration.

Root> show system configuration rescue

To see which users are logged in to Junos

Root> show system users

To look at file system (flash) usage

Root> show system storage

To look at the TCP and UDP ports in use

Root> show system connections

To look at system license

Root>show system license

To look at system firmware

Root>show system firmware

Show chassis environment (component status and temperatures)

Root> show chassis environment

Show chassis hardware

Root> show chassis hardware detail

Set the password of Root in clear text.

Root# set system root-authentication plain-text-password


New Password: abc123
Retype new password: abc123

Set the password of root from an already-hashed value. The argument is the password hash (for example copied from another device's configuration), not the clear-text password; a clear-text string here would be stored as if it were a hash and no password would match it.

Root# set system root-authentication encrypted-password "<password-hash>"

To shutdown and restart the router

Root> request system poweroff


Root> request system reboot

To reset the router to the factory-default configuration (a root password must be set before the commit succeeds)

Root# load factory-default

warning: activating factory configuration

[edit]
Root# set system root-authentication plain-text-password
New password: abc123
Retype new password: abc123

[edit]
Root# commit

Policy from Untrust to Trust

Root# set security policies from-zone untrust to-zone trust policy allow match source-address any
Root# set security policies from-zone untrust to-zone trust policy allow match destination-address any
Root# set security policies from-zone untrust to-zone trust policy allow match application any
Root# set security policies from-zone untrust to-zone trust policy allow then permit

Flow Table

root> show security flow session



Assigning member interfaces to a zone

Root# set security zones security-zone dmz
Root# set interfaces interface-range dmz member-range fe-0/0/1 to fe-0/0/5

Allowing all system services on the untrust interface

Root# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Security zones detail


Root>show security zones trust detail
Root>show security zones untrust detail

Delete all configuration

Root# delete
Then answer yes

A root password must be set again before the next commit:

Root# set system root-authentication plain-text-password

New password: abc123
Retype new password: abc123

Assign the IP Address on the Ethernet Interface of the SRX

Configuration

Assign the IP Address on the VLAN Interface of the SRX.


In configuration mode type following cmds

set interfaces vlan unit 0 family inet address 10.0.0.10/8

Assign the IP Address on the Ethernet Interface of the SRX.


In configuration mode type following cmds

set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8

edit interfaces fe-0/0/0
set description "This is the Ethernet management interface"
top
commit

Delete the IP Address on the Ethernet Interface of the SRX.


In configuration mode type following cmds

delete interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8

Rename the IP Address on the Ethernet Interface of the SRX.


In configuration mode type following cmds

rename interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8 to address 15.0.0.10/8

Verifying Command
In Operational mode type following cmds

show interfaces
show interfaces terse
show interfaces descriptions
show interfaces terse | match fe

Lab # 2

Zone customization

Topology (figure): SRX with fe-0/0/1 (10.0.0.10/8) in zone trust and fe-0/0/0 (20.0.0.10/8) in zone untrust; hosts 10.0.0.1 and 10.0.0.2 on the trust side, hosts 20.0.0.1 and 20.0.0.2 on the untrust side.

Configuration
Delete All Configuration
In configuration mode type following cmds
delete

Configure web management


In configuration mode type following cmds
set system services web-management http

Assign the IP Address on the Ethernet Interface of the SRX.

set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8


set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

Creating your own Zones and Assign interface to zones


In configuration mode type following cmds

set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Creating Policies for Zones


In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit

set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
set security policies from-zone untrust to-zone trust policy incomingtraffic then permit

Before Commit configure root password


In configuration mode type following cmds

set system root-authentication plain-text-password


New Password: abc123
Retype new password: abc123

Lab # 3
Accessing SRX through Telnet/SSH/HTTP

Configuration
Configuring telnet on R1.
In configuration mode type following cmds

set system services telnet
set system services ssh
set system login user R1 class super-user authentication plain-text-password
Enter password: abc123
Retype password: abc123

Now accessing firewall through pc using telnet


Start >Run>Cmd
C:\> ping 10.0.0.10
C:\> telnet 10.0.0.10

Login:R1
Password:abc123

Now accessing firewall through pc using ssh

Open PuTTY, enter 10.0.0.10 as the host with SSH as the connection type, then press Open and log in as R1.



Now accessing firewall through pc using http


First open internet explorer then type
http://10.0.0.10

Verifying Commands
In Operational mode type following cmds

show system users
show configuration
show system connections

Lab # 4

1. Mapped IP (Static NAT)

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; Host A 10.0.0.1 and Server 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration

First map ip on untrust interface


In configuration mode type following cmds

set security nat static rule-set r1 from zone untrust
set security nat static rule-set r1 rule 1 match destination-address 20.0.0.51/32
set security nat static rule-set r1 rule 1 then static-nat prefix 10.0.0.1/32
set security nat static rule-set r1 rule 2 match destination-address 20.0.0.52/32
set security nat static rule-set r1 rule 2 then static-nat prefix 10.0.0.2/32
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32 to 20.0.0.52/32
commit

Allow the traffic using the following policy

In configuration mode type following cmds

set security policies from-zone untrust to-zone trust policy allow match source-address any
set security policies from-zone untrust to-zone trust policy allow match destination-address any
set security policies from-zone untrust to-zone trust policy allow match application any
set security policies from-zone untrust to-zone trust policy allow then permit
commit

Verifying commands
In Operational mode type following cmds

show security nat static rule all
show security flow session
clear security flow session all
show security policies detail

2. DIP
a. DIP with ip pool (Dynamic NAT)

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; Host A 10.0.0.1 and Host B 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration
In configuration mode type following cmds

set security nat source pool ippool address 20.0.0.50/32 to 20.0.0.60/32
set security nat source pool ippool port no-translation
set security nat source rule-set outgoingnat from zone trust
set security nat source rule-set outgoingnat to zone untrust
set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8
set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat pool ippool
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.50 to 20.0.0.60
commit

Allow the traffic using the following policy

In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit

Verifying commands
In Operational mode type following cmds

show security nat source summary
show security flow session
clear security flow session all

b. DIP with ip shift (Dynamic NAT)

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; Host A 10.0.0.1 and Host B 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration

Make a pool of shifted IPs on the untrust interface

In configuration mode type following cmds

set security nat source pool A address 20.0.0.50/32 to 20.0.0.60/32
set security nat source pool A host-address-base 10.0.0.1/32
set security nat source rule-set 1A from zone trust
set security nat source rule-set 1A to zone untrust
set security nat source rule-set 1A rule 1 match source-address 10.0.0.0/8
set security nat source rule-set 1A rule 1 then source-nat pool A
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.50/32 to 20.0.0.60/32
commit

Allow the traffic using the following policy

In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit

Verifying commands
In Operational mode type following cmds

show security nat source summary
show security flow session
clear security flow session all
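An address-shifting pool maps each inside host to one fixed pool address, so the mapping can be worked out before commit and checked against the flow session table afterwards. The Python model below is an added example, not part of the lab manual: it computes the mapping for pool A (20.0.0.50 to 20.0.0.60, host-address-base 10.0.0.1) and shows what happens to hosts the pool cannot cover; treating such hosts as dropped is this model's assumption, and reverse_lookup is an added helper for reading "show security flow session" output.

```python
import ipaddress

# Lab values from the "DIP with ip shift" configuration (pool A).
POOL_START = ipaddress.ip_address("20.0.0.50")
POOL_END = ipaddress.ip_address("20.0.0.60")
HOST_ADDRESS_BASE = ipaddress.ip_address("10.0.0.1")   # host-address-base 10.0.0.1/32
RULE_MATCH = ipaddress.ip_network("10.0.0.0/8")        # rule 1 match source-address
POOL_SIZE = int(POOL_END) - int(POOL_START) + 1        # 11 pool addresses


def translate_source(source):
    """Return (result, translated_address) for one inside host.

    "shift"    -> host lies in the range the pool covers; 1:1 translation,
                  no port translation.
    "no-match" -> rule-set does not match; packet leaves untranslated.
    "drop"     -> host matched the rule but sits beyond the 11 addresses the
                  pool can cover. The shift is static, so there is no address
                  to hand out; this model treats the session as dropped
                  (assumption, check on the device for your Junos release).
    """
    src = ipaddress.ip_address(source)
    if src not in RULE_MATCH:
        return ("no-match", str(src))
    offset = int(src) - int(HOST_ADDRESS_BASE)
    if offset < 0 or offset >= POOL_SIZE:
        return ("drop", None)
    return ("shift", str(POOL_START + offset))


def shift_table():
    """Full host -> pool mapping, the table to review before committing."""
    return {str(HOST_ADDRESS_BASE + i): str(POOL_START + i) for i in range(POOL_SIZE)}


def reverse_lookup(translated):
    """Map a pool address seen in the flow session table back to the host.

    Returns None for addresses outside the pool (hypothetical helper).
    """
    t = ipaddress.ip_address(translated)
    if t < POOL_START or t > POOL_END:
        return None
    return str(HOST_ADDRESS_BASE + (int(t) - int(POOL_START)))


if __name__ == "__main__":
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.11", "10.0.0.12", "192.168.1.5"):
        print(host, "->", translate_source(host))
    print(shift_table())
```

Host B (10.0.0.2) therefore appears as 20.0.0.51 in the untrust network, and any trust host above 10.0.0.11 gets no translation from this pool.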

c. DIP with different ip (PAT)

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; Host A 10.0.0.1 and Host B 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration

Set a public IP on the untrust interface

In configuration mode type following cmds

set security nat source pool ippool address 20.0.0.75/32
set security nat source rule-set outgoingnat from zone trust
set security nat source rule-set outgoingnat to zone untrust
set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8
set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat pool ippool
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.75/32

Allow the traffic using the following policy

In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit

Verifying commands
In Operational mode type following cmds

show security nat source summary
show security nat source pool all
show security nat source rule all
show security flow session
clear security flow session all

d. DIP with egress interface (PAT with outside interface)

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; Host A 10.0.0.1 and Host B 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration
In configuration mode type following cmds

set security nat source rule-set outgoingnat from zone trust
set security nat source rule-set outgoingnat to zone untrust
set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8
set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat interface

Apply nat source on the following policy


In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit

Verifying commands
In Operational mode type following cmds

show security nat source summary
show security nat source rule all
show security flow session
clear security flow session all

3. VIP

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; web server 10.0.0.1 and FTP server 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration

Set virtual ip on untrust interface


In configuration mode type following cmds

set security nat destination pool http address 10.0.0.1/32
set security nat destination pool http address port 80
set security nat destination pool ftp address 10.0.0.2/32
set security nat destination pool ftp address port 21
set security nat destination rule-set vip from zone untrust
set security nat destination rule-set vip rule http match destination-address 20.0.0.51/32
set security nat destination rule-set vip rule http match destination-port 80
set security nat destination rule-set vip rule http then destination-nat pool http
set security nat destination rule-set vip rule ftp match destination-address 20.0.0.51/32
set security nat destination rule-set vip rule ftp match destination-port 21
set security nat destination rule-set vip rule ftp then destination-nat pool ftp
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32
commit

Apply the VIP on the following policy

In configuration mode type following cmds

set security policies from-zone untrust to-zone trust policy allow match source-address any
set security policies from-zone untrust to-zone trust policy allow match destination-address any
set security policies from-zone untrust to-zone trust policy allow match application any
set security policies from-zone untrust to-zone trust policy allow then permit
commit

Verifying commands
In Operational mode type following cmds

show security nat destination summary
show security nat destination rule all
show security flow session
clear security flow session all

4. Destination NAT

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; web server 10.0.0.1 and host 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration
In configuration mode type following cmds
set security nat destination pool serverpool address 10.0.0.1/32
set security nat destination rule-set internet from zone untrust
set security nat destination rule-set internet rule servernat match destination-address 20.0.0.51/32
set security nat destination rule-set internet rule servernat then destination-nat pool serverpool
set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32
commit

Verifying commands
In Operational mode type following cmds
show security nat destination summary
show security nat destination rule all
show security flow session
clear security flow session all

Lab # 5
Creating object and policy

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; hosts 10.0.0.1 and 10.0.0.2 in trust; host 20.0.0.1 in untrust.

Configuration

Create object for trust host pc


In configuration mode type following cmds

set security zones security-zone trust address-book address insidepc 10.0.0.1/32

Create object for untrust host pc

In configuration mode type following cmds

set security zones security-zone untrust address-book address outsidepc 20.0.0.1/32

Calling object to create a policy


In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match source-address insidepc
set security policies from-zone trust to-zone untrust policy allow match destination-address outsidepc
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit

Verifying commands
In Operational mode type following cmds

show security policies detail

In configuration mode type following cmds

show

Lab # 6
1. Multi cell Policy

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; hosts 10.0.0.1 and 10.0.0.2 in trust; hosts 20.0.0.1 and 20.0.0.2 in untrust.

Configuration
Creating object for trust host
In configuration mode type following cmds

set security zones security-zone trust address-book address insidepc1 10.0.0.1/32
set security zones security-zone trust address-book address insidepc2 10.0.0.2/32

Creating object for untrust host


In configuration mode type following cmds

set security zones security-zone untrust address-book address outsidepc1 20.0.0.1/32
set security zones security-zone untrust address-book address outsidepc2 20.0.0.2/32

Calling object to create a multi cell policy


In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match source-address insidepc1
set security policies from-zone trust to-zone untrust policy allow match source-address insidepc2
set security policies from-zone trust to-zone untrust policy allow match destination-address outsidepc1
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit

Verifying commands
In configuration mode type following cmds

show
show security policies | display set
show security zones security-zone trust address-book

In Operational mode type following cmds

show security policies


show security policies detail

2. Group Policy

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; hosts 10.0.0.1 and 10.0.0.2 in trust; hosts 20.0.0.1 and 20.0.0.2 in untrust.

Configuration

Creating object for trust host


In configuration mode type following cmds

set security zones security-zone trust address-book address insidepc1 10.0.0.1/32
set security zones security-zone trust address-book address insidepc2 10.0.0.2/32

Creating object for untrust host


In configuration mode type following cmds

set security zones security-zone untrust address-book address outsidepc1 20.0.0.1/32
set security zones security-zone untrust address-book address outsidepc2 20.0.0.2/32

Making a group for trust interface


In configuration mode type following cmds

set security zones security-zone trust address-book address-set trustedpcs address insidepc1
set security zones security-zone trust address-book address-set trustedpcs address insidepc2
commit

Making a group for untrust interface

In configuration mode type following cmds

set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc1
set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc2
commit

Calling group to create a group policy


In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match source-address trustedpcs
set security policies from-zone trust to-zone untrust policy allow match destination-address untrustedpcs
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit

Verifying commands
In configuration mode type following cmds

show security policies | display set


show security zones security-zone trust address-book

In Operational mode type following cmds


Root>show security policies
Root>show security policies detail
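Labs 5 and 6 build up address objects, address-sets and zone-pair policies; the lookup the SRX performs for a new session is a first-match walk of the ordered policy list for that zone pair, ending in the default deny. The Python model below is an added example, not the manual's or Juniper's code: it holds the address books from Lab 6, a constructed policy list that places a multi-cell policy (Lab 6.1, here named multicell) ahead of the group policy allow (Lab 6.2), and evaluates sample flows so the ordering and the default deny can be observed.

```python
import ipaddress
from dataclasses import dataclass

# Address books per zone, matching the objects and address-sets created in Lab 6.
ADDRESS_BOOKS = {
    "trust": {
        "address": {"insidepc1": "10.0.0.1/32", "insidepc2": "10.0.0.2/32"},
        "address-set": {"trustedpcs": ["insidepc1", "insidepc2"]},
    },
    "untrust": {
        "address": {"outsidepc1": "20.0.0.1/32", "outsidepc2": "20.0.0.2/32"},
        "address-set": {"untrustedpcs": ["outsidepc1", "outsidepc2"]},
    },
}


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    source_address: list       # object/set names or "any"; several names = multi cell
    destination_address: list
    application: list
    action: str                # "permit" or "deny"


# Constructed ordered list for the trust-to-untrust pair: the multi-cell policy
# first, then the group policy. No untrust-to-trust policy exists, so that
# direction falls through to the default deny.
POLICIES = [
    Policy("trust", "untrust", "multicell", ["insidepc1", "insidepc2"],
           ["outsidepc1"], ["any"], "permit"),
    Policy("trust", "untrust", "allow", ["trustedpcs"],
           ["untrustedpcs"], ["any"], "permit"),
]


def resolve(zone, name):
    """Expand an address or address-set name (sets may nest) into networks."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    book = ADDRESS_BOOKS[zone]
    if name in book["address-set"]:
        nets = []
        for member in book["address-set"][name]:
            nets.extend(resolve(zone, member))
        return nets
    return [ipaddress.ip_network(book["address"][name])]


def matches(zone, names, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in names for net in resolve(zone, name))


def evaluate(from_zone, to_zone, src_ip, dst_ip, application):
    """First-match lookup over the zone pair's policies; default deny."""
    for p in POLICIES:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if not matches(from_zone, p.source_address, src_ip):
            continue
        if not matches(to_zone, p.destination_address, dst_ip):
            continue
        if "any" not in p.application and application not in p.application:
            continue
        return (p.name, p.action)
    return ("default-policy", "deny")


if __name__ == "__main__":
    for flow in [("trust", "untrust", "10.0.0.2", "20.0.0.1", "junos-ftp"),
                 ("trust", "untrust", "10.0.0.1", "20.0.0.2", "junos-http"),
                 ("trust", "untrust", "10.0.0.3", "20.0.0.1", "junos-http"),
                 ("untrust", "trust", "20.0.0.1", "10.0.0.1", "junos-http")]:
        print(flow, "->", evaluate(*flow))
```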

Lab # 7

Advance Policy Configuration

Topology (figure): SRX trust interface 10.0.0.10, untrust interface 20.0.0.10; hosts 10.0.0.1 and 10.0.0.2 in trust; hosts 20.0.0.1 and 20.0.0.2 in untrust.

Configuration

a.Logging

*Logging of Flow Session

Creating log file through this command


In configuration mode type following cmds

set system syslog file log-file any any


set system syslog file log-file match RT_FLOW_SESSION

Calling log into policy


In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-init
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-close

Output of logging

Feb 18 20:11:16 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.1/2690->20.0.0.1/80 junos-http 20.0.0.10/28723->20.0.0.1/80 source-nat-rule None 6 trust-to-untrust trust untrust 6894

Verifying commands
In operational mode type following cmds

show security flow session
clear security flow session all
show log log-file
clear log log-file
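The session-init record above carries the original and translated addresses, the NAT rules, the policy name and the zone pair, so a log file of these lines can be turned into something reviewable. The Python parser below is an added example, not part of the manual: it parses the line shown above plus a second line constructed here (not device output) to resemble an inbound session through the destination-NAT lab (policy allow, rule servernat), then counts sessions per policy and picks out the inbound ones.

```python
import re
from collections import Counter

# First line: the session-create record from the lab output. Second line:
# constructed for this example in the same format, not captured from a device.
SAMPLE_LOG = """\
Feb 18 20:11:16 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.1/2690->20.0.0.1/80 junos-http 20.0.0.10/28723->20.0.0.1/80 source-nat-rule None 6 trust-to-untrust trust untrust 6894
Feb 18 20:12:03 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 20.0.0.1/40521->20.0.0.51/80 junos-http 20.0.0.1/40521->10.0.0.1/80 None servernat 6 allow untrust trust 6895
"""

# Field order of the unstructured RT_FLOW_SESSION_CREATE message:
# original src/port->dst/port, service, translated src/port->dst/port,
# source-NAT rule, destination-NAT rule, IP protocol number, policy name,
# source zone, destination zone, session id.
SESSION_CREATE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<snat_rule>\S+) (?P<dnat_rule>\S+) (?P<proto>\d+) (?P<policy>\S+) "
    r"(?P<src_zone>\S+) (?P<dst_zone>\S+) (?P<session_id>\d+)"
)


def parse_sessions(text):
    """Return one dict per session-create line; lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_CREATE.search(line)
        if not m:
            continue
        d = m.groupdict()
        # Derived flags: did source or destination NAT change the tuple?
        d["source_natted"] = (d["src"], d["sport"]) != (d["nat_src"], d["nat_sport"])
        d["dest_natted"] = (d["dst"], d["dport"]) != (d["nat_dst"], d["nat_dport"])
        sessions.append(d)
    return sessions


def sessions_per_policy(sessions):
    """Session count per policy name, a log-side counterpart to 'then count'."""
    return Counter(s["policy"] for s in sessions)


def inbound_sessions(sessions, inside_zone="trust"):
    """Sessions entering the inside zone from another zone: review these first."""
    return [s for s in sessions
            if s["dst_zone"] == inside_zone and s["src_zone"] != inside_zone]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    print(sessions_per_policy(parsed))
    for s in inbound_sessions(parsed):
        print("inbound", s["session_id"], s["src"], "->", s["nat_dst"], "via", s["dnat_rule"])
```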

*Logging at console

Enable log through this command


In configuration mode type following cmds
set system syslog console any any

Calling log into policy


In configuration mode type following cmds
set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-init
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-close

*Logging with syslog server (kiwi syslog server)


Enable log through this command
In configuration mode type following cmds
set system syslog host 10.0.0.2 any any

Calling log into policy


In configuration mode type following cmds
set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-init
set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-close

b. Counting
Calling count into policy
In configuration mode type following cmds
set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
set security policies from-zone trust to-zone untrust policy outgoingtraffic then count
commit

Verifying commands
In operational mode type following cmds
show security policies detail

c.Scheduling

To check the system date & time


In operational mode type following cmds
show system uptime

To set the system date & time


In operational mode type following cmds
set date 201103262210

Create a scheduler
In configuration mode type following cmds
set schedulers scheduler testscheduler daily start-time 22:24 stop-time 22:25

Creating policy and adding scheduler in policy

In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy outgoingtraffic scheduler-name testscheduler
set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit

Verifying commands
In operational mode type following cmds

show security policies detail
show schedulers scheduler-name testscheduler

d.SNMP

Configure Snmp Commands


In configuration mode type following cmds

set snmp community public


set snmp trap-group testgroup targets 10.0.0.3

Verifying commands
In Operational mode type following cmds
show snmp statistics

e.Authentication

*Device management Authentication

Telnet to the SRX and verify the user against the local database

In configuration mode type following cmds

set system root-authentication encrypted-password "<password-hash>"
set system login user admin class super-user
set system login user admin authentication plain-text-password
New password:
Retype new password:
set system services telnet
set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all

Telnet to the SRX and verify the user with AAA (RADIUS)

In configuration mode type following cmds

set system authentication-order radius
set system root-authentication encrypted-password "<password-hash>"
set system radius-server 10.0.0.1 secret juniper123
set system login user remote class super-user
set system services telnet
set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all

Verifying commands
In operational mode type following cmds

show system users



*Pass through Authentication


Create user name and password
In configuration mode type following cmds

set access profile testprofile client admin firewall-user password admin123
set access firewall-authentication pass-through default-profile testprofile
set access firewall-authentication pass-through http banner success "welcome to ESP"

Calling authentication in the following policy

In configuration mode type following cmds

set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication pass-through client-match admin

Verifying commands
In Operational mode type following cmds

show security firewall-authentication users

clear security firewall-authentication users



*Webauth with Local Database

Create user name and password


In configuration mode type following cmds

set access profile testprofile client user1 firewall-user password user1


set access firewall-authentication web-authentication default-profile
testprofile
set access firewall-authentication web-authentication banner success "
welcome to esp"

Set webauth ip on untrust interface


set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.20/8 web-authentication http

set system services web-management http interface fe-0/0/1.0
set system services web-management http interface fe-0/0/0.0

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Calling authentication in the following policy


In configuration mode type following cmds

set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication web-authentication client-match user1

Verifying commands
In Operational mode type following cmds

show security firewall-authentication users
clear security firewall-authentication users

*Webauth with AAA server

Configuration on ACS server



User database on ACS



AAA Client Configuration


In configuration mode type following cmds

set access profile testprofile authentication-order radius
set access profile testprofile radius-server 10.0.0.2 secret juniper123
set access firewall-authentication web-authentication default-profile testprofile
set access firewall-authentication web-authentication banner success "welcome to esp"

set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.20/8 web-authentication http

set system services web-management http interface [ fe-0/0/1.0 fe-0/0/0.0 ]

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Calling authentication in the following policy


In configuration mode type following cmds

set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication web-authentication

Verifying commands
In Operational mode type following cmds

show security firewall-authentication users


clear security firewall-authentication users

Lab # 8
Routing

[Topology diagram] SRX trust side 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust 15.0.0.1 linked to router RA Fa0/0 15.0.0.2; RA Fa0/1 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2.

Configuration
a.Static Routing
b.Dynamic Routing
1.RIP
2.OSPF

Define ip address on interfaces


In configuration mode type following cmds

set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8


set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

Configure Static Routing


In configuration mode type following cmds

set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2


commit

Configure Dynamic Routing (RIP)


In configuration mode type following cmds

set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8


set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

set protocols rip group abc export policy1


set protocols rip group abc neighbor fe-0/0/0.0

set policy-options policy-statement policy1 from protocol direct


set policy-options policy-statement policy1 then accept

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

Configure Dynamic Routing (OSPF)


In configuration mode type following cmds
set protocols ospf area 0 interface all

set security zones security-zone untrust host-inbound-traffic protocols all

Allow the traffic using the following policy


In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy allow match
source-address any
set security policies from-zone trust to-zone untrust policy allow match
destination-address any
set security policies from-zone trust to-zone untrust policy allow match
application any
set security policies from-zone trust to-zone untrust policy allow then
permit
commit

Verifying Command
In Operational mode type following cmds

show route
show route protocol static
show configuration
show interfaces terse
show route protocol rip
show ospf interface
show ospf neighbor
show route protocol ospf

Lab # 9
Site-to-site Vpn

[Topology diagram] SRX trust side 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust 15.0.0.1 linked to router RA Fa0/0 15.0.0.2; RA Fa0/1 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2.

Configuration
Define ip address on interfaces
In configuration mode type following cmds

set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8


set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

Define Routing
In configuration mode type following cmds

set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2



Configure Router A as shown below.

First enable ISAKMP

RouterA(config)# crypto isakmp enable ( optional )

RouterA(config)# crypto isakmp policy 10
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2

RouterA(config)# crypto isakmp key juniper123 address 15.0.0.1 ( must match the pre-shared key configured on the firewall )

Configure IPSec transform-set

RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac

Configure crypto ACL to define which traffic to protect

RouterA(config)# access-list 111 permit ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

Configure Crypto-map

RouterA(config)# crypto map mymap 10 ipsec-isakmp


RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 15.0.0.1
RouterA(config-crypto-map)# set transform-set aset

Apply the crypto map to the WAN interface

RouterA(config)# int fa0/0


RouterA(config-if)# crypto map mymap

Configure Firewall as shown below.

Configure ike policy


In configuration mode type following cmds

set security ike proposal ikeproposal authentication-method pre-shared-keys
set security ike proposal ikeproposal dh-group group2
set security ike proposal ikeproposal authentication-algorithm md5
set security ike proposal ikeproposal encryption-algorithm des-cbc
set security ike policy ikepolicy mode main
set security ike policy ikepolicy proposals ikeproposal
set security ike policy ikepolicy pre-shared-key ascii-text juniper123
set security ike gateway ikegateway ike-policy ikepolicy
set security ike gateway ikegateway address 15.0.0.2
set security ike gateway ikegateway external-interface fe-0/0/0

Configure ipsec
In configuration mode type following cmds

set security ipsec proposal ipsecproposal protocol esp


set security ipsec proposal ipsecproposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsecproposal encryption-algorithm des-cbc
set security ipsec policy ipsecpolicy proposals ipsecproposal
set security ipsec vpn s2svpn ike gateway ikegateway
set security ipsec vpn s2svpn ike ipsec-policy ipsecpolicy
set security ipsec vpn s2svpn establish-tunnels on-traffic

Configure Acl
Trust to Untrust
In configuration mode type following cmds

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit tunnel ipsec-vpn s2svpn

UnTrust to Trust
In configuration mode type following cmds

set security policies from-zone untrust to-zone trust policy untrusttotrust match source-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match destination-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match application any
set security policies from-zone untrust to-zone trust policy untrusttotrust then permit

Verifying commands
In Operational mode type following cmds

show security ike security-associations


show security ipsec security-associations
show security ipsec statistics
clear security ipsec statistics
clear security ike security-associations
clear security ipsec security-associations
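Phase 1 only comes up when both peers agree on the authentication method, encryption algorithm, hash, DH group and pre-shared key; a mismatch shows up as an IKE SA that never appears in show security ike security-associations. The following Python check is added here (it is not part of the lab manual, Junos or IOS): it pulls those parameters out of the RouterA and firewall configuration snippets above, which are reconstructed from the lab's values, normalises the two vendors' spellings and lists any parameter on which the peers disagree.

```python
import re

# Added phase-1 consistency check for the lab's site-to-site VPN (not Junos
# or IOS code). Both snippets are constructed from the lab's own values.
IOS_ROUTER_A = """
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key juniper123 address 15.0.0.1
"""
JUNOS_SRX = """
set security ike proposal ikeproposal authentication-method pre-shared-keys
set security ike proposal ikeproposal dh-group group2
set security ike proposal ikeproposal authentication-algorithm md5
set security ike proposal ikeproposal encryption-algorithm des-cbc
set security ike policy ikepolicy pre-shared-key ascii-text juniper123
"""

def _norm_alg(value):
    """Make 'des-cbc'/'des', 'aes 128'/'aes-128-cbc' and 'sha'/'sha1' compare equal."""
    v = value.lower().replace("-cbc", "").replace(" ", "").replace("-", "")
    return "sha1" if v == "sha" else v

# (regex, parameter name, normaliser) for each vendor's spelling of a parameter
IOS_RULES = [
    (r"^authentication (\S+)", "auth", lambda v: "psk" if v == "pre-share" else v),
    (r"^encryption (.+)", "enc", _norm_alg),
    (r"^hash (\S+)", "hash", _norm_alg),
    (r"^group (\d+)", "dh", lambda v: "group" + v),
    (r"^crypto isakmp key (\S+) address", "psk", str),
]
JUNOS_RULES = [
    (r"authentication-method (\S+)", "auth", lambda v: "psk" if v == "pre-shared-keys" else v),
    (r"encryption-algorithm (\S+)", "enc", _norm_alg),
    (r"authentication-algorithm (\S+)", "hash", _norm_alg),
    (r"dh-group (\S+)", "dh", str),
    (r"pre-shared-key ascii-text (\S+)", "psk", str),
]

def extract(config, rules):
    """Return {parameter: normalised value}, taking the first match of each rule."""
    params = {}
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, key, norm in rules:
            m = re.search(pattern, line)
            if m and key not in params:
                params[key] = norm(m.group(1))
    return params

def phase1_mismatches(ios_config, junos_config):
    """Sorted list of phase-1 parameters on which RouterA and the SRX disagree."""
    a, b = extract(ios_config, IOS_RULES), extract(junos_config, JUNOS_RULES)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))

if __name__ == "__main__":
    print(phase1_mismatches(IOS_ROUTER_A, JUNOS_SRX))  # []
    print(phase1_mismatches(IOS_ROUTER_A.replace("hash md5", "hash sha"), JUNOS_SRX))  # ['hash']
```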

Lab # 10

Dynamic Vpn

[Topology diagram] SRX trust 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2.

Configuration
Allow http on Outside Interface
In configuration mode type following cmds

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

set system services web-management https interface fe-0/0/0.0


set system services web-management https system-generated-certificate

Configure Dynamic VPN.


In configuration mode type following cmds

IKE phase 1 proposal

set security ike proposal p1-dynamic-aes authentication-method pre-shared-keys
set security ike proposal p1-dynamic-aes dh-group group2
set security ike proposal p1-dynamic-aes authentication-algorithm sha1
set security ike proposal p1-dynamic-aes encryption-algorithm aes-128-cbc

IKE phase 2 proposal (IPSEC)

set security ipsec proposal p2-dynamic-aes protocol esp


set security ipsec proposal p2-dynamic-aes authentication-algorithm hmac-sha1-96
set security ipsec proposal p2-dynamic-aes encryption-algorithm aes-128-cbc

Phase 1 - gateway definition

set security ike policy dynvpn mode aggressive


set security ike policy dynvpn proposals p1-dynamic-aes
set security ike policy dynvpn pre-shared-key ascii-text juniper

set security ike gateway gw-dyn dynamic hostname dynvpn.juniper.net


set security ike gateway gw-dyn external-interface fe-0/0/0
set security ike gateway gw-dyn ike-policy dynvpn
set security ike gateway gw-dyn xauth access-profile radius_profile

Phase 2 - vpn definition

set security ipsec policy dynvpn proposals p2-dynamic-aes


set security ipsec policy dynvpn perfect-forward-secrecy keys group2

set security ipsec vpn ipsec-dyn ike gateway gw-dyn


set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn

Add an access profile and user definitions for IPsec client authentication
(used with xauth)

set access profile radius_profile authentication-order radius


set access profile radius_profile radius-server 10.0.0.2 secret juniper123

set access firewall-authentication pass-through default-profile radius_profile

Creating security policy to permit vpn client

set security policies from-zone untrust to-zone trust policy policy-dynvpn


match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy policy-dynvpn
then permit tunnel ipsec-vpn ipsec-dyn

Security policy delivered to client

set security dynamic-vpn force-upgrade


set security dynamic-vpn access-profile radius_profile

set security dynamic-vpn clients irfan remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients irfan ipsec-vpn ipsec-dyn
set security dynamic-vpn clients irfan user irfan

run request security pki generate-key-pair certificate-id https


Client run on XP

Verifying commands
In Operational mode type following cmds

show security dynamic-vpn users


show security dynamic-vpn client version
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics

Lab # 11

Screen Options
[Topology diagram] SRX trust side 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust 15.0.0.1 linked to router RA Fa0/0 15.0.0.2; RA Fa0/1 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2.

Configuration

Define ip address on interfaces


In configuration mode type following cmds
delete

set system services web-management http

set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8


set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all

Define Routing
In configuration mode type following cmds

set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2

Define Policy from Untrust


In configuration mode type following cmds

set security policies from-zone untrust to-zone trust policy untrusttotrust match source-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match destination-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match application any
set security policies from-zone untrust to-zone trust policy untrusttotrust then permit

To Block Large ICMP (greater than 1024bytes)


In configuration mode type following cmds

set security screen ids-option test icmp large


set security zones security-zone untrust screen test

To Block IP FRAGMENT
In configuration mode type following cmds

set security screen ids-option test icmp fragment


set security zones security-zone untrust screen test

Verifying commands
In Operational mode type following cmds

show security screen ids-option test


show security screen statistics zone untrust | match icmp
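To see exactly what the two screens key on, here is an added Python model of them (not SRX code and not part of the lab manual). It applies Juniper's definitions: "icmp large" trips on an ICMP frame whose IP total length exceeds 1024 bytes, "icmp fragment" on an ICMP frame with the More Fragments flag set or a non-zero fragment offset; the packets are constructed test data and the counter mimics the per-screen counts reported by show security screen statistics.

```python
import struct

# Added model of the 'icmp large' and 'icmp fragment' screens (not SRX code).
LARGE_ICMP_THRESHOLD = 1024   # IP length above which the lab says ICMP is blocked
MORE_FRAGMENTS = 0x2000       # MF bit in the IPv4 flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF     # 13-bit fragment offset

def build_icmp_packet(payload_len, more_fragments=False, frag_offset=0):
    """Construct IPv4 header + ICMP echo request with payload_len bytes of padding."""
    total_len = 20 + 8 + payload_len
    flags_frag = (MORE_FRAGMENTS if more_fragments else 0) | (frag_offset & FRAG_OFFSET_MASK)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                         64, 1, 0, bytes([20, 0, 0, 1]), bytes([10, 0, 0, 1]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * payload_len
    return ip_hdr + icmp

def screen_hits(packet):
    """Return the set of screen checks an IPv4 packet trips (empty set = passed)."""
    _ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    hits = set()
    if proto != 1:              # both screens only examine ICMP (protocol 1)
        return hits
    if total_len > LARGE_ICMP_THRESHOLD:
        hits.add("icmp large")
    if flags_frag & MORE_FRAGMENTS or flags_frag & FRAG_OFFSET_MASK:
        hits.add("icmp fragment")
    return hits

def screen_statistics(packets):
    """Count packets per tripped screen, like 'show security screen statistics'."""
    counts = {"icmp large": 0, "icmp fragment": 0}
    for pkt in packets:
        for name in screen_hits(pkt):
            counts[name] += 1
    return counts

if __name__ == "__main__":
    sample = [build_icmp_packet(56),                          # normal ping
              build_icmp_packet(1400),                        # oversized ping
              build_icmp_packet(100, more_fragments=True),    # first fragment
              build_icmp_packet(1400, frag_offset=185)]       # large and fragmented
    print(screen_statistics(sample))  # {'icmp large': 2, 'icmp fragment': 2}
```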

Lab # 12
DHCP

[Topology diagram] SRX trust 10.0.0.10 acting as DHCP server, with two hosts acquiring their addresses from DHCP; SRX untrust 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2.

Configuration
In configuration mode type following cmds

set system services dhcp router 10.0.0.10


set system services dhcp pool 10.0.0.0/8 address-range low 10.0.0.2
set system services dhcp pool 10.0.0.0/8 address-range high 10.0.0.254

On pc

C:\> ipconfig /release

C:\> ipconfig /renew (Note that the PC will get an ip address from the pool)

Not apply DHCP on this interface


In configuration mode type following cmds

set system services dhcp propagate-settings fe-0/0/0.0

Verifying Commands.
In Operational mode type following cmds

show system services dhcp bindings


show system services dhcp pool
show system services dhcp statistics

Lab # 13
INTER-VLAN ROUTING WITH BVI
[Topology diagram] SRX Fa0/1 10.0.0.10 in VLAN 10 to Host A 10.0.0.1/8 (gateway 10.0.0.10); SRX Fa0/0 20.0.0.10 in VLAN 20 to Host B 20.0.0.1/8 (gateway 20.0.0.10).

Configuration
Configure intervlan Routing
In configuration mode type following cmds
set interfaces fe-0/0/0 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family ethernet-switching

set interfaces vlan unit 10 family inet address 10.0.0.10/8


set interfaces vlan unit 20 family inet address 20.0.0.10/8

Assign interface to Vlan


set vlans vlan-10 vlan-id 10
set vlans vlan-10 interface fe-0/0/1.0
set vlans vlan-10 l3-interface vlan.10

set vlans vlan-20 vlan-id 20


set vlans vlan-20 interface fe-0/0/0.0
set vlans vlan-20 l3-interface vlan.20

Assign Vlan interface to Zone


set security zones security-zone trust interfaces vlan.10
set security zones security-zone untrust interfaces vlan.20

Create Policy from trust to untrust


set security policies from-zone trust to-zone untrust policy
outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy
outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy
outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy
outgoingtraffic then permit

Verifying Commands.
In Operational mode type following cmds

show vlans
show route
show ethernet-switching interfaces
show interface terse

INTER-VLAN ROUTING WITH ROUTED PORT

[Topology diagram] SRX trust 10.0.0.10/8 and untrust 20.0.0.10/8 on one trunk to EX2200 Fa0/23; EX2200 Fa0/1 in VLAN 10 to WEB Server 10.0.0.1/8 (gateway 10.0.0.10); EX2200 Fa0/13 in VLAN 20 to FTP Server 20.0.0.1/8 (gateway 20.0.0.10).

Configuration

SRX Configuration
Configure intervlan Routing
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 10 vlan-id 10
set interfaces fe-0/0/0 unit 10 family inet address 10.0.0.10/8
set interfaces fe-0/0/0 unit 20 vlan-id 20
set interfaces fe-0/0/0 unit 20 family inet address 20.0.0.10/8

Assign interface to Zone


set security zones security-zone trust interfaces fe-0/0/0.10
set security zones security-zone untrust interfaces fe-0/0/0.20

Allow trust inbound Services


set security zones security-zone trust host-inbound-traffic system-
services all

Create Policy from trust to untrust


set security policies from-zone trust to-zone untrust policy
outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy
outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy
outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy
outgoingtraffic then permit

Switch Configuration
Configure Vlan
set vlans vlan10 vlan-id 10
set vlans vlan20 vlan-id 20

Assign interface to the Vlan


set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access

set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan20

Configure Trunk Port


set interfaces ge-0/0/23 description "trunk to SRX"
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members vlan20

Verifying Commands.
In Operational mode type following cmds

show vlans
show route
show interface terse
show vlans brief
