
Junos OS for SRX Overview

Lab Guide

Worldwide Education Services


1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Course Number: SSSRX03

This document is produced by Juniper Networks, Inc. This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks Education Services. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Junos OS for SRX Overview, Revision A
Copyright 2010, Juniper Networks, Inc. All rights reserved. Printed in USA.

The information in this document is current as of the date listed above. The information in this document has been carefully verified and is believed to be accurate for software Release 10.0R1.8. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.

Contents

Lab 0: Introduction to the Juniper Networks Virtual Lab
    Part 1: Accessing the Virtual Lab Homepage
    Part 2: Accepting the EULA
    Part 3: Logging in to the TrueLab Manager
    Part 4: Selecting Your Time Zone
    Part 5: Creating an On-Demand Session
    Part 6: Creating a Dynamic Session (If the On-Demand Session Is Unavailable)
    Part 7: Starting the Session
    Part 8: Additional Information and Feedback

Lab 1: Configuring Interfaces on Junos OS Devices
    Part 1: Configuring Interfaces and Verifying Operational State

Lab 2: Security Policy
    Part 1: Configuring Zones
    Part 2: Reviewing the Default Security Policy
    Part 3: Configuring Address Books
    Part 4: Configuring Security Policies
    Part 5: Monitoring Security Policies

Lab 3: Network Address Translation
    Part 1: Interface-Based Source NAT
    Part 2: Pool-Based Destination NAT


Document Conventions
CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.

Style: Franklin Gothic
    Description: Normal text.
    Usage example: Most of what you read in the Lab Guide and Student Guide.

Style: Courier New
    Description: Console text (screen captures, noncommand-related syntax) and GUI text elements (menu names, text field entry).
    Usage examples:
        commit complete
        Exiting configuration mode
        Select File > Open, and then click Configuration.conf in the Filename text box.

Input Text Versus Output Text


You will also frequently see cases where you must enter input text yourself. Often this will be shown in the context of where you must enter it. We use bold style to distinguish text that is input versus text that is simply displayed.

Style: Normal CLI
    Description: No distinguishing variant.
    Usage example: Physical interface: fxp0, Enabled

Style: Normal GUI
    Description: No distinguishing variant.
    Usage example: View configuration history by clicking Configuration > History.

Style: CLI Input
    Description: Text that you must enter.
    Usage example: lab@San_Jose> show route

Style: GUI Input
    Description: Text that you must enter.
    Usage example: Select File > Save, and enter config.ini in the Filename field.


Defined and Undefined Syntax Variables


Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well.

Style: CLI Variable
    Description: Text where the variable's value is already assigned.
    Usage example: policy my-peers

Style: GUI Variable
    Description: Text where the variable's value is already assigned.
    Usage example: Click on my-peers in the dialog.

Style: CLI Undefined
    Description: Text where the variable's value is at the user's discretion, and text where the variable's value as shown in the lab guide might differ from the value the user must input.
    Usage examples:
        Type set policy policy-name.
        ping 10.0.x.y

Style: GUI Undefined
    Description: Text where the variable's value is at the user's discretion, and text where the value shown in the lab guide might differ from the value the user must input.
    Usage example: Select File > Save, and enter filename in the Filename field.


Additional Information
Education Services Offerings
You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to: http://www.juniper.net/training/education/.

About This Publication


The Junos OS for SRX Overview Lab Guide was developed and tested using software Release 10.0R1.8. Previous and later versions of software might behave differently so you should always consult the documentation and release notes for the version of code you are running before reporting errors. This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to training@juniper.net.

Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats: Go to http://www.juniper.net/techpubs/. Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.

Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

Juniper Networks Support


For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).


Lab 0
Introduction to the Juniper Networks Virtual Lab

Overview
This lab shows the basic procedures for how to access the Juniper Networks Virtual Lab (vLab) using a standard Web browser.

The Purpose of the Virtual Labs

The Virtual Labs help partners receive hands-on training through a virtual portal that is available 24 hours a day, 7 days a week. This is not a simulator but live equipment, provided to promote learning and development for partners interested in the Juniper Networks Partner Learning Academy. JNSS labs are an online class with a series of modules and lab exercises that help a student become proficient at installing, configuring, and troubleshooting Juniper products. Each course is designed to take approximately 8 hours to complete.

Once connected to the JNSS site, you will need to register (with a valid e-mail address) and then log in. Access is granted on a first come, first served basis through the training section of the Partner Center. The Virtual Labs (vLabs) are also available for dedicated leader-led courses on an as-needed basis. The system checks whether one of the selected labs is available. If a vLab is available, access is granted. If no lab is available, you will be asked to try again later. Each of the vLabs is duplicated multiple times. In the case of the Router/Firewall lab there are extra cross-connects between the labs so that in a classroom environment they can be connected in interesting network topologies.

Note We recommend that you download and read the lab details and guides associated with each of the corresponding labs. These details and guides provide the passwords used to access the equipment.


Part 1: Accessing the Virtual Lab Homepage


The first step in accessing the Virtual Lab is to log in to the Virtual Lab homepage. To access the Virtual Lab homepage, copy and paste the following URL into a browser window: https://virtuallabs.juniper.net

Part 2: Accepting the EULA


You will need to accept the End User License Agreement to log in and begin your work in the Virtual Lab.

Part 3: Logging in to the TrueLab Manager


If you are already logged in to the Partner Learning Academy on the Juniper Partner Center, you will not need to log in to TrueLab Manager. However, if you are not logged in to the Partner Center, you can log in on this screen.


Part 4: Selecting Your Time Zone


Next, you must specify a time zone. Once your correct time zone has been specified, click Update in the bottom left corner of the screen.

Step 4.1
You can modify your user name, password, and time zone if necessary by clicking on the Profile tab. Once you have made the updates, you must click Update to save these changes.


Part 5: Creating an On-Demand Session


You will then create a session under the Sessions tab and select the lab that you want to use. First, identify the correct row for your course under the Event heading. Next, select the course title from the Purpose drop-down menu under the Session Information column and click Open.

Note Click the View Event Details link under each Event description to access the course lab guide and credentials.


Part 6: Creating a Dynamic Session (If the On-Demand Session Is Unavailable)


To reserve a dynamic session, first identify the correct row for your course under the Event heading. Next, select the course title from the Purpose drop-down menu under the Session Information column and the lab you want to schedule under the Lab Option drop-down menu. Click Reserve to schedule a session.


Step 6.1
Click Start Session Now.

Step 6.2
Click Finish to return to the Sessions tab.

Note The system will send you a reminder e-mail prior to your session start time.

Part 7: Starting the Session


Once the Start Session Now link has been clicked (under the session link), you will be prompted to click OK to continue and log in.


Note Each session can be a maximum of 3 hours.

Step 7.1
Click OK to see the following screen.

Note Do not close the browser window. Closing your browser window disconnects your Virtual Lab session.


Step 7.2
Once you have an active session, you will see the following virtual desktop screen. On this virtual desktop, you must double-click on the Secure CRT icon to begin your lab.

Note The Help tab also has links to the related course lab guide and vLab environment help guides.


Step 7.3
Choose the device you will be working with in the Secure CRT session and click Connect.

Note Make sure that you consult your lab guide before opening any of the VT100 terminal sessions.

Part 8: Additional Information and Feedback


Connection Test
You can test your ability to connect by navigating to http://truelab.hatsize.com/syscheck/.

Virtual Lab Support
For support, call 1-866-933-5487 (207-319-1142 if outside North America), go to https://support.hatsize.com/, or send an e-mail to support@hatsize.com.

Feedback
If you would like to provide feedback on ways we can improve your vLab experience, please send an e-mail to salestraining@juniper.net.

STOP


Lab 1
Configuring Interfaces on Junos OS Devices

Overview
In this lab, you use the CLI to perform basic interface configuration. By completing this lab, you will perform the following task:

- Perform basic interface configuration.


Part 1: Configuring Interfaces and Verifying Operational State


The objective of this lab part is to perform interface configuration and verify the operational state of interfaces using the Junos OS CLI.

Step 1.1
Access the CLI using SecureCRT. Double click on the SecureCRT 5.0 icon located on the desktop to open the connection manager. Highlight SRX1 and click the connect button.

Step 1.2
Log in as user lab with the password lab123.

host1-b (ttyp0)

login: lab
Password:

--- JUNOS 9.6R1.13 built 2009-11-03 10:06:39 UTC
lab@host1-b>

Step 1.3
Issue the show interfaces terse CLI command to check the state of your device's interfaces.

lab@host1-b> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
...TRIMMED...
ge-0/0/1                up    up
ge-0/0/1.0              up    up
ge-0/0/2                up    up
ge-0/0/2.0              up    up
ge-0/0/3                up    up
ge-0/0/3.0              up    up
...TRIMMED...
lo0                     up    up
lo0.0                   up    up
...TRIMMED...

Notice that several interfaces are up, but only the ge-0/0/0 interface has been configured with an address.

Step 1.4
Enter configuration mode.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b#

Step 1.5
Refer to the network diagram for this lab and configure the ge-0/0/3 and loopback interfaces. Use logical unit 0 on both interfaces.

[edit]
lab@host1-b# edit interfaces

[edit interfaces]
lab@host1-b# set ge-0/0/3 unit 0 family inet address 172.18.1.2/30

[edit interfaces]
lab@host1-b# set lo0 unit 0 family inet address 192.168.1.1/32

[edit interfaces]
lab@host1-b#

Step 1.6
Enable VLAN tagging on the ge-0/0/4 interface using the set ge-0/0/4 vlan-tagging command.

[edit interfaces]
lab@host1-b# set ge-0/0/4 vlan-tagging

[edit interfaces]
lab@host1-b#

Step 1.7
Configure the ge-0/0/4 interface as shown on the network topology diagram. Use the VLAN Assignments table on the topology diagram to determine the correct value for the v variable associated with your assigned device. This variable is used for the vlan-id, unit number and IP address.


[edit interfaces]
lab@host1-b# set ge-0/0/4 unit 10v vlan-id 10v

[edit interfaces]
lab@host1-b# set ge-0/0/4 unit 10v family inet address 172.20.10v.1/24

[edit interfaces]
lab@host1-b# set ge-0/0/4 unit 20v vlan-id 20v

[edit interfaces]
lab@host1-b# set ge-0/0/4 unit 20v family inet address 172.20.20v.1/24

[edit interfaces]
lab@host1-b# show ge-0/0/4
vlan-tagging;
unit 102 {
    vlan-id 102;
    family inet {
        address 172.20.102.1/24;
    }
}
unit 202 {
    vlan-id 202;
    family inet {
        address 172.20.202.1/24;
    }
}

Step 1.8
Configure a static default route that points to the IP address associated with the remote end of the ge-0/0/3 interface for your device. Commit the configuration and return to operational mode.

[edit interfaces]
lab@host1-b# up

[edit]
lab@host1-b# edit routing-options

[edit routing-options]
lab@host1-b# set static route 0/0 next-hop 172.18.1.1

[edit routing-options]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>

Step 1.9
Issue the show interfaces terse CLI command to verify the state of the configured interfaces.

lab@host1-b> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
...TRIMMED...
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.102            up    up   inet     172.20.102.1/24
ge-0/0/4.202            up    up   inet     172.20.202.1/24
...TRIMMED...
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1           --> 0/0
...TRIMMED...

Question: What is the Admin and Link state of the recently configured interfaces?

Answer: All configured interfaces should show an Admin and Link state of up, as shown in the sample capture.

Step 1.10
Enter configuration mode again and navigate to the [edit interfaces ge-0/0/3] hierarchy level.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b# edit interfaces ge-0/0/3

[edit interfaces ge-0/0/3]
lab@host1-b#


Step 1.11
Add a second IP address, 5.5.5.5/30, to the ge-0/0/3 interface.

[edit interfaces ge-0/0/3]
lab@host1-b# set unit 0 family inet address 5.5.5.5/30

[edit interfaces ge-0/0/3]
lab@host1-b#

Step 1.12
Now make the original IP address the primary address.

[edit interfaces ge-0/0/3]
lab@host1-b# set unit 0 family inet address 172.18.1.2/30 primary

[edit interfaces ge-0/0/3]
lab@host1-b#

Step 1.13
Activate the configuration and return to operational mode.

[edit interfaces ge-0/0/3]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>

Step 1.14
Issue the show interfaces terse CLI command to verify the changes you made to the ge-0/0/3 interface.

lab@host1-b> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
...TRIMMED...
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     5.5.5.5/30
                                            172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.102            up    up   inet     172.20.102.1/24
ge-0/0/4.202            up    up   inet     172.20.202.1/24
...TRIMMED...
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1           --> 0/0
...TRIMMED...


Question: Do you see the additional IP address? Can you tell which IP address is the primary?

Answer: The 5.5.5.5/30 address should appear, but it is not clear which IP address is the primary address for the interface.

Step 1.15
Issue the show interfaces ge-0/0/3 CLI command to determine which IP address is the primary address.

lab@host1-b> show interfaces ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 138
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
  Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:26:88:fb:a4:03, Hardware address: 00:26:88:fb:a4:03
  Last flapped   : 2010-03-12 09:59:57 UTC (4w0d 16:34 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/3.0 (Index 71) (SNMP ifIndex 506)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 9975735
    Output packets: 9054489
    Security: Zone: Null
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Is-Preferred
        Destination: 5.5.5.4/30, Local: 5.5.5.5, Broadcast: 5.5.5.7
      Addresses, Flags: Primary Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3

lab@host1-b>

Question: Can you determine which IP address is the primary?

Answer: Yes. Near the bottom of the CLI output, the Is-Primary flag is shown on the 172.18.1.2 address, the one configured with the primary statement in Step 1.12. The 5.5.5.5 address carries only Is-Preferred.
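Checking interface state by eye works for one device; for many, the same checks are scripted. The following Python is an added example, not code from the lab guide or from Juniper: it parses the two outputs used in this part, pulling the per-address flags from show interfaces to find the Is-Primary address and the bound security zone, and reading show interfaces terse (including the indented continuation line that a second address on a unit produces) to list any interface that is not up/up. The sample captures are constructed from the Step 1.14 and 1.15 output, with the ge-0/0/4.202 link changed to down so the check has something to report.

```python
import re

# Constructed sample: the Step 1.15 capture, trimmed to the lines the parser
# needs (physical header, logical unit, security zone, inet addresses).
SHOW_INTERFACES_GE_0_0_3 = """\
Physical interface: ge-0/0/3, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 138
  Logical interface ge-0/0/3.0 (Index 71) (SNMP ifIndex 506)
    Flags: SNMP-Traps Encapsulation: ENET2
    Security: Zone: Null
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Is-Preferred
        Destination: 5.5.5.4/30, Local: 5.5.5.5, Broadcast: 5.5.5.7
      Addresses, Flags: Primary Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3
"""

# Constructed sample: the Step 1.14 'show interfaces terse' capture, with the
# ge-0/0/4.202 link changed to down so not_up() has something to report.
SHOW_INTERFACES_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     5.5.5.5/30
                                            172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.102            up    up   inet     172.20.102.1/24
ge-0/0/4.202            up    down inet     172.20.202.1/24
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1           --> 0/0
"""

# One address block: the "Addresses, Flags:" line followed by its Destination line.
ADDRESS_RE = re.compile(
    r"Addresses, Flags: (?P<flags>[^\n]*)\n\s*"
    r"Destination: (?P<dest>[^,]+), Local: (?P<local>[^,\n]+)")


def parse_addresses(text):
    """Return [(local, destination_prefix, {flags})] in display order."""
    return [(m["local"], m["dest"], set(m["flags"].split()))
            for m in ADDRESS_RE.finditer(text)]


def primary_address(text):
    """Local address carrying Is-Primary. Junos marks exactly one address per
    family: the lowest one unless an address is configured with 'primary'."""
    prim = [local for local, _, flags in parse_addresses(text) if "Is-Primary" in flags]
    if len(prim) != 1:
        raise ValueError(f"expected exactly one Is-Primary address, found {prim}")
    return prim[0]


def security_zone(text):
    """Zone bound to the logical unit; 'Null' means the unit passes no transit traffic."""
    m = re.search(r"Security: Zone: (\S+)", text)
    return m.group(1) if m else None


def parse_terse(text):
    """Map interface name -> {'admin', 'link', 'proto', 'addresses', 'remote'}."""
    table, current = {}, None
    for line in text.splitlines()[1:]:          # skip the column header
        if not line.strip():
            continue
        if line[0].isspace():                   # continuation: extra address on same unit
            table[current]["addresses"].append(line.split()[0])
            continue
        tok = line.split()
        current = tok[0]
        table[current] = {
            "admin": tok[1], "link": tok[2],
            "proto": tok[3] if len(tok) > 3 else None,
            "addresses": [tok[4]] if len(tok) > 4 else [],
            "remote": " ".join(tok[5:]) if len(tok) > 5 else None,
        }
    return table


def not_up(table):
    """Interfaces whose Admin or Link column is anything other than 'up'."""
    return sorted(n for n, r in table.items() if (r["admin"], r["link"]) != ("up", "up"))
```

The terse output shows every address but never the primary flag, which is why primary_address() works from the longer show interfaces form; the same parse also surfaces "Zone: Null", the reason a freshly configured interface passes no traffic until Lab 2 assigns it to a zone.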


Step 1.16
Re-enter configuration mode.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b#

Step 1.17
Delete the 5.5.5.5 IP address as well as the primary flag on the 172.18.x.2 IP address.

[edit]
lab@host1-b# edit interfaces ge-0/0/3

[edit interfaces ge-0/0/3]
lab@host1-b# delete unit 0 family inet address 5.5.5.5/30

[edit interfaces ge-0/0/3]
lab@host1-b# edit unit 0 family inet address 172.18.1.2/30

[edit interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30]
lab@host1-b# delete primary

[edit interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30]
lab@host1-b# top

[edit]
lab@host1-b# show interfaces ge-0/0/3
unit 0 {
    family inet {
        address 172.18.1.2/30;
    }
}

Step 1.18
Activate the configuration and return to operational mode.

[edit]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>

STOP


Lab 2
Security Policy

Overview
In this lab, you will implement security policies designed to allow only necessary traffic between zones within your pod. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab, you will perform the following tasks:

- Define security zones and assign interfaces to security zones.
- Define zone address books necessary for security policy.
- Implement security policies between zones within your assigned pod.
- Monitor the effects of your configuration.


Part 1: Configuring Zones


In this lab part, you will remove the current zone configuration and reassign your device interfaces to various security and functional zones.

Step 1.1
Access the CLI using SecureCRT. Double click on the SecureCRT 5.0 icon located on the desktop to open the connection manager. Highlight SRX1 and click the connect button.

Step 1.2
Log in as user lab with the password lab123.

host1-b (ttyp0)

login: lab
Password:

--- JUNOS 9.6R1.13 built 2009-11-03 10:06:39 UTC
lab@host1-b>

Step 1.3
Enter configuration mode using the configure command.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b#

Step 1.4
Using the load override command, load the file host1-X_L4_SecEna.config from the /cf/root/ directory. This loads the basic configuration needed to complete the lab. Use the commit command to apply the changes.

[edit]
lab@host1-b# load override /cf/root/host1-X_L4_SecEna.config

[edit]
lab@host1-b# commit
commit complete

[edit]
lab@host1-b#

Step 1.5
Open a new SecureCRT tab and connect to the SRX2 device. Enter configuration mode and load the host2-X_L4_SecEna.config file from the /cf/root/ directory. Commit the changes and exit when complete.

Click File > Connect in Tab from the SecureCRT window.

Select SRX2 from the available devices and click Connect.

Log in as user lab with the password lab123.

host2-b (ttyp0)

login: lab
Password:

--- JUNOS 9.6R1.13 built 2009-11-03 10:06:39 UTC
lab@host2-b>

Enter configuration mode.

lab@host2-b> configure
Entering configuration mode

[edit]
lab@host2-b#

Load the configuration file, commit, and exit configuration mode. Then log out of the device, close the tab, and return to the SRX1 device.

[edit]
lab@host2-b# load override /cf/root/host2-X_L4_SecEna.config

[edit]
lab@host2-b# commit and-quit
commit complete
Exiting configuration mode
lab@host2-b> exit

host2-b (ttyu0)

login:

Step 1.6
Navigate to the [edit security] configuration hierarchy.

[edit]
lab@host1-b# edit security

[edit security]
lab@host1-b#

Step 1.7
View the [edit security] configuration stanza and answer the question that follows.

[edit security]
lab@host1-b# show
forwarding-options {
    family {
        mpls {
            mode packet-based;
        }
    }
}


Question: What do you notice about the security configuration that is set up on your device?

Answer: As the output from host1-b shows, the device is currently configured for packet-based forwarding, which disables the flow-based security features of Junos OS.

Step 1.8
Delete the current security configuration.

[edit security]
lab@host1-b# delete
Delete everything under this level? [yes,no] (no) yes

[edit security]
lab@host1-b# show

[edit security]
lab@host1-b#

Step 1.9
Refer to the lab diagram and configure the untrust, hr (human resources), and eng (engineering) zones. Configure these zones as security zones. Add the appropriate network interfaces under each security zone.

[edit security]
lab@host1-b# set zones security-zone hr interfaces ge-0/0/4.10v

[edit security]
lab@host1-b# set zones security-zone eng interfaces ge-0/0/4.20v

[edit security]
lab@host1-b# set zones security-zone untrust interfaces ge-0/0/3.0

Step 1.10
Next, configure a functional zone and associate it with your device's management interface.

[edit security]
lab@host1-b# set zones functional-zone ?
Possible completions:
> management          Host for out of band management interfaces

[edit security]
lab@host1-b# set zones functional-zone management interfaces ge-0/0/0.0


Question: What name did you assign to the functional zone of your device? Why?

Answer: Each student should assign a functional zone name of management. As shown in the output, the Junos OS predefines this name. management is the only name the Junos OS allows for a functional zone.

Step 1.11
Configure the functional zone so that it allows SSH, Telnet, ping, traceroute, HTTP, and SNMP local inbound traffic.

[edit security]
lab@host1-b# edit zones functional-zone management

[edit security zones functional-zone management]
lab@host1-b# set host-inbound-traffic system-services ssh

[edit security zones functional-zone management]
lab@host1-b# set host-inbound-traffic system-services telnet

[edit security zones functional-zone management]
lab@host1-b# set host-inbound-traffic system-services ping

[edit security zones functional-zone management]
lab@host1-b# set host-inbound-traffic system-services traceroute

[edit security zones functional-zone management]
lab@host1-b# set host-inbound-traffic system-services http

[edit security zones functional-zone management]
lab@host1-b# set host-inbound-traffic system-services snmp

[edit security zones functional-zone management]
lab@host1-b# show
interfaces {
    ge-0/0/0.0;
}
host-inbound-traffic {
    system-services {
        ssh;
        telnet;
        ping;
        traceroute;
        http;
        snmp;
    }
}

[edit security zones functional-zone management]
lab@host1-b#

Question: If you needed to allow all services but Telnet using the host-inbound-traffic statement, what would be the quickest method?

Answer: The quickest method is to configure host-inbound-traffic system-services all together with host-inbound-traffic system-services telnet except. The all keyword opens every system service, and the except keyword on telnet removes that one service from the set.

Step 1.12
Commit your configuration and exit configuration mode.

[edit security zones functional-zone management]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>


Part 2: Reviewing the Default Security Policy


The goal of this lab part is to review the default security policy, which denies all traffic between zones. You will monitor the policy using multiple ping tests.

Note The next lab steps require you to log in to the virtual router attached to your team's device. The virtual routers are logical devices created on a J Series Services Router. Refer to the management network diagram for the IP address of the vr-device.

Step 2.1
Open a separate Telnet session to the virtual router (10.210.14.139) attached to your team device.

Step 2.2
Log in to the virtual router using the login information shown in the following table:

Virtual Router Login Details

    Student Device    User Name    Password
    host1-a           1a           lab123
    host1-b           1b           lab123
    host1-c           1c           lab123
    host1-d           1d           lab123

login: 1b
Password:

--- JUNOS 10.1R1.8 built 2010-02-12 17:00:46 UTC

NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

1b@vr-device>

Step 2.3
Attempt to ping the virtual routers attached to the remote student device within your pod. Ensure you source the ping from the appropriate routing instance. Refer to the lab diagram as needed.

1b@vr-device> ping 172.20.10v.10 routing-instance vr10v count 5
PING 172.20.103.10 (172.20.103.10): 56 data bytes

--- 172.20.103.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

1b@vr-device> ping 172.20.20v.10 routing-instance vr10v count 5
PING 172.20.203.10 (172.20.203.10): 56 data bytes

--- 172.20.203.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

1b@vr-device> ping 172.20.10v.10 routing-instance vr20v count 5
PING 172.20.103.10 (172.20.103.10): 56 data bytes

--- 172.20.103.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

1b@vr-device> ping 172.20.20v.10 routing-instance vr20v count 5
PING 172.20.203.10 (172.20.203.10): 56 data bytes

--- 172.20.203.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Question: Did the ping test succeed? Why or why not?

Answer: As demonstrated in the output, the ping test should not succeed. Your assigned device has no configured security policy. The default security policy action is to deny all transit traffic.

Step 2.4
Return to the terminal session opened to your assigned device and view the default security policy. lab@host1-b> show security policies

Default policy: deny-all

Part 3: Configuring Address Books


In this part, you will configure the address book entries necessary for implementing security policies within your pod.

Step 3.1
Return to the session opened with your assigned device. Referring to the lab diagram, configure the networks associated with the remote team's virtual routers under the untrust zone as address book addresses. Ensure you include the entire /24 network associated with each remote virtual router and name the address book entries after their associated virtual router names.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b# edit security zones security-zone untrust

[edit security zones security-zone untrust]
lab@host1-b# set address-book address vr10v 172.20.10v.0/24

[edit security zones security-zone untrust]
lab@host1-b# set address-book address vr20v 172.20.20v.0/24

[edit security zones security-zone untrust]
lab@host1-b# show address-book
address vr103 172.20.103.0/24;
address vr203 172.20.203.0/24;

[edit security zones security-zone untrust]
lab@host1-b#

Step 3.2
Add the remote /30 network between the Internet and the remote student device in your pod to the untrust zone address book. Configure this address entry to use the same name as the remote student device in your pod.

[edit security zones security-zone untrust]
lab@host1-b# set address-book address host2-x 172.18.2.0/30

[edit security zones security-zone untrust]
lab@host1-b# show address-book
address vr103 172.20.103.0/24;
address vr203 172.20.203.0/24;
address host2-b 172.18.2.0/30;

Step 3.3
For the virtual routers attached to your assigned device, configure the /24 network addresses as address book entries within their respective zones. Name these address book entries with the same name as their associated virtual routers.

[edit security zones security-zone untrust]
lab@host1-b# up

[edit security zones]
lab@host1-b# set security-zone hr address-book address vr10v 172.20.10v.0/24

[edit security zones]
lab@host1-b# set security-zone eng address-book address vr20v 172.20.20v.0/24

[edit security zones]
lab@host1-b#

Part 4: Configuring Security Policies


In this part of the lab you will establish and configure security policies that enable the necessary traffic flow between the security zones.

Step 4.1
Create security policies named intrazone-zone that allow all intra-zone traffic associated with your attached virtual routers to pass through your assigned device, where zone represents the source or destination zone. (Hint: Use the any keyword to save keystrokes.)

[edit security zones]
lab@host1-b# up

[edit security]
lab@host1-b# edit policies from-zone hr to-zone hr policy intrazone-hr

[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@host1-b# set match source-address any

[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@host1-b# set match destination-address any

[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@host1-b# set match application any

[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@host1-b# set then permit

[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@host1-b# show
match {
    source-address any;
    destination-address any;
    application any;

}
then {
    permit;
}

[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@host1-b# up 2

[edit security policies]
lab@host1-b# edit from-zone eng to-zone eng policy intrazone-eng

[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@host1-b# set match source-address any

[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@host1-b# set match destination-address any

[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@host1-b# set match application any

[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@host1-b# set then permit

[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@host1-b# show
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    permit;
}

[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@host1-b#

Step 4.2
Configure security policies allowing all traffic from the virtual router zones to the untrust zone. Name these policies internet-zone, where zone represents the source zone. For this step, match on the appropriate source address using the associated virtual router address book entries.

[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@host1-b# up 2

[edit security policies]
lab@host1-b# edit from-zone hr to-zone untrust policy internet-hr

[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@host1-b# set match source-address vr10v

[edit security policies from-zone hr to-zone untrust policy internet-hr]

lab@host1-b# set match destination-address any

[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@host1-b# set match application any

[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@host1-b# set then permit

[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@host1-b# show
match {
    source-address vr102;
    destination-address any;
    application any;
}
then {
    permit;
}

[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@host1-b# up 2

[edit security policies]
lab@host1-b# edit from-zone eng to-zone untrust policy internet-eng

[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@host1-b# set match source-address vr20v

[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@host1-b# set match destination-address any

[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@host1-b# set match application any

[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@host1-b# set then permit

[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@host1-b# show
match {
    source-address vr202;
    destination-address any;
    application any;
}
then {
    permit;
}

[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@host1-b#

Step 4.3
Next, define a security policy that rejects FTP connections sourced from the hr and dc zones that are destined to the untrust zone. Name this policy deny-ftp-hr.

[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@host1-b# up 2

[edit security policies]
lab@host1-b# edit from-zone hr to-zone untrust policy deny-ftp-hr

[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@host1-b# set match source-address any

[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@host1-b# set match destination-address any

[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@host1-b# set match application junos-ftp

[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@host1-b# set then reject

[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@host1-b# show
match {
    source-address any;
    destination-address any;
    application junos-ftp;
}
then {
    reject;
}

Step 4.4
Commit the configuration.

[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@host1-b# commit
commit complete

Step 4.5
Return to the session opened to the vr-device. Ensure that you cannot open an FTP session to the remote Internet host located at 172.31.15.1. Remember to source the FTP from the routing-instance associated with the hr zone or the dc zone depending upon your assigned device. Use the Ctrl+C key sequence to close the FTP connection.

1b@vr-device> ftp 172.31.15.1 routing-instance vr10v
Connected to 172.31.15.1.
220 vr-device FTP server (Version 6.00LS) ready.
Name (172.31.15.1:1b): ^C

1b@vr-device>

Question: Were you able to initiate an FTP session to the Internet host? Why or why not?

Answer: As demonstrated in the output, the FTP session should succeed. Although you configured a security policy explicitly rejecting this connection, policy ordering has effectively caused the device to ignore this policy.

Step 4.6
Return to the session opened to your assigned device. Reorder the policies so that the deny-ftp-hr policy appears in the list before the internet-hr policy.

[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@host1-b# up

[edit security policies from-zone hr to-zone untrust]
lab@host1-b# show
policy internet-hr {
    match {
        source-address vr102;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
policy deny-ftp-hr {
    match {
        source-address any;
        destination-address any;
        application junos-ftp;
    }
    then {
        reject;
    }
}

[edit security policies from-zone hr to-zone untrust]
lab@host1-b# insert policy deny-ftp-hr before policy internet-hr

[edit security policies from-zone hr to-zone untrust]
lab@host1-b# show
policy deny-ftp-hr {
    match {
        source-address any;
        destination-address any;
        application junos-ftp;
    }
    then {

        reject;
    }
}
policy internet-hr {
    match {
        source-address vr102;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

[edit security policies from-zone hr to-zone untrust]
lab@host1-b# commit
commit complete

[edit security policies from-zone hr to-zone untrust]
lab@host1-b#

Step 4.7
Return to the session opened to the vr-device and try the FTP connection again. (Note: Exit the FTP application by issuing the bye command.)

Note: Keep in mind that when working with virtual routers and routing-instances, command syntax can differ. If needed, please reference the detailed lab guide for sample command syntax for the individual verification tasks performed within this lab.

1b@vr-device> ftp 172.31.15.1 routing-instance vr10v
ftp: connect: Connection refused
ftp> bye

1b@vr-device>

Question: Were you able to initiate an FTP session to the Internet host this time?

Answer: As demonstrated in the output, the FTP session does not succeed. The reordering of policies produces the expected behavior.

Question: Are you able to ping the Internet host?

Answer: As demonstrated in the following output, a ping to the Internet host should succeed.

1b@vr-device> ping 172.31.15.1 routing-instance vr10v rapid count 5
PING 172.31.15.1 (172.31.15.1): 56 data bytes
!!!!!
--- 172.31.15.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.080/12.962/47.159/17.112 ms
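Policy lookup within a from-zone/to-zone context is first-match, which is what Steps 4.5 through 4.7 demonstrate. The following Python model is an added example, not code from this lab guide or from Junos: it replays the lab's hr-to-untrust policies before and after the insert, plus the untrust-to-hr policy of Step 4.10, against constructed sample flows, using the address-book prefixes and application port ranges shown by show security policies detail in Part 5, and reports which policies a set of sample flows never reaches.

```python
import ipaddress
from dataclasses import dataclass

# Address book as built in Part 3 (host1-b values from the show output).
ADDRESS_BOOK = {
    "any": ["0.0.0.0/0"],
    "vr102": ["172.20.102.0/24"], "vr202": ["172.20.202.0/24"],
    "vr103": ["172.20.103.0/24"], "vr203": ["172.20.203.0/24"],
    "host2-b": ["172.18.2.0/30"],
}
# Applications as terms of (protocol, source-port range, destination-port range),
# matching the ranges printed by "show security policies detail" in Step 5.1.
APPLICATIONS = {
    "any": [("any", (0, 65535), (0, 65535))],
    "junos-ftp": [("tcp", (0, 65535), (21, 21))],
    "junos-telnet": [("tcp", (0, 65535), (23, 23))],
    "junos-ping": [("icmp", (0, 65535), (0, 65535))],
    "hr-gizmo": [("udp", (50000, 50000), (50001, 50001))],
}
APPLICATION_SETS = {"internal-apps": ["hr-gizmo", "junos-telnet", "junos-ping"]}


@dataclass
class Policy:
    name: str
    src: str     # address-book name
    dst: str     # address-book name
    app: str     # application or application-set name
    action: str  # permit, deny or reject


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int


def _app_terms(app):
    """Expand an application set into the terms of its member applications."""
    for name in APPLICATION_SETS.get(app, [app]):
        yield from APPLICATIONS[name]


def _addr_match(book_name, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in ADDRESS_BOOK[book_name])


def _app_match(app, flow):
    for proto, (s_lo, s_hi), (d_lo, d_hi) in _app_terms(app):
        if proto in ("any", flow.proto) and s_lo <= flow.sport <= s_hi and d_lo <= flow.dport <= d_hi:
            return True
    return False


def evaluate(policies, flow, default="deny"):
    """Walk the policies of one from-zone/to-zone context in order; the first one whose
    source, destination and application all match decides, otherwise the default policy."""
    for p in policies:
        if _addr_match(p.src, flow.src_ip) and _addr_match(p.dst, flow.dst_ip) and _app_match(p.app, flow):
            return p.name, p.action
    return "default-policy", default


def never_matched(policies, flows):
    """Policies that decide none of the sample flows: the symptom seen in Step 4.5."""
    winners = {evaluate(policies, f)[0] for f in flows}
    return [p.name for p in policies if p.name not in winners]


# hr -> untrust as committed in Step 4.4 (deny-ftp-hr listed after internet-hr) ...
HR_TO_UNTRUST_BEFORE = [
    Policy("internet-hr", "vr102", "any", "any", "permit"),
    Policy("deny-ftp-hr", "any", "any", "junos-ftp", "reject"),
]
# ... and after "insert policy deny-ftp-hr before policy internet-hr" in Step 4.6.
HR_TO_UNTRUST_AFTER = list(reversed(HR_TO_UNTRUST_BEFORE))
# untrust -> hr as configured in Step 4.10.
UNTRUST_TO_HR = [Policy("dc-to-hr", "vr103", "vr102", "internal-apps", "permit")]

# Constructed sample flows; the source ports are arbitrary.
FTP_FROM_HR = Flow("172.20.102.10", "172.31.15.1", "tcp", 50123, 21)
PING_FROM_HR = Flow("172.20.102.10", "172.31.15.1", "icmp", 0, 0)
TELNET_FROM_DC = Flow("172.20.103.10", "172.20.102.10", "tcp", 52119, 23)
TELNET_FROM_IT = Flow("172.20.203.10", "172.20.102.10", "tcp", 52120, 23)  # mirror of Step 5.9

if __name__ == "__main__":
    hr_flows = [FTP_FROM_HR, PING_FROM_HR]
    print("before reorder:", evaluate(HR_TO_UNTRUST_BEFORE, FTP_FROM_HR),
          "never matched:", never_matched(HR_TO_UNTRUST_BEFORE, hr_flows))
    print("after reorder: ", evaluate(HR_TO_UNTRUST_AFTER, FTP_FROM_HR),
          evaluate(HR_TO_UNTRUST_AFTER, PING_FROM_HR))
    print("untrust -> hr: ", evaluate(UNTRUST_TO_HR, TELNET_FROM_DC),
          evaluate(UNTRUST_TO_HR, TELNET_FROM_IT))
```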

Step 4.8
Return to the session opened to your assigned device. Create a custom application named hr-gizmo that uses UDP, a source port of 50000, and a destination port of 50001.

[edit security policies from-zone hr to-zone untrust]
lab@host1-b# top

[edit]
lab@host1-b# edit applications application hr-gizmo

[edit applications application hr-gizmo]
lab@host1-b# set source-port 50000

[edit applications application hr-gizmo]
lab@host1-b# set destination-port 50001

[edit applications application hr-gizmo]
lab@host1-b# set protocol udp

[edit applications application hr-gizmo]
lab@host1-b# show
protocol udp;
source-port 50000;
destination-port 50001;

[edit applications application hr-gizmo]
lab@host1-b#

Step 4.9
Create an application set named internal-apps that includes the hr-gizmo, junos-telnet, and junos-ping applications.

[edit applications application hr-gizmo]
lab@host1-b# up

[edit applications]
lab@host1-b# edit application-set internal-apps

[edit applications application-set internal-apps]
lab@host1-b# set application hr-gizmo

[edit applications application-set internal-apps]
lab@host1-b# set application junos-telnet

[edit applications application-set internal-apps]

lab@host1-b# set application junos-ping

[edit applications application-set internal-apps]
lab@host1-b# show
application hr-gizmo;
application junos-telnet;
application junos-ping;

Step 4.10
Configure security policies that permit the internal-apps applications between the hr and dc security zones. Because the hr and dc zones are separated by the Internet, you must reference the untrust zone when configuring the security policies. Name the policy dc-to-hr.

[edit applications application-set internal-apps]
lab@host1-b# top

[edit]
lab@host1-b# edit security policies from-zone untrust to-zone hr

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# set policy dc-to-hr match source-address vr10v

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# set policy dc-to-hr match destination-address vr10v

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# set policy dc-to-hr match application internal-apps

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# set policy dc-to-hr then permit

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# show
policy dc-to-hr {
    match {
        source-address vr103;
        destination-address vr102;
        application internal-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone untrust to-zone hr]
lab@host1-b#

Question: How many new policies must you define to allow internal-apps traffic bi-directionally?

Answer: Both devices within your assigned pod already have policies defined allowing all internal traffic destined to the untrust zone (with the exception of FTP traffic). For each device you must configure one policy allowing the internal-apps to the appropriate zone from the untrust zone.

Step 4.11
Add a logging action to the dc-to-hr policy. Log both session initiations and session closes.

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# set policy dc-to-hr then log session-init

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# set policy dc-to-hr then log session-close

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# show
policy dc-to-hr {
    match {
        source-address vr103;
        destination-address vr102;
        application internal-apps;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }
}

Step 4.12
Commit the configuration and return to operational mode.

[edit security policies from-zone untrust to-zone hr]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>

Question: Does the commit operation succeed?

Answer: As demonstrated in the output, the commit should succeed.

Part 5: Monitoring Security Policies


In this part of the lab, you will monitor the results of your configuration with command outputs and logging.

Step 5.1
View the security policies in effect on your assigned device by issuing the show security policies command and answer the following questions.

lab@host1-b> show security policies
Default policy: deny-all
From zone: hr, To zone: hr
  Policy: intrazone-hr, State: enabled, Index: 4, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: hr, To zone: untrust
  Policy: deny-ftp-hr, State: enabled, Index: 7, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: junos-ftp
    Action: reject
  Policy: internet-hr, State: enabled, Index: 6, Sequence number: 2
    Source addresses: vr102
    Destination addresses: any
    Applications: any
    Action: permit
From zone: eng, To zone: eng
  Policy: intrazone-eng, State: enabled, Index: 5, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: eng, To zone: untrust
  Policy: internet-eng, State: enabled, Index: 8, Sequence number: 1
    Source addresses: vr202
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: hr
  Policy: dc-to-hr, State: enabled, Index: 9, Sequence number: 1
    Source addresses: vr103
    Destination addresses: vr102
    Applications: internal-apps
    Action: permit, log

Question: What is the total number of active security policies on your assigned device?

Answer: You should see a total of six enabled security policies. If you do not see six enabled security policies, review your configuration steps.

Question: What command can you use to view more detailed information about security policies such as the address book prefixes and application port information?

Answer: Use the same command with the detail option to view a more verbose output:

lab@host1-b> show security policies ?
Possible completions:
  <[Enter]>            Execute this command
  detail               Show the detailed information
  from-zone            Show the policy information matching the given source zone
  policy-name          Show the policy information matching the given policy name
  to-zone              Show the policy information matching the given destination zone
  |                    Pipe through a command

lab@host1-b> show security policies detail
Default policy: deny-all
Policy: intrazone-hr, action-type: permit, State: enabled, Index: 4
  Sequence number: 1
  From zone: hr, To zone: hr
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
Policy: deny-ftp-hr, action-type: reject, State: enabled, Index: 7
  Sequence number: 1
  From zone: hr, To zone: untrust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: junos-ftp
    IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [21-21]

Policy: internet-hr, action-type: permit, State: enabled, Index: 6
  Sequence number: 2
  From zone: hr, To zone: untrust
  Source addresses:
    vr102: 172.20.102.0/24
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
Policy: intrazone-eng, action-type: permit, State: enabled, Index: 5
  Sequence number: 1
  From zone: eng, To zone: eng
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
Policy: internet-eng, action-type: permit, State: enabled, Index: 8
  Sequence number: 1
  From zone: eng, To zone: untrust
  Source addresses:
    vr202: 172.20.202.0/24
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
Policy: dc-to-hr, action-type: permit, State: disabled, Index: 9
  Sequence number: 1
  From zone: untrust, To zone: hr
  Source addresses:
    vr103: 172.20.103.0/24
  Destination addresses:
    vr102: 172.20.102.0/24
  Application: internal-apps
    IP protocol: udp, ALG: 0, Inactivity timeout: 60
      Source port range: [50000-50000]
      Destination port range: [50001-50001]
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [23-23]
    IP protocol: 1, ALG: 0, Inactivity timeout: 60
      ICMP Information: type=255, code=0
  Session log: at-create, at-close

Step 5.2
Return to the session opened on the vr-device and open a Telnet session between the virtual router associated with the hr zone and the virtual router associated with the dc zone. You will initiate a Telnet session with the virtual router interface associated with the dc zone. Log in with the same username and password as your current session.

1b@vr-device> telnet 172.20.10v.10 routing-instance vr10v
Trying 172.20.103.10...
Connected to 172.20.103.10.
Escape character is '^]'.

vr-device (ttyp0)

login: 1b
Password:

--- JUNOS 10.1R1.8 built 2010-02-12 17:00:46 UTC

NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router. You must use 'configure private'
to configure this router.

1b@vr-device>

Step 5.3
Return to the session opened on your assigned device and issue the show security flow session command.

lab@host1-b> show security flow session
Session ID: 26, Policy name: internet-hr/7, Timeout: 1660
  In: 172.20.102.10/56628 --> 172.20.103.10/23;tcp, If: ge-0/0/4.102
  Out: 172.20.103.10/23 --> 172.20.102.10/56628;tcp, If: ge-0/0/3.0

Session ID: 29, Policy name: self-traffic-policy/1, Timeout: 56
  In: 10.210.14.133/123 --> 10.210.14.130/123;udp, If: .local..0
  Out: 10.210.14.130/123 --> 10.210.14.133/123;udp, If: ge-0/0/0.0
2 sessions displayed

Question: What is the session ID for the Telnet session you opened?

Answer: The answer varies, but in the output from host1-b, the session ID is 26.

Step 5.4
Using the session ID, view a more detailed output of the open Telnet session and answer the following question.

lab@host1-b> show security flow session session-identifier 26
Session ID: 26, Status: Normal
Flag: 0x40
Policy name: internet-hr/7
Source NAT pool: Null, Application: junos-telnet/10
Maximum timeout: 1800, Current timeout: 1632
Start time: 1651, Duration: 177
   In: 172.20.102.10/56628 --> 172.20.103.10/23;tcp,
    Interface: ge-0/0/4.102,
    Session token: 0x180, Flag: 0x4129
    Route: 0x70010, Gateway: 172.20.102.10, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
   Out: 172.20.103.10/23 --> 172.20.102.10/56628;tcp,
    Interface: ge-0/0/3.0,
    Session token: 0x200, Flag: 0x4128
    Route: 0x50010, Gateway: 172.18.1.1, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
1 sessions displayed

Question: How many seconds remain before the Telnet session times out (without further activity)?

Answer: The answer varies, but in the output from host1-b, 1632 seconds remain. If there is no further activity during this period, the session closes.

Step 5.5
Return to the vr-device and end the open Telnet session by entering the exit command.

1b@vr-device> exit

Connection closed by foreign host.

1b@vr-device>

Step 5.6
Return to your assigned device and view the configuration hierarchy associated with the syslog settings.

lab@host1-b> show configuration system syslog
user * {
    any emergency;

}
file messages {
    any any;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}

Question: Is your device's syslog configuration sufficient to record security policy log actions?

Answer: Yes. On branch security platforms running the Junos operating system, local data plane logging is enabled by configuring a local syslog with a facility of user and a severity of info. Because the file messages configuration logs any facility at any severity, security policies that are configured with a log action should automatically record entries in the messages log file.

Step 5.7
View security policy log entries by issuing the show log messages | match RT_FLOW command.

Note: Recall that the security policy log action configuration was only for specific traffic ingressing your assigned device from the untrust zone. To see log entries, you must ensure the other team in your pod has initiated (and exited) the Telnet session associated with this lab part.

lab@host1-b> show log messages | match RT_FLOW
Apr 2 04:38:34 host1-b RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.20.103.10/52119->172.20.102.10/23 junos-telnet 172.20.103.10/52119->172.20.102.10/23 None None 6 dc-to-hr untrust hr 12881
Apr 2 04:38:43 host1-b RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 172.20.103.10/52119->172.20.102.10/23 junos-telnet 172.20.103.10/52119->172.20.102.10/23 None None 6 dc-to-hr untrust hr 12881 41(2303) 30(2023) 9
Apr 2 04:39:21 host1-b mgd[944]: UI_CMDLINE_READ_LINE: User 'lab', command 'run show log messages | match RT_FLOW '

Question: Do you see the appropriate log entries recording the opening and closing of the remote team's Telnet session?

Answer: Provided the remote team is keeping up with your team, the answer should be yes.
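The RT_FLOW entries above are easier to review once the create and close events of a session are paired. The following Python parser is an added example, not code from this lab guide or from Junos: the field layout is read from the two log lines in Step 5.7 (original 5-tuple, post-NAT 5-tuple, NAT rule names, IP protocol number, policy, from-zone, to-zone, session id, and on close the reason plus packets(bytes) per direction and elapsed seconds); the hr-gizmo line in the sample is constructed.

```python
import re
from collections import defaultdict

# Field layout read from the two RT_FLOW lines of Step 5.7 (PDF line wrap removed).
RT_FLOW_RE = re.compile(r"""
    ^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\sRT_FLOW:\s
    RT_FLOW_SESSION_(?P<event>CREATE|CLOSE):\s
    session\s(?:created|closed\s(?P<reason>.+?):)\s
    (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)\s(?P<service>\S+)\s
    [\d.]+/\d+->[\d.]+/\d+\s(?P<snat_rule>\S+)\s(?P<dnat_rule>\S+)\s(?P<proto>\d+)\s
    (?P<policy>\S+)\s(?P<from_zone>\S+)\s(?P<to_zone>\S+)\s(?P<sid>\d+)
    (?:\s(?P<cpkts>\d+)\((?P<cbytes>\d+)\)\s(?P<spkts>\d+)\((?P<sbytes>\d+)\)\s(?P<elapsed>\d+))?$
""", re.VERBOSE)
INT_FIELDS = ("sport", "dport", "proto", "sid", "cpkts", "cbytes", "spkts", "sbytes", "elapsed")


def parse_rt_flow(line):
    """Return a dict for an RT_FLOW session event, or None for any other syslog line."""
    m = RT_FLOW_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def correlate(lines):
    """Pair each SESSION_CREATE with its SESSION_CLOSE by session id."""
    sessions = {}
    for line in lines:
        rec = parse_rt_flow(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["sid"], {
            "policy": rec["policy"], "from_zone": rec["from_zone"], "to_zone": rec["to_zone"],
            "service": rec["service"], "client": f"{rec['src']}/{rec['sport']}",
            "server": f"{rec['dst']}/{rec['dport']}", "opened": None, "closed": None,
            "reason": None, "bytes_client": 0, "bytes_server": 0, "elapsed": None})
        if rec["event"] == "CREATE":
            s["opened"] = rec["ts"]
        else:
            s.update(closed=rec["ts"], reason=rec["reason"], bytes_client=rec["cbytes"],
                     bytes_server=rec["sbytes"], elapsed=rec["elapsed"])
    return sessions


def open_sessions(sessions):
    """Session ids that logged a create but no close (still open, or the close was never logged)."""
    return sorted(sid for sid, s in sessions.items() if s["opened"] and not s["closed"])


def policy_summary(sessions):
    """Per (policy, from-zone, to-zone): sessions seen, sessions closed, bytes in both directions."""
    out = defaultdict(lambda: {"sessions": 0, "closed": 0, "bytes": 0})
    for s in sessions.values():
        row = out[(s["policy"], s["from_zone"], s["to_zone"])]
        row["sessions"] += 1
        if s["closed"]:
            row["closed"] += 1
            row["bytes"] += s["bytes_client"] + s["bytes_server"]
    return dict(out)


# Constructed sample: the first three lines are the Step 5.7 output, the last is invented.
SAMPLE_LOG = [
    "Apr 2 04:38:34 host1-b RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.20.103.10/52119->172.20.102.10/23 junos-telnet 172.20.103.10/52119->172.20.102.10/23 None None 6 dc-to-hr untrust hr 12881",
    "Apr 2 04:38:43 host1-b RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 172.20.103.10/52119->172.20.102.10/23 junos-telnet 172.20.103.10/52119->172.20.102.10/23 None None 6 dc-to-hr untrust hr 12881 41(2303) 30(2023) 9",
    "Apr 2 04:39:21 host1-b mgd[944]: UI_CMDLINE_READ_LINE: User 'lab', command 'run show log messages | match RT_FLOW '",
    "Apr 2 04:40:02 host1-b RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.20.103.10/50000->172.20.102.10/50001 hr-gizmo 172.20.103.10/50000->172.20.102.10/50001 None None 17 dc-to-hr untrust hr 12890",
]

if __name__ == "__main__":
    sessions = correlate(SAMPLE_LOG)
    for sid, s in sessions.items():
        print(sid, s["policy"], s["service"], s["client"], "->", s["server"], s["reason"] or "still open")
    print("open:", open_sessions(sessions))
    print(policy_summary(sessions))
```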

Step 5.8
Issue the show interfaces extensive command for the ge-0/0/3 interface.

lab@host1-b> show interfaces extensive ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
  Interface index: 134, SNMP ifIndex: 127, Generation: 137
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:26:88:02:71:83, Hardware address: 00:26:88:02:71:83
  Last flapped   : 2009-09-14 23:28:19 PDT (10:44:34 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                 7304                    0 bps
   Output bytes  :                 7379                    0 bps
   Input  packets:                  107                    0 pps
   Output packets:                  109                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                  107                  107                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                   0                    0                    0
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit

    Total octets                         74204             9011
    Total packets                         1124              107
    Unicast packets                        102              103
    Broadcast packets                     1022                4
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 2, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK,
        Link partner Speed: 1000 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95              0      low    none
    3 network-control         5       50000000     5              0      low    none

  Logical interface ge-0/0/3.0 (Index 69) (SNMP ifIndex 147) (Generation 134)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                 7304
     Output bytes  :                 7179
     Input  packets:                  107
     Output packets:                  109
    Local statistics:
     Input  bytes  :                  960
     Output bytes  :                  952
     Input  packets:                   14
     Output packets:                   16
    Transit statistics:

Security Policy Lab 227

Junos OS for SRX Overview

     Input  bytes  :                 6344                    0 bps
     Output bytes  :                 6227                    0 bps
     Input  packets:                   93                    0 pps
     Output packets:                   93                    0 pps
    Security: Zone: untrust
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     5
      ICMP packets :                     30
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        6879
      Connections established :          1
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        6702
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 147, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3, Generation: 144

Question: What is the value of the Policy denied counter within the interface flow statistics?

Answer: The answer might vary, but in the output taken from host1-b, the value is 0. The purpose of this question is to establish a baseline value.

Step 5.9
Return to the session opened on the vr-device. Once again, issue a Telnet session to the remote virtual router associated with your partner team's hr or dc zone. This time, however, source the Telnet session from the eng or it virtual router, depending on your assigned device.

1b@vr-device> telnet 172.20.10v.10 routing-instance vr20v
Trying 172.20.103.10...
^C
1b@vr-device>

Question: Was the Telnet session successful?

Answer: The Telnet session should not be successful. The active security policies applied to traffic from the untrust zone on the remote team's device do not allow this traffic.

Step 5.10
Make sure that the remote team within your pod has completed the previous step. Once this has been confirmed, return to your assigned device and issue the show interfaces extensive command for the ge-0/0/3 interface again.

lab@host1-b> show interfaces extensive ge-0/0/3 | find "Flow Statistics"
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     5
      ICMP packets :                     30
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        6879
      Connections established :          1
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        6830
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0

      No zone or NULL zone binding       0
      Policy denied:                     2
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 147, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3, Generation: 144

Question: Did the value of the Policy denied counter increment?

Answer: The answer should be yes. In the output taken from host1-b, the value is 2. Previously, this value was 0.

STOP


Lab 3
Network Address Translation

Overview
In this lab, you will implement Network Address Translation (NAT). The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:

Configure and monitor interface-based source NAT.

Configure and monitor pool-based destination NAT.

Part 1: Interface-Based Source NAT


In this lab part, you will enable interface-based source NAT. Traffic originating from the virtual routers attached to your assigned device and destined for the Internet host will be subject to NAT.

Step 1.1
Access the CLI using SecureCRT. Double click on the SecureCRT 5.0 icon located on the desktop to open the connection manager. Highlight SRX1 and click the connect button.

Step 1.2
Log in as user lab with the password lab123.

host1-b (ttyp0)

login: lab
Password:

--- JUNOS 9.6R1.13 built 2009-11-03 10:06:39 UTC
lab@host1-b>

Step 1.3
Enter configuration mode using the configure command.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b#

Step 1.4
Using the load override command, load the file host1-X_L5_SecEna.config from the /cf/root/ directory. This loads the basic configuration needed to complete the lab. Use the commit and-quit command to apply the changes and exit configuration mode.

[edit]
lab@host1-b# load override /cf/root/host1-X_L5_SecEna.config

[edit]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>

Step 1.5
Open a new SecureCRT tab and connect to the SRX2 device. Enter configuration mode and load the host2-X_L5_SecEna.config file from the /cf/root/ directory. Commit the changes and exit when complete.

Click File > Connect in Tab from the SecureCRT window.

Select SRX2 from the available devices and click Connect.

Log in as user lab with the password lab123.

host2-b (ttyp0)

login: lab
Password:

--- JUNOS 9.6R1.13 built 2009-11-03 10:06:39 UTC
lab@host2-b>

Enter configuration mode.

lab@host2-b> configure
Entering configuration mode

[edit]
lab@host2-b#

Load the configuration file, commit, and exit configuration mode. Then log out of the device, close the tab, and return to the SRX1 tab.

[edit]
lab@host2-b# load override /cf/root/host2-X_L5_SecEna.config

[edit]
lab@host2-b# commit and-quit
commit complete
Exiting configuration mode
lab@host2-b> exit

host2-b (ttyu0)

login:

Step 1.6
Enter configuration mode and navigate to the [edit security nat source] hierarchy.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b# edit security nat source

[edit security nat source]
lab@host1-b#

Step 1.7
Create a rule-set named internet-bound. Associate the rule-set with a context matching traffic coming from both interfaces connected to the virtual routers and destined to the untrust zone.

[edit security nat source]
lab@host1-b# set rule-set internet-bound from interface ge-0/0/4.10v

[edit security nat source]
lab@host1-b# set rule-set internet-bound from interface ge-0/0/4.20v

[edit security nat source]
lab@host1-b# set rule-set internet-bound to zone untrust

Question: What other contexts could you use for the from statement?

Answer: You could use a from context referencing the source security zones, but in this case two rule-sets would be necessary, because the two virtual-router interfaces belong to different zones. Because no routing instances are configured on your assigned device, the from routing-instance context is not applicable to this step.

Step 1.8
Navigate to the [edit security nat source rule-set internet-bound] configuration hierarchy. Create a NAT rule named 1. The rule should apply interface-based NAT to all traffic with a destination address of the Internet host as depicted on your lab diagram.

[edit security nat source]
lab@host1-b# edit rule-set internet-bound

[edit security nat source rule-set internet-bound]
lab@host1-b# set rule 1 match destination-address 172.31.15.1/32

[edit security nat source rule-set internet-bound]
lab@host1-b# set rule 1 then source-nat interface

[edit security nat source rule-set internet-bound]
lab@host1-b# show
from interface [ ge-0/0/4.102 ge-0/0/4.202 ];
to zone untrust;
rule 1 {
    match {
        destination-address 172.31.15.1/32;
    }
    then {
        source-nat interface;
    }
}

[edit security nat source rule-set internet-bound]
lab@host1-b#

Step 1.9
Commit your configuration and return to operational mode.

[edit security nat source rule-set internet-bound]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>

Note: The next lab steps require you to log in to the virtual router attached to your team's device. The virtual routers are logical devices created on a J Series Services Router. Refer to the management network diagram for the IP address of the vr-device.

Step 1.10
Open a separate Telnet session to the virtual router (10.210.14.139) attached to your team device.

Step 1.11
Log in to the virtual router using the login information shown in the following table:

Virtual Router Login Details


Student Device   User Name   Password
host1-a          1a          lab123
host1-b          1b          lab123
host1-c          1c          lab123
host1-d          1d          lab123

vr-device (ttyp0)

login: 1b
Password:

--- JUNOS 10.0R1.8 built 2009-11-03 10:06:39 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

1b@vr-device>

Step 1.12
Initiate a Telnet session to the Internet host device from one of the virtual routers attached to your assigned device. Use the same login credentials as used for your current vr-device Telnet session.

1b@vr-device> telnet 172.31.15.1 routing-instance vr10v
Trying 172.31.15.1...
Connected to 172.31.15.1.
Escape character is '^]'.

vr-device (ttyp1)

login: 1b
Password:

--- JUNOS 10.1R1.8 built 2010-02-12 17:00:46 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

1b@vr-device>

Step 1.13
Return to the terminal session opened to your assigned device and view the session table.

lab@host1-b> show security flow session
Session ID: 622, Policy name: internet-hr/8, Timeout: 674
  In: 172.20.102.10/54072 --> 172.31.15.1/23;tcp, If: ge-0/0/4.102
  Out: 172.31.15.1/23 --> 172.18.1.2/1024;tcp, If: ge-0/0/3.0
1 sessions displayed

Question: Do the session table results indicate expected behavior?

Answer: Yes. As indicated by the output taken from host1-b, the Telnet session sources from the internal IP address 172.20.102.10, but the return traffic has a destination of the WAN interface address.
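The check made by hand above (the reverse wing's destination should be the ge-0/0/3 address, not the virtual router's address) can be automated. The following Python script is an added example and not part of the lab guide or of Junos: it parses the show security flow session text shown above (copied here as a constructed sample) and reports whether interface-based source NAT was applied. The egress address 172.18.1.2 is the ge-0/0/3 address seen in the interface output earlier in the lab.

```python
import re

# Constructed sample, copied in shape from the lab's show security flow session
# output for the Telnet session from vr102 to the Internet host.
SAMPLE_SESSION_OUTPUT = """\
Session ID: 622, Policy name: internet-hr/8, Timeout: 674
  In: 172.20.102.10/54072 --> 172.31.15.1/23;tcp, If: ge-0/0/4.102
  Out: 172.31.15.1/23 --> 172.18.1.2/1024;tcp, If: ge-0/0/3.0
1 sessions displayed
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+)")


def parse_sessions(text):
    """Turn the CLI text into a list of sessions, each with an In and an Out wing."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2),
                       "timeout": int(m.group(3)), "wings": {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current["wings"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "ifname": m.group(7),
            }
    return sessions


def source_nat_summary(session, egress_addr):
    """Compare the In wing's source with the Out wing's destination.

    The Out wing describes the return traffic, so its destination is the
    source address the session carries after source NAT. If it differs from
    the In wing's source, source NAT was applied; if it equals the egress
    interface address, the rule used the interface action.
    """
    inw, outw = session["wings"]["In"], session["wings"]["Out"]
    translated_src, translated_port = outw["dst"], outw["dport"]
    return {
        "original_src": inw["src"],
        "translated_src": translated_src,
        "translated_port": translated_port,
        "source_nat_applied": translated_src != inw["src"],
        "uses_egress_interface": translated_src == egress_addr,
        "port_translated": translated_port != inw["sport"],
    }


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSION_OUTPUT):
        print(s["id"], s["policy"], source_nat_summary(s, "172.18.1.2"))
```

The same parser works on the multi-session output shown later in Part 2; a session whose In and Out addresses are simply mirrored reports source_nat_applied as False, which is what you expect for the destination NAT session there.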

Step 1.14
Issue the show security nat source rule all command and answer the question that follows.

lab@host1-b> show security nat source rule all
Total rules: 1
source NAT rule: 1                Rule-set: internet-bound
  Rule-Id                 : 1
  From interface          : ge-0/0/4.102
                          : ge-0/0/4.202
  To zone                 : untrust
  Destination addresses   : 172.31.15.1 - 172.31.15.1
  Action                  : interface
  Translation hits        : 1

Question: How many hits has this NAT rule received?

Answer: The answer might vary, but the Translation hits counter should show one hit at a minimum.

Step 1.15
Return to the session opened with the vr-device and exit the extra Telnet session using the exit command.

1b@vr-device> exit
Connection closed by foreign host.
1b@vr-device>

Part 2: Pool-Based Destination NAT


In this part of the lab, you will configure pool-based destination NAT for traffic originating from the remote device in your assigned pod. You will use the loopback IP address of your assigned device as a public address that will be translated to an internal address belonging to a virtual router attached to your device.


Step 2.1
Enter configuration mode and navigate to the [edit security nat destination] hierarchy.

lab@host1-b> configure
Entering configuration mode

[edit]
lab@host1-b# edit security nat destination

[edit security nat destination]
lab@host1-b#

Step 2.2
Configure a destination NAT pool named webserver that contains a single host address. The host address should match the IP address of the virtual router associated with the eng zone if you are assigned to host1, or the IP address of the virtual router associated with the it zone if you are assigned to host2.

[edit security nat destination]
lab@host1-b# set pool webserver address 172.20.20v.10/32

Step 2.3
Configure a destination NAT rule-set named from-internet. The associated context should be from the untrust zone.

[edit security nat destination]
lab@host1-b# set rule-set from-internet from zone untrust

Step 2.4
Under the from-internet rule-set, configure a destination NAT rule named 1. The rule should apply destination NAT to traffic that originates from the network associated with your remote team's ge-0/0/3 interface and that has your loopback address as its destination. This translation should use the webserver pool you configured.

[edit security nat destination]
lab@host1-b# edit rule-set from-internet rule 1

[edit security nat destination rule-set from-internet rule 1]
lab@host1-b# set match source-address 172.18.2/30

[edit security nat destination rule-set from-internet rule 1]
lab@host1-b# set match destination-address 192.168.1.1

[edit security nat destination rule-set from-internet rule 1]
lab@host1-b# set then destination-nat pool webserver

[edit security nat destination rule-set from-internet rule 1]
lab@host1-b# up 2

[edit security nat destination]
lab@host1-b# show
pool webserver {
    address 172.20.202.10/32;
}
rule-set from-internet {
    from zone untrust;
    rule 1 {
        match {
            source-address 172.18.2.0/30;
            destination-address 192.168.1.1/32;
        }
        then {
            destination-nat pool webserver;
        }
    }
}

Question: Are any changes required to your security policy configuration to allow this traffic?

Answer: Yes. Currently, no security policy exists in the configuration that allows traffic from the untrust zone to the eng or it zone (depending on your assigned device).

Step 2.5
Navigate to the [edit security policies from-zone untrust to-zone eng] hierarchy.

[edit security nat destination]
lab@host1-b# top edit security policies from-zone untrust to-zone eng

[edit security policies from-zone untrust to-zone eng]
lab@host1-b#

Step 2.6
Configure a security policy that allows HTTP and Telnet traffic sourced from the remote student device in your pod to reach the virtual router associated with the eng zone or the it zone, depending on your assigned device. The necessary address book entries should already exist in your zone configuration hierarchies. Name the new security policy webserver.

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# top show security zones security-zone untrust address-book
address vr103 172.20.103.0/24;
address vr203 172.20.203.0/24;
address host2-b 172.18.2.0/30;

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# top show security zones security-zone eng address-book
address vr202 172.20.202.0/24;

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# set policy webserver match source-address host2-x

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# set policy webserver match destination-address vr20v

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# set policy webserver match application junos-telnet

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# set policy webserver match application junos-http

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# set policy webserver then permit

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# show
policy webserver {
    match {
        source-address host2-b;
        destination-address vr202;
        application [ junos-telnet junos-http ];
    }
    then {
        permit;
    }
}

Step 2.7
Commit your configuration and return to operational mode.

[edit security policies from-zone untrust to-zone eng]
lab@host1-b# commit and-quit
commit complete
Exiting configuration mode
lab@host1-b>

Step 2.8
Note: In this step, you are initiating a Telnet session directly from your assigned device.

When both teams in your assigned pod finish performing the above configuration, attempt a Telnet session to the loopback IP address of your remote team's device. Initiate this Telnet session from your assigned SRX Series device. When prompted for a login, use the login information shown in the following table:

Virtual Router Login Details

Student Device   User Name   Password
host1-a          1a          lab123
host1-b          1b          lab123
host1-c          1c          lab123
host1-d          1d          lab123

lab@host1-b> telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.

vr-device (ttyp1)

login: 1b
Password:

--- JUNOS 10.1R1.8 built 2010-02-12 17:00:46 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

1b@vr-device>

Question: From your observations, is destination NAT operating correctly on your partnering team's assigned device?

Answer: Provided the Telnet session successfully established with the vr-device, the output indicates that traffic destined to the remote team's loopback interface IP address is being translated to the appropriate internal IP address.

Question: Why did the remote team's assigned device not respond to the Telnet request instead of the remote virtual router?

Answer: Recall that destination NAT occurs before routing and policy checks in the packet flow.
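The ordering the answer refers to is the reason the loopback address never answers: by the time the route lookup and the policy lookup run, the destination is already 172.20.202.10. The following Python model is an added example and not Junos code: it walks one packet through a simplified first-packet path (destination NAT, route lookup, policy lookup, source NAT) using the addresses, interfaces, zone names and NAT rules configured on host1-b in Parts 1 and 2. The route table, the body of the internet-hr policy seen in Step 1.13, and the "self" zone used for the device's own loopback are assumptions made for the model; port allocation for source NAT is not modelled.

```python
import ipaddress

# Added illustration of the SRX first-packet order; not Junos code.
# Lab values: zones, interfaces, NAT rules and the webserver policy from host1-b.
# Assumptions: ROUTES, the internet-hr policy body and the "self" zone.


def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


INTERFACE_ZONE = {"ge-0/0/4.102": "hr", "ge-0/0/4.202": "eng", "ge-0/0/3.0": "untrust"}
INTERFACE_ADDR = {"ge-0/0/3.0": "172.18.1.2"}     # ge-0/0/3 address from the lab output

# Assumed route table: prefix -> (egress interface, zone of that interface)
ROUTES = {
    "172.20.102.0/24": ("ge-0/0/4.102", "hr"),
    "172.20.202.0/24": ("ge-0/0/4.202", "eng"),
    "192.168.1.1/32": (".local..0", "self"),      # the device's own loopback
    "0.0.0.0/0": ("ge-0/0/3.0", "untrust"),
}

# Destination NAT: rule-set from-internet (from zone untrust), rule 1 -> pool webserver
DNAT_RULES = [
    {"from_zone": "untrust", "src": "172.18.2.0/30", "dst": "192.168.1.1/32",
     "pool": "172.20.202.10"},
]

# Source NAT: rule-set internet-bound (from the vr interfaces to zone untrust),
# rule 1 -> interface
SNAT_RULES = [
    {"from_if": {"ge-0/0/4.102", "ge-0/0/4.202"}, "to_zone": "untrust",
     "dst": "172.31.15.1/32", "action": "interface"},
]

# Security policies keyed by (from-zone, to-zone); apps are (protocol, port) pairs
POLICIES = {
    ("untrust", "eng"): [
        {"name": "webserver", "src": "172.18.2.0/30", "dst": "172.20.202.0/24",
         "apps": {("tcp", 23), ("tcp", 80)}, "action": "permit"},
    ],
    ("hr", "untrust"): [  # assumed body of the internet-hr policy seen in Step 1.13
        {"name": "internet-hr", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
         "apps": None, "action": "permit"},
    ],
}


def route_lookup(dst):
    """Longest-prefix match over the assumed route table."""
    best = max((p for p in ROUTES if in_net(dst, p)),
               key=lambda p: ipaddress.ip_network(p).prefixlen)
    return ROUTES[best]


def first_packet(src, sport, dst, dport, proto, ingress_if):
    """Walk one packet through the modelled pipeline and record each decision."""
    trace = {"ingress_zone": INTERFACE_ZONE[ingress_if]}
    # 1. Destination NAT is evaluated before the route lookup.
    for r in DNAT_RULES:
        if (trace["ingress_zone"] == r["from_zone"] and in_net(src, r["src"])
                and in_net(dst, r["dst"])):
            trace["dnat_rule"] = "from-internet/1"
            dst = r["pool"]
            break
    trace["dst_after_nat"] = dst
    # 2. The route lookup therefore sees the translated destination.
    egress_if, egress_zone = route_lookup(dst)
    trace["egress_if"], trace["egress_zone"] = egress_if, egress_zone
    # 3. Policy lookup from ingress zone to egress zone (default deny).
    #    Traffic for the device's own address is simplified to self-traffic-policy.
    if egress_zone == "self":
        trace["policy"], trace["action"] = "self-traffic-policy", "permit"
    else:
        trace["policy"], trace["action"] = "default-deny", "deny"
        for p in POLICIES.get((trace["ingress_zone"], egress_zone), []):
            if (in_net(src, p["src"]) and in_net(dst, p["dst"])
                    and (p["apps"] is None or (proto, dport) in p["apps"])):
                trace["policy"], trace["action"] = p["name"], p["action"]
                break
    if trace["action"] != "permit":
        trace["src_after_nat"] = src        # dropped; counts as "Policy denied"
        return trace
    # 4. Source NAT is applied only after the policy has permitted the session.
    for r in SNAT_RULES:
        if (ingress_if in r["from_if"] and egress_zone == r["to_zone"]
                and in_net(dst, r["dst"])):
            trace["snat_rule"] = "internet-bound/1"
            src = INTERFACE_ADDR[egress_if]  # port allocation not modelled
            break
    trace["src_after_nat"] = src
    return trace


if __name__ == "__main__":
    print(first_packet("172.18.2.2", 64445, "192.168.1.1", 23, "tcp", "ge-0/0/3.0"))
    print(first_packet("172.18.2.2", 64445, "192.168.1.1", 22, "tcp", "ge-0/0/3.0"))
    print(first_packet("172.20.102.10", 54072, "172.31.15.1", 23, "tcp", "ge-0/0/4.102"))
```

Running it shows the three situations the lab exercises: the remote team's Telnet to 192.168.1.1 is rewritten to 172.20.202.10, routed into the eng zone and permitted by the webserver policy with no source NAT; the same connection on a port the policy does not list is still translated but then dropped at the policy check, which is where the Policy denied counter from Lab 2 increments; and the virtual router's Telnet to the Internet host is permitted first and only then given the ge-0/0/3 address by the interface-based source NAT rule. A source outside 172.18.2.0/30 never matches the destination NAT rule, so for it the route lookup still points at the loopback and the device itself answers.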

Step 2.9
Open a second Telnet session to your assigned device for monitoring the sessions in progress. Log in as user lab.

host1-b (ttyp1)

login: lab
Password:

--- JUNOS 9.6R1.13 built 2009-08-01 09:23:09 UTC
lab@host1-b>

Step 2.10
Issue the show security flow session command and answer the question that follows.

lab@host1-b> show security flow session
Session ID: 683, Policy name: self-traffic-policy/1, Timeout: 1726
  In: 172.18.1.2/61224 --> 192.168.2.1/23;tcp, If: .local..0
  Out: 192.168.2.1/23 --> 172.18.1.2/61224;tcp, If: ge-0/0/3.0

Session ID: 684, Policy name: self-traffic-policy/1, Timeout: 1800
  In: 10.210.14.129/38213 --> 10.210.14.133/23;tcp, If: ge-0/0/0.0
  Out: 10.210.14.133/23 --> 10.210.14.129/38213;tcp, If: .local..0

Session ID: 685, Policy name: webserver/12, Timeout: 1780
  In: 172.18.2.2/64445 --> 192.168.1.1/23;tcp, If: ge-0/0/3.0
  Out: 172.20.202.10/23 --> 172.18.2.2/64445;tcp, If: ge-0/0/4.202
3 sessions displayed

Question: What sessions are present in the session table?

Answer: Provided the partnering team in your assigned pod initiated a Telnet session destined for your loopback IP address, at least three sessions should display. One session represents the Telnet session initiated by your team. One session represents the additional Telnet session opened directly with your assigned device. One session represents the Telnet session opened by the remote team in your assigned pod.

Step 2.11
Issue the show security nat destination pool all command and answer the question that follows.

lab@host1-b> show security nat destination pool all
Total destination-nat pools: 1

Pool name       : webserver
Pool id         : 1
Routing instance: default
Total address   : 1
Translation hits: 4
Address range                         Port
    172.20.202.10 - 172.20.202.10     0

Question: Are translation hits present for your destination NAT pool?

Answer: Provided the partnering team in your assigned pod initiated a Telnet session destined for your loopback IP address, the translation hits counter should show at least one hit.

Step 2.12
Return to the initial session opened to your device and exit the Telnet session opened with the remote virtual router.

1b@vr-device> exit
Connection closed by foreign host.
lab@host1-b>

STOP


Lab Diagrams

Junos OS for SRX Overview Lab Diagrams, Revision A. Copyright 2010, Juniper Networks, Inc. All rights reserved. The information in this document is believed to be accurate for software Release 10.1R1.8.

NETWORK DIAGRAM: LABS 1-3

[Diagram: the Internet host (172.31.15.1) sits in the Untrust Zone, and both student devices connect to it: host1-x (lo0: 192.168.1.1) and host2-x (lo0: 192.168.2.1). Each student device uses a tagged interface ge-0/0/4 (see the VLAN table below) toward its virtual routers: ge-0/0/4.10v (.1) on 172.20.10v.0/24 reaches vr10v (.10), and ge-0/0/4.20v (.1) on 172.20.20v.0/24 reaches vr20v (.10). On host1-x, vr10v is in the hr zone and vr20v is in the eng zone; on host2-x, vr10v is in the dc zone and vr20v is in the it zone. x = Pod (a, b, c, or d); v = remainder of vlan-id.]

VLAN Assignments (v = remainder of vlan-id)

Hostname   VLAN-ID
host1-a    100, 200
host2-a    101, 201
host1-b    102, 202
host2-b    103, 203
host1-c    104, 204
host2-c    105, 205
host1-d    106, 206
host2-d    107, 207

Copyright 2010 Juniper Networks, Inc. www.juniper.net
