I was wondering whether I should write a short article for beginners on quickly configuring an SRX firewall.
I don't know how many people will find it useful, but I hope it will be for those who are using an SRX for
the first time. Let's get started.
Our topology in this tutorial is below:
[edit]
root# load factory-default
warning: activating factory configuration

[edit]
New password:

[edit]
root# commit
commit complete

[edit]
root@srx220#
Once we commit the changes, we should see the new hostname srx220 in the prompt.
Commit is required to save and activate your changes.
Default route
#set routing-options static route
Internal clients will be able to reach the SRX itself (ping and ssh are enabled as host-inbound
services on the internal interface):
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0
Now we have assigned an interface to each zone. To repeat: host-inbound-traffic only governs traffic
addressed to the SRX itself, and if you don't add the services (e.g. ssh and ping) under the internal zone,
you can neither connect to the box via ssh nor ping its internal interface IP. The ssh service itself must
also be enabled under the system services hierarchy; the zone statement alone is not enough. Since nothing
is enabled under the internet zone, the SRX will not answer ping or ssh on its outside interface, which is
what you want on an Internet-facing box.
Our address book entry is also ready for the security policy. Now it is time to write the security
policy that allows internal users to reach outside networks.
Note: address book configuration has evolved over several releases. To better understand the
address book concept on the SRX, take a look at my other post about address books once
you finish this one.
A security policy is created within a context. What does this mean? The context defines
the direction: the policy we created, named allow-internal-clients, only matches traffic from the
internal zone to the internet zone. As our action is permit, we allow traffic from the network_239
address book entry, i.e. 192.168.239.0/24, towards any address. Traffic in a zone pair that matches
no policy is dropped by the SRX's default policy, and because the SRX is stateful, the replies to a
permitted session come back without needing a second policy in the internet-to-internal context.
For simplicity we use interface-based NAT, which means that if an internal client has an IP address in
the 192.168.239.0/24 range, the source addresses of its packets are replaced by the interface IP
address 192.168.100.38 when the client wants to reach the Internet. Interface-based source NAT also
translates ports, so all internal clients share that single address.
As you can see, source NAT is also a context-based configuration: you define from which zone
you are coming and to which zone you are heading. After this configuration your internal clients,
whose gateway is 192.168.239.1, should be able to reach the Internet, if I haven't made any mistake
so far.
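The whole procedure above, assembled into one commit-able Junos configuration. This is an added example, not the post's own listing: it reuses everything the post states (hostname srx220, ge-0/0/0 as the Internet interface with 192.168.100.38, ge-0/0/1 as the internal interface with gateway 192.168.239.1, zones internal and internet, address entry network_239 for 192.168.239.0/24, policy allow-internal-clients, interface-based source NAT). The /24 mask on ge-0/0/0, the upstream next-hop 192.168.100.1, the NAT rule-set and rule names, the global-address-book form, and the exact contents of the factory default that are deleted first are assumptions. Lines starting with ## are annotations for the reader and are not meant to be pasted into the CLI.

```junos
## Operational mode -> configuration mode, then wipe to factory defaults.
configure
load factory-default

## A root password is mandatory before a factory-default config can be committed.
## This command prompts interactively ("New password:" / "Retype new password:").
set system root-authentication plain-text-password
set system host-name srx220

## The factory default puts ge-0/0/1 into a switched VLAN and defines trust/untrust
## zones, policies and NAT (exact contents vary by model and release: assumption).
## Remove them so the hierarchies below start clean.
delete interfaces
delete vlans
delete security zones
delete security policies
delete security nat
delete system services dhcp

## Keep the ssh daemon itself enabled; the zone host-inbound-traffic statements
## below decide on which interfaces it may actually be reached.
set system services ssh

## Interfaces: ge-0/0/0 faces the Internet, ge-0/0/1 faces the LAN.
## The /24 on ge-0/0/0 and the upstream gateway 192.168.100.1 are assumptions.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

## Zones. ping and ssh to the SRX are allowed only on the inside interface; the
## internet zone gets no host-inbound services, so the box stays silent outside.
set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone internet interfaces ge-0/0/0.0

## Address book (global form, Junos 11.2 and later). On older releases the
## zone-attached equivalent is:
##   set security zones security-zone internal address-book address network_239 192.168.239.0/24
set security address-book global address network_239 192.168.239.0/24

## Policy context internal -> internet. Only the LAN prefix is permitted, not
## "any", so a host with a wrong address does not get a free ride out.
set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
set security policies from-zone internal to-zone internet policy allow-internal-clients then permit

## Interface-based source NAT in the same zone context (rule-set and rule names
## are assumptions). Sources are rewritten to 192.168.100.38 with port translation.
set security nat source rule-set internal-to-internet from zone internal
set security nat source rule-set internal-to-internet to zone internet
set security nat source rule-set internal-to-internet rule nat-lan match source-address 192.168.239.0/24
set security nat source rule-set internal-to-internet rule nat-lan then source-nat interface

## "commit confirmed 5" rolls the change back after 5 minutes unless another
## commit follows; the safe choice when you reconfigure the interface you are
## logged in over. The second commit confirms it and drops to operational mode.
commit confirmed 5
commit and-quit

## Operational mode: verify before trusting the result.
show interfaces terse
show route 0.0.0.0/0
show security zones
show security policies from-zone internal to-zone internet
show security nat source rule all
show security flow session source-prefix 192.168.239.0/24
```

If the commit fails with a missing mandatory root-authentication statement, the password step was skipped; if internal hosts can ping 192.168.239.1 but not the Internet, check the default route and the NAT rule first, then look for the session in the flow table with the last command.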