
SRX for beginners

I was thinking whether I should write a short article for beginners on quickly configuring an SRX firewall.
I don't know how many people will find it useful, but I hope it will help those who are using an SRX for
the first time in their life. Let's get started.
Our topology for this tutorial is shown below;

We will configure the following from scratch:


1. Loading default config and setting the root password
2. Configuring interfaces and default route
3. Configuring security zones
4. Configuring address book entries
5. Creating security policies
6. Creating source nat for internal clients

Loading default config and setting the root password


I assume you are connected to the SRX device via console

[edit]
root# load factory-default
warning: activating factory configuration

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# set system host-name srx220

[edit]
root# commit
commit complete

[edit]
root@srx220#

Once we commit the changes, we should see the new hostname srx220 in the prompt.
A commit is required to save and activate your changes.

Configuring interfaces and default route


Interfaces

#delete interfaces ge-0/0/0
#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24

Default route

#set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

Configuring security zones


SRX is a zone-based firewall, hence you have to assign each interface to a zone to be able to pass
traffic through it and into it. There may be two default zones, trust and untrust, coming with the
factory-default config, but we will delete them and configure our own zones. The following will be
our zone configuration;

Our zone facing the PC clients is named internal.

The zone facing the Internet is named internet.

Internal clients will be able to reach the SRX itself (i.e. the ping and ssh services will be
enabled towards the SRX).

#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0

Now we have assigned interfaces to each zone. To mention it again: if you don't add the services
(e.g. ssh and ping) under the internal zone, you can neither connect to the box via ssh nor ping its internal
interface IP.

Configuring address book entries


If you want to configure a security policy you must create an address book entry for the network
ranges you would like to use. We will create one address book entry for our internal network
block 192.168.239.0/24 as follows;

#set security zones security-zone internal address-book address network_239 192.168.239.0/24

Our address book entry is also ready for security policy. Now it is time to enforce the security
policy to allow internal users to access outside networks.
Note: Address book configuration has evolved over several releases. To better understand the
address book concept on SRX, you can take a look at my other post about address books once
you finish this post.

Creating security policies


As this is a firewall, if you don't create a security policy allowing traffic from one zone to the
other, don't expect your transit traffic to work. Here, we first start by deleting the already
existing policies to make sure no other policies exist.
#delete security policies
#set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
#set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
#set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
#set security policies from-zone internal to-zone internet policy allow-internal-clients then permit

A security policy is created within a context. What does this mean? It means the context defines
the direction. For example, the policy we have created, named allow-internal-clients, only
matches traffic from the internal zone to the internet zone. As our action is permit, we allow
traffic from the network_239 address book entry, i.e. 192.168.239.0/24, towards any address.

Creating source nat for internal clients


You may also need to source NAT internal clients with your outside interface IP address. Here is
how we configure source NAT on the SRX:
First start by deleting any leftover NAT rules from before.
#delete security nat
#set security nat source rule-set internal-to-internet from zone internal
#set security nat source rule-set internal-to-internet to zone internet
#set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
#set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
#set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
#commit

For simplicity we use interface-based NAT, which means that if an internal client has an IP address in the
192.168.239.0/24 range, the source address of its IP packets will be replaced by the interface IP
address 192.168.100.38 when the client wants to reach the Internet.
As you can see, source NAT is also a context-based configuration: you define from which zone
you are coming and to which zone you are heading. After this configuration your internal clients
whose gateway is 192.168.239.1 should be able to reach the Internet, if I haven't made any mistake
so far.
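The zone, address book, policy and NAT sections above all share one failure mode: each piece only works when it lines up with the others (an interface outside every zone passes nothing, a policy that names an undefined address book entry matches nothing, a NAT rule-set in a direction with no permit policy translates nothing). The small Python linter below is an added example, not part of the original post and not a Juniper tool; it parses the set-style commands from this tutorial (reassembled into one constructed config, plus a constructed broken variant) with a simplified, hand-written parser and reports exactly those mismatches. The assumption that zones named internet or untrust are the ones where management services should not be exposed, and the subset of Junos syntax it understands, are the author's choices here, not Junos rules.

```python
"""Lint a set-style Junos SRX config for the cross-section mistakes this tutorial warns about."""
from collections import defaultdict

# Constructed sample: the commands from the tutorial reassembled into one set-style config.
GOOD_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone internet interfaces ge-0/0/0.0
set security zones security-zone internal address-book address network_239 192.168.239.0/24
set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
set security policies from-zone internal to-zone internet policy allow-internal-clients then permit
set security nat source rule-set internal-to-internet from zone internal
set security nat source rule-set internal-to-internet to zone internet
set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
"""

# Constructed broken variant: an interface with no zone, ssh opened on the internet-facing zone,
# a policy naming an address entry that was never defined, and a NAT rule-set with no permit policy.
BAD_CONFIG = GOOD_CONFIG + """
set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/24
set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security policies from-zone internal to-zone internet policy allow-dmz match source-address network_dmz
set security policies from-zone internal to-zone internet policy allow-dmz match destination-address any
set security policies from-zone internal to-zone internet policy allow-dmz match application any
set security policies from-zone internal to-zone internet policy allow-dmz then permit
set security nat source rule-set dmz-to-internet from zone dmz
set security nat source rule-set dmz-to-internet to zone internet
"""

# Assumption of this example: zones with these names face untrusted networks.
UNTRUSTED_ZONES = {"internet", "untrust"}
MANAGEMENT_SERVICES = {"ssh", "telnet", "http", "https"}


def parse(text):
    """Build a minimal model of interfaces, zones, address books, policies and NAT rule-sets."""
    m = {"ifaces": set(), "zone_of": {}, "services": defaultdict(set),
         "addrs": defaultdict(set), "policies": {}, "nat": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["set"]:
            continue
        if t[1] == "interfaces" and "unit" in t:
            m["ifaces"].add(f"{t[2]}.{t[t.index('unit') + 1]}")          # logical unit, e.g. ge-0/0/1.0
        elif t[1:4] == ["security", "zones", "security-zone"]:
            zone = t[4]
            if t[5] == "interfaces":
                m["zone_of"][t[6]] = zone
                if "system-services" in t:
                    m["services"][zone].add(t[-1])
            elif t[5:7] == ["address-book", "address"]:
                m["addrs"][zone].add(t[7])
        elif t[1:3] == ["security", "policies"]:
            key = (t[4], t[6], t[8])                                        # from-zone, to-zone, name
            p = m["policies"].setdefault(key, {"src": set(), "dst": set(), "action": None})
            if t[9] == "match" and t[10] == "source-address":
                p["src"].add(t[11])
            elif t[9] == "match" and t[10] == "destination-address":
                p["dst"].add(t[11])
            elif t[9] == "then":
                p["action"] = t[10]
        elif t[1:5] == ["security", "nat", "source", "rule-set"]:
            rs = m["nat"].setdefault(t[5], {})
            if t[6] in ("from", "to"):
                rs[t[6]] = t[8]                                             # "from zone X" / "to zone Y"
    return m


def lint(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    m = parse(text)
    findings = []
    # 1. An interface outside every zone can neither pass transit traffic nor accept host traffic.
    for iface in sorted(m["ifaces"] - set(m["zone_of"])):
        findings.append(f"interface {iface} is not assigned to any security zone")
    # 2. Management services reachable from an untrusted zone.
    for zone, svcs in sorted(m["services"].items()):
        exposed = svcs & MANAGEMENT_SERVICES
        if zone in UNTRUSTED_ZONES and exposed:
            findings.append(f"zone {zone} exposes management services {sorted(exposed)}")
    # 3. Policies that reference address-book names not defined in the relevant zone.
    for (frm, to, name), p in m["policies"].items():
        for a in sorted(p["src"] - {"any"} - m["addrs"][frm]):
            findings.append(f"policy {name}: source-address {a} not in zone {frm} address book")
        for a in sorted(p["dst"] - {"any"} - m["addrs"][to]):
            findings.append(f"policy {name}: destination-address {a} not in zone {to} address book")
    # 4. A NAT rule-set whose from/to context has no permitting security policy: nothing to translate.
    permitted = {(f, t) for (f, t, _), p in m["policies"].items() if p["action"] == "permit"}
    for name, rs in m["nat"].items():
        ctx = (rs.get("from"), rs.get("to"))
        if ctx not in permitted:
            findings.append(f"nat rule-set {name}: no permit policy from {ctx[0]} to {ctx[1]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("tutorial config", GOOD_CONFIG), ("broken variant", BAD_CONFIG)):
        print(f"{label}: {lint(cfg) or ['clean']}")
```

Run it as a script and the tutorial's own configuration comes back clean, while the broken variant produces one finding per planted mistake. The same checks can be run against the output of `show configuration | display set` copied off a real box, as long as the commands stay within the subset the parser understands.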
