Enterprise Network Design (SRX As Firewall)

ENTERPRISE NETWORK DESIGN-1
(SRX AS FIREWALL )
SCENARIO
We have two Internet connections one from ISP-1 and other one from ISP-2. For fail over I have added IP
SLA tracking so that PBR will continuously monitor the ISP-1 to ensure it has not failed or gone offline.
If for any reason router PBR loses connectivity with the ISP-1, the IP SLA & Policy-Based Routing
mechanism will forward the traffic to the Internet via ISP-2 effectively.
Juniper SRX is acting as a firewall.

DVTI tunnels are established on PBR router with Remote-Site-1 and Remote-Site-2.
LAN users are able to access SERVER and INTERNET.
VC is able to access only INTERNET.
Whereas Remote-Site-1 and Remote-Site-2 both are able to access SERVER but only RemoteSite-1 is able to access INTERNET using SRX FIREWALL.
CONFIGURATION
ON SRX:
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
filter {
output-list F1;
}
address 192.168.50.2/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.10.10.1/30;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.30.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.10.10.2;
route 192.168.10.0/24 next-hop 192.168.50.1;
route 192.168.20.0/24 next-hop 192.168.50.1;
}
}
security {
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {

policy default-permit {
match {
source-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy default-deny {
match {
source-address any;
application any;
}
then {
deny;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
ge-0/0/1.0 {
system-services {
all;
}
protocols {
all;
}
}
}
ge-0/0/2.0 {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
}
}
}
firewall {
filter F1 {
term A {
from {
source-address {
192.168.100.0/24;
192.168.200.0/24;
}
destination-address {
192.168.10.0/24;
192.168.20.0/24;
}
}
then {
reject;
}
}
term B {
from {
source-address {
0.0.0.0/0;
}
destination-address {
192.168.50.0/30;
192.168.10.0/24;
192.168.20.0/24;
}
}
then accept;
}
}
}
ON PBR:
!
track 5 rtr 10 reachability
!
class-map match-all DATA
match access-group name DATA
!
!
policy-map DATA
class DATA
bandwidth 2048
!
!
crypto keyring DVTI
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp profile ISAKMP
keyring DVTI
match identity address 200.200.200.2 255.255.255.255
match identity address 100.100.100.2 255.255.255.255
virtual-template 1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC
set transform-set TS
!
!
!
!
!
interface Loopback1
ip address 10.10.10.10 255.255.255.255
!
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.252
service-policy output DATA
!
ip address 10.10.10.2 255.255.255.252
ip policy route-map PBR
!
ip address 30.30.30.1 255.255.255.252
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
ip policy route-map VT
ip ospf 1 area 0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC
!
router ospf 1
network 10.10.10.10 0.0.0.0 area 0
!
ip route 40.40.40.0 255.255.255.252 20.20.20.2
ip route 50.50.50.0 255.255.255.252 30.30.30.2
ip route 100.100.100.0 255.255.255.252 20.20.20.2
ip route 192.168.10.0 255.255.255.0 10.10.10.1
ip route 192.168.20.0 255.255.255.0 10.10.10.1
ip route 200.200.200.0 255.255.255.252 20.20.20.2
!
ip access-list extended DATA
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VT
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.200.0 0.0.0.255 any
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
route-map VT permit 10
match ip address VT
set ip next-hop 10.10.10.1
!
route-map DATA permit 10
match ip address DATA
!
route-map PBR permit 10
match ip address 1
set ip next-hop verify-availability 20.20.20.2 1 track 5
!
end
ON ISP-1:
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
ip address 20.20.20.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
ip address 200.200.200.1 255.255.255.252
!
ip address 40.40.40.1 255.255.255.252
ip nat outside
!
ip address 100.100.100.1 255.255.255.252
!
ip route 8.8.8.8 255.255.255.255 40.40.40.2
ip route 192.168.10.0 255.255.255.0 20.20.20.1
ip route 192.168.20.0 255.255.255.0 20.20.20.1
ip route 192.168.30.0 255.255.255.0 20.20.20.1
ip route 192.168.100.0 255.255.255.0 20.20.20.1
!
!
ip nat inside source list 1 interface Loopback1 overload
!
!
End
ON ISP-2:
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
ip address 50.50.50.1 255.255.255.252
ip nat outside
!
ip address 30.30.30.2 255.255.255.252
ip nat inside
!
ip route 8.8.8.8 255.255.255.255 50.50.50.2
ip route 192.168.10.0 255.255.255.0 30.30.30.1
ip route 192.168.20.0 255.255.255.0 30.30.30.1
ip route 192.168.30.0 255.255.255.0 30.30.30.1
!
!
ip nat inside source list 1 interface Loopback1 overload
!
ON INTERNET:
!
interface Loopback0
ip address 8.8.8.8 255.255.255.255
!
ip address 50.50.50.2 255.255.255.252
!
ip address 40.40.40.2 255.255.255.252
!
ip route 1.1.1.1 255.255.255.255 40.40.40.1
ip route 2.2.2.2 255.255.255.255 50.50.50.1
!
ON Remote-Site-1:
!
crypto isakmp key cisco address 20.20.20.1
!
!
!
interface Loopback1
ip address 100.100.100.100 255.255.255.255
!
interface Tunnel1
ip ospf 1 area 0
tunnel source 100.100.100.2
tunnel destination 20.20.20.1
!
ip address 192.168.100.1 255.255.255.0
!
ip address 100.100.100.2 255.255.255.252
!
router ospf 1
network 192.168.100.0 0.0.0.255 area 0
distribute-list prefix RS1 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 20.20.20.0 255.255.255.252 100.100.100.1
!
ip prefix-list RS1 seq 1 deny 192.168.200.0/24 ge 32
ip prefix-list RS1 seq 2 permit 0.0.0.0/0 ge 32
!
ON Remote-Site-2:
!
crypto isakmp key cisco address 20.20.20.1
!
!
!
!
interface Loopback1
ip address 200.200.200.200 255.255.255.255
!
interface Tunnel2
ip ospf 1 area 0
tunnel source 200.200.200.2
tunnel destination 20.20.20.1

!
ip address 192.168.200.1 255.255.255.0
!
ip address 200.200.200.2 255.255.255.252
!
router ospf 1
network 192.168.200.0 0.0.0.255 area 0
distribute-list prefix RS2 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel2
ip route 20.20.20.0 255.255.255.252 200.200.200.1
ip route 192.168.10.0 255.255.255.0 200.200.200.1
!
ip prefix-list RS2 seq 1 deny 192.168.100.0/24 ge 32
ip prefix-list RS2 seq 2 permit 0.0.0.0/0 ge 32
!
VERIFICATION
ON PBR:
Router#sho ip ospf neighbor
Neighbor ID
Pri State
Dead Time Address
Interface
100.100.100.100 0 FULL/ -
00:00:38 100.100.100.2 Virtual-Access3
200.200.200.200 0 FULL/ -
00:00:30 200.200.200.2 Virtual-Access2
Router#show crypto isakmp sa

dst
src
state
conn-id slot status
20.20.20.1
100.100.100.2 QM_IDLE
3 0 ACTIVE
20.20.20.1
200.200.200.2 QM_IDLE
4 0 ACTIVE
Router#show crypto ipsec sa

interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 20.20.20.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 100.100.100.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 20.20.20.1, remote crypto endpt.: 100.100.100.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x6DB5D3FA(1840632826)
inbound esp sas:
spi: 0xC9B2A50(211495504)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4411420/3481)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6DB5D3FA(1840632826)

IV size: 16 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access3
Crypto map tag: Virtual-Access3-head-0, local addr 20.20.20.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 200.200.200.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 20.20.20.1, remote crypto endpt.: 200.200.200.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x82B2467D(2192721533)
inbound esp sas:
spi: 0xF2CA4F43(4073344835)

IV size: 16 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x82B2467D(2192721533)
IV size: 16 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:

Enterprise Network Design (SRX As Firewall)

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Enterprise Network Design (SRX As Firewall)

Încărcat de

Drepturi de autor:

Formate disponibile

ENTERPRISE NETWORK DESIGN-1

Juniper SRX is acting as a firewall.

from-zone trust to-zone untrust {

tunnel destination 20.20.20.1

Dead Time Address

00:00:38 100.100.100.2 Virtual-Access3

00:00:30 200.200.200.2 Virtual-Access2

Router#show crypto isakmp sa

conn-id slot status

Router#show crypto ipsec sa

Crypto map tag: Virtual-Access2-head-0, local addr 20.20.20.1

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

S-ar putea să vă placă și