Juniper Networks Certified Internet Specialist-JNCIS JNCIS-SEC Lab Manual Developed by M. Irfan Ghauri M. Tanzeel Nasir C-32/1 Block-5 Gulshan-e-Iqbal, Karachi ESP Press Ph #0213-6034003 Copyrights 2011



JNCIS-SEC Lab Manual

LAB NO.  LABS DESCRIPTION                                                       PAGE
1        Junos Basic                                                            3
2        Customize zones                                                        11
3        Accessing Firewall using Console/Telnet/SSH/HTTP                       17
4        NAT: 1. MIP  2. DIP (a. DIP with ip pool, b. DIP with ip shift,
         c. DIP with different ip (PAT), d. DIP with egress interface)
         3. VIP  4. Destination NAT                                             24
5        Creating Object and Policy                                             30
6        POLICY: 1. Multi cell Policy  2. Group Policy                          32
7        Advance Group Policy: a. Logging  b. Counting  c. Scheduling  d. SNMP
         e. Authentication with (Local, webauth and AAA)                        36
8        Routing: a. Static Routing  b. Dynamic Routing (a. RIP  b. OSPF)       49
9        Site to Site VPN                                                       52
10       Dynamic VPN                                                            56
11       Screen Options                                                         63
12       DHCP                                                                   65
13       Inter-vlan Routing: a. With BVI  b. With Routed Port                   67

Lab # 1

Junos Basic Configuration

After connecting your PC to the console port:
    LOGIN: root
    PASSWORD: abc123
    root@%

To enter operational mode from the Unix shell (and vice versa):
    root@% cli
    root>

To enter configuration mode:
    root> configure
    Entering configuration mode
    root#
J-Web equivalent: Configuration

Use the commit command to activate your changes:
    root# commit

To change the host name of the router:
    root# set system host-name host
    root# commit

Set the system date and time on the router (operational mode; set date takes effect immediately):
    root> set date 12:10:8          (hh:mm:ss)
    root> set date 2009-10-6        (YYYY-MM-DD)
    root# commit

Verify the system date and time on the router:
    root> show system uptime
    Current time: 2009-08-17 11:55:58 UTC

Display the version information of the router:
    root> show system software
  or
    root> show version

Show interface summary:
    root> show interfaces terse

Display the interfaces:
    root> show interfaces
    root> show interfaces extensive
    root> show interfaces detail

Display per-second real-time statistics for a physical interface:
    root> monitor interface se-0/0/2

Print packet headers to your terminal for traffic sent or received by the Routing Engine:
    root> monitor traffic interface se-0/0/2

Move a connection to another port for testing (in this example the configuration of fe-0/0/0 is moved to fe-0/0/1):
    root# rename interfaces fe-0/0/0 to fe-0/0/1

Duplicate an existing configuration so that a few components can then be changed:
    root# copy interfaces fe-0/0/0 to fe-0/0/1

Show the active configuration:
    root> show configuration
  or
    root> show system rollback 0
  or
    root# show

Show the active configuration in set format:
    root# show | display set

Show the active configuration in XML format:
    root# show | display xml

Show candidate configuration (temporary configuration that becomes active when it is committed):
    root> show system rollback 2

Compare a rollback configuration with the active one:
    root> show system rollback 0 compare 2

Load a rollback configuration:
    root# rollback 2
    root# commit

Deactivate or activate part of the configuration:
    root# deactivate <any configuration>
For example:
    root# deactivate interfaces fe-0/0/2
    root# show interfaces
    inactive: fe-0/0/2 {
    }
The matching activate command (root# activate interfaces fe-0/0/2) re-enables it.

Shut down an interface, and remove the shutdown again:
    root# set interfaces se-0/0/2 disable
    root# delete interfaces se-0/0/2 disable

Set the rescue configuration (saves the active configuration as the rescue configuration):
    root> request system configuration rescue save

Commit the rescue configuration:
    root# rollback rescue
    root# commit
  or
Press the CONFIG (reset) button on the front of a J-series router, which loads and commits the rescue configuration.

Show the rescue configuration:
    root> show system configuration rescue

Show how many users are logged in to Junos:
    root> show system users

Show the files stored in flash memory:
    root> show system storage

Show the TCP and UDP ports in use:
    root> show system connections

Show the system license:
    root> show system license

Show the system firmware:
    root> show system firmware

Show chassis components and CPU temperature:
    root> show chassis environment

Show chassis hardware:
    root> show chassis hardware detail

Set the root password in clear text:
    root# set system root-authentication plain-text-password
    New password: abc123
    Retype new password: abc123

Set the root password as encrypted text (encrypted-password expects an already hashed password string, not the clear-text value; to type abc123 directly use plain-text-password as above):
    root# set system root-authentication encrypted-password abc123

Shut down or restart the router:
    root> request system power-off
    root> request system reboot

Return the router to the factory default configuration:
    root# load factory-default
    warning: activating factory configuration
    [edit]
    root# set system root-authentication plain-text-password
    New password: abc123
    Retype new password: abc123
    [edit]
    root# commit

Policy from untrust to trust:
    root# set security policies from-zone untrust to-zone trust policy allow match source-address any
    root# set security policies from-zone untrust to-zone trust policy allow match destination-address any
    root# set security policies from-zone untrust to-zone trust policy allow match application any
    root# set security policies from-zone untrust to-zone trust policy allow then permit

Flow table:
    root> show security flow session

Assign members to a zone:
    root# set security zones security-zone dmz
    root# set interfaces interface-range dmz member-range fe-0/0/1 to fe-0/0/5

Allow all services on the untrust interface:
    root# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Security zone details:
    root> show security zones trust detail
    root> show security zones untrust detail

Delete all configuration:
    root# delete
Answer yes at the prompt, then set a root password again before committing:
    root# set system root-authentication plain-text-password
    New password: abc123
    Retype new password: abc123

Assigning IP addresses to the interfaces of the SRX

Configuration

Assign an IP address to the VLAN interface of the SRX. In configuration mode type the following command:
    set interfaces vlan unit 0 family inet address 10.0.0.10/8

Assign an IP address to the Ethernet interface of the SRX. In configuration mode type the following commands:
    set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8
    edit interfaces fe-0/0/0
    set description "This is the Ethernet management interface"
    top
    commit

Delete the IP address on the Ethernet interface of the SRX. In configuration mode type the following command:
    delete interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8

Rename (change) the IP address on the Ethernet interface of the SRX. In configuration mode type the following command:
    rename interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8 to address 15.0.0.10/8

Verifying commands. In operational mode type the following commands:
    show interfaces
    show interfaces terse
    show interfaces descriptions
    show interfaces terse | match fe

Lab # 2

Zone customization

[Topology diagram: SRX fe-0/0/1 10.0.0.10 (trust) and fe-0/0/0 20.0.0.10 (untrust); hosts 10.0.0.1 and 10.0.0.2 on the trust side, hosts 20.0.0.1 and 20.0.0.2 on the untrust side.]

Configuration

Delete all configuration. In configuration mode type the following command:
    delete

Configure web management. In configuration mode type the following command:
    set system services web-management http

Assign IP addresses to the Ethernet interfaces of the SRX:
    set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8
    set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

Create your own zones and assign interfaces to them. In configuration mode type the following commands:
    set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Create policies for the zones. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
    set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
    set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
    set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
    set security policies from-zone untrust to-zone trust policy incomingtraffic then permit

Before committing, configure the root password. In configuration mode type the following command:
    set system root-authentication plain-text-password
    New password: abc123
    Retype new password: abc123

Lab # 3

Accessing SRX through Telnet/SSH/HTTP

Configuration

Configure telnet and SSH on R1. In configuration mode type the following commands:
    set system services telnet
    set system services ssh
    set system login user R1 class super-user authentication plain-text-password
    Enter password: abc123
    Retype password: abc123

Now access the firewall from the PC using telnet (Start > Run > cmd):
    C:\> ping 10.0.0.10
    C:\> telnet 10.0.0.10
    Login: R1
    Password: abc123

Now access the firewall from the PC using SSH: open the PuTTY software, enter the firewall address 10.0.0.10, then press Open.

Now access the firewall from the PC using HTTP: open Internet Explorer and type http://10.0.0.10

Verifying commands. In operational mode type the following commands:
    show system users
    show configuration
    show system

Lab # 4

1. Mapped IP (Static NAT)

[Topology diagram: Host A 10.0.0.1 and Server 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration

First map the IPs on the untrust interface. In configuration mode type the following commands:
    set security nat static rule-set r1 from zone untrust
    set security nat static rule-set r1 rule 1 match destination-address 20.0.0.51/32
    set security nat static rule-set r1 rule 1 then static-nat prefix 10.0.0.1/32
    set security nat static rule-set r1 rule 2 match destination-address 20.0.0.52/32
    set security nat static rule-set r1 rule 2 then static-nat prefix 10.0.0.2/32
    set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32 to 20.0.0.52/32
    commit

Allow the traffic using the following policy. In configuration mode type the following commands:
    set security policies from-zone untrust to-zone trust policy allow match source-address any
    set security policies from-zone untrust to-zone trust policy allow match destination-address any
    set security policies from-zone untrust to-zone trust policy allow match application any
    set security policies from-zone untrust to-zone trust policy allow then permit
    commit

Verifying commands. In operational mode type the following commands:
    show security nat source summary
    show security nat static rule all
    show security flow session
    clear security flow session all
    show security policies detail

2. DIP

a. DIP with ip pool (Dynamic NAT)

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration. In configuration mode type the following commands:
    set security nat source pool ippool address 20.0.0.50/32 to 20.0.0.60/32
    set security nat source pool ippool port no-translation
    set security nat source rule-set outgoingnat from zone trust
    set security nat source rule-set outgoingnat to zone untrust
    set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8
    set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat pool ippool
    set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.50/32 to 20.0.0.60/32
    commit

Allow the traffic using the following policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy allow match source-address any
    set security policies from-zone trust to-zone untrust policy allow match destination-address any
    set security policies from-zone trust to-zone untrust policy allow match application any
    set security policies from-zone trust to-zone untrust policy allow then permit
    commit

Verifying commands. In operational mode type the following commands:
    show security nat source summary
    show security flow session
    clear security flow session all

b. DIP with ip shift (Dynamic NAT)

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration

Make a pool of shifted IPs on the untrust interface. In configuration mode type the following commands:
    set security nat source pool A address 20.0.0.50/32 to 20.0.0.60/32
    set security nat source pool A host-address-base 10.0.0.1/32
    set security nat source rule-set 1A from zone trust
    set security nat source rule-set 1A to zone untrust
    set security nat source rule-set 1A rule 1 match source-address 10.0.0.0/8
    set security nat source rule-set 1A rule 1 then source-nat pool A
    set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.50/32 to 20.0.0.60/32
    commit

Allow the traffic using the following policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy allow match source-address any
    set security policies from-zone trust to-zone untrust policy allow match destination-address any
    set security policies from-zone trust to-zone untrust policy allow match application any
    set security policies from-zone trust to-zone untrust policy allow then permit
    commit

Verifying commands. In operational mode type the following commands:
    show security nat source summary
    show security flow session
    clear security flow session all
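The two dynamic source NAT pools above behave differently once more than eleven hosts need translation: the ip-pool variant with port no-translation leases one public address per internal host until the pool runs dry, while the ip-shift variant is a fixed arithmetic mapping from host-address-base onto the pool range. The following Python model, added here and not taken from the lab manual or from Junos, works through both cases with the lab's own values (pool 20.0.0.50 to 20.0.0.60, host-address-base 10.0.0.1, hosts in 10.0.0.0/8); the pool-exhaustion behaviour and the lease/release bookkeeping are this model's assumptions about the device, kept deliberately simple.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed from the lab commands (assumed values, not read from a device):
#   set security nat source pool A address 20.0.0.50/32 to 20.0.0.60/32
#   set security nat source pool A host-address-base 10.0.0.1/32
POOL_START = ipaddress.IPv4Address("20.0.0.50")
POOL_END = ipaddress.IPv4Address("20.0.0.60")
HOST_BASE = ipaddress.IPv4Address("10.0.0.1")


def shift_source(host: str,
                 pool_start: ipaddress.IPv4Address = POOL_START,
                 pool_end: ipaddress.IPv4Address = POOL_END,
                 host_base: ipaddress.IPv4Address = HOST_BASE) -> Optional[str]:
    """IP shift: host_base maps to pool_start, host_base+1 to pool_start+1, and so on.

    Returns None for a host outside the window the pool covers. Such a host still
    matches the rule's source-address 10.0.0.0/8, but this pool has no address for it.
    """
    offset = int(ipaddress.IPv4Address(host)) - int(host_base)
    pool_size = int(pool_end) - int(pool_start) + 1
    if offset < 0 or offset >= pool_size:
        return None
    return str(pool_start + offset)


class NoPortTranslationPool:
    """Model of a 'port no-translation' pool: each internal host holds one public
    address while it has sessions, so the pool serves at most len(pool) hosts at once."""

    def __init__(self, start: str, end: str) -> None:
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        self.free: List[str] = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.assigned: Dict[str, str] = {}

    def translate(self, host: str) -> Optional[str]:
        """Public address for host, reusing its existing lease; None when the pool is exhausted."""
        if host in self.assigned:
            return self.assigned[host]
        if not self.free:
            return None
        self.assigned[host] = self.free.pop(0)
        return self.assigned[host]

    def release(self, host: str) -> None:
        """Called when the host's last session closes; the address returns to the pool."""
        addr = self.assigned.pop(host, None)
        if addr is not None:
            self.free.append(addr)


def exhaust_demo() -> Optional[str]:
    """Twelve trust hosts against an eleven-address pool: returns the 12th host's translation."""
    pool = NoPortTranslationPool("20.0.0.50", "20.0.0.60")
    for i in range(1, 12):
        pool.translate(f"10.0.0.{i}")
    return pool.translate("10.0.0.12")  # None: no free address left


if __name__ == "__main__":
    for h in ("10.0.0.1", "10.0.0.11", "10.0.0.12"):
        print(h, "->", shift_source(h))
    print("12th host on exhausted pool:", exhaust_demo())
```

On a real SRX a pool without port translation drops new sessions once every address is leased unless an overflow pool is configured, which is why the verifying command show security nat source summary is worth running while several hosts are active; the model's None return stands in for that drop.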

c. DIP with different ip (PAT)

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration

Set a public IP on the untrust interface. In configuration mode type the following commands:
    set security nat source pool ippool address 20.0.0.75
    set security nat source rule-set outgoingnat from zone trust
    set security nat source rule-set outgoingnat to zone untrust
    set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8
    set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat pool ippool
    set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.75

Allow the traffic using the following policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy allow match source-address any
    set security policies from-zone trust to-zone untrust policy allow match destination-address any
    set security policies from-zone trust to-zone untrust policy allow match application any
    set security policies from-zone trust to-zone untrust policy allow then permit
    commit

Verifying commands. In operational mode type the following commands:
    show security nat source summary
    show security nat source pool all
    show security nat source rule all
    show security flow session
    clear security flow session all

d. DIP with egress interface (PAT with outside interface)

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration. In configuration mode type the following commands:
    set security nat source rule-set outgoingnat from zone trust
    set security nat source rule-set outgoingnat to zone untrust
    set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8
    set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat interface

Apply the source NAT with the following policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy allow match source-address any
    set security policies from-zone trust to-zone untrust policy allow match destination-address any
    set security policies from-zone trust to-zone untrust policy allow match application any
    set security policies from-zone trust to-zone untrust policy allow then permit
    commit

Verifying commands. In operational mode type the following commands:
    show security nat source summary
    show security nat source rule all
    show security flow session
    clear security flow session all

3. VIP

[Topology diagram: WEB SERVER 10.0.0.1 and FTP SERVER 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration

Set a virtual IP on the untrust interface. In configuration mode type the following commands:
    set security nat destination pool http address 10.0.0.1/32
    set security nat destination pool http address port 80
    set security nat destination pool ftp address 10.0.0.2/32
    set security nat destination pool ftp address port 21
    set security nat destination rule-set vip from zone untrust
    set security nat destination rule-set vip rule http match destination-address 20.0.0.51/32
    set security nat destination rule-set vip rule http match destination-port 80
    set security nat destination rule-set vip rule http then destination-nat pool http
    set security nat destination rule-set vip rule ftp match destination-address 20.0.0.51/32
    set security nat destination rule-set vip rule ftp match destination-port 21
    set security nat destination rule-set vip rule ftp then destination-nat pool ftp
    set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51
    commit

Apply the VIP with the following policy. In configuration mode type the following commands:
    set security policies from-zone untrust to-zone trust policy allow match source-address any
    set security policies from-zone untrust to-zone trust policy allow match destination-address any
    set security policies from-zone untrust to-zone trust policy allow match application any
    set security policies from-zone untrust to-zone trust policy allow then permit
    commit

Verifying commands. In operational mode type the following commands:
    show security nat source summary
    show security flow session
    clear security flow session all

4. Destination NAT

[Topology diagram: WEB SERVER 10.0.0.1 and host 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration. In configuration mode type the following commands:
    set security nat destination pool serverpool address 10.0.0.1/32
    set security nat destination rule-set internet from zone untrust
    set security nat destination rule-set internet rule servernat match destination-address 20.0.0.51/32
    set security nat destination rule-set internet rule servernat then destination-nat pool serverpool
    set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51
    commit

Verifying commands. In operational mode type the following commands:
    show security nat source summary
    show security flow session
    clear security flow session all

Lab # 5

Creating object and policy

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside host 20.0.0.1.]

Configuration

Create an object for the trust host PC. In configuration mode type the following command:
    set security zones security-zone trust address-book address insidepc 10.0.0.1/32

Create an object for the untrust host PC. In configuration mode type the following command:
    set security zones security-zone untrust address-book address outsidepc 20.0.0.1/32

Call the objects to create a policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy allow match source-address insidepc
    set security policies from-zone trust to-zone untrust policy allow match destination-address outsidepc
    set security policies from-zone trust to-zone untrust policy allow match application any
    set security policies from-zone trust to-zone untrust policy allow then permit
    commit

Verifying commands. In operational mode type the following command:
    show security policies detail
In configuration mode type the following command:
    show

Lab # 6

1. Multi cell Policy

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside hosts 20.0.0.1 and 20.0.0.2.]

Configuration

Create objects for the trust hosts. In configuration mode type the following commands:
    set security zones security-zone trust address-book address insidepc1 10.0.0.1/32
    set security zones security-zone trust address-book address insidepc2 10.0.0.2/32

Create objects for the untrust hosts. In configuration mode type the following commands:
    set security zones security-zone untrust address-book address outsidepc1 20.0.0.1/32
    set security zones security-zone untrust address-book address outsidepc2 20.0.0.2/32

Call the objects to create a multi cell policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy allow match source-address insidepc1
    set security policies from-zone trust to-zone untrust policy allow match source-address insidepc2
    set security policies from-zone trust to-zone untrust policy allow match destination-address outsidepc1
    set security policies from-zone trust to-zone untrust policy allow match application any
    set security policies from-zone trust to-zone untrust policy allow then permit
    commit

Verifying commands. In configuration mode type the following commands:
    show
    show security policies | display set
    show security zones security-zone trust address-book
In operational mode type the following commands:
    show security policies
    show security policies detail

2. Group Policy

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside hosts 20.0.0.1 and 20.0.0.2.]

Configuration

Create objects for the trust hosts. In configuration mode type the following commands:
    set security zones security-zone trust address-book address insidepc1 10.0.0.1/32
    set security zones security-zone trust address-book address insidepc2 10.0.0.2/32

Create objects for the untrust hosts. In configuration mode type the following commands:
    set security zones security-zone untrust address-book address outsidepc1 20.0.0.1/32
    set security zones security-zone untrust address-book address outsidepc2 20.0.0.2/32

Make a group for the trust side. In configuration mode type the following commands:
    set security zones security-zone trust address-book address-set trustedpcs address insidepc1
    set security zones security-zone trust address-book address-set trustedpcs address insidepc2
    commit

Make a group for the untrust side. In configuration mode type the following commands:
    set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc1
    set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc2
    commit

Call the groups to create a group policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy allow match source-address trustedpcs
    set security policies from-zone trust to-zone untrust policy allow match destination-address untrustedpcs
    set security policies from-zone trust to-zone untrust policy allow match application any
    set security policies from-zone trust to-zone untrust policy allow then permit

Verifying commands. In configuration mode type the following commands:
    show security policies | display set
    show security zones security-zone trust address-book
In operational mode type the following commands:
    root> show security policies
    root> show security policies detail
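The multi cell policy and the group policy above express almost the same intent, but not quite: the multi cell version lists only outsidepc1 as destination, so insidepc2 reaching 20.0.0.2 is denied, while the address-set version permits it. The following Python model, added here and not code from the lab manual or from Junos, resolves zone-based address-book names and address-sets exactly as the set commands in Lab 5 and Lab 6 define them and performs a first-match lookup with the implicit default deny, so the two policies can be compared on concrete flows. The policy list and lookup order are this model's assumptions about how the SRX evaluates the configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed to mirror the Lab 5/6 address-book commands (assumed values, not a device export).
# Source-address names resolve in the from-zone's address book, destination-address names in
# the to-zone's, which is how zone-based address books are referenced from a policy.
ADDRESS_BOOK: Dict[str, Dict[str, str]] = {
    "trust": {"insidepc1": "10.0.0.1/32", "insidepc2": "10.0.0.2/32"},
    "untrust": {"outsidepc1": "20.0.0.1/32", "outsidepc2": "20.0.0.2/32"},
}
ADDRESS_SETS: Dict[str, Dict[str, List[str]]] = {
    "trust": {"trustedpcs": ["insidepc1", "insidepc2"]},
    "untrust": {"untrustedpcs": ["outsidepc1", "outsidepc2"]},
}


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source_address: List[str]       # several names here is the "multi cell" match
    destination_address: List[str]
    application: List[str]
    action: str                     # "permit" or "deny"


# Lab 6, 1. Multi cell policy: two source objects, a single destination object.
MULTI_CELL = [Policy("allow", "trust", "untrust",
                     ["insidepc1", "insidepc2"], ["outsidepc1"], ["any"], "permit")]

# Lab 6, 2. Group policy: the same hosts referenced through address-sets.
GROUP = [Policy("allow", "trust", "untrust",
                ["trustedpcs"], ["untrustedpcs"], ["any"], "permit")]


def resolve(zone: str, name: str) -> List:
    """Expand 'any', an address-set name or an address name into a list of networks."""
    if name == "any":
        return [ip_network("0.0.0.0/0")]
    if name in ADDRESS_SETS.get(zone, {}):
        nets = []
        for member in ADDRESS_SETS[zone][name]:
            nets.extend(resolve(zone, member))   # members may themselves be sets
        return nets
    return [ip_network(ADDRESS_BOOK[zone][name])]


def _covers(zone: str, names: List[str], addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for name in names for net in resolve(zone, name))


def lookup(from_zone: str, to_zone: str, src: str, dst: str, app: str,
           policies: List[Policy]) -> Tuple[Optional[str], str]:
    """First matching policy wins; with no match the implicit default is deny."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if not _covers(p.from_zone, p.source_address, src):
            continue
        if not _covers(p.to_zone, p.destination_address, dst):
            continue
        if "any" not in p.application and app not in p.application:
            continue
        return p.name, p.action
    return None, "deny"


if __name__ == "__main__":
    for label, pols in (("multi-cell", MULTI_CELL), ("group", GROUP)):
        print(label, "10.0.0.2 -> 20.0.0.2:",
              lookup("trust", "untrust", "10.0.0.2", "20.0.0.2", "junos-http", pols))
```

Running the block shows the difference the lab's verifying commands would also reveal in show security policies detail: the multi cell policy returns (None, 'deny') for 10.0.0.2 to 20.0.0.2, the group policy returns ('allow', 'permit'). Neither policy matches the untrust-to-trust direction, which stays on the default deny unless a return policy is written, as Lab 2 does with incomingtraffic.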

Lab # 7

Advance Policy Configuration

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on the trust side of fe-0/0/1 10.0.0.10 (trust); fe-0/0/0 20.0.0.10 (untrust); outside hosts 20.0.0.1 and 20.0.0.2.]

Configuration

a. Logging

* Logging of flow sessions

Create the log file with these commands. In configuration mode type the following commands:
    set system syslog file log-file any any
    set system syslog file log-file match RT_FLOW_SESSION

Call the log in the policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-init
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-close

Output of logging:
    Feb 18 20:11:16 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.1/2690->20.0.0.1/80 junos-http 20.0.0.10/28723->20.0.0.1/80 source-nat-rule None 6 trust-to-untrust trust untrust 6894

Verifying commands. In operational mode type the following commands:
    show security flow session
    clear security flow session all
    show log log-file
    clear log log-file

* Logging at console

Enable the log with this command. In configuration mode type the following command:
    set system syslog console any any

Call the log in the policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-init
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-close

* Logging with a syslog server (Kiwi syslog server)

Enable the log with this command. In configuration mode type the following command:
    set system syslog host 10.0.0.2 any any

Call the log in the policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-init
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then log session-close
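Whether the RT_FLOW_SESSION_CREATE records land in a local file, on the console or on the syslog server at 10.0.0.2, they carry the same positional fields: original source/port and destination/port, service, the NAT-translated pair, the source and destination NAT rule names, protocol number, policy name, both zones and the session id. The following Python parser, added here and not part of the lab manual or of Junos, takes the exact line shown under "Output of logging" above plus one constructed inbound line and pulls those fields out, so a syslog consumer can tell translated sessions from untranslated ones and pick out flows entering the trust zone. The field order is this example's reading of the log format, and the second log line and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The RT_FLOW_SESSION_CREATE line copied from the lab's "Output of logging".
LAB_LINE = ("Feb 18 20:11:16 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
            "10.0.0.1/2690->20.0.0.1/80 junos-http 20.0.0.10/28723->20.0.0.1/80 "
            "source-nat-rule None 6 trust-to-untrust trust untrust 6894")

# Constructed line (not from the manual): an inbound session through the Lab 4 destination NAT.
CONSTRUCTED_INBOUND = ("Feb 18 20:12:03 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
                       "20.0.0.1/41022->20.0.0.51/80 junos-http 20.0.0.1/41022->10.0.0.1/80 "
                       "None servernat 6 incomingtraffic untrust trust 6895")

# Assumed field order: src/sport->dst/dport service nat-src/nat-sport->nat-dst/nat-dport
# src-nat-rule dst-nat-rule protocol policy from-zone to-zone session-id
PATTERN = re.compile(r"""
    ^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+RT_FLOW:\sRT_FLOW_SESSION_CREATE:\ssession\screated\s
    (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)\s
    (?P<service>\S+)\s
    (?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+)\s
    (?P<src_nat_rule>\S+)\s(?P<dst_nat_rule>\S+)\s(?P<proto>\d+)\s
    (?P<policy>\S+)\s(?P<from_zone>\S+)\s(?P<to_zone>\S+)\s(?P<session_id>\d+)\s*$
""", re.VERBOSE)


@dataclass
class Session:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    nat_src: str
    nat_sport: int
    nat_dst: str
    nat_dport: int
    src_nat_rule: str
    dst_nat_rule: str
    protocol: int
    policy: str
    from_zone: str
    to_zone: str
    session_id: int

    @property
    def source_translated(self) -> bool:
        return (self.src, self.sport) != (self.nat_src, self.nat_sport)

    @property
    def destination_translated(self) -> bool:
        return (self.dst, self.dport) != (self.nat_dst, self.nat_dport)


def parse_session_create(line: str) -> Optional[Session]:
    """Parse one RT_FLOW_SESSION_CREATE line; None for anything else (e.g. SESSION_CLOSE)."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Session(g["ts"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                   g["service"], g["nat_src"], int(g["nat_sport"]), g["nat_dst"],
                   int(g["nat_dport"]), g["src_nat_rule"], g["dst_nat_rule"],
                   int(g["proto"]), g["policy"], g["from_zone"], g["to_zone"],
                   int(g["session_id"]))


def translated_sessions(lines: List[str]) -> List[int]:
    """Session ids whose source or destination was rewritten by NAT."""
    out = []
    for s in filter(None, map(parse_session_create, lines)):
        if s.source_translated or s.destination_translated:
            out.append(s.session_id)
    return out


def inbound_to_zone(lines: List[str], zone: str = "trust") -> List[int]:
    """Session ids of flows entering the given zone: the ones to review first on this topology."""
    return [s.session_id for s in filter(None, map(parse_session_create, lines))
            if s.to_zone == zone]


if __name__ == "__main__":
    for line in (LAB_LINE, CONSTRUCTED_INBOUND):
        s = parse_session_create(line)
        print(s.session_id, s.policy, s.from_zone, "->", s.to_zone,
              "src-nat" if s.source_translated else "", "dst-nat" if s.destination_translated else "")
```

The session-close record uses a longer layout with byte counts and a close reason, so parse_session_create deliberately returns None for it rather than guessing; a consumer that also needs close events adds a second pattern keyed on the session id shared by both records.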

b. Counting

Call count in the policy. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then count
    commit

Verifying commands. In operational mode type the following command:
    show security policies detail

c. Scheduling

To check the system date and time, in operational mode type the following command:
    show system uptime

To set the system date and time, in operational mode type the following command:
    set date 201103262210

Create a scheduler. In configuration mode type the following command:
    set schedulers scheduler testscheduler daily start-time 22:24 stop-time 22:25

Create the policy and add the scheduler to it. In configuration mode type the following commands:
    set security policies from-zone trust to-zone untrust policy outgoingtraffic scheduler-name testscheduler
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
    set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit

Verifying commands. In operational mode type the following commands:
    show security policies detail
    show schedulers scheduler-name testscheduler

d. SNMP

Configure SNMP. In configuration mode type the following commands (the community string is a shared secret; "public" is the lab value):
    set snmp community public
    set snmp trap-group testgroup targets 10.0.0.3

Verifying commands. In operational mode type the following command:
    show snmp statistics

e. Authentication

* Device management authentication

Telnet to the SRX and verify the user against the local database. In configuration mode type the following commands:
    set system root-authentication encrypted-password abc123
    set system login user admin class super-user
    set system login user admin authentication plain-text-password
    New password:
    Retype new password:
    set system services telnet
    set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8
    set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all

Telnet to the SRX and verify the user with AAA. In configuration mode type the following commands:
    set system authentication-order radius
    set system root-authentication encrypted-password abc123
    set system radius-server 10.0.0.1 secret juniper123
    set system login user remote class super-user
    set system services telnet
    set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8
    set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all

Verifying commands. In operational mode type the following command:
    show system users

* Pass-through authentication

Create the user name and password. In configuration mode type the following commands:
    set access profile testprofile client admin firewall-user password admin123
    set access firewall-authentication pass-through default-profile testprofile
    set access firewall-authentication pass-through http banner success "welcome to ESP"

Call the authentication in the following policy. In configuration mode type the following commands:
    set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
    set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
    set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
    set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication pass-through client-match admin

Verifying commands. In operational mode type the following commands:
    show security firewall-authentication users
    clear security firewall-authentication users


*Webauth with Local Database

Create the user name and password
In configuration mode type the following commands:
set access profile testprofile client user1 firewall-user password user1
set access firewall-authentication web-authentication default-profile testprofile
set access firewall-authentication web-authentication banner success "welcome to esp"

Set the webauth IP address on the untrust interface
set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.20/8 web-authentication http
set system services web-management http interface fe-0/0/1.0
set system services web-management http interface fe-0/0/0.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Calling authentication in the following policy
In configuration mode type the following commands:
set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication web-authentication client-match user1

Verifying commands
In operational mode type the following commands:
show security firewall-authentication users
clear security firewall-authentication users


*Webauth with AAA server

Configuration on ACS server


    User database on ACS


AAA Client Configuration
In configuration mode type the following commands:
set access profile testprofile authentication-order radius
set access profile testprofile radius-server 10.0.0.2 secret juniper123
set access firewall-authentication web-authentication default-profile testprofile
set access firewall-authentication web-authentication banner success "welcome to esp"
set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.20/8 web-authentication http
set system services web-management http interface [fe-0/0/1.0 fe-0/0/0.0]
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all

Calling authentication in the following policy
In configuration mode type the following commands:
set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any
set security policies from-zone untrust to-zone trust policy incomingtraffic match application any
set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication web-authentication

Verifying commands
In operational mode type the following commands:
show security firewall-authentication users
clear security firewall-authentication users


    Lab # 8

    Routing

Configuration
a. Static Routing
b. Dynamic Routing
   1. RIP
   2. OSPF

Define IP addresses on the interfaces
In configuration mode type the following commands:
set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8
set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

[Topology diagram (labels only): SRX trust interface 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust interface 15.0.0.1 to router RA Fa0/0 15.0.0.2; RA Fa0/1 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2]


Configure Static Routing
In configuration mode type the following commands:
set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2
commit

Configure Dynamic Routing (RIP)
In configuration mode type the following commands:
set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8
set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8
set protocols rip group abc export policy1
set protocols rip group abc neighbor fe-0/0/0.0
set policy-options policy-statement policy1 from protocol direct
set policy-options policy-statement policy1 then accept
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
(The RIP neighbor interface fe-0/0/0.0 sits in the untrust zone, so that zone also needs host-inbound-traffic protocols allowed, as configured under OSPF below; otherwise the SRX drops the RIP updates it receives.)

Configure Dynamic Routing (OSPF)
In configuration mode type the following commands:
set protocols ospf area 0 interface all
set security zones security-zone untrust host-inbound-traffic protocols all

Allow the traffic using the following policy
In configuration mode type the following commands:
set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any
set security policies from-zone trust to-zone untrust policy allow then permit
commit


Verifying commands
In operational mode type the following commands:
show route
show route protocol static
show configuration
show interfaces terse
show route protocol rip
show ospf interface
show ospf neighbor
show route protocol ospf


Lab # 9

Site-to-site VPN

Configuration
Define IP addresses on the interfaces
In configuration mode type the following commands:
set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8
set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

Define Routing
In configuration mode type the following commands:
set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2

[Topology diagram (labels only): SRX trust interface 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust interface 15.0.0.1 to router RA Fa0/0 15.0.0.2; RA Fa0/1 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2]


Configure Router A as shown below. First enable the ISAKMP policy:

RouterA(config)# crypto isakmp enable (optional)
RouterA(config)# crypto isakmp policy 10
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2

RouterA(config)# crypto isakmp key cisco123 address 15.0.0.1

Configure the IPsec transform set
RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac

Configure the crypto ACL to define which traffic to protect
RouterA(config)# access-list 111 permit ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

Configure the crypto map
RouterA(config)# crypto map mymap 10 ipsec-isakmp
RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 15.0.0.1
RouterA(config-crypto-map)# set transform-set aset

Apply the crypto map to the WAN interface
RouterA(config)# int fa0/0
RouterA(config-if)# crypto map mymap


Configure the firewall as shown below.

Configure the IKE policy
In configuration mode type the following commands:
set security ike proposal ikeproposal authentication-method pre-shared-keys
set security ike proposal ikeproposal dh-group group2
set security ike proposal ikeproposal authentication-algorithm md5
set security ike proposal ikeproposal encryption-algorithm des-cbc
set security ike policy ikepolicy mode main
set security ike policy ikepolicy proposals ikeproposal
set security ike policy ikepolicy pre-shared-key ascii-text juniper123
set security ike gateway ikegateway ike-policy ikepolicy
set security ike gateway ikegateway address 15.0.0.2
set security ike gateway ikegateway external-interface fe-0/0/0
(The pre-shared key must be identical on both peers. Router A above was configured with cisco123, so either enter the same string here or change Router A's key to juniper123; otherwise phase 1 fails.)

Configure IPsec
In configuration mode type the following commands:
set security ipsec proposal ipsecproposal protocol esp
set security ipsec proposal ipsecproposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsecproposal encryption-algorithm des-cbc
set security ipsec policy ipsecpolicy proposals ipsecproposal
set security ipsec vpn s2svpn ike gateway ikegateway
set security ipsec vpn s2svpn ike ipsec-policy ipsecpolicy
set security ipsec vpn s2svpn establish-tunnels on-traffic

Configure the policy
Trust to Untrust
In configuration mode type the following commands:
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any


set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit tunnel ipsec-vpn s2svpn

Untrust to Trust
In configuration mode type the following commands:
set security policies from-zone untrust to-zone trust policy untrusttotrust match source-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match destination-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match application any
set security policies from-zone untrust to-zone trust policy untrusttotrust then permit

Verifying commands
In operational mode type the following commands:
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
clear security ipsec statistics
clear security ike security-associations
clear security ipsec security-associations
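The site-to-site lab above pairs a Cisco ISAKMP policy and transform set with an SRX IKE/IPsec proposal, and the two sides must agree on every phase 1 and phase 2 parameter, including the pre-shared key. The following Python script is an added example, not part of the lab manual: it parses constructed copies of the lab's Router A and SRX lines, reports each parameter the peers disagree on, and flags the DES/MD5/group2 settings the lab uses; the IOS-to-Junos name mapping and the line patterns are assumptions about the two CLI syntaxes as they appear on this page.

```python
"""Audit the Lab 9 site-to-site VPN for peer mismatches and weak algorithms.
Added example, not part of the lab manual; the IOS-to-Junos name mapping and
the line patterns are assumptions about the two CLI syntaxes as used here."""
import re

# Assumed mapping of the IOS keywords used in this lab to their Junos names.
IOS_TO_JUNOS = {"des": "des-cbc", "md5": "md5", "sha": "sha1", "2": "group2"}
# Settings a reviewer would flag today even when both peers agree on them.
WEAK = {"des-cbc", "md5", "group2", "hmac-md5-96"}
# One regex per parameter; group(1) is the value. IOS lines have the prompt stripped.
IOS_PATTERNS = {
    "ike_enc": r"encryption (\S+)", "ike_auth": r"hash (\S+)", "dh": r"group (\d+)",
    "psk": r"crypto isakmp key (\S+) address",
    "esp_enc": r"crypto ipsec transform-set \S+ esp-(\S+) esp-\S+-hmac",
    "esp_auth": r"crypto ipsec transform-set \S+ esp-\S+ esp-(\S+)-hmac",
}
JUNOS_PATTERNS = {
    "ike_enc": r"ike proposal \S+ encryption-algorithm (\S+)",
    "ike_auth": r"ike proposal \S+ authentication-algorithm (\S+)",
    "dh": r"ike proposal \S+ dh-group (\S+)",
    "psk": r"pre-shared-key ascii-text (\S+)",
    "esp_enc": r"ipsec proposal \S+ encryption-algorithm (\S+)",
    "esp_auth": r"ipsec proposal \S+ authentication-algorithm (\S+)",
}

def parse_ios(text):
    """Extract Router A parameters, translated to Junos names."""
    p = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop the RouterA(config...)# prompt
        for key, pat in IOS_PATTERNS.items():
            if m := re.match(pat, line):
                val = m.group(1)
                # IOS writes ESP auth as esp-md5-hmac; Junos calls it hmac-md5-96
                p[key] = "hmac-%s-96" % val if key == "esp_auth" else IOS_TO_JUNOS.get(val, val)
    return p

def parse_junos(text):
    """Extract the SRX parameters from its `set security ike/ipsec` lines."""
    p = {}
    for line in text.splitlines():
        for key, pat in JUNOS_PATTERNS.items():
            if m := re.search(pat, line):
                p[key] = m.group(1)
    return p

def audit(ios, junos):
    """One finding per parameter the peers disagree on, plus one per weak SRX setting."""
    findings = [f"mismatch {k}: RouterA={ios.get(k)} SRX={junos.get(k)}"
                for k in sorted(set(ios) | set(junos)) if ios.get(k) != junos.get(k)]
    findings += [f"weak {k}: {v}" for k, v in junos.items() if v in WEAK]
    return findings

# Constructed copies of the Lab 9 lines for Router A and the SRX.
ROUTER_A = """RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2
RouterA(config)# crypto isakmp key cisco123 address 15.0.0.1
RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac"""
SRX = """set security ike proposal ikeproposal dh-group group2
set security ike proposal ikeproposal authentication-algorithm md5
set security ike proposal ikeproposal encryption-algorithm des-cbc
set security ike policy ikepolicy pre-shared-key ascii-text juniper123
set security ipsec proposal ipsecproposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsecproposal encryption-algorithm des-cbc"""

if __name__ == "__main__":
    print("\n".join(audit(parse_ios(ROUTER_A), parse_junos(SRX))))
```

Run against the lab's own lines it reports the pre-shared-key mismatch (cisco123 versus juniper123) first, followed by one line for each DES, MD5 and group2 setting.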


    Lab # 10

    Dynamic Vpn

Configuration
Allow HTTPS on the outside interface
In configuration mode type the following commands:
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set system services web-management https interface fe-0/0/0.0
set system services web-management https system-generated-certificate

[Topology diagram (labels only): SRX trust interface 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust interface 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2]


Configure Dynamic VPN
In configuration mode type the following commands:

IKE phase 1 proposal
set security ike proposal p1-dynamic-aes authentication-method pre-shared-keys
set security ike proposal p1-dynamic-aes dh-group group2
set security ike proposal p1-dynamic-aes authentication-algorithm sha1
set security ike proposal p1-dynamic-aes encryption-algorithm aes-128-cbc

IKE phase 2 proposal (IPsec)
set security ipsec proposal p2-dynamic-aes protocol esp
set security ipsec proposal p2-dynamic-aes authentication-algorithm hmac-sha1-96
set security ipsec proposal p2-dynamic-aes encryption-algorithm aes-128-cbc

Phase 1 - gateway definition
set security ike policy dynvpn mode aggressive
set security ike policy dynvpn proposals p1-dynamic-aes
set security ike policy dynvpn pre-shared-key ascii-text juniper
set security ike gateway gw-dyn dynamic hostname dynvpn.juniper.net
set security ike gateway gw-dyn external-interface fe-0/0/0
set security ike gateway gw-dyn ike-policy dynvpn
set security ike gateway gw-dyn xauth access-profile radius_profile

Phase 2 - VPN definition
set security ipsec policy dynvpn proposals p2-dynamic-aes
set security ipsec policy dynvpn perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-dyn ike gateway gw-dyn
set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn

Add an access profile and user definitions for IPsec client authentication (used with XAuth)


set access profile radius_profile authentication-order radius
set access profile radius_profile radius-server 10.0.0.2 secret juniper123
set access firewall-authentication pass-through default-profile radius_profile

Create the security policy that permits the VPN clients
set security policies from-zone untrust to-zone trust policy policy-dynvpn match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy policy-dynvpn then permit tunnel ipsec-vpn ipsec-dyn

Security policy delivered to the client
set security dynamic-vpn force-upgrade
set security dynamic-vpn access-profile radius_profile
set security dynamic-vpn clients irfan remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients irfan ipsec-vpn ipsec-dyn
set security dynamic-vpn clients irfan user irfan

Generate the key pair used for the HTTPS certificate
run request security pki generate-key-pair certificate-id https

Client run on XP


Verifying commands
In operational mode type the following commands:
show security dynamic-vpn users
show security dynamic-vpn client version
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics


    Lab # 11

Screen Options

Configuration
Define IP addresses on the interfaces
In configuration mode type the following commands:
delete system services web-management http
set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8
set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8

[Topology diagram (labels only): SRX trust interface 10.0.0.10 with hosts 10.0.0.1 and 10.0.0.2; SRX untrust interface 15.0.0.1 to router RA Fa0/0 15.0.0.2; RA Fa0/1 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2]


set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services all

Define Routing
In configuration mode type the following commands:
set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2

Define the policy from Untrust
In configuration mode type the following commands:
set security policies from-zone untrust to-zone trust policy untrusttotrust match source-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match destination-address any
set security policies from-zone untrust to-zone trust policy untrusttotrust match application any
set security policies from-zone untrust to-zone trust policy untrusttotrust then permit

To block large ICMP packets (greater than 1024 bytes)
In configuration mode type the following commands:
set security screen ids-option test icmp large
set security zones security-zone untrust screen test

To block ICMP fragments
In configuration mode type the following commands:
set security screen ids-option test icmp fragment
set security zones security-zone untrust screen test

Verifying commands
In operational mode type the following commands:
show security screen ids-option test
show security screen statistics zone untrust | match icmp


    Lab # 12

    DHCP

Configuration
In configuration mode type the following commands:

set system services dhcp router 10.0.0.10
set system services dhcp pool 10.0.0.0/8 address-range low 10.0.0.2
set system services dhcp pool 10.0.0.0/8 address-range high 10.0.0.254

On the PC:
C:\> ipconfig /release
C:\> ipconfig /renew
(Note that the PC will get an IP address from the pool.)

[Topology diagram (labels only): the SRX acts as DHCP server; trust-side hosts acquire their IP addresses from DHCP via the trust interface 10.0.0.10; untrust interface 20.0.0.10 with hosts 20.0.0.1 and 20.0.0.2]


Do not apply DHCP on this interface
In configuration mode type the following commands:
set system services dhcp propagate-settings fe-0/0/0.0

Verifying commands
In operational mode type the following commands:
show system services dhcp binding
show system services dhcp pool
show system services dhcp statistics


Lab # 13

INTER-VLAN ROUTING WITH BVI

Configuration
Configure inter-VLAN routing
In configuration mode type the following commands:
set interfaces fe-0/0/0 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family ethernet-switching
set interfaces vlan unit 10 family inet address 10.0.0.10/8
set interfaces vlan unit 20 family inet address 20.0.0.10/8

Assign interfaces to the VLANs
set vlans vlan-10 vlan-id 10
set vlans vlan-10 interface fe-0/0/1.0
set vlans vlan-10 l3-interface vlan.10

[Topology diagram (labels only): Host A 10.0.0.1/8 in VLAN 10, gateway 10.0.0.10 on SRX port Fa 0/1; Host B 20.0.0.1/8 in VLAN 20, gateway 20.0.0.10 on SRX port Fa 0/0]


set vlans vlan-20 vlan-id 20
set vlans vlan-20 interface fe-0/0/0.0
set vlans vlan-20 l3-interface vlan.20

Assign the VLAN interfaces to zones
set security zones security-zone trust interfaces vlan.10
set security zones security-zone untrust interfaces vlan.20

Create the policy from trust to untrust
set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit

Verifying commands
In operational mode type the following commands:
show vlans
show route
show ethernet-switching interfaces
show interfaces terse


    INTER-VLAN ROUTING WITH ROUTED PORT

    Configuration

[Topology diagram (labels only): WEB server 10.0.0.1/8 in VLAN 10 on EX2200 port Fa 0/1, gateway 10.0.0.10/8 (trust); FTP server 20.0.0.1/8 in VLAN 20 on EX2200 port Fa 0/13, gateway 20.0.0.10/8 (untrust); EX2200 port Fa 0/23 is the trunk to the SRX]


SRX Configuration
Configure inter-VLAN routing
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 10 vlan-id 10
set interfaces fe-0/0/0 unit 10 family inet address 10.0.0.10/8
set interfaces fe-0/0/0 unit 20 vlan-id 20
set interfaces fe-0/0/0 unit 20 family inet address 20.0.0.10/8

Assign the interfaces to zones
set security zones security-zone trust interfaces fe-0/0/0.10
set security zones security-zone untrust interfaces fe-0/0/0.20

Allow trust inbound services
set security zones security-zone trust host-inbound-traffic system-services all

Create the policy from trust to untrust
set security policies from-zone trust to-zone untrust policy outgoingtraffic match source-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match destination-address any
set security policies from-zone trust to-zone untrust policy outgoingtraffic match application any
set security policies from-zone trust to-zone untrust policy outgoingtraffic then permit

Switch Configuration
Configure the VLANs
set vlans vlan10 vlan-id 10
set vlans vlan20 vlan-id 20

Assign the interfaces to the VLANs
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access


set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan20

Configure the trunk port
set interfaces ge-0/0/23 description "trunk to SRX"
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members vlan20

Verifying commands
In operational mode type the following commands:
show vlans
show route
show interfaces terse
show vlans brief
