Juniper Networks Certified Internet Associate (JNCIA)

JNCIA-FWV Lab Manual

Developed by

M. Irfan Ghauri
M. Tanzeel Nasir
Sikander Shah Rashdi

C-32/1 Block-5 Gulshan-e-Iqbal, Karachi ESP Press
Ph #0213-6034003 Copyright 2011

JNCIA-FWV Lab Manual

1

LAB NO.   LABS DESCRIPTION                                      PAGE
1         ScreenOS Basic and WebUI Basics                          3
2         Accessing Firewall using Console/Telnet/SSH/HTTP         7
3         NAT                                                     10
          1. MIP
          2. DIP
             a. DIP with IP pool
             b. DIP with IP shift
             c. DIP with different IP (PAT)
             d. DIP with egress interface
          3. VIP
          4. Destination NAT
4         Creating Object and Policy                              24
5         POLICY                                                  26
          1. Multi-cell Policy
          2. Group Policy
6         ADVANCE POLICY CONFIG.                                  30
          1. Logging
          2. Counting
          3. Scheduling
          4. Authentication with (Local, WebAuth and AAA)
7         Site to Site VPN                                        36
8         Transparent Firewall                                    40
9         Debug Commands                                          41
10        DEVICE MANAGEMENT                                       44
          a. Syslog
          b. SNMP

Lab # 1
ScreenOS Basic

Configuration

After connecting your PC to the console port, log in with the factory default credentials.

LOGIN: netscreen
PASSWORD: netscreen

ns5gt->

To change the host name
ns5gt-> set hostname <Hostname>

Set the system date and time (mm/dd/yyyy hh:mm:ss)
ns5gt-> set clock 7/02/2010 04:20:00

Change the root administrator user name and password (replace netscreen with your own values; the factory name and password are the first thing to change)
ns5gt-> set admin name netscreen
ns5gt-> set admin password netscreen
ns5gt-> get admin user

WEB UI Configuration > Admin > Administrators

Verify the system date and time
ns5gt-> get clock

Configure the NetScreen interfaces with IP addresses
ns5gt-> set interface trust ip 10.0.0.10/8
ns5gt-> set interface untrust ip 20.0.0.10/8

ns5gt-> get interface
ns5gt-> get interface trust

WEB UI Network > Interfaces > Edit

Enable telnet and ping management on your untrust interface (for the lab only; telnet is cleartext and management on the untrust side should be disabled again afterwards)
ns5gt-> set interface untrust manage telnet
ns5gt-> set interface untrust manage ping

WEB UI Network > Interfaces > Edit

Ensure that a policy exists to allow your (trust) network to access the (untrust) network
ns5gt-> get policy

WEB UI Policies

Verify IP connectivity by issuing a ping from your (trust) network to the (untrust) network
ns5gt-> ping 20.0.0.1

If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.
ns5gt-> save

Also save it to your local PC using TFTP
ns5gt-> save config to tftp 10.0.0.1 groupname.cfg

Restore the configuration from TFTP (merge adds the file's commands to the running configuration instead of replacing it)
ns5gt-> save config from tftp 10.0.0.1 groupname.cfg merge

WEB UI Configuration > Update > Config File

Create two administrator user accounts: one read-only and the other having all privileges
ns5gt-> set admin user AdminReadOnly password abc123 privilege read-only
ns5gt-> set admin user AdminReadWrite password abc123 privilege all

Set the console timeout (in minutes; the default is 10)
ns5gt-> set console timeout 8

WEB UI Configuration > Admin > Management

Set the administration station IP in the firewall (only that machine will be able to log on to the firewall)
ns5gt-> set admin manager-ip 10.0.0.20 255.255.255.255

WEB UI Configuration > Admin > Permitted IPs

Set a separate management IP on the trust interface (an address dedicated to management sessions; it must lie in the interface's own subnet, 10.0.0.0/8 here, so 10.0.0.11 is used as an example)
ns5gt-> set interface trust manage-ip 10.0.0.11

WEB UI Network > Interfaces > Edit

Reset to factory default (confirm at each prompt)
ns5gt-> unset all
(confirmation prompt) -> yes
ns5gt-> reset
Modified, save? -> no
(confirmation prompt) -> yes

Create a separate rollback configuration file in flash memory, and roll back to it
ns5gt-> save config to last-known-good
ns5gt-> exec config rollback

Enable management services on the trust interface (all services at once, or individually)
ns5gt-> set interface trust manage

Or

ns5gt-> set interface trust manage ping
ns5gt-> set interface trust manage web
ns5gt-> set interface trust manage ssh
ns5gt-> set ssh enable

WEB UI Network > Interfaces > Edit

Disable management services
ns5gt-> unset interface trust manage

WEB UI Network > Interfaces > Edit

Configure a policy to allow traffic flow from the trust side to untrust (the three "any" fields are source address, destination address and service)
ns5gt-> set policy id 1 from trust to untrust any any any permit

WEB UI Policies > New

Configure a policy to allow traffic flow from the untrust side to trust
ns5gt-> set policy id 2 from untrust to trust any any any permit

WEB UI Policies > New

To log the traffic flow from the trust side to untrust, add log to the policy
ns5gt-> set policy id 1 from trust to untrust any any any permit log

WEB UI Policies > New > Edit

Delete a policy
ns5gt-> unset policy id 2

View the sessions on the firewall
ns5gt-> get session

Clear the sessions on the firewall
ns5gt-> clear session

View system information
ns5gt-> get system

View zones
ns5gt-> get zone

View the routing table
ns5gt-> get route

View admin information
ns5gt-> get admin

Lab # 2

Accessing the Firewall using Console/Telnet/SSH/HTTP

Configuration

After connecting your PC to the console port, log in.

LOGIN: netscreen
PASSWORD: netscreen
ns5gt->

Configuring telnet/SSH on the firewall
ns5gt-> set interface trust manage telnet
ns5gt-> set interface trust manage ssh
ns5gt-> set ssh enable
ns5gt-> set ssh version v2

WEB UI Network > Interfaces > Edit

Now access the firewall from the PC using telnet
Start > Run > cmd
C:\> ping 10.0.0.10
C:\> telnet 10.0.0.10

LOGIN: netscreen
PASSWORD: netscreen

Now access the firewall from the PC using SSH
First open the PuTTY software, select SSH and enter the firewall's trust IP (10.0.0.10), then press Open.

Now access the firewall from the PC using HTTP
First open Internet Explorer, then type
http://10.0.0.10

Lab # 3
NAT
1. Mapped IP (MIP)

[Topology diagram: Host A 10.0.0.1 and Server 10.0.0.2 on trust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

First map a public IP on the untrust interface to the server's private IP (a MIP is a one-to-one mapping that works in both directions)
ns5gt-> set interface untrust mip 20.0.0.30 host 10.0.0.2 netmask 255.255.255.255 vr trust-vr

WEB UI Network > Interfaces > Edit > MIP > Configuration

Bind a traffic policy to allow the traffic to the MIP
ns5gt-> set policy from untrust to trust any mip(20.0.0.30) any permit

WEBUI Policy > Policies > New

To log the traffic, add log to the same policy
ns5gt-> set policy from untrust to trust any mip(20.0.0.30) any permit log

WEBUI Policy > Policies (From Untrust To Trust) > Edit

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

2. DIP
a. DIP with IP pool

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on trust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Make a pool of IPs on the untrust interface (fix-port keeps the original source port, so only the address is translated)
ns5gt-> set interface untrust dip 4 20.0.0.30 20.0.0.40 fix-port

WEBUI Network > Interfaces > Edit > DIP > Configuration

Bind a traffic policy that applies the pool as source NAT
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit

WEBUI Policy > Policies > New

To log the traffic, add log to the same policy
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit log

WEBUI Policy > Policies (From Trust To Untrust) > Edit

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

b. DIP with IP shift

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on trust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Make a pool of shifted IPs on the untrust interface (sources 10.0.0.1 to 10.0.0.10 map one-to-one onto 20.0.0.11 to 20.0.0.20)
ns5gt-> set interface untrust dip 4 shift-from 10.0.0.1 to 20.0.0.11 20.0.0.20

WEBUI Network > Interfaces > Edit > DIP > Configuration

Bind a traffic policy that applies the pool as source NAT
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit

WEBUI Policy > Policies > New


To log the traffic, add log to the same policy
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit log

WEBUI Policy > Policies (From Trust To Untrust) > Edit

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

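As an added illustration that is not part of the manual, the following Python model computes the two static one-to-one translations of this lab, the MIP from section 1 and the DIP with IP shift just configured, using the lab's own addresses; it shows which address each host gets and what happens to a host outside the configured range. The function names mip and dip_shift are my own, and the netmask generalisation of the MIP (mapping a whole block) is also shown.

```python
import ipaddress

IPv4 = ipaddress.IPv4Address


def mip(mip_addr, host_addr, netmask="255.255.255.255"):
    """Model of 'set interface untrust mip MIP host HOST netmask MASK'.

    A MIP is a bidirectional 1:1 mapping: inbound traffic to the MIP goes to
    the host, and the host's outbound traffic leaves with the MIP as source.
    A shorter netmask maps a whole block address-for-address.
    """
    pub = ipaddress.IPv4Network(f"{mip_addr}/{netmask}", strict=False)
    priv = ipaddress.IPv4Network(f"{host_addr}/{netmask}", strict=False)

    def inbound(dst):      # untrust -> trust: rewrite the destination
        a = IPv4(dst)
        if a not in pub:
            return None    # not a MIP address: no translation applies
        return str(IPv4(int(priv.network_address) + (int(a) - int(pub.network_address))))

    def outbound(src):     # trust -> untrust: rewrite the source
        a = IPv4(src)
        if a not in priv:
            return None
        return str(IPv4(int(pub.network_address) + (int(a) - int(priv.network_address))))

    return inbound, outbound


def dip_shift(shift_from, pool_start, pool_end):
    """Model of 'set interface untrust dip N shift-from FROM to START END'.

    Sources FROM, FROM+1, ... map one-to-one onto START..END, so the pool
    size fixes how many internal hosts are covered; the source port is kept.
    Unlike a MIP this translation is outbound only.
    """
    base, lo, hi = IPv4(shift_from), IPv4(pool_start), IPv4(pool_end)
    size = int(hi) - int(lo) + 1

    def translate(src):
        offset = int(IPv4(src)) - int(base)
        if not 0 <= offset < size:
            return None    # host outside the shifted range: the DIP has no address for it
        return str(IPv4(int(lo) + offset))

    return translate


if __name__ == "__main__":
    inbound, outbound = mip("20.0.0.30", "10.0.0.2")
    print(inbound("20.0.0.30"), outbound("10.0.0.2"))                 # 10.0.0.2 20.0.0.30
    shift = dip_shift("10.0.0.1", "20.0.0.11", "20.0.0.20")
    print(shift("10.0.0.1"), shift("10.0.0.10"), shift("10.0.0.11"))  # 20.0.0.11 20.0.0.20 None
```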
c. DIP with a different IP (PAT)

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on trust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Set a single public IP on the untrust interface (without fix-port the source ports are translated as well, so many hosts share the one address)
ns5gt-> set interface untrust dip 4 20.0.0.30 20.0.0.30

WEBUI Network > Interfaces > Edit > DIP > Configuration

Bind a traffic policy that applies the pool as source NAT
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit

WEBUI Policy > Policies > New

To log the traffic, add log to the same policy
ns5gt-> set policy from trust to untrust any any any nat src dip-id 4 permit log

WEBUI Policy > Policies (From Trust To Untrust) > Edit

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

d. DIP with egress interface

[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on trust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Apply source NAT on the policy without a DIP pool, so the untrust interface IP (20.0.0.10) is used as the translated source
ns5gt-> set policy from trust to untrust any any any nat src permit

WEBUI Policy > Policies > New

To log the traffic, add log to the same policy
ns5gt-> set policy from trust to untrust any any any nat src permit log

WEBUI Policy > Policies (From Trust To Untrust) > Edit

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

3. VIP

[Topology diagram: web server 10.0.0.1 and FTP server 10.0.0.2 on trust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Set a virtual IP on the untrust interface and map a service to each server (the + adds a further service to the existing VIP)
ns5gt-> set interface untrust vip 20.0.0.50 21 ftp 10.0.0.2
ns5gt-> set interface untrust vip 20.0.0.50 + 80 http 10.0.0.1

WEBUI Network > Interfaces > Edit > VIP/VIP Service

Apply the VIP in the following policy
ns5gt-> set policy from untrust to trust any vip::1 any permit

WEBUI Policy > Policies > New

To log the traffic, add log to the same policy
ns5gt-> set policy from untrust to trust any vip::1 any permit log

WEBUI Policy > Policies (From Untrust To Trust) > Edit

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

4. Destination NAT

[Topology diagram: web server 10.0.0.1 and host 10.0.0.2 on trust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Create an address object in the trust zone for the virtual (public) IP
ns5gt-> set address trust "1.1.1.1" 1.1.1.1 255.255.255.255

Create the policy that translates destination 1.1.1.1 to the web server
ns5gt-> set policy id 1 from untrust to trust any "1.1.1.1" any nat src dst ip 10.0.0.1 permit log

WEBUI Policy > Policies > New

Define a route for the virtual IP through the trust interface
ns5gt-> set route 1.1.1.1/32 interface trust

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

Lab # 4
Creating Object and Policy

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on tr
ust (firewall trust interface 10.0.0.10); host 20.0.0.1 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Create an address object for the trust host PC
ns5gt-> set address trust insidepc 10.0.0.1/32

WEBUI Policy > Policy Elements > Addresses > Configuration

Create an address object for the untrust host PC
ns5gt-> set address untrust outsidepc 20.0.0.1/32

WEBUI Policy > Policy Elements > Addresses > Configuration

Reference the objects to create the policies
ns5gt-> set policy from trust to untrust insidepc outsidepc any permit
ns5gt-> set policy from untrust to trust outsidepc insidepc any permit

WEBUI Policy > Policies > New

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

Lab # 5
1. Multi-cell Policy

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on trust (firewall trust interface 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Create address objects for the trust hosts
ns5gt-> set address trust insidepc1 10.0.0.1/32
ns5gt-> set address trust insidepc2 10.0.0.2/32

WEBUI Policy > Policy Elements > Addresses > Configuration

Create address objects for the untrust hosts
ns5gt-> set address untrust outsidepc1 20.0.0.1/32
ns5gt-> set address untrust outsidepc2 20.0.0.2/32

WEBUI Policy > Policy Elements > Addresses > Configuration




Reference the objects to create a multi-cell policy (enter the policy context to add further addresses and services to the same policy)
ns5gt-> set policy id 1 from trust to untrust insidepc1 outsidepc1 ftp permit
ns5gt-> set policy id 1
ns5gt(policy:1)-> set src-address insidepc2
ns5gt(policy:1)-> set dst-address outsidepc2
ns5gt(policy:1)-> set service http
ns5gt(policy:1)-> set service icmp-any
ns5gt(policy:1)-> exit

WEBUI Policy > Policies > New

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

2. Group Policy

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on trust (firewall trust interface 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Create address objects for the trust hosts
ns5gt-> set address trust insidepc1 10.0.0.1/32
ns5gt-> set address trust insidepc2 10.0.0.2/32

WEBUI Policy > Policy Elements > Addresses > Configuration

Create address objects for the untrust hosts
ns5gt-> set address untrust outsidepc1 20.0.0.1/32
ns5gt-> set address untrust outsidepc2 20.0.0.2/32

WEBUI Policy > Policy Elements > Addresses > Configuration

Make an address group for the trust zone
ns5gt-> set group address trust groupnamein
ns5gt-> set group address trust groupnamein add insidepc1
ns5gt-> set group address trust groupnamein add insidepc2

WEBUI Policy > Policy Elements > Addresses > Groups > Configuration

Make an address group for the untrust zone
ns5gt-> set group address untrust groupnameout
ns5gt-> set group address untrust groupnameout add outsidepc1
ns5gt-> set group address untrust groupnameout add outsidepc2

WEBUI Policy > Policy Elements > Addresses > Groups > Configuration

Reference the groups to create a group policy
ns5gt-> set policy id 1 from trust to untrust groupnamein groupnameout ftp permit
ns5gt-> set policy id 1
ns5gt(policy:1)-> set service http
ns5gt(policy:1)-> set service icmp-any
ns5gt(policy:1)-> exit

WEBUI Policy > Policies > New

Verifying commands
ns5gt-> get config
ns5gt-> get policy

WEBUI Policy > Policies

Lab # 6

Advanced Policy Configuration

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on trust (firewall trust interface 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

1. Logging

Enable logging on the policy with this command
ns5gt-> set policy id 1 from trust to untrust any any any permit log

WEBUI Policy > Policies (From Trust To Untrust)

2. Counting

Enable traffic counting (byte and packet graphs) on the policy with this command
ns5gt-> set policy id 1 from trust to untrust any any any permit count

WEBUI Policy > Policies (From Trust To Untrust)

3. Scheduling

Define the schedule with this command (a one-time window, mm/dd/yyyy hh:mm)
ns5gt-> set scheduler tempwork once start 2/16/2010 23:01 stop 2/16/2010 23:05

Reference the schedule when creating the policy
ns5gt-> set policy from trust to untrust any any any permit schedule tempwork

WEBUI Policy > Policies > New

4. Authentication

With the local database
Create the user name and password
ns5gt-> set user esp uid 1
ns5gt-> set user esp type auth
ns5gt-> set user esp password netscreen
ns5gt-> set user esp enable

Require authentication in the following policy
ns5gt-> set policy from untrust to trust any any any permit auth

WEBUI Policy > Policies > New

With WebAuth
Enable WebAuth and set the WebAuth IP on the untrust interface
ns5gt-> set interface untrust webauth
ns5gt-> set interface untrust webauth-ip 20.0.0.51

Require WebAuth in the following policy
ns5gt-> set policy from untrust to trust any any any permit webauth

With an AAA server
Browse to http://127.0.0.1:1812
Username and password from the local Windows database
Username : administrator
Password : abc123

[Screenshot: AAA server configuration with Steel-Belted RADIUS]

[Screenshot: user database on ACS]

AAA client configuration (on the firewall; the RADIUS secret must match the one configured on the server)
ns5gt-> set auth-server aaaserver id 1
ns5gt-> set auth-server aaaserver server-name 20.0.0.2
ns5gt-> set auth-server aaaserver account-type auth
ns5gt-> set auth-server aaaserver radius secret juniper123

WEBUI Configuration > Auth > Auth Servers > Edit

Require authentication against the AAA server in the following policy
ns5gt-> set policy id 1 from untrust to trust any any any permit auth server aaaserver

Verifying commands
ns5gt-> get config
ns5gt-> get policy
ns5gt-> get interface
ns5gt-> get auth table
ns5gt-> clear auth table

WEBUI Policy > Policies

Lab # 7
Site-to-Site VPN

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on trust (firewall trust interface 10.0.0.10, untrust interface 15.0.0.1); Router RA with Fa0/0 15.0.0.2 facing the firewall and Fa0/1 20.0.0.10; hosts 20.0.0.1 and 20.0.0.2 behind RA]

Configuration

Configure Router A as shown below.

First enable the ISAKMP policy (phase 1: pre-shared key, DES, MD5, DH group 2)

RouterA(config)# crypto isakmp enable   ( optional )
RouterA(config)# crypto isakmp policy 10
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2

Set the pre-shared key for the firewall's untrust address (15.0.0.1 in this topology)
RouterA(config)# crypto isakmp key cisco123 address 15.0.0.1

Configure the IPsec transform set (phase 2)

RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac

Configure the crypto ACL to define which traffic to protect (the router's local network 20.0.0.0/8 to the remote network 10.0.0.0/8)

RouterA(config)# access-list 111 permit ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

Configure the crypto map (the peer is the firewall's untrust address)

RouterA(config)# crypto map mymap 10 ipsec-isakmp
RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 15.0.0.1
RouterA(config-crypto-map)# set transform-set aset

Apply the crypto map to the WAN interface (Fa0/0 in this topology)

RouterA(config)# interface FastEthernet0/0
RouterA(config-if)# crypto map mymap

Configure the firewall as shown below.

WEB UI Network > Routing > Destination > New

Configure the IKE policy (the gateway address is the router's WAN IP; the proposal pre-g2-des-md5 matches the router's ISAKMP policy; the pre-shared key is case-sensitive and must match the router's exactly)

ns5gt-> set ike gateway ikepolicy address 15.0.0.2 Main outgoing-interface untrust preshare cisco123 proposal pre-g2-des-md5

ns5gt-> set ike respond-bad-spi 1

WEBUI VPNs > AutoKey Advanced > Gateway > Edit (click on Advanced)

Configure IPsec (phase 2: no PFS, ESP with DES and MD5, matching the router's transform set)

ns5gt-> set vpn ipsec gateway ikepolicy no-replay tunnel idletime 0 proposal nopfs-esp-des-md5

WEBUI VPNs > AutoKey IKE > Edit

Configure the tunnel policies (local 10.0.0.0/8 to remote 20.0.0.0/8 and the reverse; pairing the second policy with the first links both)

ns5gt-> set policy id 1 from trust to untrust 10.0.0.0/8 20.0.0.0/8 any tunnel vpn ipsec id 1
ns5gt-> set policy id 2 from untrust to trust 20.0.0.0/8 10.0.0.0/8 any tunnel vpn ipsec id 1 pair-policy 1

WEBUI Policy > Policies

Verifying commands
ns5gt-> get ike cookie
ns5gt-> get sa active

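An added consistency check, my own code and not part of the manual, that parses the router-side and firewall-side commands from this lab and reports any phase 1, phase 2, peer-address or pre-shared-key mismatch before the tunnel is brought up. The embedded snippets are the lab's commands with the firewall's key deliberately capitalised so the check has something to catch; ROUTER_WAN_IP and FIREWALL_UNTRUST_IP are taken from the topology.

```python
import re

# Constructed consistency check for the Cisco/ScreenOS pair in this lab. The
# snippets are the lab's commands, except that the firewall pre-shared key is
# deliberately capitalised so that the check has a mismatch to report.
ROUTER_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key cisco123 address 15.0.0.1
crypto ipsec transform-set aset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 15.0.0.1
"""
FIREWALL_CFG = """\
set ike gateway ikepolicy address 15.0.0.2 Main outgoing-interface untrust preshare Cisco123 proposal pre-g2-des-md5
set vpn ipsec gateway ikepolicy no-replay tunnel idletime 0 proposal nopfs-esp-des-md5
"""
ROUTER_WAN_IP, FIREWALL_UNTRUST_IP = "15.0.0.2", "15.0.0.1"   # from the lab topology


def parse_router(cfg):
    """Pull the phase-1 and phase-2 parameters out of the IOS crypto commands."""
    def first(pattern):
        return re.search(pattern, cfg, re.M).group(1)
    r = {"auth": first(r"^\s*authentication (\S+)"), "enc": first(r"^\s*encryption (\S+)"),
         "hash": first(r"^\s*hash (\S+)"), "group": first(r"^\s*group (\d+)"),
         "peer": first(r"^\s*set peer (\S+)"), "pfs": bool(re.search(r"^\s*set pfs", cfg, re.M))}
    m = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg)
    r["psk"], r["key_peer"] = m.group(1), m.group(2)
    m = re.search(r"transform-set \S+ esp-([^-\s]+) esp-([^-\s]+)-hmac", cfg)
    r["p2_enc"], r["p2_hash"] = m.group(1), m.group(2)
    return r


def parse_firewall(cfg):
    """Decode the ScreenOS proposal names: pre-g2-des-md5 is pre-shared key, DH group 2,
    DES, MD5; nopfs-esp-des-md5 is no PFS, ESP with DES and MD5."""
    m = re.search(r"set ike gateway \S+ address (\S+) .*preshare (\S+) proposal "
                  r"pre-g(\d)-([^-\s]+)-([^-\s]+)", cfg)
    f = {"peer": m.group(1), "psk": m.group(2), "group": m.group(3),
         "enc": m.group(4), "hash": m.group(5)}
    m = re.search(r"set vpn \S+ gateway \S+ .*proposal (nopfs|g\d)-esp-([^-\s]+)-([^-\s]+)", cfg)
    f["pfs"], f["p2_enc"], f["p2_hash"] = m.group(1) != "nopfs", m.group(2), m.group(3)
    return f


def check_vpn_pair(router_cfg, firewall_cfg):
    """Return the mismatches that would keep the tunnel down (empty list = consistent)."""
    r, f = parse_router(router_cfg), parse_firewall(firewall_cfg)
    problems = []
    if r["auth"] != "pre-share":
        problems.append("router phase 1 does not use pre-shared-key authentication")
    for key in ("enc", "hash", "group", "p2_enc", "p2_hash", "pfs"):
        if r[key] != f[key]:
            problems.append(f"{key} mismatch: router={r[key]} firewall={f[key]}")
    if r["psk"] != f["psk"]:                # both platforms compare the key byte for byte
        problems.append("pre-shared key differs (check case)")
    if r["peer"] != FIREWALL_UNTRUST_IP or r["key_peer"] != FIREWALL_UNTRUST_IP:
        problems.append("router peer/key address is not the firewall untrust IP")
    if f["peer"] != ROUTER_WAN_IP:
        problems.append("firewall gateway address is not the router WAN IP")
    return problems
```

Running check_vpn_pair(ROUTER_CFG, FIREWALL_CFG) reports only the key mismatch; correcting the key's case returns an empty list.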
Lab # 8
Transparent Firewall

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on trust (firewall trust interface 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Give the firewall a management address on vlan1, move the trust and untrust interfaces into the layer-2 (V1) zones (unset their IP addresses first if they are still set), and allow traffic between the V1 zones
ns5gt-> set interface vlan1 ip 50.0.0.50/8
ns5gt-> set interface trust zone V1-Trust
ns5gt-> set interface untrust zone V1-Untrust
ns5gt-> set policy id 1 from V1-Trust to V1-Untrust any any any permit
ns5gt-> set policy id 2 from V1-Untrust to V1-Trust any any any permit

Verifying commands
ns5gt-> get interface
ns5gt-> get policy

Lab # 9

Debug Commands

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on trust (firewall trust interface 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Set a flow filter so that only traffic from 10.0.0.1 to 20.0.0.1 is captured, start the basic flow debug, then read the debug buffer
ns5gt-> set ffilter src-ip 10.0.0.1 dst-ip 20.0.0.1
ns5gt-> debug flow basic
ns5gt-> get dbuf stream

Flow Basic Output
****** 02599.0: <Trust/trust> packet received [60]******
ipid = 6937(1b19), @05a27cd0
packet passed sanity check.
flow_decap_vector IPv4 process
trust:10.0.0.1/44289->20.0.0.1/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 10.0.0.1->20.0.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 3.route 20.0.0.1->20.0.0.1, to untrust
routed (x_dst_ip 20.0.0.1) from trust (trust in 0) to untrust
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 20.0.0.1, port 40538, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
dip id = 2, 10.0.0.1/44289->20.0.0.10/1710
choose interface untrust as outgoing phy if
no loop on ifp untrust.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <trust>, out <untrust>
existing vector list 1-61a3d14.
Session (id:2054) created for first pak 1
flow_first_install_session======>
route to 20.0.0.1
arp entry found for 20.0.0.1
ifp2 untrust, out_ifp untrust, flag 10800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (untrust, 20.0.0.1->10.0.0.1) in vr trust-vr for vsd-0/flag-3000/ifp-trust
[ Dest] 1.route 10.0.0.1->10.0.0.1, to trust
route to 10.0.0.1
arp entry found for 10.0.0.1
ifp2 trust, out_ifp trust, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 2054
flow_main_body_vector in ifp trust out ifp untrust
flow vector index 0x1, vector addr 0x1c16050, orig vector 0x1c16050
post addr xlation: 20.0.0.10->20.0.0.1.

The lines to read first are the 5-tuple after flow_decap_vector, the route lookup result, "Permitted by policy 1", the dip source translation and the session id.

No Route to Destination
ns5gt-> set ffilter src-ip 10.0.0.1 dst-ip 30.0.0.1
ns5gt-> debug flow basic
ns5gt-> get dbuf stream

Output
****** 05026.0: <Trust/trust> packet received [60]******
ipid = 9268(2434), @05a16cd0
packet passed sanity check.
flow_decap_vector IPv4 process
trust:10.0.0.1/46081->30.0.0.1/512,1(8/0)<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 10.0.0.1->30.0.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (10.0.0.1->30.0.0.1) in vr trust-vr/0
packet dropped, no route

Verifying and cleaning up (stop the debug so it does not keep consuming CPU, clear the buffer, list the flow filters and remove filter 0)
ns5gt-> undebug all
ns5gt-> clear dbuf
ns5gt-> get ffilter
ns5gt-> unset ffilter 0

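An added example, not from the manual, that parses the debug flow basic traces above into a verdict and the fields a troubleshooter looks for: matched policy, session id, DIP translation, egress interface, or the drop reason. The excerpts are abridged from the lab's two outputs; parse_flow_trace and describe are my own names.

```python
import re

# Abridged excerpts of the two 'debug flow basic' traces shown in this lab: a
# packet permitted by policy 1 (with DIP source NAT) and a packet with no route.
PERMITTED_TRACE = """\
****** 02599.0: <Trust/trust> packet received [60]******
trust:10.0.0.1/44289->20.0.0.1/512,1(8/0)<Root>
no session found
[ Dest] 3.route 20.0.0.1->20.0.0.1, to untrust
Permitted by policy 1
dip id = 2, 10.0.0.1/44289->20.0.0.10/1710
Session (id:2054) created for first pak 1
post addr xlation: 20.0.0.10->20.0.0.1.
"""
DROPPED_TRACE = """\
****** 05026.0: <Trust/trust> packet received [60]******
trust:10.0.0.1/46081->30.0.0.1/512,1(8/0)<Root>
no session found
no route to (10.0.0.1->30.0.0.1) in vr trust-vr/0
packet dropped, no route
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PATTERNS = {
    "ingress": re.compile(r"<(\w+)/(\w+)> packet received"),
    "tuple": re.compile(rf"^(\w+):{IP}/(\d+)->{IP}/(\d+),(\d+)"),   # if:src/port->dst/port,proto
    "egress": re.compile(r"\[ Dest\] \d+\.route \S+, to (\w+)"),
    "policy": re.compile(r"Permitted by policy (\d+)"),
    "dip": re.compile(rf"dip id = (\d+), \S+->{IP}/(\d+)"),
    "session": re.compile(r"Session \(id:(\d+)\) created"),
    "dropped": re.compile(r"packet dropped, (.*)$"),
}


def parse_flow_trace(text):
    """Reduce one packet's 'debug flow basic' trace to its verdict and the key fields."""
    r = {"verdict": "unknown"}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PATTERNS["ingress"].search(line):
            r["in_zone"], r["in_if"] = m.group(1), m.group(2)
        elif m := PATTERNS["tuple"].match(line):
            r["src"], r["sport"], r["dst"], r["dport"] = m.group(2), int(m.group(3)), m.group(4), int(m.group(5))
            r["proto"] = int(m.group(6))                 # 1 = ICMP, the lab's ping
        elif m := PATTERNS["egress"].search(line):
            r["out_if"] = m.group(1)
        elif m := PATTERNS["policy"].search(line):
            r["verdict"], r["policy_id"] = "permit", int(m.group(1))
        elif m := PATTERNS["dip"].search(line):
            r["dip_id"], r["nat_src"], r["nat_sport"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif m := PATTERNS["session"].search(line):
            r["session_id"] = int(m.group(1))
        elif m := PATTERNS["dropped"].search(line):
            r["verdict"], r["reason"] = "drop", m.group(1).strip()
    return r


def describe(trace):
    """One-line summary: what a troubleshooter wants to read first."""
    r = parse_flow_trace(trace)
    flow = f"{r.get('src')}:{r.get('sport')} -> {r.get('dst')}:{r.get('dport')}"
    if r["verdict"] == "permit":
        nat = f", source NAT to {r['nat_src']}" if "nat_src" in r else ""
        return f"{flow} permitted by policy {r['policy_id']} out {r.get('out_if')}{nat}"
    if r["verdict"] == "drop":
        return f"{flow} dropped: {r['reason']}"
    return f"{flow} verdict unknown"
```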
Lab # 10
Device Management

a. Syslog

[Topology diagram: hosts 10.0.0.1 and 10.0.0.2 on trust (firewall trust interface 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 on untrust (firewall untrust interface 20.0.0.10)]

Configuration

Send all event and traffic logs to the syslog server 10.0.0.1, sourced from the trust interface
ns5gt-> set syslog config 10.0.0.1 log all
ns5gt-> set syslog src-interface trust
ns5gt-> set syslog enable

WEB UI Configuration > Report Settings > Syslog

Verifying
Ping 20.0.0.1 from the trust host and check that the traffic log entry for the logged policy arrives on the syslog server at 10.0.0.1.

b. SNMP

Configuration

Create a community and restrict the host that may use it (a read-write community named public over SNMPv1 is for this lab only; in production use a non-default, read-only community and keep the host restriction)
ns5gt-> set snmp community public read-write version v1
ns5gt-> set snmp host public 10.0.0.1/32
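An added audit script, my own and not part of the manual, that reads configuration in the shape of get config output and flags the settings these labs enable that should not survive into production: management services on untrust, the factory admin name, a read-write public SNMPv1 community, an inbound any/any/any permit policy, and the absence of a manager-ip restriction. The sample configuration is constructed from the lab commands, not captured from a device.

```python
import shlex

# Constructed excerpt in the shape of ScreenOS 'get config' output, built from
# the commands this manual issues in Labs 1, 2 and 10; not captured from a device.
SAMPLE_CONFIG = """\
set admin name "netscreen"
set interface "trust" ip 10.0.0.10/8
set interface "untrust" ip 20.0.0.10/8
set interface "trust" manage
set interface "untrust" manage telnet
set interface "untrust" manage ping
set ssh enable
set snmp community "public" Read-Write Trap-on traffic version "v1"
set snmp host "public" 10.0.0.1/32
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
"""

CLEARTEXT = {"telnet", "web"}   # management services that carry credentials in the clear


def audit_screenos_config(config_text):
    """Return a list of (severity, message) for the weak settings found."""
    findings = []
    manager_ip_set = False
    for line in config_text.splitlines():
        t = shlex.split(line)            # also strips the quotes 'get config' adds
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "admin":
            if t[2] == "name" and len(t) > 3 and t[3].lower() == "netscreen":
                findings.append(("high", "root admin still uses the factory name 'netscreen'"))
            elif t[2] == "manager-ip":
                manager_ip_set = True
        elif t[1] == "interface" and len(t) > 3 and t[3] == "manage":
            svc = t[4] if len(t) > 4 else "all"   # bare 'manage' enables every service
            if t[2].lower() == "untrust":
                findings.append(("high", f"management service '{svc}' enabled on untrust"))
            elif svc in CLEARTEXT or svc == "all":
                findings.append(("medium", f"cleartext management ('{svc}') enabled on {t[2]}"))
        elif t[1] == "snmp" and t[2] == "community" and len(t) > 3:
            low = [x.lower() for x in t]
            problems = []
            if low[3] in ("public", "private"):
                problems.append("well-known community string")
            if "read-write" in low:
                problems.append("read-write access")
            if "v1" in low or "v2c" in low:
                problems.append("unauthenticated SNMP version")
            if problems:
                findings.append(("high", f"snmp community '{t[3]}': " + ", ".join(problems)))
        elif t[1] == "policy" and "from" in t:
            i = t.index("from")
            try:
                zone_from, zone_to = t[i + 1].lower(), t[i + 3].lower()
                src, dst, svc, action = (x.lower() for x in t[i + 4:i + 8])
            except (IndexError, ValueError):
                continue
            if (zone_from, zone_to) == ("untrust", "trust") and action == "permit" \
                    and src == dst == svc == "any":
                findings.append(("high", "inbound untrust->trust any/any/any permit policy"))
    if not manager_ip_set:
        findings.append(("medium", "no 'set admin manager-ip': logins not limited to an admin station"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_screenos_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```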