
Junos OS for SRX Overview

Lab Guide

Worldwide Education Services


1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Course Number: SSSRX03

This document is produced by Juniper Networks, Inc.


This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks
Education Services.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Junos OS for SRX Overview Revision A
Copyright 2012, Juniper Networks, Inc.
October 2012
July 2012
All rights reserved. Printed in USA.
The information in this document is current as of the date listed above.
The information in this document has been carefully verified and is believed to be accurate for software Release 11.4R1.6. Juniper Networks assumes no
responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental
or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.

Contents

Lab 0: Introduction to the Juniper Networks Virtual Lab . . . . . . . . . . . . . . . . . . . . . 0-1
    Part 1: Accessing the Virtual Lab Homepage . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-2
    Part 2: Accepting the EULA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-2
    Part 3: Logging in to the TrueLab Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-2
    Part 4: Selecting Your Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-3
    Part 5: Creating an On-Demand Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-4
    Part 6: Creating a Dynamic Session (If the On-Demand Session Is Unavailable) . . . . 0-5
    Part 7: Starting the Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-6
    Part 8: Additional Information and Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-9

Lab 1: Configuring Interfaces on Junos OS Devices . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
    Part 1: Configuring Interfaces and Verifying Operational State . . . . . . . . . . . . . . . 1-2

Lab 2: Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
    Part 1: Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
    Part 2: Configuring Address Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
    Part 3: Configuring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
    Part 4: Monitoring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18

Lab 3: Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
    Part 1: Interface-Based Source NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
    Part 2: Pool-Based Destination NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1


Document Conventions

CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUI). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.

Style             Description                      Usage Example
Franklin Gothic   Normal text.                     Most of what you read in the Lab Guide
                                                   and Student Guide.
Courier New       Console text:
                    Screen captures                commit complete
                    Noncommand-related syntax      Exiting configuration mode
                  GUI text elements:
                    Menu names                     Select File > Open, and then click
                    Text field entry               Configuration.conf in the Filename text box.

Input Text Versus Output Text
You will also frequently see cases where you must enter input text yourself. Often this will be shown
in the context of where you must enter it. We use bold style to distinguish text that is input versus
text that is simply displayed.

Style        Description                  Usage Example
Normal CLI   No distinguishing variant.   Physical interface: fxp0, Enabled
Normal GUI                                View configuration history by clicking
                                          Configuration > History.
CLI Input    Text that you must enter.    lab@San_Jose> show route
GUI Input                                 Select File > Save, and enter config.ini in the
                                          Filename field.

Defined and Undefined Syntax Variables
Finally, this course distinguishes between regular text and syntax variables, and it also
distinguishes between syntax variables where the value is already assigned (defined variables) and
syntax variables where you must assign the value (undefined variables). Note that these styles can
be combined with the input style as well.

Style           Description                                   Usage Example
CLI Variable    Text where the variable's value is already    policy my-peers
                assigned.
GUI Variable                                                  Click my-peers in the dialog.
CLI Undefined   Text where the variable's value is at the     Type set policy policy-name.
                user's discretion, and text where the         ping 10.0.x.y
                variable's value as shown in the lab guide
                might differ from the value the user must
                input.
GUI Undefined                                                 Select File > Save, and enter filename in
                                                              the Filename field.

Lab 0
Introduction to the Juniper Networks Virtual Lab

Overview
This lab shows the basic procedures for how to access the Juniper Networks Virtual Lab (vLab)
using a standard Web browser.

The Purpose of the Virtual Labs

The vLabs help partners receive hands-on training through a virtual portal that is available
24 hours a day, 7 days a week. This is not a simulator but live equipment, provided to promote
learning and development for partners interested in the Juniper Networks Partner Learning Academy.
The vLab exercises help a student become proficient at installing, configuring, and
troubleshooting Juniper products. Each JNSS track takes approximately 8 hours to complete.
Once connected to the vLab site, you will need to register (with a valid e-mail address) and then
log in.
Access is granted on a first come, first served basis through the training section of the Partner
Center. The vLabs are also available for dedicated instructor-led courses on an as-needed
basis. The system will check whether one of the selected labs is available. If a vLab is available,
access is granted. If no lab is available, you will be asked to try again later.
Each of the vLabs is duplicated multiple times. In the case of the Router/Firewall lab there are
extra cross connects between the labs so that in a classroom environment they can be
connected in interesting network topologies.
Note
We recommend that you download and read the
course lab guide prior to starting your lab. The guide
provides important information to access the lab
environment and the labs themselves.


Part 1: Accessing the Virtual Lab Homepage


The first step in accessing the Virtual Lab is to log in to the vLab homepage. To access the
Virtual Lab home page, copy and paste the URL below into a browser window:
https://virtuallabs.juniper.net

Part 2: Accepting the EULA


You will need to accept the End User License Agreement to log in and begin your work in the
Virtual Lab.

Part 3: Logging in to the TrueLab Manager


If you are already logged in to the Partner Learning Academy on the Juniper Partner Center, you
will not need to log in to TrueLab Manager. However, if you are not logged in to the Partner
Center, you can log in on this screen.


Part 4: Selecting Your Time Zone


Next, you must specify a time zone. Once your correct time zone has been specified, click
Update in the bottom left corner of the screen.

Step 4.1
You can modify your user name, password, and time zone if necessary by clicking on the
Profile tab. Once you have made the updates, you must click Update to save these
changes.


Part 5: Creating an On-Demand Session


You will then create a session under the Sessions tab and select the lab that you want to
use.
First, identify the correct row for your course under the Event heading. Next, select the course
title from the Purpose drop down menu under the Session Information column and
click Open.

Note
Click the View Event Details link under each
Event description to access the course lab guide
and credentials.


Part 6: Creating a Dynamic Session (If the On-Demand Session Is Unavailable)


To reserve a dynamic session, first identify the correct row for your course under the Event
heading. Next, select the course title from the Purpose drop down menu under the Session
Information column and the lab you want to schedule under the Lab Option drop down
menu. Click Reserve to schedule a session.


Step 6.1
Click Start Session Now.

Step 6.2
Click Finish to return to the Sessions tab.

Note
The system will send you a reminder e-mail prior to
your session start time.

Part 7: Starting the Session


Once the Start Session Now link has been clicked (under the session link), you will be
prompted to click OK to continue and log in.


Note
Each session can be a maximum of 3 hours.

Step 7.1
Click OK to see the following screen.

Note
Do not close the browser window. Closing your browser window will disconnect your Virtual Lab
session.


Step 7.2
Once you have an active session, you will see the following virtual desktop screen. On this
virtual desktop, you must double-click on the Secure CRT icon to begin your lab.

Note
The Help tab also has links to the related course
lab guide and vLab environment help guides.


Step 7.3
Choose the device you will be working with in the Secure CRT session and click Connect.

Note
Make sure that you consult your lab guide before
opening any of the VT100 terminal sessions.

Part 8: Additional Information and Feedback


Connection Test
You can test your ability to connect by navigating to
https://truelab.hatsize.com/syscheck/sunnyvale/.
Virtual Lab Support
For support, please call 1-866-933-5487 (207-319-1142 if outside North America)
Go to: https://support.hatsize.com/
Or send an e-mail to support@hatsize.com
Feedback
If you would like to provide feedback on ways we can improve your vLab experience, please send
an e-mail to salestraining@juniper.net.

STOP


Lab 1
Configuring Interfaces on Junos OS Devices

Overview
In this lab, you will use the command-line interface (CLI) to perform basic interface
configuration.
By completing this lab, you will perform the following tasks:

- Perform basic interface configuration.



Part 1: Configuring Interfaces and Verifying Operational State


In this part, you will perform interface configuration and verify the operational state
of interfaces using the Junos OS CLI.
Step 1.1
Access the CLI using SecureCRT. Double click on the SecureCRT 5.0 icon located
on the desktop to open the connection manager. Highlight SRX1 and click
Connect.

Step 1.2
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-1>

Step 1.3
Issue the show interfaces terse CLI command to check the state of your
device's interfaces.
lab@srxB-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/4                up    up
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
Note
Notice that several interfaces are up, but only the ge-0/0/0 interface has been
configured.
Step 1.4
Issue the configure command to enter configuration mode.
lab@srxB-1> configure
Entering configuration mode

Step 1.5
Refer to the network diagram for this lab and configure the ge-0/0/3 and loopback
interfaces. Use logical unit 0 on both interfaces.
[edit]
lab@srxB-1# edit interfaces
[edit interfaces]
lab@srxB-1# set ge-0/0/3 unit 0 family inet address 172.18.1.2/30
[edit interfaces]
lab@srxB-1# set lo0 unit 0 family inet address 192.168.1.1/32

Step 1.6
Configure the ge-0/0/4 interface as shown on the network topology diagram. Use
the VLAN Assignments table on the topology diagram to determine the correct value
for the variables associated with your assigned device. This variable is used for the
vlan-id, unit number, and IP address.
VLAN Assignments

hostname   VLAN-ID
srxA-1     101, 201
srxB-1     103, 203
srxC-1     105, 205
srxD-1     107, 207

[edit interfaces]
lab@srxB-1# set ge-0/0/4 vlan-tagging
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 10v vlan-id 10v
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 10v family inet address 172.20.10v.1/24
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 20v vlan-id 20v
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 20v family inet address 172.20.20v.1/24
[edit interfaces]
lab@srxB-1# show ge-0/0/4
vlan-tagging;
unit 103 {
    vlan-id 103;
    family inet {
        address 172.20.103.1/24;
    }
}
unit 203 {
    vlan-id 203;
    family inet {
        address 172.20.203.1/24;
    }
}

Step 1.7
Configure a static default route that points to the IP address associated with the
remote end of the ge-0/0/3 interface for your device. Commit the configuration and
return to operational mode.
[edit interfaces]
lab@srxB-1# up
[edit]
lab@srxB-1# edit routing-options
[edit routing-options]
lab@srxB-1# set static route 0/0 next-hop 172.18.1.1
[edit routing-options]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode

Step 1.8
Issue the show interfaces terse command to verify the state of the
configured interfaces.
lab@srxB-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.103            up    up   inet     172.20.103.1/24
ge-0/0/4.203            up    up   inet     172.20.203.1/24
ge-0/0/4.32767          up    up
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1         --> 0/0
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up

Question: What is the Admin and Link state of the recently configured interfaces?

Answer: All configured interfaces should show an Admin and Link state of up, as shown in the
sample capture.
Step 1.9
Enter configuration mode again and navigate to the [edit interfaces ge-0/0/3]
hierarchy level.
lab@srxB-1> configure
Entering configuration mode
[edit]
lab@srxB-1# edit interfaces ge-0/0/3


Step 1.10
Add a second IP address, 5.5.5.5/30, to the ge-0/0/3 interface.
[edit interfaces ge-0/0/3]
lab@srxB-1# set unit 0 family inet address 5.5.5.5/30

Step 1.11
Now make the original IP address the primary address.
[edit interfaces ge-0/0/3]
lab@srxB-1# set unit 0 family inet address 172.18.1.2/30 primary

Step 1.12
Activate the configuration and return to operational mode.
[edit interfaces ge-0/0/3]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode

Step 1.13
Issue the show interfaces terse command to verify the changes you made to
the ge-0/0/3 interface.
lab@srxB-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     5.5.5.5/30
                                            172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.103            up    up   inet     172.20.103.1/24
ge-0/0/4.203            up    up   inet     172.20.203.1/24
ge-0/0/4.32767          up    up
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1         --> 0/0
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up

Question: Do you see the additional IP address? Can you tell which IP address is the primary?

Answer: The 5.5.5.5/30 address should appear, but it is not clear which IP address is the primary
address for the interface.
Step 1.14
Issue the show interfaces ge-0/0/3 command to determine which IP
address is the primary address.
lab@srxB-1> show interfaces ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
  Interface index: 137, SNMP ifIndex: 517
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:26:88:ff:7d:03, Hardware address: 00:26:88:ff:7d:03
  Last flapped   : 2012-06-18 07:25:51 UTC (2d 17:20 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/3.0 (Index 68) (SNMP ifIndex 543)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 3
    Output packets: 5
    Security: Zone: Null
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred
        Destination: 5.5.5.4/30, Local: 5.5.5.5, Broadcast: 5.5.5.7
      Addresses, Flags: Primary Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3

Question: Can you determine which IP address is the primary?

Answer: Yes, at the bottom of the CLI output you can see the Is-Primary flag assigned to the
172.18.1.2 IP address.
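Steps 1.8, 1.13 and 1.14 check interface state by reading CLI output by eye. The following Python script is an added example (not part of the Juniper lab guide) of doing the same check programmatically: it parses show interfaces terse into records, lists expected interfaces that are not Admin up / Link up, and pulls the address carrying the Is-Primary flag out of the detailed show interfaces output, which, as the question above notes, the terse listing cannot reveal. The two sample outputs are constructed excerpts modelled on the captures in those steps, and the function names (parse_terse, not_up, primary_address) are this example's own.

```python
"""Check Junos interface state from CLI output.

Added example for Steps 1.8, 1.13 and 1.14; it is not part of the Juniper lab
guide. The two samples below are constructed excerpts modelled on the
captures in those steps, and the function names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of `show interfaces terse` after Step 1.12 (two addresses
# on ge-0/0/3.0; the second appears on a continuation line).
TERSE_SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     5.5.5.5/30
                                            172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.103            up    up   inet     172.20.103.1/24
ge-0/0/4.203            up    up   inet     172.20.203.1/24
ge-0/0/5                up    down
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1         --> 0/0
"""

# Constructed excerpt of `show interfaces ge-0/0/3` from Step 1.14.
DETAIL_SAMPLE = """\
Physical interface: ge-0/0/3, Enabled, Physical link is Up
  Logical interface ge-0/0/3.0 (Index 68) (SNMP ifIndex 543)
    Protocol inet, MTU: 1500
      Addresses, Flags: Is-Preferred
        Destination: 5.5.5.4/30, Local: 5.5.5.5, Broadcast: 5.5.5.7
      Addresses, Flags: Primary Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3
"""


@dataclass
class Iface:
    name: str
    admin: str
    link: str
    proto: Optional[str] = None
    addresses: List[str] = field(default_factory=list)


def parse_terse(text: str) -> Dict[str, Iface]:
    """Parse `show interfaces terse` into {name: Iface}.

    Indented continuation lines carry further addresses for the preceding
    logical interface; the `--> remote` part is ignored.
    """
    ifaces: Dict[str, Iface] = {}
    current: Optional[Iface] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        if line[0].isspace():                      # continuation line
            if current is not None:
                current.addresses.append(line.split()[0])
            continue
        parts = line.split()
        current = Iface(parts[0], parts[1], parts[2])
        if len(parts) > 3:
            current.proto = parts[3]
        if len(parts) > 4:
            current.addresses.append(parts[4])
        ifaces[current.name] = current
    return ifaces


def not_up(ifaces: Dict[str, Iface], expected: List[str]) -> List[str]:
    """Expected interface names that are missing or not Admin up / Link up."""
    return [n for n in expected
            if n not in ifaces or (ifaces[n].admin, ifaces[n].link) != ("up", "up")]


FLAGS_RE = re.compile(r"Addresses, Flags: (?P<flags>.*)")
LOCAL_RE = re.compile(r"Local: (?P<local>[^,\s]+)")


def primary_address(text: str) -> Optional[str]:
    """Return the Local address whose flags include Is-Primary, else None."""
    flags: List[str] = []
    for line in text.splitlines():
        m = FLAGS_RE.search(line)
        if m:
            flags = m.group("flags").split()   # flags apply to the next Destination line
            continue
        m = LOCAL_RE.search(line)
        if m and "Is-Primary" in flags:
            return m.group("local")
    return None


if __name__ == "__main__":
    ifaces = parse_terse(TERSE_SAMPLE)
    print("addresses on ge-0/0/3.0:", ifaces["ge-0/0/3.0"].addresses)
    print("not up:", not_up(ifaces, ["ge-0/0/3.0", "ge-0/0/4.103", "ge-0/0/5"]))
    print("primary on ge-0/0/3:", primary_address(DETAIL_SAMPLE))
```

Running the script against the constructed samples reports both addresses on ge-0/0/3.0, flags ge-0/0/5 as not up, and returns 172.18.1.2 as the primary address; feeding it real output captured from the lab device works the same way, since the parsers key only on the column layout and the Addresses, Flags lines.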
Step 1.15
Re-enter configuration mode.
lab@srxB-1> configure
Entering configuration mode

Step 1.16
Delete the 5.5.5.5 IP address as well as the primary flag on the 172.18.1.2 IP
address.
[edit]
lab@srxB-1# edit interfaces ge-0/0/3
[edit interfaces ge-0/0/3]
lab@srxB-1# delete unit 0 family inet address 5.5.5.5/30
[edit interfaces ge-0/0/3]
lab@srxB-1# edit unit 0 family inet address 172.18.1.2/30
[edit interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30]
lab@srxB-1# delete primary
[edit interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30]
lab@srxB-1# top


[edit]
lab@srxB-1# show interfaces ge-0/0/3
unit 0 {
    family inet {
        address 172.18.1.2/30;
    }
}

Step 1.17
Activate the configuration and return to operational mode.
[edit]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode

STOP

You have completed Lab 1. Please return to the course and complete
the next section.


Lab 2
Security Policy

Overview
In this lab, you will implement security policies designed to allow only necessary traffic
between zones within your pod.
By completing this lab, you will perform the following tasks:

- Define security zones and assign interfaces to security zones.
- Define zone address books necessary for security policy.
- Implement security policies between zones within your assigned pod.
- Monitor the effects of your configuration.

Part 1: Configuring Zones


In this lab part, you will remove the current zone configuration and reassign your
device interfaces to various security and functional zones.
Step 1.1
Access the CLI using SecureCRT. Double click on the SecureCRT 5.0 icon located
on the desktop to open the connection manager. Select SRX1 and click Connect.

Step 1.2
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-1>

Step 1.3
Issue the configure command to enter configuration mode.
lab@srxB-1> configure
Entering configuration mode

Step 1.4
Using the load override command, load the file lab2p1s4.config from the
/var/home/lab/sssrx03/ directory. This command loads the basic
configuration needed to complete the lab. Issue the commit command to apply the
changes.


[edit]
lab@srxB-1# load override /var/home/lab/sssrx03/lab2p1s4.config
[edit]
lab@srxB-1# commit
commit complete

Step 1.5
Open a new SecureCRT tab and connect to the SRX2 device. Enter configuration
mode and load the lab2p1s9.config file from the
/var/home/lab/sssrx03/ directory. Commit the changes and exit when
complete.
Click File > Connect in Tab from the SecureCRT window.

Step 1.6
Select SRX2 from the available devices and click Connect.


Step 1.7
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-2>

Step 1.8
Issue the configure command to enter configuration mode.
lab@srxB-2> configure
Entering configuration mode

Step 1.9
Load the configuration file, commit, and exit configuration mode. Then log out of the device,
close the tab, and return to the SRX1 device.
[edit]
lab@srxB-2# load override /var/home/lab/sssrx03/lab2p1s9.config
[edit]
lab@srxB-2# commit and-quit
commit complete
Exiting configuration mode
lab@srxB-2> exit

srxB-2 (ttyu0)
login:

Step 1.10
On the SRX1 device, navigate to the [edit security] configuration hierarchy.
[edit]
lab@srxB-1# edit security

Step 1.11
Issue the show command to view the [edit security] configuration stanza.
[edit security]
lab@srxB-1# show
forwarding-options {
    family {
        mpls {
            mode packet-based;
        }
    }
}


Question: What do you notice about the security configuration that is set up on your device?

Answer: As indicated by the output from srxB-1, the device is currently in packet-based mode, which
disables the flow-based security features of Junos OS.
Step 1.12
Delete the current security configuration.
[edit security]
lab@srxB-1# delete
Delete everything under this level? [yes,no] (no) yes

[edit security]
lab@srxB-1# show
[edit security]
lab@srxB-1#

Step 1.13
Refer to the lab diagram and configure the untrust, hr (human resources), and
eng (engineering) zones. Configure these zones as security zones. Add the
appropriate network interfaces under each security zone.
[edit security]
lab@srxB-1# set zones security-zone hr interfaces ge-0/0/4.10v
[edit security]
lab@srxB-1# set zones security-zone eng interfaces ge-0/0/4.20v
[edit security]
lab@srxB-1# set zones security-zone untrust interfaces ge-0/0/3.0

Step 1.14
Configure a functional zone and associate it with your device's management
interface.
[edit security]
lab@srxB-1# set zones functional-zone ?
Possible completions:
> management          host for out of band management interfaces
[edit security]
lab@srxB-1# set zones functional-zone management interfaces ge-0/0/0.0


Question: What name did you assign to the functional zone of your device? Why?

Answer: Each student should assign a functional zone name of management. As shown in the
output, the Junos OS predefines this name. management is the only name the Junos OS allows for
a functional zone.
Step 1.15
Configure the functional zone so that it allows SSH, Telnet, ping, traceroute,
HTTP, and SNMP local inbound traffic.
[edit security]
lab@srxB-1# edit zones functional-zone management
[edit security zones functional-zone management]
lab@srxB-1# set host-inbound-traffic system-services ssh
[edit security zones functional-zone management]
lab@srxB-1# set host-inbound-traffic system-services telnet
[edit security zones functional-zone management]
lab@srxB-1# set host-inbound-traffic system-services ping
[edit security zones functional-zone management]
lab@srxB-1# set host-inbound-traffic system-services traceroute
[edit security zones functional-zone management]
lab@srxB-1# set host-inbound-traffic system-services http
[edit security zones functional-zone management]
lab@srxB-1# set host-inbound-traffic system-services snmp
[edit security zones functional-zone management]
lab@srxB-1# show
interfaces {
    ge-0/0/0.0;
}
host-inbound-traffic {
    system-services {
        ssh;
        telnet;
        ping;
        traceroute;
        http;
        snmp;
    }
}

Question: If you needed to allow all services but Telnet using the host-inbound-traffic statement,
what would be the quickest method?

Answer: You could use the system-services all and the system-services Telnet except
configuration statements to achieve this task with the most efficiency.
Step 1.16
Commit your configuration.
[edit security zones functional-zone management]
lab@srxB-1# commit
commit complete

Part 2: Configuring Address Books


In this part, you will configure the address book entries necessary for implementing
security policies within your pod.
Step 2.1
Referring to the lab diagram, configure the networks associated with the virtual
routers under the untrust zone as address book addresses. Ensure you include the
entire /24 network associated with each remote virtual router and name the
address book entries after their associated virtual router names.
[edit security zones functional-zone management]
lab@srxB-1# top
[edit]
lab@srxB-1# edit security zones security-zone untrust
[edit security zones security-zone untrust]
lab@srxB-1# set address-book address vr10v 172.20.10v.0/24
[edit security zones security-zone untrust]
lab@srxB-1# set address-book address vr20v 172.20.20v.0/24
[edit security zones security-zone untrust]
lab@srxB-1# show address-book
address vr104 172.20.104.0/24;
address vr204 172.20.204.0/24;


Step 2.2
Add the remote /30 network between the Internet and the remote student device in
your pod to the untrust zone address book. Configure this address entry to use the
same name as the remote student device in your pod.
[edit security zones security-zone untrust]
lab@srxB-1# set address-book address srxB-2 172.18.2.0/30
[edit security zones security-zone untrust]
lab@srxB-1# show address-book
address vr104 172.20.104.0/24;
address vr204 172.20.204.0/24;
address srxB-2 172.18.2.0/30;

Step 2.3
For the virtual routers attached to your assigned device, configure the /24 network
addresses as address book entries within their respective zones. Name these
address book entries with the same name as their associated virtual routers.
[edit security zones security-zone untrust]
lab@srxB-1# up
[edit security zones]
lab@srxB-1# set security-zone hr address-book address vr10v 172.20.10v.0/24
[edit security zones]
lab@srxB-1# set security-zone eng address-book address vr20v 172.20.20v.0/24

Part 3: Configuring Security Policies


In this part of the lab you will establish and configure security policies that enable
the necessary traffic flow between the security zones.
Step 3.1
Create security policies named intrazone-zone that allow all intra-zone traffic
associated with your attached virtual routers to pass through your assigned device,
where zone represents the source or destination zone. Use the any keyword to
save keystrokes.
[edit security zones]
lab@srxB-1# up
[edit security]
lab@srxB-1# edit policies from-zone hr to-zone hr policy intrazone-hr
[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@srxB-1# set match source-address any
[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@srxB-1# set match destination-address any
[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@srxB-1# set match application any


[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@srxB-1# set then permit
[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@srxB-1# show
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
[edit security policies from-zone hr to-zone hr policy intrazone-hr]
lab@srxB-1# up 2
[edit security policies]
lab@srxB-1# edit from-zone eng to-zone eng policy intrazone-eng
[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@srxB-1# set match source-address any
[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@srxB-1# set match destination-address any
[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@srxB-1# set match application any
[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@srxB-1# set then permit
[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@srxB-1# show
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}

Step 3.2
Configure security policies allowing all traffic from the virtual router zones to the
untrust zone. Name these policies internet-zone, where zone represents the
source zone. For this step, match on the appropriate source address using the
associated virtual router address book entries.
[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@srxB-1# up 2

[edit security policies]


lab@srxB-1# edit from-zone hr to-zone untrust policy internet-hr
[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@srxB-1# set match source-address vr10v
[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@srxB-1# set match destination-address any
[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@srxB-1# set match application any
[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@srxB-1# set then permit
[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@srxB-1# show
match {
source-address vr103;
destination-address any;
application any;
}
then {
permit;
}
[edit security policies from-zone hr to-zone untrust policy internet-hr]
lab@srxB-1# up 2
[edit security policies]
lab@srxB-1# edit from-zone eng to-zone untrust policy internet-eng
[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@srxB-1# set match source-address vr20v
[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@srxB-1# set match destination-address any
[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@srxB-1# set match application any
[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@srxB-1# set then permit
[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@srxB-1# show
match {
source-address vr203;
destination-address any;
application any;
}
then {
permit;
}

Step 3.3
Next, define a security policy that rejects FTP connections sourced from the hr and dc
zones that are destined to the untrust zone. Name this policy deny-ftp-hr.
[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@srxB-1# up 2
[edit security policies]
lab@srxB-1# edit from-zone hr to-zone untrust policy deny-ftp-hr
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set match source-address any
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set match destination-address any
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set match application junos-ftp
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set then reject
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# show
match {
source-address any;
destination-address any;
application junos-ftp;
}
then {
reject;
}

Step 3.4
Commit the configuration.
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# commit
commit complete
Note: The next lab steps require you to log in to the virtual router attached to your
device. The virtual routers are logical devices created on a J Series Services Router.

Step 3.5
Open a new SecureCRT tab and connect to the vr-device.
Click File > Connect in Tab from the SecureCRT window. Select
vr-device and click Connect.

Step 3.6
Log in to the virtual router using the login information shown in the following table.
Virtual Router Login Details
Student Device   User Name   Password
srxA-1           a1          lab123
srxB-1           b1          lab123
srxC-1           c1          lab123
srxD-1           d1          lab123

login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

Step 3.7
Ensure that you can open an FTP session to the remote Internet host located at
172.31.15.1. Remember to source the FTP from the routing-instance associated
with the hr zone or the dc zone depending upon your assigned device. Use the
Ctrl+C key sequence to close the FTP connection.

b1@vr-device> ftp 172.31.15.1 routing-instance vr10v


Connected to 172.31.15.1.
220 vr-device FTP server (Version 6.00LS) ready.
Name (172.31.15.1:b1): ^C
b1@vr-device>

Question: Were you able to initiate an FTP session to the Internet host? Why or why not?

Answer: As demonstrated in the output, the FTP session should succeed. Although you
configured a security policy explicitly rejecting this connection, policy ordering has
effectively caused the device to ignore this policy: policies within a zone context are
evaluated top down and the first match wins, so the internet-hr policy (which permits
any application) matches the FTP session before the deny-ftp-hr policy is ever consulted.
Step 3.8
Return to the session opened to your assigned host device. Reorder the policies so
that the deny-ftp-hr policy appears in the list before the internet-hr policy.
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# up
[edit security policies from-zone hr to-zone untrust]
lab@srxB-1# show
policy internet-hr {
match {
source-address vr103;
destination-address any;
application any;
}
then {
permit;
}
}
policy deny-ftp-hr {
match {
source-address any;
destination-address any;
application junos-ftp;
}
then {
reject;
}
}
[edit security policies from-zone hr to-zone untrust]
lab@srxB-1# insert policy deny-ftp-hr before policy internet-hr
[edit security policies from-zone hr to-zone untrust]
lab@srxB-1# show
policy deny-ftp-hr {
match {
source-address any;
destination-address any;
application junos-ftp;
}
then {
reject;
}
}
policy internet-hr {
match {
source-address vr103;
destination-address any;
application any;
}
then {
permit;
}
}
[edit security policies from-zone hr to-zone untrust]
lab@srxB-1# commit
commit complete

Step 3.9
Return to the session opened to the vr-device and try the FTP connection
again. Exit the FTP application by issuing the bye command.
Note: Keep in mind that when working with virtual routers and routing-instances,
command syntax can differ.
b1@vr-device> ftp 172.31.15.1 routing-instance vr10v
ftp: connect: Connection refused
ftp> bye
b1@vr-device>

Question: Were you able to initiate an FTP session to the Internet host this time?

Answer: As demonstrated in the output, the FTP session does not succeed. The reordering
of policies produces the expected behavior.
Step 3.10
Ping the host device.

b1@vr-device> ping 172.31.15.1 routing-instance vr10v rapid count 5


PING 172.31.15.1 (172.31.15.1): 56 data bytes
!!!!!
--- 172.31.15.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.080/12.962/47.159/17.112 ms

Question: Were you able to ping the Internet host?

Answer: As demonstrated in the output, a ping to the Internet host should succeed.
Step 3.11
Return to the session opened to your assigned SRX1 device. Create a custom
application named hr-gizmo that uses UDP, a source port of 50000 and a
destination port of 50001.
[edit security policies from-zone hr to-zone untrust]
lab@srxB-1# top
[edit]
lab@srxB-1# edit applications application hr-gizmo
[edit applications application hr-gizmo]
lab@srxB-1# set source-port 50000
[edit applications application hr-gizmo]
lab@srxB-1# set destination-port 50001
[edit applications application hr-gizmo]
lab@srxB-1# set protocol udp
[edit applications application hr-gizmo]
lab@srxB-1# show
protocol udp;
source-port 50000;
destination-port 50001;

Step 3.12
Create an application set named internal-apps that includes the hr-gizmo,
junos-telnet, and junos-ping applications.
[edit applications application hr-gizmo]
lab@srxB-1# up
[edit applications]
lab@srxB-1# edit application-set internal-apps
[edit applications application-set internal-apps]
lab@srxB-1# set application hr-gizmo
[edit applications application-set internal-apps]
lab@srxB-1# set application junos-telnet


[edit applications application-set internal-apps]
lab@srxB-1# set application junos-ping
[edit applications application-set internal-apps]
lab@srxB-1# show
application hr-gizmo;
application junos-telnet;
application junos-ping;

Step 3.13
Configure security policies that permit the internal-apps applications between
the hr and dc security zones. Because the hr and dc zones are separated by the
Internet, you must reference the untrust zone when configuring the security policies.
Name the policy dc-to-hr.
[edit applications application-set internal-apps]
lab@srxB-1# top
[edit]
lab@srxB-1# edit security policies from-zone untrust to-zone hr
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr match source-address vr10v
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr match destination-address vr10v
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr match application internal-apps
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr then permit
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# show
policy dc-to-hr {
match {
source-address vr104;
destination-address vr103;
application internal-apps;
}
then {
permit;
}
}

Question: How many new policies must you define to allow internal-apps traffic
bi-directionally?

Answer: Both devices within your assigned pod already have policies defined allowing
all internal traffic destined to the untrust zone (with the exception of FTP traffic).
For each device you must configure one policy allowing the internal-apps to the
appropriate zone from the untrust zone.
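The first-match behaviour exercised in Steps 3.7 and 3.8, and the application-set matching of Steps 3.11 through 3.13, can be checked offline with the following Python model. This is an added example, not part of the lab guide or of Junos itself: the address book, applications, policies and sample flows are constructed from the srxB-1 values shown above, and an unrestricted port range (shown as [0-0] by Junos) is modelled as (0, 65535).

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)  # Junos displays an unrestricted port range as "[0-0]"

@dataclass(frozen=True)
class Application:
    protocol: str                 # "tcp", "udp", "icmp" or "any"
    dst_ports: tuple = ANY_PORT   # inclusive (low, high)
    src_ports: tuple = ANY_PORT

# Predefined objects as displayed by "show security policies detail" in the lab,
# plus the custom hr-gizmo application and internal-apps set from Steps 3.11-3.12.
APPLICATIONS = {
    "any":          Application("any"),
    "junos-ftp":    Application("tcp", (21, 21)),
    "junos-telnet": Application("tcp", (23, 23)),
    "junos-ping":   Application("icmp"),
    "hr-gizmo":     Application("udp", (50001, 50001), (50000, 50000)),
}
APPLICATION_SETS = {"internal-apps": ("hr-gizmo", "junos-telnet", "junos-ping")}

# Address book of srxB-1 (v = 3), as configured in Part 2.
ADDRESS_BOOK = {
    "vr103":  ipaddress.ip_network("172.20.103.0/24"),
    "vr104":  ipaddress.ip_network("172.20.104.0/24"),
    "srxB-2": ipaddress.ip_network("172.18.2.0/30"),
}

@dataclass
class Policy:
    name: str
    source: str         # address-book entry or "any"
    destination: str
    application: str    # application, application-set or "any"
    action: str         # "permit", "deny" or "reject"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0

def _address_matches(name, ip):
    return name == "any" or ipaddress.ip_address(ip) in ADDRESS_BOOK[name]

def _application_matches(name, flow):
    # Expand an application set to its members; any member matching is enough.
    for member in APPLICATION_SETS.get(name, (name,)):
        app = APPLICATIONS[member]
        if app.protocol not in ("any", flow.protocol):
            continue
        if app.protocol in ("tcp", "udp") and not (
                app.src_ports[0] <= flow.src_port <= app.src_ports[1]
                and app.dst_ports[0] <= flow.dst_port <= app.dst_ports[1]):
            continue
        return True
    return False

def lookup(policies, flow):
    """First matching policy in the zone context wins; otherwise the default deny-all."""
    for p in policies:
        if (_address_matches(p.source, flow.src_ip)
                and _address_matches(p.destination, flow.dst_ip)
                and _application_matches(p.application, flow)):
            return p.name, p.action
    return "default", "deny-all"

def insert_before(policies, name, before):
    """Emulate 'insert policy <name> before policy <before>' (Step 3.8)."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]

# from-zone hr to-zone untrust, in the order Steps 3.2 and 3.3 created them.
HR_TO_UNTRUST = [
    Policy("internet-hr", "vr103", "any", "any", "permit"),
    Policy("deny-ftp-hr", "any", "any", "junos-ftp", "reject"),
]
# from-zone untrust to-zone hr, as configured in Step 3.13.
UNTRUST_TO_HR = [Policy("dc-to-hr", "vr104", "vr103", "internal-apps", "permit")]

# Constructed sample flows (host .10 in each /24 stands in for the virtual router).
FTP_TO_INTERNET = Flow("172.20.103.10", "172.31.15.1", "tcp", 52000, 21)
TELNET_FROM_DC = Flow("172.20.104.10", "172.20.103.10", "tcp", 63749, 23)
GIZMO_FROM_DC = Flow("172.20.104.10", "172.20.103.10", "udp", 50000, 50001)
FTP_FROM_DC = Flow("172.20.104.10", "172.20.103.10", "tcp", 52001, 21)

if __name__ == "__main__":
    print(lookup(HR_TO_UNTRUST, FTP_TO_INTERNET))   # ('internet-hr', 'permit')
    reordered = insert_before(HR_TO_UNTRUST, "deny-ftp-hr", "internet-hr")
    print(lookup(reordered, FTP_TO_INTERNET))       # ('deny-ftp-hr', 'reject')
    print(lookup(UNTRUST_TO_HR, TELNET_FROM_DC))    # ('dc-to-hr', 'permit')
    print(lookup(UNTRUST_TO_HR, GIZMO_FROM_DC))     # ('dc-to-hr', 'permit')
    print(lookup(UNTRUST_TO_HR, FTP_FROM_DC))       # ('default', 'deny-all')
```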
Step 3.14
Add a logging action to the dc-to-hr policy. Log both session initiations and
session closes.
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr then log session-init
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr then log session-close
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# show
policy dc-to-hr {
match {
source-address vr104;
destination-address vr103;
application internal-apps;
}
then {
permit;
log {
session-init;
session-close;
}
}
}

Step 3.15
Commit the configuration and return to operational mode.
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxB-1>

Question: Does the commit operation succeed?

Answer: As demonstrated in the output, the commit should succeed.
Part 4: Monitoring Security Policies


In this part of the lab, you will monitor the results of your configuration with
command outputs and logging.
Step 4.1
View the security policies in effect on your assigned device by issuing the show
security policies command and answer the following questions.
lab@srxB-1> show security policies
Default policy: deny-all
From zone: hr, To zone: hr
Policy: intrazone-hr, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: hr, To zone: untrust
Policy: deny-ftp-hr, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: junos-ftp
Action: reject
Policy: internet-hr, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
Source addresses: vr103
Destination addresses: any
Applications: any
Action: permit
From zone: eng, To zone: eng
Policy: intrazone-eng, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: eng, To zone: untrust
Policy: internet-eng, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 1
Source addresses: vr203
Destination addresses: any
Applications: any
Action: permit
From zone: untrust, To zone: hr
Policy: dc-to-hr, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1
Source addresses: vr104
Destination addresses: vr103
Applications: internal-apps
Action: permit, log

Question: What is the total number of active security policies on your assigned device?

Answer: You should see a total of six enabled security policies. If you do not see six
enabled security policies, review your configuration steps.

Question: What command can you use to view more detailed information about security
policies such as the address book prefixes and application port information?

Answer: Use the same command with the detail option to view a more verbose output:
lab@srxB-1> show security policies ?
Possible completions:
  <[Enter]>            Execute this command
  application-firewall Show the information of application-firewall
  count                Number of policies to show (1..65535)
  detail               Show the detailed information
  from-zone            Show the policy information matching the given source zone
  global               Show the policy information of global policies
  policy-name          Show the policy information matching the given policy name
  start                Show the policies from a given position (1..65535)
  to-zone              Show the policy information matching the given destination zone
  zone-context         Show the count of policies in each context (from-zone and to-zone)
  |                    Pipe through a command
lab@srxB-1> show security policies detail
Default policy: deny-all
Policy: intrazone-hr, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: hr, To zone: hr
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: deny-ftp-hr, action-type: reject, State: enabled, Index: 7, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: hr, To zone: untrust
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: junos-ftp
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: internet-hr, action-type: permit, State: enabled, Index: 6, Scope Policy: 0
Policy Type: Configured
Sequence number: 2
From zone: hr, To zone: untrust
Source addresses:
vr103: 172.20.103.0/24
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: intrazone-eng, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: eng, To zone: eng
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: internet-eng, action-type: permit, State: enabled, Index: 8, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: eng, To zone: untrust
Source addresses:
vr203: 172.20.203.0/24
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0


Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: dc-to-hr, action-type: permit, State: enabled, Index: 9, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: untrust, To zone: hr
Source addresses:
vr104: 172.20.104.0/24
Destination addresses:
vr103: 172.20.103.0/24
Application: internal-apps
IP protocol: udp, ALG: 0, Inactivity timeout: 60
Source port range: [50000-50000]
Destination port range: [50001-50001]
IP protocol: 1, ALG: 0, Inactivity timeout: 60
ICMP Information: type=255, code=0
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [23-23]
Per policy TCP Options: SYN check: No, SEQ check: No
Session log: at-create, at-close

Step 4.2
Return to the session opened on the vr-device and open a Telnet session between
the virtual router associated with the hr zone and the virtual router associated with
the dc zone. You will initiate a Telnet session with the virtual router interface
associated with the dc zone. Log in with the same username and password as your
current session.
b1@vr-device> telnet 172.20.10v.10 routing-instance vr10v
Trying 172.20.104.10...
Connected to 172.20.104.10.
Escape character is '^]'.
vr-device(ttyp0)
login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
b1@vr-device>

Step 4.3
Return to the session opened on your assigned SRX1 device and issue the show
security flow session command.

lab@srxB-1> show security flow session


Session ID: 7151, Policy name: internet-hr/6, Timeout: 1604, Valid
In: 172.20.103.10/63749 --> 172.20.104.10/23;tcp, If: ge-0/0/4.103, Pkts: 42, Bytes: 2359
Out: 172.20.104.10/23 --> 172.20.103.10/63749;tcp, If: ge-0/0/3.0, Pkts: 34, Bytes: 2257
Total sessions: 1

Question: What is the session ID for the Telnet session you opened?

Answer: The answer varies, but in the output from srxB-1, the session ID is 7151.
Step 4.4
Using the session ID, view a more detailed output of the open Telnet session and
answer the following question.
lab@srxB-1> show security flow session session-identifier 7151
Session ID: 7151, Status: Normal
Flag: 0x40
Policy name: internet-hr/6
Source NAT pool: Null, Application: junos-telnet/10
Dynamic application: junos:UNKNOWN,
Maximum timeout: 1800, Current timeout: 1536
Session State: Valid
Start time: 621484, Duration: 279
In: 172.20.103.10/63749 --> 172.20.104.10/23;tcp,
Interface: ge-0/0/4.103,
Session token: 0x6, Flag: 0x21
Route: 0x60010, Gateway: 172.20.103.10, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 42, Bytes: 2359
Out: 172.20.104.10/23 --> 172.20.103.10/63749;tcp,
Interface: ge-0/0/3.0,
Session token: 0x8, Flag: 0x20
Route: 0x50010, Gateway: 172.18.1.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 34, Bytes: 2257
Total sessions: 1

Question: How many seconds remain before the Telnet session times out (without
further activity)?

Answer: The answer varies, but in the output from srxB-1, 1536 seconds remain. If there
is no further activity during this period, the session closes.
Step 4.5
Return to the vr-device and end the open Telnet session by entering the exit
command.
b1@vr-device> exit
Connection closed by foreign host.
b1@vr-device>

Step 4.6
Return to your assigned SRX1 device and view the configuration hierarchy
associated with the syslog settings.
lab@srxB-1> show configuration system syslog
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}

Question: Is your device's syslog configuration sufficient to record security policy
log actions?

Answer: Yes. On branch security platforms running the Junos operating system, local
data plane logging is enabled by configuring a local syslog with a facility of user and
a severity of info. Because the file messages configuration logs any facility at any
severity, security policies that are configured with a log action should automatically
record entries in the messages log file.
Step 4.7
Issue the show interfaces extensive command for the ge-0/0/3
interface.
lab@srxB-1> show interfaces extensive ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
Interface index: 137, SNMP ifIndex: 516, Generation: 140

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
Remote fault: Online
Device flags   : Present Running
Interface flags: SNMP-Traps Internal: 0x0
Link flags     : None
CoS queues     : 8 supported, 8 maximum usable queues
Hold-times     : Up 0 ms, Down 0 ms
Current address: b0:c6:9a:7a:88:03, Hardware address: b0:c6:9a:7a:88:03
Last flapped   : 2012-07-04 15:30:07 UTC (1w0d 05:26 ago)
Statistics last cleared: Never
Traffic statistics:
Input bytes   :               896676                    0 bps
Output bytes  :                 4731                    0 bps
Input packets :                 4742                    0 pps
Output packets:                   91                    0 pps
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
Output errors:
Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
Egress queues: 8 supported, 4 in use
Queue counters:       Queued packets  Transmitted packets      Dropped packets
0 best-effort                     93                   93                    0
1 expedited-fo                     0                    0                    0
2 assured-forw                     0                    0                    0
3 network-cont                     0                    0                    0
Queue number:         Mapped forwarding classes
0                     best-effort
1                     expedited-forwarding
2                     assured-forwarding
3                     network-control
Active alarms : None
Active defects : None
MAC statistics:                      Receive         Transmit
Total octets                         3530334             6635
Total packets                          44563               93
Unicast packets                         4737               75
Broadcast packets                      39816               18
Multicast packets                         10                0
CRC/Align errors                           0                0
FIFO errors                                0                0
MAC control frames                         0                0
MAC pause frames                           0                0
Oversized frames                           0
Jabber frames                              0
Fragment frames                            0
VLAN tagged frames                         0
Code violations                            0
Filter statistics:
Input packet count                         0
Input packet rejects                       0
Input DA rejects                           0
Input SA rejects                           0
Output packet count                        0
Output packet pad count                    0
Output packet error count                  0
CAM destination filters: 2, CAM source filters: 0
Autonegotiation information:
Negotiation status: Complete
Link partner:
Link mode: Full-duplex, Flow control: None, Remote fault: OK,
Link partner Speed: 1000 Mbps
Local resolution:
Flow control: None, Remote fault: Link OK
Packet Forwarding Engine configuration:
Destination slot: 0
CoS information:
Direction : Output
CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %          bps        %    usec
0 best-effort                95    950000000       95       0    low    none
3 network-control             5     50000000        5       0    low    none
Interface transmit statistics: Disabled
Logical interface ge-0/0/3.0 (Index 66) (SNMP ifIndex 524) (Generation 159)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Traffic statistics:
Input bytes   :               863472
Output bytes  :                 4353
Input packets :                 4120
Output packets:                   82
Local statistics:
Input bytes   :                 1200
Output bytes  :                  924
Input packets :                   20
Output packets:                   22
Transit statistics:
Input bytes   :               862272                    0 bps
Output bytes  :                 3429                    0 bps
Input packets :                 4100                    0 pps
Output packets:                   60                    0 pps
Security: Zone: untrust
Flow Statistics :
Flow Input statistics :
Self packets :                       0
ICMP packets :                       5
VPN packets :                        0
Multicast packets :                  0
Bytes permitted by policy :          3304
Connections established :            0
Flow Output statistics:
Multicast packets :                  0
Bytes permitted by policy :          3381
Flow error statistics (Packets dropped due to):
Address spoofing:                    0
Authentication failed:               0
Incoming NAT errors:                 0
Invalid zone received packet:        0
Multiple user authentications:       0
Multiple incoming NAT:               0
No parent for a gate:                0
No one interested in self packets:   0
No minor session:                    0
No more sessions:                    0
No NAT gate:                         0
No route present:                    0
No SA for incoming SPI:              0
No tunnel found:                     0
No session for a gate:               0
No zone or NULL zone binding:        1152
Policy denied:                       1683
Security association not active:     0
TCP sequence number out of window:   0
Syn-attack protection:               0
User authentication errors:          0
Protocol inet, MTU: 1500, Generation: 187, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3,
Generation: 188

Question: What is the value of the Policy denied counter within the interface flow
statistics?

Answer: The answer might vary, but in the output taken from srxB-1, the value is 0. The
purpose of this question is to establish a baseline value.
Step 4.8
Return to the session opened on the vr-device. Once again, open a Telnet session to
the remote virtual router associated with the remote hr or dc zone. This time, source
the Telnet session from the eng or it virtual router, depending on your assigned
device.
b1@vr-device> telnet 172.20.10v.10 routing-instance vr20v
Trying 172.20.104.10...
^C
b1@vr-device>

Question: Was the Telnet session successful?

Answer: The Telnet session should not be


successful. The active security policies applied to
traffic from the untrust zone on the remote device
do not allow this traffic.
Step 4.9
Return to your assigned device and issue the show interfaces extensive
command for the ge-0/0/3 interface again.
lab@srxB-1> show interfaces extensive ge-0/0/3 | find "Flow Statistics"
Flow Statistics :
Flow Input statistics :
Self packets :                       0
ICMP packets :                       5
VPN packets :                        0
Multicast packets :                  0
Bytes permitted by policy :          3304
Connections established :            0
Flow Output statistics:
Multicast packets :                  0
Bytes permitted by policy :          3669
Flow error statistics (Packets dropped due to):
Address spoofing:                    0
Authentication failed:               0
Incoming NAT errors:                 0
Invalid zone received packet:        0
Multiple user authentications:       0
Multiple incoming NAT:               0
No parent for a gate:                0
No one interested in self packets:   0
No minor session:                    0
No more sessions:                    0
No NAT gate:                         0
No route present:                    0
No SA for incoming SPI:              0
No tunnel found:                     0
No session for a gate:               0
No zone or NULL zone binding:        1152
Policy denied:                       1728
Security association not active:     0
TCP sequence number out of window:   0
Syn-attack protection:               0
User authentication errors:          0
Protocol inet, MTU: 1500, Generation: 187, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3,
Generation: 188

Question: Did the value of the Policy denied counter increment?

Answer: The answer should be yes.

STOP

You have completed Lab 2. Please return to the course and complete the next section.


Lab 3
Network Address Translation

Overview
In this lab, you will implement Network Address Translation (NAT).
By completing this lab, you will perform the following tasks:

Configure and monitor interface-based source NAT.

Configure and monitor pool-based destination NAT.


Part 1: Interface-Based Source NAT


In this lab part, you will enable interface-based source NAT. Traffic originating from
the virtual routers attached to your assigned device and destined for the Internet
host will be subject to NAT.
Step 1.1
Access the CLI using SecureCRT. Double click on the SecureCRT 5.0 icon located
on the desktop to open the connection manager. Select SRX1 and click Connect.

Step 1.2
Log in as user lab with the password lab123.
srxB-1 (ttyp0)
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-1>

Step 1.3
Enter Configuration mode using the configure command.
lab@srxB-1> configure
Entering configuration mode
[edit]
lab@srxB-1#

Step 1.4
Using the load override command, load the file lab3p1s4.config from the
/var/home/lab/sssrx03/ directory. This command loads the basic
configuration needed to complete the lab. Issue the commit and-quit
command to apply the changes.
[edit]
lab@srxB-1# load override /var/home/lab/sssrx03/lab3p1s4.config
[edit]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode

Step 1.5
Issue the show security flow status command to view whether you must
reboot the SRX to change the Inet and MPLS forwarding modes.
lab@srxB-1> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based (reboot needed to change to flow based)
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based (reboot needed to change to drop)
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Note: The lab will not function properly if your device is in packet-based mode. Please
reboot the SRX if need be. If the device is already in flow-based mode, please continue
without rebooting your SRX.
Step 1.6
Issue the request system reboot command and enter yes at the prompt to
reboot the SRX device to apply the Inet and MPLS forwarding changes.
lab@srxB-1> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 9483]
lab@srxB-1>
*** FINAL System shutdown message from lab@srxB-1 ***
System going down IMMEDIATELY
...TRIMMED...
srxB-1 (ttyu0)

Step 1.7
Log back in as user lab with the password lab123.
srxB-1 (ttyp0)
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-1>

Step 1.8
Open a new SecureCRT tab and connect to the SRX2 device. Enter configuration
mode and load the lab3p1s12.config file from the
/var/home/lab/sssrx03/ directory. Commit the changes and exit when
complete.
Click File > Connect in Tab from the SecureCRT window.

Step 1.9
Select SRX2 from the available devices and click Connect.

Step 1.10
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-2>

Step 1.11
Issue the configure command to enter Configuration mode.
lab@srxB-2> configure
Entering configuration mode

Step 1.12
Load the configuration file and then exit. Exit the device and close the tab and return
to the SRX1 device.
[edit]
lab@srxB-2# load override /var/home/lab/sssrx03/lab3p1s12.config
[edit]
lab@srxB-2# commit and-quit
commit complete
Exiting configuration mode

Step 1.13
Issue the show security flow status command to view whether you must
reboot the SRX to change the Inet and MPLS forwarding modes.
lab@srxB-2> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based (reboot needed to change to flow based)
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based (reboot needed to change to drop)
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Note: As with srxX-1, the lab will not function properly if this device is in packet-based mode. Please reboot the SRX if need be. If the device is already in flow-based mode, please continue without rebooting your SRX.
Step 1.14
Issue the request system reboot command and enter yes at the prompt to
reboot the SRX device to apply the Inet and MPLS forwarding changes.
lab@srxB-2> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 9483]

lab@srxB-2>
*** FINAL System shutdown message from lab@srxB-2 ***
System going down IMMEDIATELY
...TRIMMED...
srxB-2 (ttyu0)

Step 1.15
Return to the SRX1 device, enter configuration mode, and navigate to the [edit
security nat source] hierarchy.
Enter Configuration mode using the configure command.
lab@srxB-1> configure
Entering configuration mode
[edit]
lab@srxB-1# edit security nat source
[edit security nat source]
lab@srxB-1#

Step 1.16
Create a rule-set named internet-bound. Associate the rule-set with a context
matching traffic coming from both interfaces connected to the virtual routers and
destined to the untrust zone.
[edit security nat source]
lab@srxB-1# set rule-set internet-bound from interface ge-0/0/4.10v
[edit security nat source]
lab@srxB-1# set rule-set internet-bound from interface ge-0/0/4.20v
[edit security nat source]
lab@srxB-1# set rule-set internet-bound to zone untrust

Question: What other contexts could you use for the from statement?

Answer: You could use a from context referencing the source security zones, but in this case, two rule-sets would be necessary. Because no configured routing-instances are on your assigned device, the from routing-instance context is not applicable to this step.
Step 1.17
Navigate to the [edit security nat source rule-set
internet-bound] configuration hierarchy. Create a NAT rule named 1. The rule
should apply interface-based NAT to all traffic with a destination address of the
Internet host as depicted on your lab diagram.
[edit security nat source]
lab@srxB-1# edit rule-set internet-bound
[edit security nat source rule-set internet-bound]
lab@srxB-1# set rule 1 match destination-address 172.31.15.1/32
[edit security nat source rule-set internet-bound]
lab@srxB-1# set rule 1 then source-nat interface
[edit security nat source rule-set internet-bound]
lab@srxB-1# show
from interface [ ge-0/0/4.103 ge-0/0/4.203 ];
to zone untrust;
rule 1 {
match {
destination-address 172.31.15.1/32;
}
then {
source-nat {
interface;
}
}
}

Step 1.18
Commit your configuration and return to operational mode.
[edit security nat source rule-set internet-bound]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxB-1>
Note: The next lab steps require you to log in to the virtual router attached to your device. The virtual routers are logical devices created on a J Series Services Router.
Step 1.19
Open a new SecureCRT tab and connect to the vr-device device.

Click File > Connect in Tab from the SecureCRT window. Select
vr-device and click Connect.

Step 1.20
Log in to the virtual router using the login information shown in the following table.
Virtual Router Login Details

Student Device    User Name    Password
srxA-1            a1           lab123
srxB-1            b1           lab123
srxC-1            c1           lab123
srxD-1            d1           lab123

login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

Step 1.21
Initiate a Telnet session to the Internet host device from one of the virtual routers
attached to your assigned device. Use the same login credentials as used for your
current vr-device Telnet session.
b1@vr-device> telnet 172.31.15.1 routing-instance vr10v
Trying 172.31.15.1...
Connected to 172.31.15.1.
Escape character is '^]'.

vr-device (ttyp1)
login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
b1@vr-device>

Step 1.22
Return to the terminal session opened to your assigned device and view the session
table.
lab@srxB-1> show security flow session
Session ID: 335, Policy name: internet-hr/7, Timeout: 1774, Valid
In: 172.20.103.10/58487 --> 172.31.15.1/23;tcp, If: ge-0/0/4.103, Pkts: 27,
Bytes: 1567
Out: 172.31.15.1/23 --> 172.18.1.2/19813;tcp, If: ge-0/0/3.0, Pkts: 22, Bytes:
1594
Total sessions: 1

Question: Do the session table results indicate expected behavior?

Answer: Yes. As indicated by the output taken from srxB-1, the Telnet session sources from the internal IP address 172.20.103.10, but the return traffic has a destination of the WAN interface address.
Step 1.23
Issue the show security nat source rule all command and answer the
question that follows.
lab@srxB-1> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
source NAT rule: 1                     Rule-set: internet-bound
  Rule-Id                    : 1
  Rule position              : 1
  From interface             : ge-0/0/4.103
                             : ge-0/0/4.203
  To zone                    : untrust
  Destination addresses      : 172.31.15.1     - 172.31.15.1
  Destination port           : 0               - 0
  Action                     : interface
  Persistent NAT type        : N/A
  Persistent NAT mapping type: address-port-mapping
  Inactivity timeout         : 0
  Max session number         : 0
  Translation hits           : 1

Question: How many hits has this NAT rule received?

Answer: The answer might vary, but the Translation hits counter should show one hit at a minimum.
Step 1.24
Return to the session opened with the vr-device and exit the extra Telnet session
using the exit command.
b1@vr-device> exit
Connection closed by foreign host.
b1@vr-device>

Part 2: Pool-Based Destination NAT


In this part of the lab, you will configure pool-based destination NAT for traffic
originating from the remote device in your assigned pod. You will use the loopback IP
address of your assigned device as a public address that will be translated to an
internal address belonging to a virtual router attached to your device.
Step 2.1
Enter configuration mode and navigate to the [edit security nat
destination] hierarchy.
lab@srxB-1> configure
Entering configuration mode
[edit]
lab@srxB-1# edit security nat destination
[edit security nat destination]
lab@srxB-1#

Step 2.2
Configure a destination NAT pool named webserver that contains a single host
address. The host address should match the IP address of the virtual router
associated with the eng zone if you are assigned to srxX-1. The host address
should match the IP address of the virtual router associated with it zone if you are
assigned to srxX-2.
[edit security nat destination]
lab@srxB-1# set pool webserver address 172.20.20v.10/32

Step 2.3
Configure a destination NAT rule-set named from-internet. The associated
context should be from the untrust zone.
[edit security nat destination]
lab@srxB-1# set rule-set from-internet from zone untrust

Step 2.4
Under the from-internet rule-set, configure a destination NAT rule named 1.
The rule should apply destination NAT to traffic that originates from the network
associated with your remote ge-0/0/3 interface and that has your loopback address
as its destination. This translation should utilize the webserver pool you
configured.
[edit security nat destination]
lab@srxB-1# edit rule-set from-internet rule 1
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# set match source-address 172.18.2/30
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# set match destination-address 192.168.1.1
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# set then destination-nat pool webserver
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# up 2
[edit security nat destination]
lab@srxB-1# show
pool webserver {
address 172.20.203.10/32;
}
rule-set from-internet {
from zone untrust;
rule 1 {
match {
source-address 172.18.2.0/30;
destination-address 192.168.1.1/32;
}
then {
destination-nat pool webserver;
}
}
}

Question: Are any changes required to your security policy configuration to allow this traffic?

Answer: Yes. Currently, no security policy exists in the configuration that allows traffic from the untrust zone to the eng or it zone (depending on your assigned device).
Step 2.5
Navigate to the [edit security policy from-zone untrust to-zone
eng].
[edit security nat destination]
lab@srxB-1# top edit security policies from-zone untrust to-zone eng
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1#

Step 2.6
Configure a security policy that allows HTTP and Telnet traffic sourced from the
remote device in your pod to reach the virtual router associated with the eng zone
or the it zone depending on your assigned device. The necessary address book
entries should already exist in your zone configuration hierarchies. Name the new
security policy webserver.
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# top show security zones security-zone untrust address-book
address vr104 172.20.104.0/24;
address vr204 172.20.204.0/24;
address srxB-2 172.18.2.0/30;
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# top show security zones security-zone eng address-book
address vr203 172.20.203.0/24;
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match source-address srxX-2
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match destination-address vr20v
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match application junos-telnet
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match application junos-http
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver then permit

[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# show
policy webserver {
match {
source-address srxB-2;
destination-address vr203;
application [ junos-telnet junos-http ];
}
then {
permit;
}
}

Step 2.7
Commit your configuration and return to operational mode.
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode

Step 2.8
Note: In this step, you are initiating a Telnet session directly from your assigned device.
Attempt a Telnet session to the loopback IP address of your remote device. Initiate
this Telnet session from your assigned SRX Series device. When prompted for a
login, use the login information shown in the following table.
Virtual Router Login Details

Student Device    User Name    Password
srxA-1            a1           lab123
srxB-1            b1           lab123
srxC-1            c1           lab123
srxD-1            d1           lab123

lab@srxB-1> telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
vr-device (ttyp1)
login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
b1@vr-device>

Question: From your observations, is destination NAT operating correctly on your remote device?

Answer: Provided the Telnet session successfully established with the vr-device, the output indicates traffic destined to the remote loopback interface IP address is translating to the appropriate IP address.

Question: Why did the remote virtual router respond to the Telnet request instead of the remote device?

Answer: Recall that destination NAT occurs before routing and policy checks in the packet flow.
Step 2.9
Return to the initial session opened to your device and exit the Telnet session
opened with the remote virtual router.
b1@vr-device> exit
Connection closed by foreign host.
lab@srxB-1>

STOP

You have completed Lab 3. This concludes the lab portion of this
course.

Appendix A: Lab Diagrams
