Lab Guide
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
Lab 0: Introduction to the Juniper Networks Virtual Lab
Lab 1: Configuring Interfaces on Junos OS Devices
Lab 2: Security Policy
Lab 3: Network Address Translation
www.juniper.net
Document Conventions
CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUI). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.
Style                          Description                    Usage Example
Franklin Gothic                Normal text.
Courier New                    Console text:
                                 Screen captures              commit complete
                                 Noncommand-related syntax
                                 Menu names
Normal CLI / Normal GUI        No distinguishing variant.     Physical interface:fxp0, Enabled
GUI Input
CLI Variable / GUI Variable                                   policy my-peers
CLI Undefined / GUI Undefined                                 ping 10.0.x.y
                                                              Select File > Save, and enter
                                                              filename in the Filename field.
Lab 0
Introduction to the Juniper Networks Virtual Lab
Overview
This lab shows the basic procedures for how to access the Juniper Networks Virtual Lab (vLab)
using a standard Web browser.
The vLabs give partners hands-on training through a virtual portal that is available
24 hours a day, 7 days a week. This is not a simulator but live equipment, provided to promote
learning and development for partners enrolled in the Juniper Networks Partner Learning Academy.
The vLab exercises help a student become proficient at installing, configuring, and
troubleshooting Juniper products. Each JNSS track takes approximately 8 hours to complete.
Once connected to the vLab site, you will need to register (with a valid e-mail address) and then
log in.
Access is granted on a first come, first served basis through the training section of the Partner
Center. The vLabs are also available for dedicated instructor-led courses on an as-needed
basis. The system checks whether one of the selected labs is available. If a vLab is available,
access is granted. If no lab is available, you will be asked to try again later.
Each of the vLabs is duplicated multiple times. In the case of the Router/Firewall lab there are
extra cross connects between the labs so that in a classroom environment they can be
connected in interesting network topologies.
Note
We recommend that you download and read the
course lab guide prior to starting your lab. The guide
provides important information to access the lab
environment and the labs themselves.
Step 4.1
You can modify your user name, password, and time zone if necessary by clicking on the
Profile tab. Once you have made the updates, you must click Update to save these
changes.
Note
Click the View Event Details link under each
Event description to access the course lab guide
and credentials.
Step 6.1
Click Start Session Now.
Step 6.2
Click Finish to return to the Sessions tab.
Note
The system will send you a reminder e-mail prior to
your session start time.
Note
Each session can be a maximum of 3 hours.
Step 7.1
Click OK to see the following screen.
Note
Do not close the browser window. Closing your
browser window will disconnect your Virtual Lab
session.
Step 7.2
Once you have an active session, you will see the following virtual desktop screen. On this
virtual desktop, you must double-click on the Secure CRT icon to begin your lab.
Note
The Help tab also has links to the related course
lab guide and vLab environment help guides.
Step 7.3
Choose the device you will be working with in the Secure CRT session and click Connect.
Note
Make sure that you consult your lab guide before
opening any of the VT100 terminal sessions.
STOP
Lab 1
Configuring Interfaces on Junos OS Devices
Overview
In this lab, you will use the command-line interface (CLI) to perform basic interface
configuration.
By completing this lab, you will perform the following tasks:
Step 1.2
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-1>
Step 1.3
Issue the show interfaces terse CLI command to check the state of your
device's interfaces.
lab@srxB-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1              --> 10.0.0.16
                                            10.0.0.6              --> 0/0
                                            128.0.0.1             --> 128.0.1.16
                                            128.0.0.6             --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/4                up    up
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1             --> 0/0
lo0.16385               up    up   inet     10.0.0.1              --> 0/0
                                            10.0.0.16             --> 0/0
                                            128.0.0.1             --> 0/0
                                            128.0.0.4             --> 0/0
                                            128.0.1.16            --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
Step 1.5
Refer to the network diagram for this lab and configure the ge-0/0/3 and loopback
interfaces. Use logical unit 0 on both interfaces.
lab@srxB-1> configure
Entering configuration mode
[edit]
lab@srxB-1# edit interfaces
[edit interfaces]
lab@srxB-1# set ge-0/0/3 unit 0 family inet address 172.18.1.2/30
[edit interfaces]
lab@srxB-1# set lo0 unit 0 family inet address 192.168.1.1/32
Step 1.6
Configure the ge-0/0/4 interface as shown on the network topology diagram. Use
the VLAN Assignments table on the topology diagram to determine the correct value
for the variables associated with your assigned device. This variable is used for the
vlan-id, unit number, and IP address.
VLAN Assignments
hostname   VLAN-ID
srxA-1     101, 201
srxB-1     103, 203
srxC-1     105, 205
srxD-1     107, 207
[edit interfaces]
lab@srxB-1# set ge-0/0/4 vlan-tagging
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 10v vlan-id 10v
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 10v family inet address 172.20.10v.1/24
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 20v vlan-id 20v
[edit interfaces]
lab@srxB-1# set ge-0/0/4 unit 20v family inet address 172.20.20v.1/24
[edit interfaces]
lab@srxB-1# show ge-0/0/4
vlan-tagging;
unit 103 {
vlan-id 103;
family inet {
address 172.20.103.1/24;
}
}
unit 203 {
vlan-id 203;
family inet {
address 172.20.203.1/24;
}
}
Step 1.7
Configure a static default route that points to the IP address associated with the
remote end of the ge-0/0/3 interface for your device. Commit the configuration and
return to operational mode.
[edit interfaces]
lab@srxB-1# up
[edit]
lab@srxB-1# edit routing-options
[edit routing-options]
lab@srxB-1# set static route 0/0 next-hop 172.18.1.1
[edit routing-options]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
Step 1.8
Issue the show interfaces terse command to verify the state of the
configured interfaces.
lab@srxB-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1              --> 10.0.0.16
                                            10.0.0.6              --> 0/0
                                            128.0.0.1             --> 128.0.1.16
                                            128.0.0.6             --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.103            up    up   inet     172.20.103.1/24
ge-0/0/4.203            up    up   inet     172.20.203.1/24
ge-0/0/4.32767          up    up
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1           --> 0/0
lo0.16384               up    up   inet     127.0.0.1             --> 0/0
lo0.16385               up    up   inet     10.0.0.1              --> 0/0
                                            10.0.0.16             --> 0/0
                                            128.0.0.1             --> 0/0
                                            128.0.0.4             --> 0/0
                                            128.0.1.16            --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
Step 1.10
Add a second IP address, 5.5.5.5/30, to the ge-0/0/3 interface.
[edit interfaces ge-0/0/3]
lab@srxB-1# set unit 0 family inet address 5.5.5.5/30
Step 1.11
Now make the original IP address the primary address.
[edit interfaces ge-0/0/3]
lab@srxB-1# set unit 0 family inet address 172.18.1.2/30 primary
Step 1.12
Activate the configuration and return to operational mode.
[edit interfaces ge-0/0/3]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
Step 1.13
Issue the show interfaces terse command to verify the changes you made to
the ge-0/0/3 interface.
lab@srxB-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.133/27
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1              --> 10.0.0.16
                                            10.0.0.6              --> 0/0
                                            128.0.0.1             --> 128.0.1.16
                                            128.0.0.6             --> 0/0
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     5.5.5.5/30
                                            172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.103            up    up   inet     172.20.103.1/24
ge-0/0/4.203            up    up   inet     172.20.203.1/24
ge-0/0/4.32767          up    up
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up
ge-0/0/9                up    up
ge-0/0/10               up    up
ge-0/0/11               up    up
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1           --> 0/0
lo0.16384               up    up   inet     127.0.0.1             --> 0/0
lo0.16385               up    up   inet     10.0.0.1              --> 0/0
                                            10.0.0.16             --> 0/0
                                            128.0.0.1             --> 0/0
                                            128.0.0.4             --> 0/0
                                            128.0.1.16            --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up
Last flapped   : 2012-06-18 07:25:51 UTC (2d 17:20 ago)
Input rate     : 0 bps (0 pps)
Output rate    : 0 bps (0 pps)
Active alarms : None
Active defects : None
Interface transmit statistics: Disabled
Logical interface ge-0/0/3.0 (Index 68) (SNMP ifIndex 543)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 3
Output packets: 5
Security: Zone: Null
Protocol inet, MTU: 1500
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred
Destination: 5.5.5.4/30, Local: 5.5.5.5, Broadcast: 5.5.5.7
Addresses, Flags: Primary Is-Preferred Is-Primary
Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3
Step 1.16
Delete the 5.5.5.5 IP address as well as the primary flag on the 172.18.1.2 IP
address.
[edit]
lab@srxB-1# edit interfaces ge-0/0/3
[edit interfaces ge-0/0/3]
lab@srxB-1# delete unit 0 family inet address 5.5.5.5/30
[edit interfaces ge-0/0/3]
lab@srxB-1# edit unit 0 family inet address 172.18.1.2/30
[edit interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30]
lab@srxB-1# delete primary
[edit interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30]
lab@srxB-1# top
[edit]
lab@srxB-1# show interfaces ge-0/0/3
unit 0 {
family inet {
address 172.18.1.2/30;
}
}
Step 1.17
Activate the configuration and return to operational mode.
[edit]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
STOP
You have completed Lab 1. Please return to the course and complete
the next section.
Lab 2
Security Policy
Overview
In this lab, you will implement security policies designed to allow only necessary traffic
between zones within your pod.
By completing this lab, you will perform the following tasks:
Step 1.2
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-1>
Step 1.3
Issue the configure command to enter Configuration mode.
lab@srxB-1> configure
Entering configuration mode
Step 1.4
Using the load override command, load the file lab2p1s4.config from the
/var/home/lab/sssrx03/ directory. This command loads the basic
configuration needed to complete the lab. Issue the commit command to apply the
changes.
[edit]
lab@srxB-1# load override /var/home/lab/sssrx03/lab2p1s4.config
[edit]
lab@srxB-1# commit
commit complete
Step 1.5
Open a new SecureCRT tab and connect to the SRX2 device. Enter configuration
mode and load the lab2p1s9.config file from the
/var/home/lab/sssrx03/ directory. Commit the changes and exit when
complete.
Click File > Connect in Tab from the SecureCRT window.
Step 1.6
Select SRX2 from the available devices and click Connect.
Step 1.7
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-2>
Step 1.8
Issue the configure command to enter Configuration mode.
lab@srxB-2> configure
Entering configuration mode
Step 1.9
Load the configuration file and then exit. Exit the device and close the tab and return
to the SRX1 device.
[edit]
lab@srxB-2# load override /var/home/lab/sssrx03/lab2p1s9.config
[edit]
lab@srxB-2# commit and-quit
commit complete
Exiting configuration mode
lab@srxB-2> exit
srxB-2 (ttyu0)
login:
Step 1.10
On the SRX1 device, navigate to the [edit security] configuration hierarchy.
[edit]
lab@srxB-1# edit security
Step 1.11
Issue the show command to view the [edit security] configuration stanza.
[edit security]
lab@srxB-1# show
forwarding-options {
family {
mpls {
mode packet-based;
}
}
}
[edit security]
lab@srxB-1# show
[edit security]
lab@srxB-1#
Step 1.13
Refer to the lab diagram and configure the untrust, hr (human resources), and
eng (engineering) zones. Configure these zones as security zones. Add the
appropriate network interfaces under each security zone.
[edit security]
lab@srxB-1# set zones security-zone hr interfaces ge-0/0/4.10v
[edit security]
lab@srxB-1# set zones security-zone eng interfaces ge-0/0/4.20v
[edit security]
lab@srxB-1# set zones security-zone untrust interfaces ge-0/0/3.0
Step 1.14
Configure a functional zone and associate it with your device's management
interface.
[edit security]
lab@srxB-1# set zones functional-zone ?
Possible completions:
> management         host for out of band management interfaces
[edit security]
lab@srxB-1# set zones functional-zone management interfaces ge-0/0/0.0
snmp;
}
}
Step 2.2
Add the remote /30 network between the Internet and the remote student device in
your pod to the untrust zone address book. Configure this address entry to use the
same name as the remote student device in your pod.
[edit security zones security-zone untrust]
lab@srxB-1# set address-book address srxB-2 172.18.2.0/30
[edit security zones security-zone untrust]
lab@srxB-1# show address-book
address vr104 172.20.104.0/24;
address vr204 172.20.204.0/24;
address srxB-2 172.18.2.0/30;
Step 2.3
For the virtual routers attached to your assigned device, configure the /24 network
addresses as address book entries within their respective zones. Name these
address book entries with the same name as their associated virtual routers.
[edit security zones security-zone untrust]
lab@srxB-1# up
[edit security zones]
lab@srxB-1# set security-zone hr address-book address vr10v 172.20.10v.0/24
[edit security zones]
lab@srxB-1# set security-zone eng address-book address vr20v 172.20.20v.0/24
Step 3.2
Configure security policies allowing all traffic from the virtual router zones to the
untrust zone. Name these policies internet-zone, where zone represents the
source zone. For this step, match on the appropriate source address using the
associated virtual router address book entries.
[edit security policies from-zone eng to-zone eng policy intrazone-eng]
lab@srxB-1# up 2
Step 3.3
Next, define a security policy that rejects FTP connections sourced from the hr and dc
zones and destined to the untrust zone. Name this policy deny-ftp-hr.
[edit security policies from-zone eng to-zone untrust policy internet-eng]
lab@srxB-1# up 2
[edit security policies]
lab@srxB-1# edit from-zone hr to-zone untrust policy deny-ftp-hr
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set match source-address any
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set match destination-address any
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set match application junos-ftp
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# set then reject
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# show
match {
source-address any;
destination-address any;
application junos-ftp;
}
then {
reject;
}
Step 3.4
Commit the configuration.
[edit security policies from-zone hr to-zone untrust policy deny-ftp-hr]
lab@srxB-1# commit
commit complete
Step 3.5
Open a new SecureCRT tab and connect to the vr-device device.
Click File > Connect in Tab from the SecureCRT window. Select
vr-device and click Connect.
Step 3.6
Log in to the virtual router using the login information shown in the following table.
Virtual Router Login Details
Student Device   User Name   Password
srxA-1           a1          lab123
srxB-1           b1          lab123
srxC-1           c1          lab123
srxD-1           d1          lab123
login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
Step 3.7
Ensure that you can open an FTP session to the remote Internet host located at
172.31.15.1. Remember to source the FTP from the routing-instance associated
with the hr zone or the dc zone depending upon your assigned device. Use the
Ctrl+C key sequence to close the FTP connection.
destination-address any;
application junos-ftp;
}
then {
reject;
}
}
policy internet-hr {
match {
source-address vr103;
destination-address any;
application any;
}
then {
permit;
}
}
[edit security policies from-zone hr to-zone untrust]
lab@srxB-1# commit
commit complete
Step 3.9
Return to the session opened to the vr-device and try the FTP connection
again. Exit the FTP application by issuing the bye command.
Step 3.12
Create an application set named internal-apps that includes the hr-gizmo,
junos-telnet, and junos-ping applications.
[edit applications application hr-gizmo]
lab@srxB-1# up
[edit applications]
lab@srxB-1# edit application-set internal-apps
[edit applications application-set internal-apps]
lab@srxB-1# set application hr-gizmo
[edit applications application-set internal-apps]
Step 3.13
Configure security policies that permit the internal-apps applications between
the hr and dc security zones. Because the hr and dc zones are separated by the
Internet, you must reference the untrust zone when configuring the security policies.
Name the policy dc-to-hr.
[edit applications application-set internal-apps]
lab@srxB-1# top
[edit]
lab@srxB-1# edit security policies from-zone untrust to-zone hr
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr match source-address vr10v
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr match destination-address vr10v
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr match application internal-apps
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# set policy dc-to-hr then permit
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# show
policy dc-to-hr {
match {
source-address vr104;
destination-address vr103;
application internal-apps;
}
then {
permit;
}
}
Step 3.15
Commit the configuration and return to operational mode.
[edit security policies from-zone untrust to-zone hr]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxB-1>
Sequence number: 1
From zone: hr, To zone: untrust
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: junos-ftp
IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [21-21]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: internet-hr, action-type: permit, State: enabled, Index: 6, Scope Policy: 0
Policy Type: Configured
Sequence number: 2
From zone: hr, To zone: untrust
Source addresses:
vr103: 172.20.103.0/24
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: intrazone-eng, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: eng, To zone: eng
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy: internet-eng, action-type: permit, State: enabled, Index: 8, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: eng, To zone: untrust
Source addresses:
vr203: 172.20.203.0/24
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
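The listing above shows deny-ftp-hr at sequence number 1 and internet-hr at sequence number 2 in the hr-to-untrust context. Junos evaluates the policies of a context top down and applies the first match, so that order is what makes the FTP reject effective; placed after the permit-any policy it would never fire. As an added example, not code from the lab guide, this Python model replays that first-match lookup over the Lab 2 policies of srxB-1. Applications are reduced to a (protocol, destination port) pair, and the port of the custom hr-gizmo application, which this page does not show, is an assumed value.

```python
"""First-match evaluation of the Lab 2 security policies.

Added example, not from the Juniper lab guide. Address-book entries and policies
are the ones configured on srxB-1 in Lab 2; applications are reduced to a
(protocol, destination port) pair. The port of the custom hr-gizmo application
is not shown on this page and is an assumed value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Junos predefined applications used in the lab, plus the custom one.
APPLICATIONS = {
    "junos-ftp": ("tcp", 21),
    "junos-telnet": ("tcp", 23),
    "junos-ping": ("icmp", None),
    "hr-gizmo": ("tcp", 4000),   # assumed port; defined earlier in the lab, not shown here
}
APPLICATION_SETS = {"internal-apps": {"hr-gizmo", "junos-telnet", "junos-ping"}}

# Zone address books from Lab 2 Steps 2.2 and 2.3 (name -> prefix).
ADDRESS_BOOK = {
    "vr103": "172.20.103.0/24", "vr203": "172.20.203.0/24",
    "vr104": "172.20.104.0/24", "vr204": "172.20.204.0/24",
    "srxB-2": "172.18.2.0/30",
}


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str        # address-book name or "any"
    destination: str   # address-book name or "any"
    application: str   # application, application-set or "any"
    action: str        # "permit", "deny" or "reject"

    @staticmethod
    def _addr_ok(entry, ip):
        return entry == "any" or ip_address(ip) in ip_network(ADDRESS_BOOK[entry])

    def _app_ok(self, proto, dport):
        if self.application == "any":
            return True
        apps = APPLICATION_SETS.get(self.application, {self.application})
        return any(APPLICATIONS[a] == (proto, dport) for a in apps)

    def matches(self, from_zone, to_zone, src, dst, proto, dport):
        return ((from_zone, to_zone) == (self.from_zone, self.to_zone)
                and self._addr_ok(self.source, src)
                and self._addr_ok(self.destination, dst)
                and self._app_ok(proto, dport))


def matching_policies(policies, from_zone, to_zone, src, dst, proto, dport=None):
    """Every policy in the context that the flow would match, in lookup order.

    Only the first entry is applied; the rest are shadowed for this flow.
    """
    return [p.name for p in policies
            if p.matches(from_zone, to_zone, src, dst, proto, dport)]


def evaluate(policies, from_zone, to_zone, src, dst, proto, dport=None):
    """(policy name, action) applied to the flow: first match wins, and a flow
    matching no policy in its context falls through to the default deny."""
    for p in policies:
        if p.matches(from_zone, to_zone, src, dst, proto, dport):
            return p.name, p.action
    return "default-policy", "deny"


# The Lab 2 policies in the order the lab ends up with: the FTP reject sits
# ahead of the permit-any policy in the hr -> untrust context.
LAB2_POLICIES = [
    Policy("deny-ftp-hr", "hr", "untrust", "any", "any", "junos-ftp", "reject"),
    Policy("internet-hr", "hr", "untrust", "vr103", "any", "any", "permit"),
    Policy("intrazone-eng", "eng", "eng", "any", "any", "any", "permit"),
    Policy("internet-eng", "eng", "untrust", "vr203", "any", "any", "permit"),
    Policy("dc-to-hr", "untrust", "hr", "vr104", "vr103", "internal-apps", "permit"),
]
# The same policies with internet-hr ahead of deny-ftp-hr: the reject never fires.
WRONG_ORDER = [LAB2_POLICIES[1], LAB2_POLICIES[0]] + LAB2_POLICIES[2:]

if __name__ == "__main__":
    ftp = ("hr", "untrust", "172.20.103.10", "172.31.15.1", "tcp", 21)
    print("deny first  :", evaluate(LAB2_POLICIES, *ftp))
    print("permit first:", evaluate(WRONG_ORDER, *ftp))
    print("matched     :", matching_policies(WRONG_ORDER, *ftp))
```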
Step 4.2
Return to the session opened on the vr-device and open a Telnet session between
the virtual router associated with the hr zone and the virtual router associated with
the dc zone. You will initiate a Telnet session with the virtual router interface
associated with the dc zone. Log in with the same username and password as your
current session.
b1@vr-device> telnet 172.20.10v.10 routing-instance vr10v
Trying 172.20.104.10...
Connected to 172.20.104.10.
Escape character is '^]'.
vr-device(ttyp0)
login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
b1@vr-device>
Step 4.3
Return to the session opened on your assigned SRX1 device and issue the show
security flow session command.
Step 4.5
Return to the vr-device and end the open Telnet session by entering the exit
command.
b1@vr-device> exit
Connection closed by foreign host.
b1@vr-device>
Step 4.6
Return to your assigned SRX1 device and view the configuration hierarchy
associated with the syslog settings.
lab@srxB-1> show configuration system syslog
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
  Input DA rejects                 : 0
  Input SA rejects                 : 0
  Output packet count              : 0
  Output packet pad count          : 0
  Output packet error count        : 0
  CAM destination filters: 2, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK,
        Link partner Speed: 1000 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort                95      950000000    95              0      low    none
    3 network-control             5       50000000     5              0      low    none
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/3.0 (Index 66) (SNMP ifIndex 524) (Generation 159)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :               863472
     Output bytes  :                 4353
     Input  packets:                 4120
     Output packets:                   82
    Local statistics:
     Input  bytes  :                 1200
     Output bytes  :                  924
     Input  packets:                   20
     Output packets:                   22
    Transit statistics:
     Input  bytes  :               862272                    0 bps
     Output bytes  :                 3429                    0 bps
     Input  packets:                 4100                    0 pps
     Output packets:                   60                    0 pps
    Security: Zone: untrust
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     5
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        3304
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        3381
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       1152
      Policy denied:                     1683
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 187, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3, Generation: 188
Step 4.9
Return to your assigned device and issue the show interfaces extensive
command for the ge-0/0/3 interface again.
lab@srxB-1> show interfaces extensive ge-0/0/3 | find "Flow Statistics"
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     5
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        3304
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        3669
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       1152
      Policy denied:                     1728
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 187, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3, Generation: 188
STOP
You have completed Lab 2. Please return to the course and complete
the next section.
Lab 3
Network Address Translation
Overview
In this lab, you will implement Network Address Translation (NAT).
By completing this lab, you will perform the following tasks:
Step 1.2
Log in as user lab with the password lab123.
srxB-1 (ttyp0)
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-1>
Step 1.3
Enter Configuration mode using the configure command.
lab@srxB-1> configure
Entering configuration mode
[edit]
lab@srxB-1#
Step 1.4
Using the load override command, load the file lab3p1s4.config from the
/var/home/lab/sssrx03/ directory. This command loads the basic
configuration needed to complete the lab. Issue the commit and-quit
command to apply the changes.
[edit]
lab@srxB-1# load override /var/home/lab/sssrx03/lab3p1s4.config
[edit]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
Step 1.5
Issue the show security flow status command to view whether you must
reboot the SRX to change the Inet and MPLS forwarding modes.
lab@srxB-1> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based (reboot needed to change to flow based)
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based (reboot needed to change to drop)
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Step 1.7
Log back in as user lab with the password lab123.
srxB-1 (ttyp0)
login: lab
Password:
Step 1.8
Open a new SecureCRT tab and connect to the SRX2 device. Enter configuration
mode and load the lab3p1s12.config file from the
/var/home/lab/sssrx03/ directory. Commit the changes and exit when
complete.
Click File > Connect in Tab from the SecureCRT window.
Step 1.9
Select SRX2 from the available devices and click Connect.
Step 1.10
Log in as user lab with the password lab123.
login: lab
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
lab@srxB-2>
Step 1.11
Issue the configure command to enter Configuration mode.
lab@srxB-2> configure
Entering configuration mode
Step 1.12
Load the configuration file and then exit. Exit the device and close the tab and return
to the SRX1 device.
[edit]
lab@srxB-2# load override /var/home/lab/sssrx03/lab3p1s12.config
[edit]
lab@srxB-2# commit and-quit
commit complete
Exiting configuration mode
Step 1.13
Issue the show security flow status command to view whether you must
reboot the SRX to change the Inet and MPLS forwarding modes.
lab@srxB-2> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based (reboot needed to change to flow based)
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based (reboot needed to change to drop)
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
lab@srxB-2>
*** FINAL System shutdown message from lab@srxB-2 ***
System going down IMMEDIATELY
...TRIMMED...
srxB-2 (ttyu0)
Step 1.15
Return to the SRX1 device, enter configuration mode, and navigate to the
[edit security nat source] hierarchy.
Enter Configuration mode using the configure command.
lab@srxB-1> configure
Entering configuration mode
[edit]
lab@srxB-1# edit security nat source
[edit security nat source]
lab@srxB-1#
Step 1.16
Create a rule-set named internet-bound. Associate the rule-set with a context
matching traffic coming from both interfaces connected to the virtual routers and
destined to the untrust zone.
[edit security nat source]
lab@srxB-1# set rule-set internet-bound from interface ge-0/0/4.10v
[edit security nat source]
lab@srxB-1# set rule-set internet-bound from interface ge-0/0/4.20v
[edit security nat source]
lab@srxB-1# set rule-set internet-bound to zone untrust
Step 1.18
Commit your configuration and return to operational mode.
[edit security nat source rule-set internet-bound]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxB-1>
Click File > Connect in Tab from the SecureCRT window. Select
vr-device and click Connect.
Step 1.20
Log in to the virtual router using the login information shown in the following table.
Virtual Router Login Details
Student Device   User Name   Password
srxA-1           a1          lab123
srxB-1           b1          lab123
srxC-1           c1          lab123
srxD-1           d1          lab123
login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
Step 1.21
Initiate a Telnet session to the Internet host device from one of the virtual routers
attached to your assigned device. Use the same login credentials as used for your
current vr-device Telnet session.
b1@vr-device> telnet 172.31.15.1 routing-instance vr10v
Trying 172.31.15.1...
Connected to 172.31.15.1.
Escape character is '^]'.
vr-device (ttyp1)
login: b1
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 12:44:14 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
b1@vr-device>
Step 1.22
Return to the terminal session opened to your assigned device and view the session
table.
lab@srxB-1> show security flow session
Session ID: 335, Policy name: internet-hr/7, Timeout: 1774, Valid
In: 172.20.103.10/58487 --> 172.31.15.1/23;tcp, If: ge-0/0/4.103, Pkts: 27,
Bytes: 1567
Out: 172.31.15.1/23 --> 172.18.1.2/19813;tcp, If: ge-0/0/3.0, Pkts: 22, Bytes:
1594
Total sessions: 1
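The session table is where you confirm that the internet-bound rule-set actually translated the traffic: the Out wing is the reply direction, so its destination is the translated source address and port. The parser below is an added example, not part of the lab guide, that extracts both wings from show security flow session output and reports what was translated; the sample text is the Step 1.22 entry above, reproduced as constructed input with each wing on one line.

```python
"""Parse 'show security flow session' output and report NAT translations.

Added example, not from the Juniper lab guide. The only assumption is the
wing line layout shown in the guide (In:/Out: with If:, Pkts:, Bytes:).
"""
import re

# Constructed sample: the Step 1.22 session entry, one line per wing.
SAMPLE = """\
Session ID: 335, Policy name: internet-hr/7, Timeout: 1774, Valid
  In: 172.20.103.10/58487 --> 172.31.15.1/23;tcp, If: ge-0/0/4.103, Pkts: 27, Bytes: 1567
  Out: 172.31.15.1/23 --> 172.18.1.2/19813;tcp, If: ge-0/0/3.0, Pkts: 22, Bytes: 1594
Total sessions: 1
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^/,]+)/(\d+), Timeout: (\d+), (\w+)")
WING = re.compile(r"\b(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                  r"Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Return a list of sessions, each with its In/Out wings, in display order."""
    # Terminal or PDF wrapping can split a wing after "Pkts: N,"; rejoin before matching.
    text = re.sub(r"(Pkts: \d+,)\s*\n\s*(Bytes:)", r"\1 \2", text)
    sessions = []
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            sessions.append({"id": int(h[1]), "policy": h[2], "policy_id": int(h[3]),
                             "timeout": int(h[4]), "state": h[5], "wings": {}})
            continue
        w = WING.search(line)
        if w and sessions:
            sessions[-1]["wings"][w[1]] = {
                "src": (w[2], int(w[3])), "dst": (w[4], int(w[5])), "proto": w[6],
                "iface": w[7], "pkts": int(w[8]), "bytes": int(w[9])}
    return sessions


def nat_summary(session):
    """Derive the translations from the two wings.

    The Out wing is the reply direction as seen on the egress interface, so its
    destination is the post-source-NAT address/port and its source is the
    post-destination-NAT address/port. Comparing them with the In wing shows
    exactly which NAT was applied to the session.
    """
    i, o = session["wings"]["In"], session["wings"]["Out"]
    return {
        "orig_src": i["src"], "nat_src": o["dst"],
        "orig_dst": i["dst"], "nat_dst": o["src"],
        "source_nat": o["dst"] != i["src"],
        "destination_nat": o["src"] != i["dst"],
        "ingress": i["iface"], "egress": o["iface"],
    }


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["id"], s["policy"], nat_summary(s))
```

Run against the lab entry, nat_summary reports the source 172.20.103.10/58487 rewritten to 172.18.1.2/19813 (the ge-0/0/3.0 interface address, as interface NAT does) and no destination translation, which is what the rule-set was meant to do.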
Rule-set: internet-bound
  Rule-Id                      : 1
  Rule position                : 1
  From interface               : ge-0/0/4.103
                               : ge-0/0/4.203
  To zone                      : untrust
    Destination addresses      : 172.31.15.1 - 172.31.15.1
    Destination port           : 0 - 0
  Action                       : interface
    Persistent NAT type        : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout         : 0
    Max session number         : 0
  Translation hits             : 1
Step 2.2
Configure a destination NAT pool named webserver that contains a single host
address. The host address should match the IP address of the virtual router
associated with the eng zone if you are assigned to srxX-1, or the IP address of
the virtual router associated with the it zone if you are assigned to srxX-2.
[edit security nat destination]
lab@srxB-1# set pool webserver address 172.20.20v.10/32
Step 2.3
Configure a destination NAT rule-set named from-internet. The associated
context should be from the untrust zone.
[edit security nat destination]
lab@srxB-1# set rule-set from-internet from zone untrust
Step 2.4
Under the from-internet rule-set, configure a destination NAT rule named 1.
The rule should apply destination NAT to traffic that originates from the network
associated with your remote ge-0/0/3 interface and that has your loopback address
as its destination. This translation should utilize the webserver pool you
configured.
[edit security nat destination]
lab@srxB-1# edit rule-set from-internet rule 1
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# set match source-address 172.18.2/30
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# set match destination-address 192.168.1.1
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# set then destination-nat pool webserver
[edit security nat destination rule-set from-internet rule 1]
lab@srxB-1# up 2
[edit security nat destination]
lab@srxB-1# show
pool webserver {
address 172.20.203.10/32;
}
rule-set from-internet {
from zone untrust;
rule 1 {
match {
source-address 172.18.2.0/30;
destination-address 192.168.1.1/32;
}
then {
destination-nat pool webserver;
}
}
}
Step 2.6
Configure a security policy that allows HTTP and Telnet traffic sourced from the
remote device in your pod to reach the virtual router associated with the eng zone
or the it zone, depending on your assigned device. The necessary address book
entries should already exist in your zone configuration hierarchies. Name the new
security policy webserver. Because the SRX applies destination NAT before the
route and policy lookups, the policy belongs in the from-zone untrust to-zone eng
(or it) context and must match the translated destination address (the vr20v
address book entry), not the loopback address that the destination NAT rule
matches; a policy written against 192.168.1.1 would never match and the traffic
would hit the default deny.
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# top show security zones security-zone untrust address-book
address vr104 172.20.104.0/24;
address vr204 172.20.204.0/24;
address srxB-2 172.18.2.0/30;
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# top show security zones security-zone eng address-book
address vr203 172.20.203.0/24;
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match source-address srxX-2
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match destination-address vr20v
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match application junos-telnet
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver match application junos-http
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# set policy webserver then permit
Step 2.7
Commit your configuration and return to operational mode.
[edit security policies from-zone untrust to-zone eng]
lab@srxB-1# commit and-quit
commit complete
Exiting configuration mode
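The reason Step 2.4 matches the loopback address while Step 2.6 matches the eng-zone host is the order in which the SRX processes the first packet of a session: destination NAT, then the route lookup that determines the to-zone, then the security policy, and only then source NAT. The model below is an added example, not code from the lab guide, that replays that order over the Lab 1 and Lab 2 configuration for pod B. Everything in it is constructed from the addresses shown in the lab output; the zone name hr for ge-0/0/4.103, the match terms of the internet-hr policy, and the source NAT rule matching any source address are assumptions, and the source port rewrite done by interface NAT is not modelled.

```python
"""Simplified model of SRX first-packet processing for the lab's NAT and policy
configuration. Added example, not code from the Juniper lab guide. It models
the order destination NAT -> route/zone lookup -> security policy -> source NAT,
which is why the Step 2.6 policy must match the post-NAT address.
Assumed (not stated on the page): ge-0/0/4.103 sits in a zone named hr, the
internet-hr policy permits any application to any destination, and the source
NAT rule-set matches all source addresses. Interface NAT's source-port
allocation is not modelled; only the address is rewritten.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str


# Constructed pod-B topology taken from the lab output (zone of .103 is assumed).
IFACE_ZONE = {"ge-0/0/3.0": "untrust", "ge-0/0/4.103": "hr", "ge-0/0/4.203": "eng"}
IFACE_ADDR = {"ge-0/0/3.0": "172.18.1.2"}  # address used by "source-nat interface"
ROUTES = [  # (prefix, egress interface); longest match wins
    ("172.20.103.0/24", "ge-0/0/4.103"),
    ("172.20.203.0/24", "ge-0/0/4.203"),
    ("172.18.1.0/30", "ge-0/0/3.0"),
    ("0.0.0.0/0", "ge-0/0/3.0"),
]
APP_PORT = {"junos-telnet": 23, "junos-http": 80}

# Steps 2.3/2.4: rule-set from-internet, rule 1 -> pool webserver
DNAT_RULES = [("untrust", "172.18.2.0/30", "192.168.1.1/32", "172.20.203.10")]
# Step 1.16: rule-set internet-bound, from the VR-facing interfaces to zone untrust
SNAT_RULES = [({"ge-0/0/4.103", "ge-0/0/4.203"}, "untrust", "interface")]
# (from-zone, to-zone, name, source, destination, applications, action)
POLICIES = [
    ("untrust", "eng", "webserver", "172.18.2.0/30", "172.20.203.0/24",
     {"junos-telnet", "junos-http"}, "permit"),
    ("hr", "untrust", "internet-hr", "172.20.103.0/24", "0.0.0.0/0", {"any"}, "permit"),
]
# The mistake the Step 2.6 text warns against: matching the pre-NAT (loopback) address.
WRONG_POLICY = ("untrust", "eng", "webserver", "172.18.2.0/30", "192.168.1.1/32",
                {"junos-telnet", "junos-http"}, "permit")


def in_net(addr, net):
    return ip_address(addr) in ip_network(net)


def egress_iface(dst):
    """Longest-prefix route lookup; the egress interface decides the to-zone."""
    prefix, iface = max(((p, i) for p, i in ROUTES if in_net(dst, p)),
                        key=lambda r: ip_network(r[0]).prefixlen)
    return iface


def apply_dnat(pkt, from_zone):
    for zone, src, dst, pool in DNAT_RULES:
        if zone == from_zone and in_net(pkt.src, src) and in_net(pkt.dst, dst):
            return replace(pkt, dst=pool)
    return pkt


def match_policy(pkt, from_zone, to_zone, policies):
    for fz, tz, name, src, dst, apps, action in policies:
        if (fz, tz) != (from_zone, to_zone):
            continue
        ports = {APP_PORT[a] for a in apps if a in APP_PORT}
        if in_net(pkt.src, src) and in_net(pkt.dst, dst) and ("any" in apps or pkt.dport in ports):
            return name, action
    return "default-deny", "deny"  # implicit default policy


def apply_snat(pkt, egress, to_zone):
    for ifaces, zone, action in SNAT_RULES:
        if pkt.in_iface in ifaces and to_zone == zone and action == "interface":
            return replace(pkt, src=IFACE_ADDR[egress])
    return pkt


def first_packet(pkt, policies=POLICIES):
    """Return the verdict and the addresses as the packet would leave the SRX."""
    from_zone = IFACE_ZONE[pkt.in_iface]
    pkt = apply_dnat(pkt, from_zone)                                   # 1. destination NAT
    egress = egress_iface(pkt.dst)                                     # 2. route lookup on translated dst
    to_zone = IFACE_ZONE[egress]                                       # 3. to-zone from egress interface
    policy, action = match_policy(pkt, from_zone, to_zone, policies)   # 4. policy on post-DNAT packet
    if action == "permit":
        pkt = apply_snat(pkt, egress, to_zone)                         # 5. source NAT only after permit
    return {"policy": policy, "action": action, "from_zone": from_zone,
            "to_zone": to_zone, "src": pkt.src, "dst": pkt.dst}


if __name__ == "__main__":
    inbound = Packet("172.18.2.2", 40000, "192.168.1.1", 80, "ge-0/0/3.0")
    print(first_packet(inbound))                  # webserver / permit, dst 172.20.203.10
    print(first_packet(inbound, [WRONG_POLICY]))  # default-deny: policy saw the post-NAT dst
    outbound = Packet("172.20.103.10", 58487, "172.31.15.1", 23, "ge-0/0/4.103")
    print(first_packet(outbound))                 # internet-hr / permit, src 172.18.1.2
```

The outbound case reproduces the Step 1.22 session entry (source rewritten to 172.18.1.2 on ge-0/0/3.0); the inbound case lands in the eng zone with destination 172.20.203.10, and the same packet evaluated against WRONG_POLICY is dropped by the default deny because the policy never sees the loopback address.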
Step 2.8
  Student Device   User Name   Password
  srxA-1           a1          lab123
  srxB-1           b1          lab123
  srxC-1           c1          lab123
  srxD-1           d1          lab123
STOP
You have completed Lab 3. This concludes the lab portion of this
course.
A2 Lab Diagrams