Sunday, May 20, 2012

Juniper Networks SRX Sample Configuration

Below is a sample remote-site configuration of a Juniper SRX100 firewall along with explanations. I used this template configuration to deploy multiple firewalls in a multi-site, retail-type deployment. You will see four separate subnets/VLANs for VoIP, data, corporate wireless, and guest wireless. In this particular example, the VoIP deployment was ShoreTel, and the wireless equipment was from Aruba Networks. You will also see a route-based VPN configuration bound to the untrust interface, allowing for communication between the HQ and the remote site.

Note: You can view a configuration in this format at any time by issuing the command "show | display set". I changed a bit of how it is displayed in order to better show what each line means.


To set the host name:
set system host-name

To set the root password:
set system root-authentication plain-text-password

To set the name server:
set system name-server

To set additional user names and passwords:
set system login user example uid 2000
set system login user example class super-user
set system login user example authentication plain-text-password

To allow different global services:
set system services ftp
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.5

(The vlan.5 interface line restricts web management to that logical interface only. You will see below that vlan.5 is also the data VLAN.)

To set other system policies:
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

(The settings above are actually there by default, but can be changed as needed.)

To configure interfaces:
set interfaces fe-0/0/0 description "WAN"
set interfaces fe-0/0/0 unit 0 family inet dhcp

(In this example, I am using interface fe-0/0/0 as the WAN interface.)

set interfaces fe-0/0/1 description "VOIP/DATA"
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching native-vlan-id 5

(Interface fe-0/0/1 is a trunk port for both the VOIP and DATA VLANs.)

set interfaces fe-0/0/2 disable
set interfaces fe-0/0/3 disable
set interfaces fe-0/0/4 disable
set interfaces fe-0/0/5 disable
set interfaces fe-0/0/6 disable

(The interfaces above are disabled since they are not in use in this example.)

set interfaces fe-0/0/7 description "CORP WIRELESS/GUEST WIRELESS"
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/7 unit 0 family ethernet-switching native-vlan-id 6

(Interface fe-0/0/7 is a trunk port for both the CORP WIRELESS and GUEST WIRELESS VLANs.)

To configure an interface for route-based VPN:
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.254 ipsec-vpn routebasedvpn
set interfaces st0 unit 0 family inet address 10.10.10.5/24

(10.10.10.254 is the address of the HQ st0 interface; 10.10.10.5 is the address of the local st0 interface.)

To configure a gateway/subnet for each VLAN:
set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 7 family inet address 192.168.7.1/24

(The unit numbers have to match the vlan.4 through vlan.7 logical interfaces that the DHCP relay, security zones, and VLAN l3-interface settings below refer to; a unit that is not defined here cannot be referenced there.)

To configure DHCP options:
set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "DHCP SERVER"
set forwarding-options helpers bootp server 10.10.100.10
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.4
set forwarding-options helpers bootp interface vlan.5
set forwarding-options helpers bootp interface vlan.6
set forwarding-options helpers bootp interface vlan.7

(In the example above, the SRX relays DHCP requests from the four VLANs to a centralized DHCP server at HQ; the vpn option lets the relay forward to a server that is reached through the VPN tunnel.)

To configure routing options:
set routing-options static route 192.168.4.0/24 next-hop st0.0

(In the example above, the subnet for the VoIP VLAN is being routed over the VPN tunnel interface.)

To set protocols:
set protocols igmp interface vlan.4
set protocols lldp interface all
set protocols lldp-med interface all

To configure IPSEC VPN:
set security ike proposal phase1-prop authentication-method pre-shared-keys
set security ike proposal phase1-prop dh-group group2
set security ike proposal phase1-prop authentication-algorithm sha1
set security ike proposal phase1-prop encryption-algorithm 3des-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text test1234
set security ike gateway ike-gateway1 ike-policy ike-policy1
set security ike gateway ike-gateway1 address 1.1.1.1
set security ike gateway ike-gateway1 external-interface fe-0/0/0.0
set security ipsec proposal phase2-prop protocol esp
set security ipsec proposal phase2-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy1 proposal-set standard
set security ipsec vpn routebasedvpn bind-interface st0.0
set security ipsec vpn routebasedvpn ike gateway ike-gateway1
set security ipsec vpn routebasedvpn ike ipsec-policy ipsec-policy1
set security ipsec vpn routebasedvpn establish-tunnels immediately
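One thing to check in the block above: ike-policy1 and ipsec-policy1 both select `proposal-set standard`, so the named proposals phase1-prop and phase2-prop are defined but never referenced, and the suite actually negotiated is whichever member of the built-in standard set the peer accepts (3DES or AES-128 with SHA-1 and DH group 2). The following block, added here as an example and not part of the original post's config, binds the policies to the named proposals and strengthens them. The keywords are standard Junos ones, but availability of sha-256 and group14 depends on the Junos release, and the `#` lines are annotations rather than commands.

```junos
# Phase 1 (IKE): AES-256, SHA-256 integrity, DH group 14 (2048-bit MODP)
set security ike proposal phase1-prop authentication-method pre-shared-keys
set security ike proposal phase1-prop dh-group group14
set security ike proposal phase1-prop authentication-algorithm sha-256
set security ike proposal phase1-prop encryption-algorithm aes-256-cbc
set security ike proposal phase1-prop lifetime-seconds 28800
# Reference the named proposal instead of the built-in "standard" set.
# proposal-set and proposals are mutually exclusive, so remove the former first.
delete security ike policy ike-policy1 proposal-set
set security ike policy ike-policy1 proposals phase1-prop
# Detect a dead HQ peer and tear the SA down instead of black-holing traffic
set security ike gateway ike-gateway1 dead-peer-detection interval 10
set security ike gateway ike-gateway1 dead-peer-detection threshold 3
# Phase 2 (IPsec): ESP with AES-256 and SHA-256, PFS on group 14
set security ipsec proposal phase2-prop protocol esp
set security ipsec proposal phase2-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-prop encryption-algorithm aes-256-cbc
set security ipsec proposal phase2-prop lifetime-seconds 3600
delete security ipsec policy ipsec-policy1 proposal-set
set security ipsec policy ipsec-policy1 proposals phase2-prop
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
```

The HQ side of the tunnel has to offer the same proposals, otherwise phase 1 never completes; after committing, "show security ike security-associations" and "show security ipsec security-associations" confirm which algorithms were actually negotiated.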

To configure NAT:
set security nat source rule-set voip-to-untrust from zone voip
set security nat source rule-set voip-to-untrust to zone untrust
set security nat source rule-set voip-to-untrust rule source-nat-rule1 match source-address 192.168.4.0/24
set security nat source rule-set voip-to-untrust rule source-nat-rule1 then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule2 match source-address 192.168.5.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule2 then source-nat interface
set security nat source rule-set corp_wireless-to-untrust from zone corp_wireless
set security nat source rule-set corp_wireless-to-untrust to zone untrust
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.6.0/24
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 then source-nat interface
set security nat source rule-set guest_wireless-to-untrust from zone guest_wireless
set security nat source rule-set guest_wireless-to-untrust to zone untrust
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 match source-address 192.168.7.0/24
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 then source-nat interface

To configure screen options:
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

To configure zones:
set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone voip interfaces vlan.4
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.5
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols router-discovery
set security zones security-zone corp_wireless host-inbound-traffic system-services all
set security zones security-zone corp_wireless host-inbound-traffic protocols all
set security zones security-zone corp_wireless interfaces vlan.6
set security zones security-zone vpn address-book address hq_network 10.10.0.0/16
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
set security zones security-zone guest_wireless host-inbound-traffic system-services all
set security zones security-zone guest_wireless host-inbound-traffic protocols all
set security zones security-zone guest_wireless interfaces vlan.7

To configure policies from zone to zone:
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match source-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match destination-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match application any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust then permit
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match source-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match destination-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match application any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn then permit
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match source-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match destination-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match application any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless then permit
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match source-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match destination-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then permit
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match source-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match destination-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match application any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless then permit
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match source-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match destination-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match application any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless then permit
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match source-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match destination-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match application any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless then permit
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match source-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match destination-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match application any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust then permit
set security flow tcp-mss ipsec-vpn mss 1350
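In the zone and policy sections above, every internal zone accepts all host-inbound services and protocols, and every permit policy matches "application any". Note that there is no policy at all from guest_wireless to trust, vpn, or corp_wireless, so that traffic is already dropped by the default deny; the guest zone's exposure is the firewall itself and the open policy to untrust. The block below is an added example (not part of the original post's config) that tightens the guest zone: the SRX accepts only what the DHCP relay and basic troubleshooting need, the guest-to-untrust policy is narrowed to DNS and web using Junos predefined application names, denied attempts are logged explicitly, and RT_FLOW session events are written to a local file. The `#` lines are annotations rather than commands.

```junos
# Guest zone: the firewall itself accepts only DHCP/BOOTP (for the relay in
# forwarding-options) and ping from guest clients, nothing else
delete security zones security-zone guest_wireless host-inbound-traffic system-services all
delete security zones security-zone guest_wireless host-inbound-traffic protocols all
set security zones security-zone guest_wireless host-inbound-traffic system-services dhcp
set security zones security-zone guest_wireless host-inbound-traffic system-services bootp
set security zones security-zone guest_wireless host-inbound-traffic system-services ping
# Guest to Internet: DNS and web only, replacing "application any", with session logging
delete security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application junos-dns-udp
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application junos-http
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application junos-https
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then log session-init
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then log session-close
# Explicit deny-and-log policy for everything else; it is appended after the
# permit policy, so it is evaluated second and only catches what the permit missed
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-deny match source-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-deny match destination-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-deny match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-deny then deny
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-deny then log session-init
# Keep RT_FLOW_SESSION events in their own local log file
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
```

The same pattern (delete the "all" host-inbound entries, list the services each zone really needs, replace "application any" with named applications) applies to the trust, voip, and corp_wireless zones, where the list is longer because SSH and HTTPS management from vlan.5 and the ShoreTel traffic to HQ have to stay permitted.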

To configure VLANs:
set vlans VOIP description "VOIP"
set vlans VOIP vlan-id 4
set vlans VOIP interface fe-0/0/1.0
set vlans VOIP l3-interface vlan.4
set vlans DATA description "DATA"
set vlans DATA vlan-id 5
set vlans DATA l3-interface vlan.5
set vlans CORP_WIRELESS description "CORP_WIRELESS"
set vlans CORP_WIRELESS vlan-id 6
set vlans CORP_WIRELESS l3-interface vlan.6
set vlans GUEST_WIRELESS description "GUEST_WIRELESS"
set vlans GUEST_WIRELESS vlan-id 7
set vlans GUEST_WIRELESS interface fe-0/0/7.0
set vlans GUEST_WIRELESS l3-interface vlan.7


(You will notice that interface fe-0/0/1.0 is bound to the VOIP VLAN. However, if you look at the "set interfaces" section again, you will see that interface fe-0/0/1 has a native VLAN ID of 5. This means that both VLANs can exist on this interface: untagged traffic is placed in VLAN 5, so by default devices will receive an IP in VLAN 5 unless they tag their traffic for another VLAN. In this example a custom DHCP option was created for the VoIP VLAN, assigning a VLAN ID of 4.)

2 comments:

  1. Hi!

    Do you know of a way to route the voip traffic over the secondary vpn tunnel and the data traffic to the primary tunnel interface?

  2. Hello,

    This is possible through policy-based routing (also known as filter-based forwarding). There is a good KB article on the Juniper site that you can use as a baseline.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
