
Juniper SRX Series Basic Setup

There are already a few articles about configuring Juniper SRX routers (for example, one, two, three, etc.). In this one, I will try to consolidate the useful information and supplement it with a few handy details.

Those interested are welcome under the cut.

I have a brand-new Juniper SRX240B in hand, and everything below applies to it. Since JunOS is positioned as a single OS for the entire series (at least), draw your own conclusions. I am using JunOS version 12.1X46-D20.5 (the latest at the time of writing):

cartman@gw-jsrx240# run show version
Hostname: gw-jsrx240
Model: srx240b
JUNOS Software Release [12.1X46-D20.5]


To begin with, let's define the small set of tasks we are going to solve:

Let's go…

Source NAT


To configure source NAT, simply run the following commands:

cartman@gw-jsrx240# show security nat | display set
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface


Or in the form of a config:

cartman@gw-jsrx240# show security nat
source {
    rule-set trust-to-untrust {
        from zone trust;
        to zone untrust;
        rule source-nat-rule {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}


With this configuration, ALL networks configured on the router's internal interfaces will be NATed. If you need NAT only for a specific network, then instead of:

 set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0 


you need to write (the example is for the network 172.16.1.0/27):

 set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 172.16.1.0/27 


DHCP server


Now we set up the SRX as a DHCP server. It is assumed that the interfaces are already configured and that the DHCP server is needed only on the vlan.0 interface:

cartman@gw-jsrx240# show system services dhcp | display set
set system services dhcp maximum-lease-time 21600
set system services dhcp default-lease-time 21600
set system services dhcp pool 172.16.1.0/27 address-range low 172.16.1.2
set system services dhcp pool 172.16.1.0/27 address-range high 172.16.1.30
set system services dhcp pool 172.16.1.0/27 router 172.16.1.1
set system services dhcp propagate-settings vlan.0


Or in the form of a config:

cartman@gw-jsrx240# show system services dhcp
maximum-lease-time 21600;
default-lease-time 21600;
pool 172.16.1.0/27 {
    address-range low 172.16.1.2 high 172.16.1.30;
    router {
        172.16.1.1;
    }
}
propagate-settings vlan.0;


Here we set the lease time to 6 hours (6 * 60 min * 60 s = 21600 s), set the default gateway to 172.16.1.1, and hand out addresses starting from 172.16.1.2 and ending with 172.16.1.30 (the range the DHCP server will serve).

These options apply only to the vlan.0 interface. If necessary, it can be replaced with the actual interface name, for example ge-0/0/1.

Statistics on the DHCP server can be viewed with the following command:

cartman@gw-jsrx240# run show system services dhcp statistics
Packets dropped:
    Total          0

Messages received:
    BOOTREQUEST    0
    DHCPDECLINE    0
    DHCPDISCOVER   0
    DHCPINFORM     0
    DHCPRELEASE    0
    DHCPREQUEST    0

Messages sent:
    BOOTREPLY      0
    DHCPOFFER      0
    DHCPACK        0
    DHCPNAK        0


DNS Server


Now let's move on to the DNS server setup. Since Junos OS 12.1x44D10, DNS proxy is supported, so let's configure it:

cartman@gw-jsrx240# show system services dns | display set
set system services dns forwarders 8.8.8.8
set system services dns forwarders 8.8.4.4
set system services dns dns-proxy interface vlan.0
set system services dns dns-proxy cache gw-jsrx240.HOME.local inet 172.16.1.1


Or in the form of a config:

cartman@gw-jsrx240# show system services dns
forwarders {
    8.8.8.8;
    8.8.4.4;
}
dns-proxy {
    interface {
        vlan.0;
    }
    cache {
        gw-jsrx240.HOME.local inet 172.16.1.1;
    }
}


Here we enable the DNS server on the vlan.0 interface, create an A record for gw-jsrx240.HOME.local (in reality there are several such records), and configure DNS forwarders for all other queries.

If the DNS server needs to be enabled for all internal interfaces, this can be done as follows (if there are several VLANs, adjust the settings accordingly):

cartman@gw-jsrx240# show system name-server | display set
set system name-server 172.16.1.1


Or in the form of a config:

cartman@gw-jsrx240# show system name-server
172.16.1.1;


Statistics on DNS queries can be viewed as follows:

cartman@gw-jsrx240# run show system services dns-proxy statistics
DNS proxy statistics:
    Status                 : enabled
    IPV4 Queries received  : 0
    IPV6 Queries received  : 0
    Responses sent         : 0
    Queries forwarded      : 0
    Negative responses     : 0
    Positive responses     : 0
    Retry requests         : 0
    Pending requests       : 0
    Server failures        : 0
    Interfaces             : vlan.0


The records in the DNS cache can be viewed like this (the device's cache itself is not shown here, since it contains a lot of records):

 cartman@gw-jsrx240# run show system services dns-proxy cache 


Clear the DNS cache like this:

 cartman@gw-jsrx240# run clear system services dns-proxy cache 


SSH hardening


Now let's secure the SSH server (even if it faces the outside world); instead of SSH_RSA_PUBLIC_KEY, insert your own SSH RSA public key:

cartman@gw-jsrx240# show system services ssh | display set
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5

cartman@gw-jsrx240# show system login | display set
set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 1
set system login retry-options backoff-factor 10
set system login retry-options minimum-time 30
set system login user cartman full-name "FIRST_NAME LAST_NAME"
set system login user cartman uid 2000
set system login user cartman class super-user
set system login user cartman authentication ssh-rsa "SSH_RSA_PUBLIC_KEY"


Or in the form of a config:

cartman@gw-jsrx240# show system services ssh
root-login deny;
protocol-version v2;
connection-limit 5;
rate-limit 5;

cartman@gw-jsrx240# show system login
retry-options {
    tries-before-disconnect 5;
    backoff-threshold 1;
    backoff-factor 10;
    minimum-time 30;
}
user cartman {
    full-name "FIRST_NAME LAST_NAME";
    uid 2000;
    class super-user;
    authentication {
        ssh-rsa "SSH_RSA_PUBLIC_KEY"; ## SECRET-DATA
    }
}


Explanations:


I prefer to leave root the ability to log in with a password, but only via the console; all other users log in only with keys, subject to the limits above.

IDP, Security Features


Finally, enable the basic screen (IDS) options that will be applied to the untrust zone:

cartman@gw-jsrx240# show security screen | display set
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land


Or in the form of a config:

cartman@gw-jsrx240# show security screen
ids-option untrust-screen {
    icmp {
        ping-death;
    }
    ip {
        source-route-option;
        tear-drop;
    }
    tcp {
        syn-flood {
            alarm-threshold 1024;
            attack-threshold 200;
            source-threshold 1024;
            destination-threshold 2048;
            timeout 20;
        }
        land;
    }
}
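As an added example (not from the original post), here is a small Python audit of the set-form lines from the SSH hardening section and the screen section above: it parses "display set" output and reports which of those settings are missing or weaker than the values used on the page. The sample lines and the thresholds are this example's own assumptions.

```python
import re
import shlex
# Constructed sample: set-form lines from the SSH hardening and screen sections above.
SAMPLE_SET_CONFIG = """\
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system login user cartman authentication ssh-rsa "SSH_RSA_PUBLIC_KEY"
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp land
"""
def at_most(limit):
    # Predicate: every configured value is numeric and does not exceed limit.
    return lambda values: all(v.isdigit() and int(v) <= limit for v in values)

# (statement prefix, predicate over the set of configured values, requirement text).
# The limits are this example's own assumptions, chosen to match the values on the page.
CHECKS = [
    ("set system services ssh root-login", lambda vs: vs == {"deny"}, "root-login must be deny"),
    ("set system services ssh protocol-version", lambda vs: vs == {"v2"}, "only SSH protocol v2"),
    ("set system services ssh connection-limit", at_most(5), "connection-limit at most 5"),
    ("set system services ssh rate-limit", at_most(5), "rate-limit at most 5"),
    ("set security screen ids-option untrust-screen tcp syn-flood attack-threshold", at_most(200), "attack-threshold at most 200"),
    ("set security screen ids-option untrust-screen tcp", lambda vs: "land" in vs, "tcp land screen enabled"),
]
USER_AUTH = re.compile(r"^set system login user (\S+) authentication (\S+)", re.M)
def parse_set_lines(text):
    """Map each statement (all tokens but the last) to the set of last tokens seen for it."""
    statements = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) > 1 and tokens[0] == "set":
            statements.setdefault(" ".join(tokens[:-1]), set()).add(tokens[-1])
    return statements

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    statements = parse_set_lines(text)
    findings = []
    for prefix, ok, requirement in CHECKS:
        values = statements.get(prefix, set())
        if not values or not ok(values):
            findings.append(f"{prefix} {' '.join(sorted(values)) or '<missing>'}: {requirement}")
    # Non-root users should authenticate with SSH keys only, as the page recommends.
    for user, method in USER_AUTH.findall(text):
        if method != "ssh-rsa":
            findings.append(f"user {user} uses {method} authentication, expected ssh-rsa")
    return findings
```

Feed it the output of "show configuration | display set" saved to a file; an empty result means the device matches the page's settings.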


In the end...


Do not forget to commit, otherwise none of the changes will take effect:

cartman@gw-jsrx240# commit check
configuration check succeeds
cartman@gw-jsrx240# commit
commit complete


Summary


The final config is shown below. For the money, the router has all the functionality you need.

cartman@gw-jsrx240# show
## Last changed: 2014-07-12 20:15:48 MSK
version 12.1X46-D20.5;
system {
host-name gw-jsrx240;
domain-name HOME.local;
domain-search HOME.local;
time-zone Europe/Moscow;
authentication-order password;
root-authentication {
encrypted-password "$1$ENCRYPTED_PASSWORD"; ## SECRET-DATA
}
name-server {
172.16.1.1;
}
name-resolution {
no-resolve-on-input;
}
login {
retry-options {
tries-before-disconnect 5;
backoff-threshold 1;
backoff-factor 10;
minimum-time 30;
}
user cartman {
full-name "FIRST_NAME LAST_NAME";
uid 2000;
class super-user;
authentication {
ssh-rsa "SSH_RSA_PUBLIC_KEY"; ## SECRET-DATA
}
}
}
services {
ssh {
root-login deny;
protocol-version v2;
connection-limit 5;
rate-limit 5;
}
dns {
forwarders {
8.8.8.8;
8.8.4.4;
}
dns-proxy {
interface {
vlan.0;
}
cache {
gw-jsrx240.HOME.local inet 172.16.1.1;
}
}
}
web-management {
https {
port 443;
system-generated-certificate;
interface vlan.0;
}
session {
idle-timeout 300;
session-limit 2;
}
}
dhcp {
maximum-lease-time 21600;
default-lease-time 21600;
pool 172.16.1.0/27 {
address-range low 172.16.1.2 high 172.16.1.30;
router {
172.16.1.1;
}
}
propagate-settings vlan.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 0.pool.ntp.org prefer;
server 1.pool.ntp.org;
server 2.pool.ntp.org;
server 3.pool.ntp.org;
}
}
interfaces {
interface-range interfaces-trust {
member-range ge-0/0/1 to ge-0/0/15;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 172.16.1.1/27;
}
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
dhcp;
}
}
}
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
}
}
vlans {
vlan-trust {
vlan-id 10;
l3-interface vlan.0;
}
}


If I get an invite, I will describe the PPPoE, Dynamic VPN, Site-to-Site VPN and other settings.

Source: https://habr.com/ru/post/229765/

