Jncis Sec(Srx)

Juniper Networks Certified Internet Specialist-JNCIS

JNCIS-SEC Lab Manual Developed by

M. Irfan Ghauri M. Tanzeel Nasir

C-32/1 Block-5 Gulshan-e-Iqbal, Karachi Ph #0213-6034003

ESP Press Copyrights 2011

1 JNCIS-SEC Lab Manual

LAB.

LABS DESCRIPTION

PAGE NO.

1

Junos Basic

3

2

Customize zones

11

3

Accessing Firewall usin Console/Telnet/SSH/HTTP

17

4

NAT 1.MIP 2.DIP a. DIP with ip pool b. DIP with ip shift c. DIP with different ip (PAT) d. DIP with egress interface

24

3.VIP 4.Destination Nat

5

Creating Object and Policy

30

6

POLICY 1. Multi cell Policy 2. Group Policy

32

7

Advance Group Policy a. Logging b. Counting c. Scheduling d. Snmp e. Authentication with (Local,webauth and AAA)

36


8

Routing a.Static Routing b.Dynamic Routing a.RIP b.OSPF

49

Site to Site VPN

52

10

Dynamic Vpn

56

11

SreenOptions

63

12

DHCP

65

9

13

Inter-vlan Routing a.With BVI b.With Routed Port

67


Lab # 1

Junos Basic Configuration After connecting your PC to the Console Port. LOGIN:root PASSWORD:abc123 Root @% To Enter Into Operational Mode From Unix Shell & Vice- Versa. Root @% cli Root >

To Enter Into Configuration Mode. Root> configure Entering configuration mode Root #

Jweb equivalent : Configuration Use Commit command to activate your changes. Root# commit

To change the Host Name of Router. Root# set system host-name host Root# commit


Set the System Date & Time on the Router Root> set date 12:10:8 (hh:mm:ss) Root> set date 2009-10-6 (YY-MM-DD) Root# commit

Verify the System Date & Time on the Router Root> show system uptime Current time: 2009-08-17 11:55:58 UTC

Display the Version Information of the Router.

Root>show system software Or Root>show version Show interface summary Root> show interfaces terse Display the Interface Root>show interface Root>show interfaces extensive Root>show interface detail

Displays per-second real-time statistics for a physical interface Root> monitor interface se-0/0/2

Command prints packet headers to your terminal screen for information sent or received by the Routing Engine Root>monitor traffic interface se-0/0/2


Move connection to another port for testing purpose Root#rename interfaces fe-0/0/0 to fe-0/0/1 (in this example you will move the configuration for fe-0/0/0 to fe-0/0/1) Ruplicate an existing configuration and change a few components. Root#copy interfaces fe-0/0/0 to fe-0/0/1 (we are replicating an existing configuration so we can change a few components)

Show Active Configuration. Root>show configuration or Root>show system rollback 0 or Root#show Show Active Configuration in set display Root # Show | display set

Show Active Configuration in xml format Root # Show | display xml

show candidate

Configuration.

Root> show system rollback 2 (Temporary Configuration and becomes active when commit it)

Compare Rollback Configuration. Root> show system rollback 0 compare 2


Configure Rollback Configuration. Root#rollback 2 Root#commit

Deactivate or Activate configuration. Root#deactivate Anyconfiguration For example Root#deactivate interfaces fe-0/0/2 Root#show interfaces{ inactive fe-0/0/2{ }

Shut down an Interface Root# set interfaces se-0/0/2 disable Root# delete interface se-0/0/2 disable Set Rescue Configuration. Root> request System configuration rescue save (Save Active configuration as rescue configuration) Commit Rescue Configuration. Root> rollback rescue Or (Reset CONFIG button on the front of j-series router will load and commit the rescue configuration )


Show Rescue Configuration. Root> Show System configuration rescue To look how many users are logged in junos Root>show system user To look at files stored in Flash memory Root>show system storage

To look at used tcp and udp ports Root>show system connection

To look at system license Root>show system license

To look at system firmware Root>show system firmware

Show chassis component and temperature of cpu Root > show chassis environment Show chassis hardware Root > show chassis hardware detail Set the password of Root in clear text. Root# set system root-authentication plain-text-password New Password: abc123 Retype new password: abc123


Set the password of Root in encrypted text. Root# set system root-authentication encrypted-password abc123 To shutdown and restart the router Root> request system poweroff Root> request system reboot To make the router on factory default setting Root # load factory-default warning: activating factory configuration [edit] Root # set system root-authentication plain-text-password New password: abc123 Retype new password: abc123 [edit] Root # commit Policy from Untrust to Trust Root #set security policies from-zone untrust to-zone trust match source-address any Root #set security policies from-zone untrust to-zone trust match destination-address any Root #set security policies from-zone untrust to-zone trust match application any set security policies from-zone untrust to-zone trust policy permit

Flow Table root> show security flow session

policy allow policy allow policy allow allow then


Assigning member to zone Root #set security zones security-zone dmz Root #set interfaces interface-range dmz member-range fe-0/0/1 to fe0/0/5 Allowing all services on untrust interface Root #set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all Security zones detail Root>show security zones trust detail Root>show security zones untrust detail Delete All Configuration Root # delete Then yes Root #set system root-authentication encrypted-password New Password: abc123 Retype new password: abc123


Assign the IP Address on the Ethernet Interface of the SRX. Configuration Assign the IP Address on the VLAN Interface of the SRX. In configuration mode type following cmds set interfaces vlan unit 0 family inet address 10.0.0.10/8 Assign the IP Address on the Ethernet Interface of the SRX. In configuration mode type following cmds set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8 edit interface fe-0/0/0 Set description "This is the Ethernet management interface" top commit Delete the IP Address on the Ethernet Interface of the SRX. In configuration mode type following cmds delete interface fe-0/0/0 unit 0 family inet address 20.0.0.10/8 Rename the IP Address on the Ethernet Interface of the SRX. In configuration mode type following cmds rename interface fe-0/0/0 unit 0 family inet address 20.0.0.10/8 to address 15.0.0.10/8

Verifying Command In Operational mode type following cmds show show show show

interfaces interface terse interface description interfaces terse | match fe


Lab # 2

Zone customization IP Address 10.0.0.10 trust

IP Address 20.0.0.10 untrust

IP Address 10.0.0.1 IP Address 20.0.0.1

IP Address 10.0.0.2

IP Address 20.0.0.2

Configuration Delete All Configuration In configuration mode type following cmds delete Configure web management In configuration mode type following cmds set system services web-management http Assign the IP Address on the Ethernet Interface of the SRX.

set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8 set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8


Creating your own Zones and Assign interface to zones In configuration mode type following cmds set security zones security-zone trust interfaces fe-0/0/1.0 hostinbound-traffic system-services all set security zones security-zone untrust interfaces fe-0/0/0.0 hostinbound-traffic system-services all Creating Policies for Zones In configuration mode type following cmds set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit set security policies from-zone untrust to-zone trust incomingtraffic match source-address any set security policies from-zone untrust to-zone trust incomingtraffic match destination-address any set security policies from-zone untrust to-zone trust incomingtraffic match application any set security policies from-zone untrust to-zone trust incomingtraffic then permit Before Commit configure root password In configuration mode type following cmds set system root-authentication plain-text-password New Password: abc123 Retype new password: abc123

policy policy policy policy



Lab # 3 Accessing SRX through Telnet/SSH/HTTP Configuration Configuring telnet on R1. In configuration mode type following cmds set system services telnet set system services ssh set system login user R1 class super-user authentication plain-textpassword Enter password: abc123 Retype password: abc123

Now accessing firewall through pc using telnet Start >Run>Cmd C:\> ping 10.0.0.10 C:\> telnet 10.0.0.10 Login:R1 Password:abc123

Now accessing firewall through pc using ssh First open the putty software


Then press open


Now accessing firewall through pc using http First open internet explorer then type http://10.0.0.10


Verifying Commands In Operational mode type following cmds show system users show configuration show system


Lab # 4

1.Mapped ip (Static NAT)

IP Address 10.0.0.10 trust


Host A IP Address 10.0.0.1

IP Address 20.0.0.1

Server IP Address 10.0.0.2

Configuration First map ip on untrust interface In configuration mode type following cmds set security nat set security nat 20.0.0.51/32 set security nat 10.0.0.1/32 set security nat 20.0.0.52/32

static rule-set r1 from zone untrust static rule-set r1 rule 1 match destination-address static rule-set r1 rule 1 then static-nat prefix static rule-set r1 rule 2 match destination-address


set security nat static rule-set r1 rule 2 then static-nat prefix 10.0.0.2/32 set security nat proxy-arp interface fe-0/0/0.0 address 20.0.0.51/32 to 20.0.0.52/32 commit Allow the traffic using the following policy In configuration mode type following cmds set security policies from-zone source-address any set security policies from-zone destination-address any set security policies from-zone application any set security policies from-zone permit commit

untrust to-zone trust policy allow match untrust to-zone trust policy allow match untrust to-zone trust policy allow match untrust to-zone trust policy allow then

Verifying commands In Operational mode type following cmds show security nat source summary show security flow session clear security flow session all show security policies detail


2. DIP

a.DIP with ip pool (Dynamic NAT)




IP Address 20.0.0.1

Host B IP Address 10.0.0.2

Configuration In configuration mode type following cmds set security nat source pool ippool address 20.0.0.50/32 to 20.0.0.60/32 set security nat source pool ippool port no-translation set security nat source rule-set outgoingnat from zone trust set security nat source rule-set outgoingnat to zone untrust set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8 set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat pool ippool set security nat proxy-arp interface fe-0/0/0 address 20.0.0.50 to 20.0.0.60


commit

allow the traffic using the following policy In configuration mode type following cmds set security policies from-zone source-address any set security policies from-zone destination-address any set security policies from-zone application any set security policies from-zone permit commit

trust to-zone untrust policy allow match trust to-zone untrust policy allow match trust to-zone untrust policy allow match trust to-zone untrust policy allow then

Verifying commands In Operational mode type following cmds show security nat source summary show security flow session clear security flow session all


b.DIP with ip shift (Dynamic NAT)




IP Address 20.0.0.1


Configuration Make a pool of shifting ip’s on untrust interface In configuration mode type following cmds set security nat set security nat set security nat set security nat set security nat 10.0.0.0/8 set security nat set security nat 20.0.0.60/32 commit

source source source source source

pool A address 20.0.0.50/32 to 20.0.0.60/32 pool A host-address-base 10.0.0.1/32 rule-set 1A from zone trust rule-set 1A to zone untrust rule-set 1A rule 1 match source-address

source rule-set 1A rule 1 then source-nat pool A proxy-arp interface fe-0/0/0.0 address 20.0.0.50/32 to






c.DIP with different ip (PAT)




IP Address 20.0.0.1


Configuration Set public ip on untrust interface In configuration mode type following cmds set security nat source pool ippool address 20.0.0.75 set security nat source rule-set outgoingnat from zone trust set security nat source rule-set outgoingnat to zone untrust set security nat source rule-set outgoingnat rule outgoingnatrule match source-address 10.0.0.0/8 set security nat source rule-set outgoingnat rule outgoingnatrule then source-nat pool ippool


set security nat proxy-arp interface fe-0/0/0 address 20.0.0.75



Verifying commands In Operational mode type following cmds show security nat source summary show security nat source pool all show security nat source rule all show security flow session clear security flow session all


d.DIP with egress interface (PAT with outside interface)




IP Address 20.0.0.1


Configuration In configuration mode type following cmds set security nat source rule-set set security nat source rule-set set security nat source rule-set source-address 10.0.0.0/8 set security nat source rule-set source-nat interface

outgoingnat from zone trust outgoingnat to zone untrust outgoingnat rule outgoingnatrule match outgoingnat rule outgoingnatrule then

Apply nat source on the following policy In configuration mode type following cmds set security policies from-zone trust to-zone untrust policy allow match source-address any


set security policies from-zone trust to-zone untrust policy allow match destination-address any set security policies from-zone trust to-zone untrust policy allow match application any set security policies from-zone trust to-zone untrust policy allow then permit commit

Verifying commands In Operational mode type following cmds show security nat source summary show security nat source rule all show security flow session clear security flow session all


3.VIP IP Address 10.0.0.10 trust


IP Address 10.0.0.1 WEB SERVER

IP Address 20.0.0.1

IP Address 10.0.0.2 FTP SERVER

Configuration Set virtual ip on untrust interface In configuration mode type following cmds set security nat destination set security nat destination set security nat destination set security nat destination set security nat destination set security nat destination address 20.0.0.51/32 set security nat destination 80 set security nat destination pool http

pool http address 10.0.0.1/32 pool http address port 80 pool ftp address 10.0.0.2/32 pool ftp address port 21 rule-set vip from zone untrust rule-set vip rule http match destinationrule-set vip rule http match destination-port rule-set vip rule http then destination-nat


set security nat destination rule-set vip rule ftp match destinationaddress 20.0.0.51/32 set security nat destination rule-set vip rule ftp match destination-port 21 set security nat destination rule-set vip rule ftp then destination-nat pool ftp set security nat proxy-arp interface fe-0/0/0 address 20.0.0.51 commit Apply vip on the following policy In configuration mode type following cmds set security policies from-zone source-address any set security policies from-zone destination-address any set security policies from-zone application any set security policies from-zone permit commit

untrust to-zone trust policy allow match untrust to-zone trust policy allow match untrust to-zone trust policy allow match untrust to-zone trust policy allow then



4.Destination Nat



IP Address 10.0.0.1 WEB SERVER

IP Address 20.0.0.1

IP Address 10.0.0.2

Configuration In configuration mode type following cmds set security nat destination pool serverpool address 10.0.0.1/32 set security nat destination rule-set internet from zone untrust set security nat destination rule-set internet rule servernat match destination-address 20.0.0.51/32 set security nat destination rule-set internet rule servernat then destination-nat pool serverpool set security nat proxy-arp interface fe-0/0/0 address 20.0.0.51 commit Verifying commands In Operational mode type following cmds show security nat source summary show security flow session clear security flow session all


Lab # 5

Creating object and policy



IP Address 10.0.0.1

IP Address 20.0.0.1

IP Address 10.0.0.2

Configuration Create object for trust host pc In configuration mode type following cmds set security zones security-zone trust address-book address insidepc 10.0.0.1/32 Create object for untrust host pc In configuration mode type following cmds set security zones security-zone untrust address-book address outsidepc 20.0.0.1/32


Calling object to create a policy In configuration mode type following cmds set security policies from-zone source-address insidepc set security policies from-zone destination-address outsidepc set security policies from-zone application any set security policies from-zone permit commit


Verifying commands In Operational mode type following cmds show security policies detail In configuration mode type following cmds show


Lab # 6

1.Multi cell Policy




IP Address 10.0.0.2

IP Address 20.0.0.2

Configuration Creating object for trust host In configuration mode type following cmds set security zones security-zone trust address-book address insidepc1 10.0.0.1/32 set security zones security-zone trust address-book address insidepc2 10.0.0.2/32


Creating object for untrust host In configuration mode type following cmds set security zones security-zone untrust address-book address outsidepc1 20.0.0.1/32 set security zones security-zone untrust address-book address outsidepc2 20.0.0.2/32 Calling object to create a multi cell policy In configuration mode type following cmds set security policies from-zone trust source-address insidepc1 set security policies from-zone trust source-address insidepc2 set security policies from-zone trust destination-address outsidepc1 set security policies from-zone trust application any set security policies from-zone trust permit commit

to-zone untrust policy allow match to-zone untrust policy allow match to-zone untrust policy allow match to-zone untrust policy allow match to-zone untrust policy allow then

Verifying commands In configuration mode type following cmds show show security policies | display set show security zones security-zone trust address-book In Operational mode type following cmds show security policies show security policies detail


2.Group Policy




IP Address 10.0.0.2

IP Address 20.0.0.2

Configuration Creating object for trust host In configuration mode type following cmds set security zones security-zone trust address-book address insidepc1 10.0.0.1/32 set security zones security-zone trust address-book address insidepc2 10.0.0.2/32

Creating object for untrust host In configuration mode type following cmds set security zones security-zone untrust address-book address outsidepc1 20.0.0.1/32


set security zones security-zone untrust address-book address outsidepc2 20.0.0.2/32 Making a group for trust interface In configuration mode type following cmds set security zones security-zone trust address-book address-set trustedpcs address insidepc1 set security zones security-zone trust address-book address-set trustedpcs address insidepc2 commit Making a group for untrust interface In configuration mode type following cmds set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc1 set security zones security-zone untrust address-book address-set untrustedpcs address outsidepc2 commit Calling group to create a group policy In configuration mode type following cmds set security policies from-zone trust source-address trustedpcs set security policies from-zone trust destination-address untrustedpcs set security policies from-zone trust application any set security policies from-zone trust permit

to-zone untrust policy allow match to-zone untrust policy allow match to-zone untrust policy allow match to-zone untrust policy allow then

Verifying commands In configuration mode type following cmds show security policies | display set show security zones security-zone trust address-book In Operational mode type following cmds Root>show security policies Root>show security policies detail


Lab # 7

Advance Policy Configuration




IP Address 10.0.0.2

IP Address 20.0.0.2

Configuration a.Logging *Logging of Flow Session Creating log file through this command In configuration mode type following cmds set system syslog file log-file any any set system syslog file log-file match RT_FLOW_SESSION


Calling log into policy In configuration mode type following cmds set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit set security policies from-zone trust to-zone untrust outgoingtraffic then log session-init set security policies from-zone trust to-zone untrust outgoingtraffic then log session-close

policy policy policy policy policy policy

Output of logging Feb 18 20:11:16 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.1/2690->20.0.0.1/80 junos-http 20.0.0.10/28723>20.0.0.1/80 source-nat-rule None 6 trust-to-untrust trust untrust 6894 Verifying commands In configuration mode type following cmds show security flow session clear security flow session all Verifying commands In operational mode type following cmds show log log-file clear log log-file

*Logging at console Enable log through this command In configuration mode type following cmds set system syslog console any any


Calling log into policy In configuration mode type following cmds set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit set security policies from-zone trust to-zone untrust outgoingtraffic then log session-init set security policies from-zone trust to-zone untrust outgoingtraffic then log session-close


*Logging with syslog server (kiwi syslog server) Enable log through this command In configuration mode type following cmds set system syslog host 10.0.0.2 any any Calling log into policy In configuration mode type following cmds set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit set security policies from-zone trust to-zone untrust outgoingtraffic then log session-init set security policies from-zone trust to-zone untrust outgoingtraffic then log session-close



b.Counting Calling Count into policy In configuration mode type following cmds set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit set security policies from-zone trust to-zone untrust outgoingtraffic then count commit Verifying commands In configuration mode type following cmds show security policies detail

policy policy policy policy policy


c.Scheduling To check the system date & time In operational mode type following cmds show system uptime To set the system date & time In operational mode type following cmds set date 201103262210 Create a scheduler In configuration mode type following cmds set schedulers scheduler testscheduler daily start-time 22:24 stop-time 22:25 Creating policy and adding scheduler in policy In configuration mode type following cmds set security policies from-zone trust to-zone untrust outgoingtraffic scheduler-name testscheduler set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit

policy policy policy policy policy


Verifying commands In configuration mode type following cmds show security policies detail show schedulers scheduler-name testscheduler

d.SNMP Configure Snmp Commands In configuration mode type following cmds set snmp community public set snmp trap-group testgroup targets 10.0.0.3 Verifying commands In Operational mode type following cmds show snmp statistics


e.Authentication *Device management Authentication Telnet SRX and verifying user with local database In configuration mode type following cmds set system root-authentication encrypted-password abc123 set system login user admin class super-user set system login user admin authentication plain-text-password New password: Retype new password: set system services telnet set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8 set security zones security-zone trust interfaces fe-0/0/1.0 hostinbound-traffic system-services all

Telnet SRX and verifing user with AAA In configuration mode type following cmds set set set set set

system system system system system

authentication-order radius root-authentication encrypted-password abc123 radius-server 10.0.0.1 secret juniper123 login user remote class super-user services telnet

set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8 set security zones security-zone trust interfaces fe-0/0/1.0 hostinbound-traffic system-services all

Verifying commands In operational mode type following cmds show system users


*Pass through Authentication Create user name and password In configuration mode type following cmds set access profile testprofile client admin firewall-user password admin123 set access firewall-authentication pass-through default-profile testprofile set access firewall-authentication pass-through http banner success "welcome to ESP" Calling authentication in the following policy In configuration mode type following cmds set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any set security policies from-zone untrust to-zone trust policy incomingtraffic match application any set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication pass-through clientmatch admin Verifying commands In Operational mode type following cmds show security firewall-authentication users

clear security firewall-authentication users


*Webauth with Local Database Create user name and password In configuration mode type following cmds set access profile testprofile client user1 firewall-user password user1 set access firewall-authentication web-authentication default-profile testprofile set access firewall-authentication web-authentication banner success " welcome to esp" Set webauth ip on untrust interface set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.20/8 webauthentication http set system services web-management http interface fe-0/0/1.0 set system services web-management http interface fe-0/0/0.0 set security zones security-zone untrust interfaces fe-0/0/0.0 hostinbound-traffic system-services all Calling authentication in the following policy In configuration mode type following cmds set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any set security policies from-zone untrust to-zone trust policy incomingtraffic match application any set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication web-authentication client-match user1

Verifying commands In configuration mode type following cmds show security firewall-authentication users clear security firewall-authentication users



*Webauth with AAA server Configuration on ACS server


User database on ACS


AAA Client Configuration In configuration mode type following cmds set access profile testprofile authentication-order radius set access profile testprofile radius-server 10.0.0.2 secret juniper123 set access firewall-authentication web-authentication default-profile testprofile set access firewall-authentication web-authentication banner success " welcome to esp" set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.20/8 webauthentication http set system services web-management http interface [fe-0/0/1 fe-0/0/0]

set security zones security-zone untrust interfaces fe-0/0/0.0 hostinbound-traffic system-services all Calling authentication in the following policy In configuration mode type following cmds set security policies from-zone untrust to-zone trust policy incomingtraffic match source-address any set security policies from-zone untrust to-zone trust policy incomingtraffic match destination-address any set security policies from-zone untrust to-zone trust policy incomingtraffic match application any set security policies from-zone untrust to-zone trust policy incomingtraffic then permit firewall-authentication web-authentication

Verifying commands In Operational mode type following cmds show security firewall-authentication users clear security firewall-authentication users


Lab # 8

Routing



IP Address 15.0.0.2 Fa0/0

RA




Configuration a.Static Routing b.Dynamic Routing 1.RIP 2.OSPF

Define ip address on interfaces In configuration mode type following cmds set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8 set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8


Configure Static Routing In configuration mode type following cmds set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2 commit Configure Dynamic Routing (RIP) In configuration mode type following cmds set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8 set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8 set protocols rip group abc export policy1 set protocols rip group abc neighbor fe-0/0/0.0 set policy-options policy-statement policy1 from protocol direct set policy-options policy-statement policy1 then accept set security zones security-zone trust host-inbound-traffic systemservices all set security zones security-zone trust host-inbound-traffic protocols all Configure Dynamic Routing (OSPF) In configuration mode type following cmds set protocols ospf area 0 interface all set security zones security-zone untrust host-inbound-traffic protocols all Allow the traffic using the following policy In configuration mode type following cmds set security policies from-zone source-address any set security policies from-zone destination-address any set security policies from-zone application any set security policies from-zone permit commit



Verifying Command In Operatioal mode type following cmds show show show show show show show show

route route protocol static configuration interfaces terse route protocol rip ospf interface ospf neighbor route protocol ospf


Lab # 9

Site-to-site Vpn IP Address 10.0.0.10 trust



RA




Configuration Define ip address on interfaces In configuration mode type following cmds set interfaces fe-0/0/0 unit 0 family inet address 15.0.0.1/8 set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8 Define Routing In configuration mode type following cmds set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2


Configure Router A as show below. first enable isakmp policy RouterA(config)# crypto isakmp enable ( optional ) RouterA(config)# crypto isakmp policy 10 RouterA(config-isakmp)# authentication pre-share RouterA(config-isakmp)# encryption des RouterA(config-isakmp)# hash md5 RouterA(config-isakmp)# group 2 RouterA(config)# crypto isakmp key cisco123 address 15.0.0.1 Configure IPSec transform-set RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac Configure cryto ACL to define which traffic to protect RouterA(config)# access-list 111 permit ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 Configure Crypto-map RouterA(config)# crypto map RouterA(config-crypto-map)# RouterA(config-crypto-map)# RouterA(config-crypto-map)#

mymap 10 ipsec-isakmp match address 111 set peer 15.0.0.1 set transform-set aset

Apply the crypto map to the WAN interface RouterA(config)# int fa0/0 RouterA(config-if)# crypto map mymap


Configure Firewall as show below. Configure ike policy In configuration mode type following cmds set security keys set security set security set security set security set security set security set security set security set security

ike proposal ikeproposal authentication-method pre-sharedike ike ike ike ike ike ike ike ike

proposal ikeproposal dh-group group2 proposal ikeproposal authentication-algorithm md5 proposal ikeproposal encryption-algorithm des-cbc policy ikepolicy mode main policy ikepolicy proposals ikeproposal policy ikepolicy pre-shared-key ascii-text juniper123 gateway ikegateway ike-policy ikepolicy gateway ikegateway address 15.0.0.2 gateway ikegateway external-interface fe-0/0/0

Configure ipsec In configuration mode type following cmds set security set security md5-96 set security set security set security set security set security

ipsec proposal ipsecproposal protocol esp ipsec proposal ipsecproposal authentication-algorithm hmacipsec ipsec ipsec ipsec ipsec

proposal ipsecproposal encryption-algorithm des-cbc policy ipsecpolicy proposals ipsecproposal vpn s2svpn ike gateway ikegateway vpn s2svpn ike ipsec-policy ipsecpolicy vpn s2svpn establish-tunnels on-traffic

Configure Acl Trust to Untrust In configuration mode type following cmds set security policies from-zone trust to-zone untrust policy trust-tountrust match source-address any set security policies from-zone trust to-zone untrust policy trust-tountrust match destination-address any set security policies from-zone trust to-zone untrust policy trust-tountrust match application any


set security policies from-zone trust to-zone untrust policy trust-tountrust then permit tunnel ipsec-vpn s2svpn UnTrust to Trust In configuration mode type following cmds set security policies from-zone untrust to-zone untrusttotrust match source-address any set security policies from-zone untrust to-zone untrusttotrust match destination-address any set security policies from-zone untrust to-zone untrusttotrust match application any set security policies from-zone untrust to-zone untrusttotrust then permit

Verifying commands In Operational mode type following cmds show security ike security-associations show security ipsec security-associations show security ipsec statistics clear security ipsec statistics clear security ike security-associations clear security ipsec security-associations

trust policy trust policy trust policy trust policy


Lab # 10

Dynamic Vpn IP Address 10.0.0.10 trust



IP Address 10.0.0.2

IP Address 20.0.0.2

Configuration Allow http on Outside Interface In configuration mode type following cmds set security zone security-zone untrust interface fe-0/0/0 host-inboundtraffic system-services all set system services web-management https interface fe-0/0/0.0 set system services web-management https system-generated-certificate


Configure Dynamic VPN. In configuration mode type following cmds IKE phase 1 proposal set security ike shared-keys set security ike set security ike set security ike

proposal p1-dynamic-aes authentication-method preproposal p1-dynamic-aes dh-group group2 proposal p1-dynamic-aes authentication-algorithm sha1 proposal p1-dynamic-aes encryption-algorith aes-128-cbc

IKE phase 2 proposal (IPSEC) set security ipsec proposal p2-dynamic-aes protocol esp set security ipsec proposal p2-dynamic-aes authentication-algorithm hmac-sha1-96 set security ipsec proposal p2-dynamic-aes encryption-algorithm aes128-cbc Phase 1 - gateway definition set security ike policy dynvpn mode aggressive set security ike policy dynvpn proposals p1-dynamic-aes set security ike policy dynvpn pre-shared-key ascii-text juniper set set set set

security security security security

ike ike ike ike

gateway gateway gateway gateway

gw-dyn gw-dyn gw-dyn gw-dyn

dynamic hostname dynvpn.juniper.net external-interface fe-0/0/0 ike-policy dynvpn xauth access-profile radius_profile

Phase 2 - vpn definition set security ipsec policy dynvpn proposals p2-dynamic-aes set security ipsec policy dynvpn perfect-forward-secrecy keys group2 set security ipsec vpn ipsec-dyn ike gateway gw-dyn set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn Add a access profile and users definition for ipsec client authentication (used with xauth)


set access profile radius_profile authentication-order radius set access profile radius_profile radius-server 10.0.0.2 secret juniper123 set access firewall-authentication pass-through default-profile radius_profile Creating security policy to permit vpn client set security policies from-zone untrust to-zone trust policy policy-dynvpn match source-address any destination-address any application any set security policies from-zone untrust to-zone trust policy policy-dynvpn then permit tunnel ipsec-vpn ipsec-dyn

Security policy delivered to client set security dynamic-vpn force-upgrade set security dynamic-vpn access-profile radius_profile set security dynamic-vpn clients irfan remote-protected-resources 10.0.0.0/8 set security dynamic-vpn clients irfan ipsec-vpn ipsec-dyn set security dynamic-vpn clients irfan user irfan set security dynamic-vpn clients irfan ipsec-vpn ipsec-dyn user irfan

run request security pki generate-key-pair certificate-id https Client run on XP





Verifying commands In Operational mode type following cmds show show show show show

security security security security security

dynamic-vpn users dynamic-vpn client version ike security-associations ipsec security-associations ipsec statistics


Lab # 11

Screen Options IP Address 10.0.0.10 trust



RA




Configuration Define ip address on interfaces In configuration mode type following cmds delete set system services web-management http set interfaces fe-0/0/0 unit 0 family inet address 20.0.0.10/8 set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.10/8


set security zones security-zone trust interfaces fe-0/0/1.0 hostinbound-traffic system-services all Define Routing In configuration mode type following cmds set routing-options static route 20.0.0.0/8 next-hop 15.0.0.2 Define Policy from Untrust In configuration mode type following cmds set security policies from-zone untrust to-zone untrusttotrust match source-address any set security policies from-zone untrust to-zone untrusttotrust match destination-address any set security policies from-zone untrust to-zone untrusttotrust match application any set security policies from-zone untrust to-zone untrusttotrust then permit

trust policy trust policy trust policy trust policy

To Block Large ICMP (greater than 1024bytes) In configuration mode type following cmds set security screen ids-option test icmp large set security zones security-zone untrust screen test

To Block IP FRAGMENT In configuration mode type following cmds set security screen ids-option test icmp fragment set security zones security-zone untrust screen test Verifying commands In Operational mode type following cmds show security screen ids-option test show security screen statistics zone untrust | match icmp


Lab # 12

DHCP IP Address 10.0.0.10 trust


DHCP SERVER IP Address Acquired from dhcp

IP Address 20.0.0.1

IP Address Acquired from dhcp

IP Address 20.0.0.2

Configuration In configuration mode type following cmds

set system services dhcp router 10.0.0.10 set system services dhcp pool 10.0.0.0/8 address-range low 10.0.0.2 set system services dhcp pool 10.0.0.0/8 address-range high 10.0.0.254 On pc C :\> ipconfig /release C :\> ipconfig /renew (Noth that the PC will get an ip address from the pool)


Not apply DHCP on this interface In configuration mode type following cmds set system services dhcp propagate-settings fe-0/0/0.0 Verifying Commands. In Operational mode type following cmds show system services dhcp bindings show system services dhcp pool show system services dhcp statistics


Lab # 13

INTER-VLAN ROUTING WITH BVI SRX

Fa 0/1 10.0.0.10

Vlan 10

Host A 10.0.0.1/8 10.0.0.10

Fa 0/0 20.0.0.10

Vlan 20

Host B 20.0.0.1/8 20.0.0.10

Configuration Configure intervlan Routing In configuration mode type following cmds set interfaces fe-0/0/0 unit 0 family ethernet-switching set interfaces fe-0/0/1 unit 0 family ethernet-switching set interfaces vlan unit 10 family inet address 10.0.0.10/8 set interfaces vlan unit 20 family inet address 20.0.0.10/8 Assign interface to Vlan set vlans vlan-10 vlan-id 10 set vlans vlan-10 interface fe-0/0/1.0 set vlans vlan-10 l3-interface vlan.10


set vlans vlan-20 vlan-id 20 set vlans vlan-20 interface fe-0/0/0.0 set vlans vlan-20 l3-interface vlan.20 Assign Vlan interface to Zone set security zones security-zone trust interfaces vlan.10 set security zones security-zone untrust interfaces vlan.20 Create Policy from trust to untrust set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit

Verifying Commands. In Operational mode type following cmds show show show show

vlans route ethernet-switching interfaces interface terse



INTER-VLAN ROUTING WITH ROUTED PORT

Trust

Untrust 20.0.0.10 / 8

10.0.0.10 / 8

Fa 0/23

Fa 0/1

Vlan 10

WEB Server 10.0.0.1/8 10.0.0.10

Configuration

EX2200

Fa 0/13

Vlan 20

FTP Server 20.0.0.1/8 20.0.0.10


SRX Configuration Configure intervlan Routing set interfaces fe-0/0/0 vlan-tagging set interfaces fe-0/0/0 unit 10 vlan-id 10 set interfaces fe-0/0/0 unit 10 family inet address 10.0.0.10/8 set interfaces fe-0/0/0 unit 20 vlan-id 20 set interfaces fe-0/0/0 unit 20 family inet address 20.0.0.10/8 Assign interface to Zone set security zones security-zone trust interfaces fe-0/0/0.10 set security zones security-zone untrust interfaces fe-0/0/0.20 Allow trust inbound Services set security zones security-zone trust host-inbound-traffic systemservices all Create Policy from trust to untrust set security policies from-zone trust to-zone untrust outgoingtraffic match source-address any set security policies from-zone trust to-zone untrust outgoingtraffic match destination-address any set security policies from-zone trust to-zone untrust outgoingtraffic match application any set security policies from-zone trust to-zone untrust outgoingtraffic then permit


Switch Configuration Configure Vlan set vlans vlan10 vlan-id 10 set vlans vlan20 vlan-id 20 Assign interface to the Vlan set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan10 set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access


set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan20 Configure Trunk Port set interfaces ge-0/0/23 set interfaces ge-0/0/23 trunk set interfaces ge-0/0/23 vlan10 set interfaces ge-0/0/23 vlan20

description "trunk to SRX" unit 0 family ethernet-switching port-mode unit 0 family ethernet-switching vlan members unit 0 family ethernet-switching vlan members

Verifying Commands. In Operational mode type following cmds show show show show

vlans route interface terse vlans brief

Jncis Sec(Srx)

Recommend Documents