Set up a LAB with Juniper SRX
Recently I had to set up a lab environment, and our firewall is a Juniper SRX 240. These devices have 16 Gigabit interfaces and, believe it or not, you can give each interface its own IP address in a completely separate network. I think it is great!
In my LAB I am using an SRX100, which comes with 8 Fast Ethernet interfaces. This is a very good, cheap and reliable device for branch offices and also very suitable for a LAB environment.
Setting up an interface as a separate network on Juniper SRX
I decided to use the interface fe-0/0/3, which is free, so we first need to check whether any configuration is already applied to that specific interface. To configure a Gigabit interface, replace fe-0/0/3 with ge-0/0/3, for example.
Check existing config
admin@srx100-01# run show configuration | display set | match fe-0/0/3
You should see the following output:
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
Delete existing configuration
delete interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
delete interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
delete security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
delete security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
Save config
admin@srx100-01# commit
Check interface config once more
admin@srx100-01# run show configuration | display set | match fe-0/0/3
You should see the following output:
set interfaces fe-0/0/3 unit 0 family ethernet-switching
set security zones security-zone trust interfaces fe-0/0/3.0
Delete the config once more
admin@srx100-01# delete interfaces fe-0/0/3 unit 0 family ethernet-switching
admin@srx100-01# delete security zones security-zone trust interfaces fe-0/0/3.0
Save config
admin@srx100-01# commit
Check the config once more
admin@srx100-01# run show configuration | display set | match fe-0/0/3
You should see the following output:
set interfaces fe-0/0/3 unit 0
Delete the config once more
admin@srx100-01# delete interfaces fe-0/0/3 unit 0
Save config
admin@srx100-01# commit
Finally, let's configure our interface for our LAB.
Set an IP address for the interface
admin@srx100-01# set interfaces fe-0/0/3 unit 0 family inet address 192.168.20.1/24
Set a security zone called LAB for the interface
admin@srx100-01# set security zones security-zone LAB interfaces fe-0/0/3.0
Create a security policy to allow Internet access, or access to any other zone you need
set security policies from-zone LAB to-zone untrust policy LABPol match source-address any
set security policies from-zone LAB to-zone untrust policy LABPol match destination-address any
set security policies from-zone LAB to-zone untrust policy LABPol match application any
set security policies from-zone LAB to-zone untrust policy LABPol then permit
Create a NAT policy to allow access from zone LAB to untrust
set security nat source rule-set LABNatOut from zone LAB
set security nat source rule-set LABNatOut to zone untrust
set security nat source rule-set LABNatOut rule LABNatrule match source-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule match destination-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule then source-nat interface
Save config
admin@srx100-01# commit
Once the configuration has been committed, you are ready to start using it. You can plug a server directly into the new interface you have just set up, or plug it into a switch to give you more available ports.
Just give any server or PC connected to it an IP address within the range 192.168.20.0/24; the gateway will be 192.168.20.1.
That is it; you should have a brand new isolated network within your Juniper SRX.
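The "isolated" claim rests on two things: the only permit policy from LAB points at untrust, and nothing permits traffic into LAB from another zone (the SRX denies inter-zone traffic unless a policy allows it). Below is an added Python checker, not part of the original post, that parses "show configuration | display set" output in the form shown above and reports anything that breaks that isolation, a leftover ethernet-switching family on the lab interface, or a missing interface source NAT. The SAMPLE_CONFIG is constructed from the article's own lines plus one extra trust-to-LAB permit policy (MgmtIn, a made-up name) so that the check has something to find.

```python
"""Check that a Junos 'display set' configuration really isolates a lab zone."""
from collections import defaultdict

# Constructed sample: the article's LAB interface, zone, policy and NAT lines,
# plus a hypothetical trust -> LAB permit policy (MgmtIn) that breaks isolation.
SAMPLE_CONFIG = """
set interfaces fe-0/0/3 unit 0 family inet address 192.168.20.1/24
set security zones security-zone LAB interfaces fe-0/0/3.0
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security policies from-zone LAB to-zone untrust policy LABPol match source-address any
set security policies from-zone LAB to-zone untrust policy LABPol match destination-address any
set security policies from-zone LAB to-zone untrust policy LABPol match application any
set security policies from-zone LAB to-zone untrust policy LABPol then permit
set security policies from-zone trust to-zone LAB policy MgmtIn match source-address any
set security policies from-zone trust to-zone LAB policy MgmtIn match destination-address any
set security policies from-zone trust to-zone LAB policy MgmtIn match application any
set security policies from-zone trust to-zone LAB policy MgmtIn then permit
set security nat source rule-set LABNatOut from zone LAB
set security nat source rule-set LABNatOut to zone untrust
set security nat source rule-set LABNatOut rule LABNatrule match source-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule match destination-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule then source-nat interface
"""


def parse_set_config(text):
    """Reduce 'set ...' lines to the few facts the isolation checks need."""
    model = {
        "interfaces": defaultdict(set),    # physical ifname -> {family, ...}
        "zone_ifaces": defaultdict(set),   # zone -> {logical interface, ...}
        "zone_inbound": defaultdict(set),  # zone -> {(iface, kind, value)}
        "policies": {},                    # (from, to, name) -> action or None
        "nat_sets": defaultdict(dict),     # rule-set -> {from, to, action}
    }
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] != "set":
            continue
        if t[1] == "interfaces" and "family" in t:
            model["interfaces"][t[2]].add(t[t.index("family") + 1])
        elif t[1:4] == ["security", "zones", "security-zone"] and "interfaces" in t:
            zone, iface = t[4], t[t.index("interfaces") + 1]
            model["zone_ifaces"][zone].add(iface)
            if "host-inbound-traffic" in t:
                i = t.index("host-inbound-traffic")
                model["zone_inbound"][zone].add((iface, t[i + 1], t[i + 2]))
        elif t[1:3] == ["security", "policies"] and "policy" in t:
            key = (t[4], t[6], t[t.index("policy") + 1])   # from-zone, to-zone, name
            model["policies"].setdefault(key, None)
            if "then" in t:
                model["policies"][key] = t[t.index("then") + 1]
        elif t[1:5] == ["security", "nat", "source", "rule-set"]:
            rs = model["nat_sets"][t[5]]
            if t[6] in ("from", "to"):
                rs[t[6]] = t[8]                           # '... from zone LAB'
            elif "then" in t:
                rs["action"] = " ".join(t[t.index("then") + 1:])
    return model


def check_lab_isolation(model, lab_zone="LAB", internet_zone="untrust"):
    """Return findings; an empty list means the lab zone is isolated as intended."""
    findings = []
    ifaces = model["zone_ifaces"].get(lab_zone, set())
    if not ifaces:
        findings.append(f"zone {lab_zone} has no interfaces")
    for logical in ifaces:
        physical = logical.split(".")[0]
        fams = model["interfaces"].get(physical, set())
        if "ethernet-switching" in fams:   # old trust-VLAN config still present
            findings.append(f"{physical} still has family ethernet-switching")
        if "inet" not in fams:
            findings.append(f"{physical} has no inet address")
    for (src, dst, name), action in model["policies"].items():
        if action != "permit":
            continue
        if src == lab_zone and dst not in (internet_zone, lab_zone):
            findings.append(f"policy {name} permits {src} -> {dst}")
        if dst == lab_zone and src != lab_zone:
            findings.append(f"policy {name} permits {src} -> {dst} into the lab")
    for iface, kind, value in model["zone_inbound"].get(lab_zone, set()):
        if value == "all":   # lab hosts could reach every service on the SRX itself
            findings.append(f"{iface} in {lab_zone} accepts all inbound {kind} to the SRX")
    nat_ok = any(rs.get("from") == lab_zone and rs.get("to") == internet_zone
                 and rs.get("action") == "source-nat interface"
                 for rs in model["nat_sets"].values())
    if not nat_ok:
        findings.append(f"no interface source NAT from {lab_zone} to {internet_zone}")
    return findings


if __name__ == "__main__":
    for f in check_lab_isolation(parse_set_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(f)
```

Run it against a saved "display set" dump of the real box instead of SAMPLE_CONFIG; with the article's configuration alone it reports nothing, and the only finding on the sample is the extra trust-to-LAB policy. It also treats "host-inbound-traffic ... all" on the lab zone as a finding, since that setting exposes the firewall's own services to whatever is plugged into the lab port.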