AJSEC 12.b LGD PDF
AJSEC 12.b LGD PDF
AJSEC 12.b LGD PDF
12.b
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating syslem has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the: Juniper
Networks software. may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
Lab 1: Implementing AppSecure {Detailed) ............................... 1-1
Part 1: Verifying Access to the CLI andVMware Client ........................................... 1-2
Part 2: Configuring AppFW and ApplD Features ................................................ 1-5
Part 3: Building Custom Application Signatures ........••••................................... 1-16
Part 4: Implementing AppTrack ............................................................ 1-27
This three-day course, which is designed to build off of the currentJunos Security (JSEC) offering,
delves deeper into Junos security. Through demonstrations and hands-on labs, you will gain
experience in configuring and monitoring the advanced Junos OS security features with advanced
coverage of IPsec deployments. virtualization. AppSecure, advanced Network Address Translation
(NAT) deployments, and Layer 2 security. This course uses Juniper Networks SRX Series Services
Gateways for the hands-on component. This course is based on Junos OS Release 12.1X44-010.4.
Objectives
After successfully completing this course, you should be able to:
Demonstrate understanding of concepts covered in the prerequisite Junos Security
course.
Describe the various forms of security supported by the Junos OS.
Implement features of the AppSecure suite, including Appl0, AppFW, and App Track.
Configure custom application signatures.
Describe Junos security handling at Layer 2 versus Layer 3.
Implement Layer 2 transparent mode security features.
Demonstrate understanding of Logical Systems (LSYS).
Implement address books with dynamic addressing.
Compose security policies utilizing ALGs, custom applications. and dynamic
addressing for various scenarios.
Use Junos debugging tools to analyze traffic flows and identify traffic processing
patterns and problems.
Describe Junos routing instance types used for virtualization.
Implement virtual routing instances.
Describe and configure route sharing between routing instances using logical tunnel
interfaces.
Describe and implement static, source, destination, and dual NAT in complex LAN
environments.
Describe and implement variations of persistent NAT.
Describe and implement Carrier Grade NAT (CGN) solutions for 1Pv6 NAT, such as
NAT64, NAT46, and OS-Lite.
Describe the interaction between NAT and security policy.
Demonstrate understanding of DNS doctoring.
Differentiate and configure standard point-to-point IP Security (IPsec) virtual private
network (VPN) tunnels, hub-and-spoke VPNs, dynamic VPNs, and group VPNs.
Implement IPsec tunnels using virtual routers.
Implement OSPF over IPsec tunnels and utilize generic routing encapsulation (GRE) to
interconnect to legacy firewalls.
Monitor the operations of the various IPsec VPN implementations.
Describe public key cryptography for certificates.
Utilize Junos tools for troubleshooting Ju nos security implementations.
Perform successful troubleshooting of some common Junos security issues.
Course Level
Advanced Junos Security is an advanced-level course.
Prerequisites
Students should have a strong level of TCP/IP networking and security knowledge. Stude-nts should
also attend the Introduction to the Junos Operating System (IJOS), Junos Routing Essentials (JRE),
and Junos Security (JSEC) courses prior to attending this class.
Day1
Chapter 1: Course Introduction
Chapter 2: AppSecure
Implementing AppSecure Lab
Chapter 3: Junos Layer 2 Packet Handling and Security Features
Implementing Layer 2 Security Lab
Chapter 4: Virtualization
Implementing Junos Virtual Routing Lab
Day2
Chapter 5: Advanced NAT Concepts
Advanced NAT Implementations Lab
Chapter 6: IPsec Implementations
Hub-and-Spoke IPsec VPNs Lab
Day3
Chapter 7: Enterprise IPsec Technologies: Group and Dynamic VPNs
Configuring Group VPNs Lab
Chapter 8: IPsec VPN Case Studies and Solutions
Implementing Advanced IPsec VPN Solutions Lab
Chapter 9: Troubleshooting Junos Security
Performing Security Troubleshooting Techniques Lab
Appendix A: SRX Series Hardware and Interfaces
Franklin Gothic Normal text. Most of what you read in the Lab Guide
and Student Guide.
CLI Input Text that you must enter. lab@San_Jose> show rc,ute
GUI Input Select File > Save, and type
config. ini in the Filename field.
CLI Undefined Text where the variable's value is Type set policy policy-name.
the user's discretion or text where
ping 10.0.�
the variable's value as shown in
GUI Undefined the lab guide might differ from the Select File > Save, and type
value the user must input filename in the Filename field.
according to the lab topology.
Overvi,ew
In this lab, you will implement features of the AppSecure suite. You will begin by
configuring ApplD and AppFW features to protect the VM server against Application Layer
attacks. Then, you will configure a custom application signature to restrict access to
certain sections of the VM server. Finally, you will configure AppTrack to monitor FTP
exchanges between the VM client and the VM server.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Configure and monitor ApplD and AppFW features.
Configure and use custom application signatures.
Configure and monitor AppTrack.
In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the
command-line interface (CLI) to log in to your designated station. Then, you verify
that you can log in to the VMware client and confirm that FTP and Web browsing are
available on the desktop.
Note
You will only be able to FTP and Web
browse within the constraints that are
created on the VMware server.
Note
Depending on the class, the lab equipment
used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you with the details needed to access your
assigned device.
Step i1
Ensure that you know to which station you are assigned. Check with your instructor if
you are unsure. Consult the Management Network Diagram to determine the
management address of your station. In some classrooms, you might also be able to
access the station by domain name.
Step 1.2
Access the CLI at your station using either the console, Telnet, or SSH as directed by
your instructor. Refer to the Management Network Diagram for the IP address
associated with your workstation. The following example is based on simple Telnet
access using the Secure CRT program.
11 .Connect � I Cancel j
Step i3
Log in as user lab with the password supplied by your instructor.
srxA-1 (ttyuO)
login: lab
Password:
Note
The applications are installed on virtual
network computers. Your access to the
VMware client might vary according to lab
environments. Your instructor will provide
the access method. Please notify your
instructor if you are not sure how to access
the VMware client device.
My Computer
My Network
Places
Recycle Bin
My Documents
-������������---���-
VNC Viewer : ,l\uthentlcation (No Encryption]
Username: �------� CK:)
Pass'rK)fd:
<...........................•.•.••..........•.............•••••• �
In this lab part, you configure an AppFW rule set to block FTP traffic that is being
disguised as Hypertext Transfer Protocol (HTIP) traffic on TCP port 8080. Then, you
will verify that this traffic is being blocked as intended.
Step 2.1
Return to the session established with your assigned SRX device.
From your assigned SRX device, enter configuration mode and load the
labl-start. configfrom the /var/home/lab/aj sec/ directory. Commit
the configuration when complete.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# load override ajsec/labl-start.config
[edit]
lab@srxA-1# commit
commit complete
Step 2.2
Over the next few steps, you will create an AppFW rule set that blocks certain
unwanted traffic, and allows all other traffic based on the information contained in
the Application Layer.
Examine the current firewall security policies by navigating to the
[edit security policies] hierarchy level and issue the show command.
[edit]
lab@srxA-1# edit security policies
policy FTP {
match {
source-address any;
destination-address any;
application junos-ftp;
}
then {
permit;
policy DNS {
match {
source-address any;
destination-address any;
application [ junos-dns-tcp junos-dns-udp J;
}
then {
permit;
Step 2.3
Examine the custom-http-8080 application by issuing the top show
applications command.
[edit security policies]
lab@srxA-1# top show applications
application custom-http-8080 {
protocol tcp;
destination-port 8080;
Step 2.4
Return to the VNC session established with the VMware client.
From the VNC session established with VMware client, double-click the gFTP client
icon that is on the desktop.
... . . . . . . . . . . . .. . L�J
Group
Progress
gFTP 2.0.18. Copyr1ght (CJ 1998-2003 Brl,.n Masney <n1o1sl'leyb@yf".p org>. If you h.ive ;my questions. co mments. or SU99Utlot'li
about tnls progr,1m. ple.ise reel free to email !hemto me. 'ltlu can always l'Ind out the latest l'lews about gFTP from my weDsite al.
http://Wwwgrtp.org/
gFTP comes wn:n A.BSOL.U1cLY NO WARRANTY: fordetails. see !he COPYING flle Th!s Is free sortware, and you are welt:ome to
redistribute itundercertalnconditions:rordetails.s eetheCOPYINGl'ile
Step 2.5
Open an FTP session to the aj secserver. aj sec.juniper. net UHL and use
port 8 o 8 o as the destination port. To log in, use the username of lab and password
of labl23.
User Group
·······-
200 Switching l-o Binary mode.
p..•.:o
257 "/homel1ab" I
Loading directory listing /home/lab rrom server (LC_TIME=en_US.UTF-8)
PA:iV
227 Entering Pa,;slve Mede (.1 72 ..16.10,100,183.2471
�''
Step 2.7
Over the next couple of steps, you will examine the ApplD database for application
signatures that are suitable for your situation.
Look for HTIP-related application signatures in the ApplD database by issuing the
run show services application-identification application
sUllllllary I match http command.
[edit security policies]
lab@srxA-1# run show services application-identification application si:lllllilary
match http
junos:FRING-HTTP No 1119 33479
junos:VUZE-HTTP No 1098 33538
junos:ZATTOO-HTTP No 1070 33543
junos:DIASPORA-HTTP No 1065 33541
junos:XBOX-HTTP No 1056 33532
junos:XBOX-LIVE-HTTP No 1042 33435
junos:HTTP-VIDEO No 1032 33564
junos:HABBO-HTTP No 1029 33520
junos:IMESH-HTTP No 1026 33511
junos:SOPCAST-HTTP No 1021 33481
junos:YAHOO-MESSENGER-HTTP No 809 33315
junos:HTTP-AUDIO-CONTENT No 806 33565
junos:TEAMVIEWER-HTTP No 495 32992
junos:RTSP-OVER-HTTP No 215 46
junos:HTTP No 64 179
Step 2.8
Take a closer look at the junos: HTTP application signature by issuing the run
show services application-identification application detail
junos:HTTP command.
[edit security policies]
lab@srxA-1# run show services application-identification application d,;itail
junos:HTTP
Application Name: junos:HTTP
Application type: HTTP
Description: This signature detects HyperText Transfer Protocol (HTTP), which
is a protocol used by the World Wide Web. It defines how messages
are formatted and transmitted and what actions Web servers and
Step 2.9
Navigate to the [edit security application-firewalll hierarchy level
and configure a rule set to only permit HTTP traffic and deny all other traffic. Then,
return to the [edit security policies from-zone Untrust to-zone
Trust] hierarchy level and apply the AppFW rule set to the HTTP security policy.
Also, configure the HTTP security policy to log session initialization attempts and
session closures.
[edit security policies]
lab@srxA-1# up 1 edit application-firewall rule-sets protect-server
Step2.10
Navigate to the [edit system sys log] hierarchy level and configure the
AppSecure-logfile to log messages with the severity and facility levels of any
any. Then, configure the log file to only match messages that contain the RT_ FLOW
tag. Commit the configuration when you are finished.
[edit security policies from-zone Untrust to-zone Trust]
lab@srxl\.-1# top edit system syslog
'
!,� Fiiename Size; User i Group
Filename Progress
Step2.14
Examine the AppSecure-log f or the results of the session messages that relate
to the FTP session by issuing the run show log AppSecure-log command.
[edit system syslog]
lab@srxA-1# run show log AppSecure-log
May 10 17:26:28 srxA-1 RT FLOW: RT_FLOW SESSION_CREATE: session created
172.16.l.100/54734->172.16.10.100/8080 None 172.16.1.100/
54734->172.16.10.100/8080 None None 6 HTTP Untrust Trust 24206 N/A(N/A)
ge-0/0/8.0
May 10 17:26:28 srxA-1 RT_FLOW: RT_FLOW SESSION_DENY: session denied
172.16.l.100/54734->172.16.10.100/8080 None 6(0) HTTP Untrust Trust FTP
UNKNOWN N/A(N/A) ge-0/0/8.0 No
May 10 17:26:28 srxA-1 RT FLOW: RT_FLOW_SESSION_CLOSE: session closed
application failure or action: 172.16.1.100/54734->172.16.10.100/8080 None
172.16.1.100/54734->172.16.10.100/8080 None None 6 HTTP Untrust Trust 24206
4(226) 2(132) 1 FTP UNKNOWN N/A(N/A) ge-0/0/8.0 No
In this lab part, you will configure a custom application signature that you will use in
an AppFW rule set to block specific traffic. Then, you will verify that this traffic is
being blocked by the AppFW rule set.
Step 3.1
Return to the VNC session established with the VMware client.
From the VNC session established with VMware client, open the Web browser by
double-clicking the Firefox icon.If necessary, you can close the gFTP client now.
Step 3.2
When the Web browser opens, the home page should open to the
http: I I aj secserver.aj sec.juniper. net/test. html URL.Once the
Web browser has opened, click the AJSEC FILES bookmark.
Note
If clicking the AJSEC FILES or the TESTURL
bookmark produces an error, please inform
your instructor immediately.
lnd��f /files
Nan1e J.ast.mo<l.ified S.iz.11 D.!).�_uJption
.> P.�rnnt..Q.ice.�.tQJ:y
El S.BX.i'}_Qi 10-Feb-2011 02,46
� h.�.ci,.d.QSli Ol-Nov-2010 02,04 9.9K
iI
[[) l:!r11L�1i.Q Ol-Nov-2010 02,04 68K 11
�l2il..!L!lill Ol-Nov-2010 02,04 20ij L.l
Step 3.3
Over the next couple steps, you will create a custom application signature that will
block users from accessing the URL that contains the AJSEC files. However, this
custom application signature must allow unhindered HTIP access to the rest of the
VM server.
To begin creating a custom application signature, it is best to copy a current
application signature and make adjustments to it. In the current task, you must
restrict access to a specific part of a URL, but allow access to the rest of the server.
To restrict access in this manner, you must use a custom nested application, which
allows you to specify context values.
Return to the session established with your assigned SRX device.
From your assigned SRX device, you must first examine a nested application that
uses HTIP as the Layer 7 protocol. Examine the junos:FACEBOOK-ACCESS
nested application by issuing the run show services
application-identification application detail
junos: FACEBOOK-ACCESS command.
[edit system syslog]
lab@srxA-1# run show services application-identification application detail
junos:FACEBOOK-ACCESS
Application Name: junos:FACEBOOK-ACCESS
Application type: FACEBOOK-ACCESS
Description: This signature detects requests to Facebook.com, a social
networking Web site.
Application ID: 311
Disabled: No
Number of Parent Group(s): 1
Application Groups:
junos:social-networking:facebook
Application Tags:
characteristic Loss of Productivity
characteristic Supports File Transfer
characteristic Known Vulnerabilities
characteristic Capable of Tunneling
characteristic Can Leak Information
risk 5
subcategory Facebook
www.juniper.net Implementing AppSecure (Detailed) • Lab 1-17
Advanced Junos Security
category : Social-Networking
Signature NestedApplication:FACEBOOK-ACCESS
Layer-7 Protocol: HTTP
Chain Order: Yes
Maximum Transactions: 20
Order: 33312
Member(s): 1
Member o
Context: http-header-host
Pattern: (.*\.)?(facebook\.comlfbcdn\.net)(:\d+)?
Direction: CTS
Step3.4
Copy the j unos : FACEBOOK-ACCESS nested application by issuing the,
run request services application-identification application
copy junos: FACEBOOK-ACCESS command.
Note
Note
direction client-to-server;
maximum-transactions 20;
Step 3.6
Rename the nested application and signature to my:AJSEC-FILES. Then,
navigate to the [edit services application-identification
nested-application my:AJSEC-FILES signature my:AJSEC-FILES]
hierarchy level.
maximum-transactions 20;
Step 3.9
Navigate to the [edit security application-firewall rule-sets
restrict-aj sec-files] hierarchy level. Then, create the rule AJSEC-FILES
that denies traffic when it matches on the nested application signature
my:AJSEC-FILES. Configure the default-rule with the action of permit.
[edit security application-firewall rule-sets restrict-ajsec-filesl
lab@srxP.,-1# top edit security application-firewall rule-sets
restrict-ajsec-files
}
default-rule
permit;
Step 3.10
Navigate to the [edit security policies from-zone Untrust
to- zone Trust] hierarchy level. Then, configure the HTTP security policy to
reference the restrict-aj sec-files AppFW rule set. Commit the
configuration when you are finished.
[edit services application-identification nested-application my:AJSEC-E'ILES
signature my:AJSEC-FILES]
lab@srxA-1# top edit security policies from-zone Untrust to-zone Trust
Index of /files
Name Last modified .s.iz!l Description
.,�lllQ.i.r�
E:) SJlX.2!.lQI 10-Feb-2011 02:46
� )?JL<Lr!.ai;x Ol-Nov-2010 02:04 9.9K
� l!r"lllllK..<il Ol-Nov-2010 02:04 68K
� ):,..lliLp..l).f Ol-Nov-2010 02:04 20K
{lo� Ol-Nov-2010 02:04 7.SK
�.!li0.Llmll 17-Feb-2011 01:02 68
� elcar com txt 17-Feb-2011 01:02 68
{lo eic<lC com.zip 17-Feb-2011 01:02 184
{lo .e.i��.r.r&n:iJ.,Z.ill. 17-Feb-2011 01:02 308
� g:QQ.Q. QJ;�
0Q Ol-Nov-2010 02:04 9.8K
� !JQ.9.d.,fill!l Ol-Nov-2010 02:04 68K
� g:QQ.d.,l)..c;IJ Ol-Nov-2010 02:04 21K
{), !).Q.Q.\L.;Qll Ol-Nov-2010 02:04 7.3K
�juniper-rocks docx Ol-Nov-2010 02:04 9.BK
� ss-eicar.com OS-Nov-2010 07:23 77
�ss-eicar.txt 05-Nov-2010 07:22 78
Done
Step 3.12
Return to the session established with your assigned SRX device.
From your assigned SRX device, examine the AppFW rule sets and ASC by issuing
therun show security application-firewall rule-set
restrict-ajsec-£i1es and therun show services
application-identification application-system-cache
commands.
[edit security policies from-zone Untrust to-zone Trust]
lab@srxA-1# run show security application-firewall rule-set
restrict-ajsec-files
Rule-set: restrict-ajsec-files
Rule: AJSEC-FILES
Dynamic Applications: my:AJSEC-FILES
Action:deny
Number of sessions matched: O
Default rule:permit
Number of sessions matched: 2
Number of sessions with appid pending: 0
Step3.14
Navigate to the [edit services application-identification)
hierarchy level. Once you are there, disable the recording of nested applications in
the ASC and commit the configuration.
[edit security policies from-zone Untrust to-zone Trust]
lab@srxA-1# top edit services application-identification
Juniper Rocks!
/
Waiting ror ajsecserver.ajsec.juniper.net. ..
Step 3.16
Return to the open Telnet session for your assigned SRX device. Examine the AppFW
restrict-ajsec-files rule set by issuing the run show security
application-firewall rule-set restrict-ajsec-files command.
Then, examine the AppSecure-log syslog file to find the
RT_FLOW_SESSION_DENY logs for the blocked session.
In this lab part, you will configure App Track to record statistics about the sessions
that pass through the router.
Step 4.1
To complete this lab part, you will first need to configure an interface policer that
limits the amount of bandwidth that can ingress the ge-0/0/9 interface. You must
apply this policer to extend the transfer sessions so you can see the features of
AppTrack in action.
Navigate to the [edit firewall policer ftp-policer] hierarchy level
and configure a band wid th-limit of lm and a burst -size-limit of 20k.
Then, configure an action of discard. Then, apply the policer to the ge-0/0/9
interface as an input policer.
[edit services application-identification]
lab@srxA-1# top edit firewall policer ftp-policer
then discard;
[edit security]
lab@srxA-1# set application-tracking first-update
[edit security]
lab@srxA-1#
Step4.3
Apply application tracking to the Trust zone. Commit the configuration when you
are finished.
[edit security]
lab@srxA-1# set zones security-zone Trust application-tracking
[edit security]
lab@srxA-1# commit
commit complete
Step4.4
Return to the VNC session established with the VMware client.
From the VNC session established with VMware client and close the Firefox browser
if necessary. Then, double-click the gFTP client icon.
.........-1
---�Pass:
····
om s
l/h e11ab/aJ ec ·························-····---···· .. - - ···················-�
(Local] (All Ries] ..
!t("" '
11 ·!,!
Rl@name I Size User Group _(
i I'
L - ___ ______J.,
---====:i: I
�''�- --
- ---·_... !
.---- �
---T�I
Step 4.5
Open a connection to the aj secserver.aj sec.juniper. net server using the
default FTP port of 21, username of lab, and a password of labl23. Then, begin
to download the file named 1 OMB.txt.
\mome/lab/ajsec lfhome/lab
__
l1::.1?.t::�D !� Ales] ajse_cserver.ajsec.Juniper.net
. [FTP} (Cached) {All Ales]-+-
&., Filename Size
[�] i�
r Fllen�me
't.. :
. .. ........ .. . .. ·········· ·· · Slze �User
4:095
-
0
Group
Step 4.7
Once the file transfer is complete, examine the AppTrack counters by issuing the
run show security application-tracking counters command.
Step4.8
Examine the AppTrack log messages for the logs pertaining to the FTP data session
by issuing the run show log AppSecure-log I match
ftp-data-session-id command, where the match condition is the session ID
of the FTP data session that you obtained in step 4.6.
[edit security]
lab@srxl\.-1# run show log AppSecure-log I match ftp-data-session-id
May 11 16:45:04 srxA-1 RT_FLOW: APPTRACK_SESSION_CREATE: AppTrack session
created 172.16.l.100/58637->172.16.10.100/22424 None ftp-data UNKNOWN
172.16.l.100/58637->172.16.10.100/22424 None None 6 FTP Untrust Trust 25595
N/A N/A N/A
May 11 16:47:27 srxA-1 RT_FLOW: APPTRACK_SESSION_CLOSE: AppTrack session closed
TCP FIN: 172.16.l.100/58637->172.16.10.100/22424 None ftp-data UNKNOWN
172.16.l.100/58637->172.16.10.100/22424 None None 6 FTP Untrust Trust 25595
6453(336464) 7245(10863956) 144 N/A N/A N/A
[edit security]
lab@srxA-1# coilllllit
commit complete
Step4.10
Return to the VNC session established with the VMware client.
From the VNC session established with the VMware client, begin the FTP transfer of
the 1 OMB.txt file again. Overwrite the existing 1 OMB. txt file when you are
prompted to do so.
gFTP 2.0.18
EJ L.li:J
.. .. . . . . . . . . . . . . . - -· · · · .·;·, ==
= = ·=· ·=· · ··=· · · :::::. · ·, ·:·= · =· ==· · ·= · =··· = · · ·
:; � tlost [•i:•::.:'.:'.'.�rajse:ju�;P.�'..��t Port !,iser i1ab
!
i,i,ome,lab/ajsec j j..., l/home,1ab
�
{Local} (All Files} �secserver.aisec.juniper.net [FTP] [All Files]• ···------
_________·-··-------,
!,; Rlename Size User Group
The ronowing rile(s) exist on both the local and remote computer
10,485,760 lab Please select what you would like to do
J�
O lOMB.txt � 500
500
Alename [ ajsecserver.<. local files�st_1 Action
i _ _ _ _ 500
_ _ _ ___ ___ ____
� 500
··1
I 500
I " 500
� 500
Rlename Proqress
....
I I
......•....
overwrite Resume S�p Rle ]
e
···········---�· Se1 ct_AJ1 _____....--�
e e ect. Al l
[_·-·-·· D s l _=1
227 Entenng Passive Mode (172.16,10,100,
P.1! ri-t ;horn�.,1.:�b/lOMB.V\t
150 Opening BINARY mode data connectior
�---------------- - - �
226 File send OK.
Successfully transferred /home/lab/lOMB.txt at 66.90 KB/s
Successruny changed mode of JhomeJlab/ajsec/lOMB.txtto 644
�
Step4.11
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the run show security flow
session command to obtain the FTP data session ID.
[edit security]
lab@srxA-1# run show security flow session
Session ID: 25599, Policy name: FTP/8, Timeout: 1720, Valid
Resource information : FTP ALG, 2, 0
In: 172.16.1.100/44035 --> 172.16.10.100/2l;tcp, If: ge-0/0/8.0, Pkts: 19,
Bytes: 900
Step4.12
Once the FTP transfer is complete, examine the AppTrack counters by issuing the
run show security application-tracking counters command.
[edit security]
lab@srxA-1# run show security application-tracking counters
Application tracking counters:
Step4.14
Exit configuration mode and log out of your assigned SRX device.
[edit security]
lab@srxA-1# exit configuration-mode
Exiting configuration mode
lab@srxA-1> exit
srxA-1 (ttyuO)
login:
1:1:111(
�
Workstations
Management Addressing
srxA-1 srxD-1 I
srxA-2 I srxD-2 I
srxB-1 vr-device I
srxB-2 Server
srxC-1 Gateway
srxC-2 Term Server
Server Note: Your instructor will provide address and access information.
�
� Internet
.
'--'
1
·;--------! I
VMClient
172.16.1.100
UntrustZone
ge-0/0/8
__ __
172.16.1.1/24
........
srxA-K
K = pod
---(1or2)
iilil
VMServer
172.16.10.100
�:--J;;J, VM Client
--../.
172.16.1.100
U ntrustZone
ge-0/0/8
172.16.1.1/24
<(=pod
---(1or2)
�-.L--�
srxB-K
VMServer
172.16.10.100
�•-• �����-v��lie�t
172.16.1.100
UntrustZone
ge-0/0/8
172161.1/24
,--""""'----, X=pod
--- (1or2)
srxC-K
VMServer
172.16.10.100
A,-- --Q
� VMClient
172.16.1.100
UntrustZone
Pft-0/0/8
17 2161.1/24
.....-.......----, ---X=pod
(1or2)
srxD-K
ge-0/0/9
17216.10.1/24
Trust Zone
•
,_/ .....
VMServer
172.16.10.100
Overvh�w
In this lab, you will implement Layer 2 security. You will work with the remote student team
within your pod to verify Ethernet switching and transparent mode operations. You will
also configure Layer 2 security, and verify the results.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Verify Ethernet switching behavior.
Implement transparent mode.
Secure Layer 2 traffic.
In this lab part, you load the starting configuration for Lab 2. Next, you will examine
Ethernet switching behavior. You will configure two interfaces with Ethernet
switching and will verify the results by passing Layer 2 traffic through your
SRX device.
Note
Depending on the class, the lab equipment
used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you the details needed to access your
assigned device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the Management Network Diagram to
determine the management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using either the console,
Telnet, or SSH as directed by your instructor.
Hostname:
Port:
I: Connecl ,J I Concel J
login: :tab
Password:
[edit]
lab@srxl,-1# load override ajsec/lab2-start.aonfig
load complete
[edit]
lab@srxl\-1# coIIII!lit
commit complete
[edit]
lab@srxl\-1#
Step 1.4
Check the status of the switched interface you configured using the run show
ethernet-switching interfaces command.
[edit]
lab@srxl'.-1# run show ethernet-switching interfaces
Interface State VLAN members Tag Tagging Blocking
ge-0/0/4.0 up vr241 241 tagged unblocked
Note
In the next two steps, you will configure the
ge-0/0/1 and ge-0/0/2 interfaces. These
interfaces will be used for testing the
Ethernet switching connection to the pod
team member's SRX device.
Step i5
Navigate to the [edit interfaces] hierarchy. If your assigned device is SRX1,
configure the ge-0/0/2 interface for vlan-tagging. If your assigned device is
SRX2, configure the ge-0/0/1 interface for vlan-tagging. Also specify the
VLAN ID associated with your pod team member's Juniper customer network, and
configure the IP address 1 72. 20. _y. 50/24, where the value of _y is the VLAN
associated with your pod team member's Juniper customer network.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# set interface vlan-tagging
[edit interfaces]
lab@srxA-1# set interface unit Remote-VLAN-ID family inet address
172. 20 .y. 50/24
[edit interfaces]
lab@srxA-1# set interface unit Remote-VLAN-ID vlan-id Remote-VLAN-ID
[edit interfaces]
lab@srxA-1# show interface
vlan-tagging;
unit 242 {
vlan-id 242;
family inet {
address 172.20.242.50/24;
[edit interfaces]
lab@srxA-1#
Step 1.6
Add the interface you configured in the previous step to the untrus t zone. If your
assigned device is SRX1, add the ge-0/0/2 interface. If your assigned device is
SRX2, add the ge-0/0/1 interface. Configure the host-inbound-traffic
command to allow inbound ping and ftp traffic on the interface.
[edit interfaces]
lab@srxA-1# top set security zones security-zone untrust interface
interface.Remote-VLAN-ID host-inbound-traffic system-services ping
[edit interfaces]
lab@srxA-1# top set security zones security-zone untrust interface
interface.Remote-VLAN-ID host-inbound-traffic system-services ftp
[edit interfaces]
lab@srxA-1# top show security zones security-zone untrust
interfaces {
ge-0/0/3.0;
ge-0/0/2.242
host-inbound-traffic
Step 1.7
If your assigned device is SRX1, configure the ge-0/0/1.0 interface for family
ethernet-swi tching with port-mode access. If your assigned device is
SRX2, configure the ge-0/0/2.0 interface for family ethernet-switching
with port-mode access. Also configure the interface with the VLAN member
vrlocal-Juniper-VLAN, where the value of local -Juniper-VLAN is the
remainder of the VLAN ID associated with your local Juniper customer network.
Commit the configuration when complete.
[edit interfaces]
lab@sr��-1# set interface.a family ethernet-switching port-mode access
[edit interfaces]
lab@sr�-1# set interface.a family ethernet-switching vlan members
vrlocal -Juniper-VLAN
[edit interfaces]
lab@srxi�-1# show interface
unit a {
family ethernet-switching
port-mode access;
vlan {
members vr241;
[edit interfaces]
lab@srxl,-1# commit
commit complete
Step 1.8
Check the status of the switched interface you configured using the run show
ethernet-switching interfaces command.
[edit interfaces]
lab@srxJ,-1# run show ethernet-switching interfaces
Interface State VLAN members Tag Tagging Blocking
ge-0/0/1..0 up vr241 241 untagged unblocked
ge-0/0/4.0 up vr241 241 tagged unblocked
Ensure that the remote student team within your pod has finished this
section before continuing.
Step 1.9
Note
This lab step requires you to open a
separate Telnet session to the virtual router
to emulate an external host.
Keep the current Telnet session
established with your assigned SRX device
open to monitor results.
The virtual router is a J Series Services
Router configured as several logical
devices. Refer to the Management Network
Diagram for the IP address of the vr-device.
Protocol:
Hostname:
Port e=:J Firewall [None ··----··--··- ················· ,.,]
Connect J I Cancel I
vr-device (ttydO)
login: 11sername
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
al@vr-de,vice>
Step 1.11
From the Telnet session established with the virtual router, test your recently
configured Ethernet switching implementation by initiating a rapid ping test to the
remote team's I 72. 20. y. so address that was configured in step 1.5, where yis
the value of the VLAN associated with your local Juniper customer network. Source
the connection from the virtual router's routing instance associated with your local
Juniper customer network. Refer to the lab network diagram if needed.
al@vr-device> ping 172.20.�.50 routing-instance vrlocal-Juniper-VLAN rapid
PING 172.20.241.50 (172.20.241.50): 56 data bytes
al@vr-device>
Step 1.12
Return to the session established with your assigned SRX device.
From your assigned SRX device, change the port-mode on your untrust family
ethernet-switching interface from access to trunk. If your assigned device is
SRX1, modify the ge-0/0/1 interface. If your assigned device is SRX2, modify the
ge-0/0/2 interface. When finished, navigate to the top of the configuration hierarchy
and commit the configuration.
[edit interfaces]
lab@srxA-1# set interface.O family ethernet-switching port-mode trunk
[edit interfaces]
lab@srxA-1# top
[edit]
lab@srxA-1# commit
commit complete
0 Ensure that the remote student team within your pod has finished this
section before continuing.
Step 1.13
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, initiate the piing test
again.
al@vr-device> ping 172.20.y.so routing-instance vrlocal-Juniper-VLAN rapid
PING 172.20.241.50 (172.20.241.50): 56 data bytes
. ! ! ! !
--- 172.20.241.50 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max/stddev = 2.109/3.216/4.305/0.946 ms
Note
You might see the first ping response time
out due to the ARP entry being resolved.
Step 1.14
Return to the session established with your assigned SRX device.
From your assigned SRX device, review the current VLAN member configuration for
Ethernet switching by issuing the command show vlans and answer the following
question.
[edit]
lab@srxl,-1# show vlans
vr241 {
vlan-id 241;
Step 1.15
In this step, you will configure the vlan interface that will be used to route Layer 3
traffic for the Ethernet switching hosts. Issue the command set interfaces
vlan unitlocal-Juniper-VLAN family inet address
172. 20 .y.1/24, where yis the value of the VLAN associated with your local
Juniper customer network.
[edit]
[email protected]# set interfaces vlan unit local-Juniper-VLAN family inet address
172. 2'0 .y.1/24
[edit]
[email protected]# show interfaces vlan
unit 241 {
family inet
address 172.20.241.1/24;
Step 1.16
Apply the vlan interface you created in the previous step as a Layer 3 interface with
the command set vlans vr local-Juniper-VLAN 13-interface
vlan.local-Juniper-VLAN, where local-Juniper-VLANis the value of
the VLAN associated with your local Juniper customer network.
[edit]
lab@srxA-1# set vlans vrlocal-Juniper-VLAN 13-interface vlan. local-Juniper-VLAN
Step 1.17
Add the interface you configured in the previous step to your local Juniper customer
network security zone. Configure the host-inbound-traffic command to
allow inbound ping on the interface. When finished commit the configuration.
[edit]
lab@srxA-1# set security zones security-zone Juniper-local interface
vlan.local-Juniper-VLAN host-inbound-traffic system-services ping
[edit]
lab@srxA-1# commit
commit complete
Step 1.18
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, initiate a rapid ping test
to the Internet host address 172.31.15.1. Source the connection from the virtual
router's routing instance associated with your local Juniper customer network. Refer
to the lab network diagram if needed.
al@vr-device> ping 172.31.15.1 routing-instance vrlocal-Juniper-VLAN rapid
PING 172.31.15.1 (172.31.15.1): 56 data bytes
! ! ! ! !
--- 172.31.15.1 ping statistics
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.650/3.769/4.795/0.901 ms
al@vr-device>
0 Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you become familiar with transparent mode operations. The rest of
the lab steps for this part will be performed on SRX1. You will remove any
unnecessary configuration from your assigned SRX device, and configure the ge-0/
0/1 and ge-0/0/4 interfaces to pass Layer 2 traffic in transparent mode. You will
also configure transparent mode device management.
Note
Note
Step 2.1
Delete the [edit security] and [edit routing-options] configuration
hierarchies.
[edit]
lab@srxA-1# delete security
[edit]
lab@srxA-1# delete routing-options
Step 2.2
Delete the [edit firewall] and [edit vlans] configuration hierarchies.
Then, delete all of the interfaces.
[edit]
lab@srxA-1# delete vlans
[edit]
lab@srxA-1# delete interfaces
Step2.3
Navigate to the [edit interfaces) hierarchy. Configure the ge-0/0/:L interface
forvlan-tagging,family bridge interface-mode trunk,and
vlan-id-list 241-248.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# set ge-0/0/1 vlan-tagging
[edit interfaces]
lab@srxA-1# set ge-0/0/1 unit O family bridge interface-mode trunk
[edit interfaces]
lab@srxA-1# set ge-0/0/1 unit O family bridge vlan-id-list 241-248
Step2.4
Configure the ge-0/0/4 interface forvlan-tagging, family bridge
interface-mode trunk, andvlan-id-list 241-248.
[edit interfaces]
lab@srxA-1# set ge-0/0/4 vlan-tagging
[edit interfaces]
lab@srxA-1# set ge-0/0/4 unit O family bridge interface-mode trunk
[edit interfaces]
lab@srxA-1# set ge-0/0/4 unit O family bridge vlan-id-list 241-248
Step2.5
Navigate to the [edit security) hierarchy. Create a security zone named
Untrust-L2. Apply the ge-0/0/1 interface to the zone.
[edit interfaces]
lab@srxA-1# top edit security
[edit security]
lab@srxA-1# set zones security-zone Untrust-L2 interfaces ge-0/0/1.0
[edit security]
lab@srxA-1#
[edit security]
lab@srxA-1# set policies from-zone Juniper-L2 to-zone Untrust-L2 policy Allow
match source-address any
[edit security]
lab@srxl,-1# set policies from-zone Juniper-L2 to-zone Untrust-L2 policy Allow
match destination-address any
[edit security]
lab@srxl,-1# set policies from-zone Juniper-L2 to-zone Untrust-L2 policy Allow
match application any
[edit security]
lab@srxl,-1# set policies from-zone Juniper-L2 to-zone Untrust-L2 policy Allow
then permit
Step2.8
In this step, you will configure a routing instance that will forward the Layer 2
transparent mode traffic. Navigate to the [edit routing-instances
GIG-Switch] hierarchy. Configure the routing instance with instance-type
virtual-switch. Add the ge-0/0/1 and ge-0/0/4 interfaces to the routing
instance.
[edit security]
lab@srxll-1# top edit routing-instances GIG-Switch
Step2.10
Perform a commit check command on the configuration.
[edit routing-instances GIG-Switch]
lab@srxA-1# commit check
warning: Interfaces are changed from route mode to transparent mode. Please
reboot the device or all nodes in the HA cluster!
configuration check succeeds
Step2.11
Commit the configuration, and then reboot the SRX device.
[edit routing-instances GIG-Switch]
lab@srxA-1# commit
commit complete
warning: Interfaces are changed from route mode to transparent mode. Pl.ease
reboot the device or all nodes in the HA cluster!
Shutdown NOW!
[pid 3049]
login:
Step2.12
Log back in as user lab with the password labl23 after the device has finished
· rebooting.
srxll.-1 (ttyuO)
login: 2ab
Password:
Step2.14
Return to the session established with your assigned SRX1 device.
From your assigned SRX1 device, issue the command show security flow
session, and answer the question that follows.
www.juniper.net Implementing Layer 2 Security (Detailed) • Lab 2-15
Advanced Junes Security
lab@srxA-1> show security flow session
Session ID: 8829, Policy name: Allow/4, Timeout: 2, Valid
In: 172.20.241.10/116 --> 172.20.241.50/58070;icmp, If: ge-0/0/4.0, Pkts: 1,
Bytes: 102
Out: 172.20.241.50/58070 --> 172.20.241.10/116;icmp, If: ge-0/0/1.0, Pkts: 1,
Bytes: 102
Step 2.15
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, press Ctrl + c to
terminate the ping.
al@vr-device>
Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you secure Layer 2 traffic in transparent mode. The rest of the lab
steps for this part will be performed on SRX1. You will configure a security zone
policy to only allow FTP traffic from the virtual router host to the SRX2 host, and
verify the results.
Note
Perform the rest of this lab part only on the
SRX1 device. Both teams should be
working only from SRX1!
Step3.3
Press Ctrl + c to terminate the FTP connection, and then initiate the same rapid ping
test performed in the previous lab part to the SRX2 address.
Connected to 172.20.241.50.
220 srxA-2 FTP server (Version 6.00LS) ready.
Name (172.20.241.50:al): Ac
Step 3.4
Return to the session established with your assigned SRX1 device.
From assigned SRX1 device, create a family bridge firewall filter named TM-Filter
to discard all traffic from interface
ge-0/0/4.0.
[edit security policies]
lab@srxA-1# top
[edit]
lab@srxA-1# set firewall family bridge filter TM-Filter term 1 from interface
ge-0/0/4.0
[edit]
lab@srxA-1# set firewall family bridge filter TM-Filter term 1 then discard
[edit]
lab@srxA-1#
Step 3.5
Apply the TM-Filter as a family bridge output filter on the ge-0/0/1.0 interface.
Commit your configuration when complete.
[edit]
lab@srxA-1# set interfaces ge-0/0/1.0 family bridge filter output TM-Filter
[edit]
lab@srxA-1# commit
commit complete
Step 3.6
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, initiate the FTP
connection again.
al@vr-device> ftp 172.20.y.so routing-instance vrlocal-Juniper-VLAN
ftp: connect: Operation timed out
ftp>
Step 3.7
Type bye to exit the FTP connection. Then, exit the open Telnet session on the
virtual router.
ftp> byE!
al@vr-device> exit
vr-devic:e (ttydO)
login:
Step 3.8
Return to the session established with your assigned SRX1 device.
From your assigned SRX1 device, log out using the exit command.
[edit]
[email protected]# exit
Exiting configuration mode
lab@srxA,-1> exit
srxA-1 (ttyuO)
login:
Management Addressing
srxA-1 srxD-1 I
srxA-2 I srxD-2
srxB-1 vr-device
I srxB-2 Server
'[i]
srxG-1 Gateway
I srxC-2 Term Server
Server Note: Your instructor will provide address and access information.
Host 172.31.15.1
r
UntrustZone
vlan.242
172.20.242.0/24
l) (.10)
vr242
�------- Virtual Routers _
]
-Ju-n-iper--':y/- _ _______ ...!Juniper-WF
__
UntrustZone
srxB-2
172.20 243.Q/24 ge-0/0/1(.50)
�-----1
172.20.244.0/24
vr244 I
Junipe rSY
- Juniper-WF
,--fil
Host 172.31.15.1
UntrustZone
srxC-2
172.20 245.0/24 ge-0/0/1(.50)
(10)
-
'" - i- - SV__, ---- -------Virtual Routers - -------- -1 u i r-W
Jun per - - J n pe F
�""·""'� �r� =" -
�.,Tugf¥1"' '?A!'\
1lJu1upt1 Nttworla, !flt" All ilghh te",t!Wd JUn1Per Worldwide EducaUonSen:ices \'ll'l'IW ,unipern�t
�-�-"---- ----- -- - �
Host 172.31.15.1
UntrustZone
"",2"-48�,
����l,--v
����
Virtual Routers ���
Juniper-SV Juniper-WF
Overvi1ew
In this lab, you will configure two virtual routing instances. You will then configure the
virtual routers (VRs) to communicate with the Internet host, and then to communicate
with each other. You will then configure filter-based forwarding to direct traffic over the
ge-0/0/1 interface.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Configure Internet access for the VRs.
Configure inter-VR communication.
Configure filter-based forwarding.
In this lab part, you will become familiar with the access details used to access the
lab equipment. Once you are familiar with the access details, you will use the CLI to
log in to your designated station. Then, you will load the starting configuration for
lab 3. Then, you will configure two VRs-Juniper and ACME. You will then configure
Internet access for these VRs.
Note
Depending on the class, the lab equipment
used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you the details needed to access your
assigned device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the Management Network Diagram to
determine the management address of your student device.
Step 1.2
Access the CLI at your station using either the console, Telnet, or SSH as directed by
your instructor. Refer to the Management Network Diagram for the IP address
associated with your workstation. The following example is based on simple Telnet
access using the Secure CRT program.
login: Iab
Password:
[edit]
lab@srxl,-1# load override ajsec/lab3-start.con£ig
[edit]
lab@srxl,-1# commit
commit complete
[edit]
lab@srxA-1#
Note
You may have to reboot the SRX device if
the interfaces mode changes from
transparent to route.
Step 1.4
Navigate to the [edit routing- instances J hierarchy level. Configure two
VRs-Juniper and ACME. The Juniper VR should contain the VLAN interface that
directly connects your SRX device with the Juniper device. Then, the ACMEVR should
contain the VLAN interface that directly connects your SRX device with the ACME
device. When you are finished, commit your configuration.
[edit]
lab@srxA-1# edit routing-instances
[edit routing-instances]
lab@srxA-1# set Juniper instance-type virtual-router
[edit routing-instances]
lab@srxA-1# set Juniper interface vlan.local-Juniper-vlan
[edit routing-instances]
lab@srxA-1# set ACME instance-type virtual-router
[edit routing-instances]
lab@srxA-1# set ACME interface vlan.local-ACME-vlan
[edit routing-instances]
lab@srxA-1# show
ACME {
instance-type virtual-router;
interface vlan.201;
}
Juniper {
instance-type virtual-router;
interface vlan.101;
[edit routing-instances]
lab@srxA-1# commit
commit complete
[edit routing-instances]
lab@srxA-1#
Note
L Connect J[ Cancel I
Step 1.6
Log in to the virtual router using the login information shown in the following table:
vr-device (ttypO)
login: al
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
al@vr-de�vice>
Step 1.8
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the run show route table
juniper. inet. 0 and run show route table acme. inet. 0 commands.
Note
[edit routing-instances]
lab@srxA-1# run show route table juniper.inet.O
[edit routing-instances]
Step 1.9
Configure the Juniper and ACME routing instances to use the main routing
instance's inet.0 routing table for unknown destinations. When you are finished,
commit the configuration.
[edit routing-instances]
lab@srxA-1# set Juniper routing-options static route 0/0 next-table inet.O
[edit routing-instances]
[email protected],-1# set ACME routing-options static route 0/0 next-table inet.O
[edit routing-instances]
lab@srxA-1# commit
commit complete
Step 1.10
Issue the commands run show route table juniper. inet. O and
run show route table acme.inet.O.
[edit routing-instances]
lab@srxA-1# run show route table juniper.inet.0
[edit routing-instances]
[email protected]# run show route table acme.inet.0
Step 1.11
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, ping the Internet host by
issuing theping 172.31.15.1 routing-instance vrlocal-Juniper
vlan command, where local -Juniper-vlan is the VLAN ID associated with
your directly connected Juniper customer device. Please refer to Network Diagram:
Lab 3 for the correct VLAN ID value.
al@vr-device> ping 172.31.15.1 routing-instance vrlocal-Juniper-vlan count 2
PING 172.31.15.1 (172.31.15.1): 56 data bytes
64 bytes from 172.31.15.1: icmp_seq=O ttl=63 time=3.765 ms
64 bytes from 172.31.15.1: icmp_seq=l ttl=63 time=3.366 ms
Step 1.12
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the run show route table inet. O
command and examine the routing table.
In this lab part, you will configure inter-VR communication through the use of the
logical tunnel interface.
Step 2.1
Navigate to the [edit interfaces] hierarchy level. Remove the firewall filters
associated with the VLAN interfaces. When you are finished, commit the
configuration.
[edit routing-instances]
lab@srxA-1# top edit interfaces
www.juniper.net Implementing Junos Virtual Routing (Detailed) • Lab 3-9
Advanced Junos Security
[edit interfaces]
lab@srxA-1# delete vlan unit local-Juniper-vlan family inet filter
[edit interfaces]
lab@srxA-1# delete vlan unit local-Acme-vlan family inet filter
[edit interfaces]
lab@srxA-1# show vlan
unit 101 {
family inet {
address 172.20.101.1/24;
unit 201
family inet
address 172.20.201.1/24;
[edit interfaces]
lab@srxA-1# commit
commit complete
[edit interfaces]
lab@srxA-1#
Step2.2
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, test communication
between the Juniper and ACME customer devices that are directly connected to your
assigned SRX device. Issue the telnet local-ACME-device-address
routing-instance vrlocal-Juniper-vlan command. Please refer to your
lab 3 diagram for the correct VLAN ID value.
al@vr-device> telnet local-ACME-device-address routing-instance
vrlocal-Juniper-VLAN
Trying 172.20.201.10...
telnet: connect to address 172.20.201.10: Operation timed out
telnet: Unable to connect to remote host
Step2.3
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the commands run show route table
juniper. inet. 0 and run show route table acme. inet. 0.
[edit interfaces]
lab@srxl,-1# run show route table juniper.inet.0
[edit interfaces]
lab@srxA-1# run show route table acme.inet.O
Step 2.4
Navigating to the [edit interfaces lt- 0/0/0] hierarchy level.Configure
unit 1 with the IP address of 172.2 1.1.1/30, and unit 2 with the IP address of
172.2 1.1.2/30.Configure peering between the two units, and configure both units
with Ethernet encapsulation.
[edit interfaces]
lab@srxA-1# edit lt-0/0/0
unit 2
encapsulation ethernet;
peer-unit l;
family inet {
address 172.21.1.2/30;
[edit routing-instances]
lab@srxA-1# set Juniper interface lt-0/0/0.1
[edit routing-instances]
lab@srxA-1# set ACME interface lt-0/0/0.2
[edit routing-instances]
lab@srx�-1# set Juniper protocols ospf area O interface vlan.local-Juniper-vlan
passive
[edit routing-instances]
lab@srxA-1# set ACME protocols ospf area O interface lt-0/0/0.2
[edit routing-instances]
lab@srxA-1# set ACME protocols ospf area O interface vlan.local-ACME-vlan
passive
[edit routing-instances]
lab@srxA-1# show
ACME {
instance-type virtual-router;
interface lt-0/0/0.2;
interface vlan.201;
routing-options {
static {
route 0.0.0.0/0 next-table inet.O;
protocols {
ospf {
area 0.0.0.0 {
interface lt-0/0/0.2;
interface vlan.201 {
passive;
Juniper
instance-type virtual-router;
interface lt-0/0/0.1;
interface vlan.101;
routing-options {
static {
route 0.0.0.0/0 next-table inet.O;
[edit routing-instances]
lab@srxA-1# commit
commit complete
Step 2.7
Issue the run show ospf interface command.
[edit routing-instances]
lab@srxA-1# run show ospf interface
OSPF instance is not running
Step 2.8
Issue the commands run show ospf interface instance Juniper and
run show ospf interface instance ACME.
[edit routing-instances]
lab@srxA-1# run show ospf interface instance Juniper
Interface State Area DR ID BDR ID Nbrs
lt-0/0/0.1 DR 0.0.0.0 172.20.101.1 0.0.0.0 0
vlan.101 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
[edit routing-instances]
lab@srxA-1# run show ospf interface instance ACME
Interface State Area DR ID BDR ID Nbrs
lt-0/0/0.2 DR 0.0.0.0 172.20.201.1 0.0.0.0 0
vlan.201 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
Step 2.9
Test connectivity between the Juniper and ACME VR routing instances by issuing
the run ping 172.21.1.2 routing-instance Junipercommand.
[edit routing-instances]
lab@sr�A-1# run ping 172.21.1.2 routing-instance Juniper count 2
PING 172.21.1.2 (172.21.1.2): 56 data bytes
Step 2.10
Issue the run show security zones command.
[edit routing-instances]
lab@srxl\-1# run show security zones
Step 2.11
Bind the lt-0/0/0.1 interface to the Juniper zone. Bind the lt-0/0/0.2 interface to the
ACME zone. Allow both logical tunnel interfaces to process ping requests and OSPF
packets. When you are finished, commit the configuration.
[edit routing-instances]
lab@srxA-1# top edit security zones security-zone Juniper-local
interfaces {
vla:n.101
host-inbound-traffic {
system-services {
ping;
}
lt-0/0/0.1
host-inbound-traffic {
system-services {
ping;
protocols
ospf;
lt-0/0/0.2
host-inbound-traffic {
system-services {
ping;
protocols
ospf;
Step 2.13
Issue the commands run show ospf interface instance Juniper and
run show ospf interface instance ACME.
[edit security zones]
lab@srxA-1# run show ospf interface instance Juniper
Interface State Area DR ID BDR ID Nbrs
lt-0/0/0.1 BDR 0.0.0.0 172.20.201.1 172.20.101.J. 1
vlan.101 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
Step 2.14
Check the status of the OSPF neighbor adjacencies by issuing the command
run show ospf neighbor instance all.
Note
Instance: Juniper
Address Interface State ID Pri Dead
172.21.1.2 lt-0/0/0.1 Full 172.20.201.1 128 32
Step 2.1!:i
Examine the Juniper and ACME VR instances routing tables.
[edit security zones]
lab@srxA-1# run show route table juniper.inet.0
Step2.16
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, test communication
between the Juniper and ACME customer devices that are directly connected to your
assigned SRX device. Issue the telnet local-ACME-device-address
routing-instance vr local-Juniper-vlan command. Please refer to your
lab 3 diagram for the correct VLAN ID value.
al@vr-device> telnet local-ACME-device-address routing-instance
vrlocal-Juniper-vlan
Trying 172.20.201.10...
Connected to 172.20.201.10.
A
Escape character is ' l '
vr-device (ttypl)
login:
vr-device (ttypO)
login: al
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
al@vr-device>
Step2.18
Return to the session established with your assigned SRX device.
From your assigned SRX device, find the recently created Telnet session in the
session table.
[edit security zones]
lab@srxA-1# run show security flow session application telnet
Session ID: 57866, Policy name: intrazone-Juniper-SV/4, Timeout: 3394, Valid
In: 172.20.101.10/56290 --> 172.20.201.10/23;tcp, If: vlan.101, Pkts: 27,
Bytes: 1568
Out: 172.20.201.10/23 --> 172.20.101.10/56290;tcp, If: lt-0/0/0.1, Pkts: 21,
Bytes: 1543
In this lab part, you will configure filter-based forwarding for traffic between the
ACME-SV and ACME-WF devices.
Step 3.1
Configure the ge-0/0/1 interface with the correct interface address and netmask.
Refer to your lab 3 diagram for the specific interface address.
[edit security zones]
lab@srxA-1# top edit interfaces ge-0/0/1
[edit routing-options]
lab@srxl,-1# show
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
ACME-to-Main
import-rib [ ACME.inet.Oinet.O];
[edit routing-options]
lab@srxA-1# top edit routing-instances ACME routing-options
Step 3.6
Configure a forwarding routing instance named FBF-instance. Configure a
default static route that will send all traffic to the remote SRX device over the
ge-0/0/1 interface.
[edit routing-instances ACME routing-options]
lab@srxA-1# top edit routing-instances FBF-instance
Step3.7
Configure the FBF-fil ter firewall filter to send any traffic destined to the remote
ACME device to the FBF-instance routing instance. Configure a counter named
FBF-counterto count any packets that match the filter.
[edit routing-instances FBF-instance]
lab@srxA-1# top edit firewall family inet filter FBF-filter term FBF
}
then {
count FBF-counter;
routing-instance FBF-instance;
Step3.9
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, issue the command
ping remote-ACME-address routing-instance vrlocal-AC'ME-vlan
to establish communication between the ACME-SV and ACME-WF customer devices.
al@vr-device> ping remote-ACME-address routing-instance vrlocal-ACME-vlan count
2
PING 172.20.202.10 (172.20.202.10): 56 data bytes
36 bytes from 172.20.201.1: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 36d8 O 0000 40 01 4c93 172.20.201.10 172.20.202.10
Step3.10
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the command run show firewall
filter FBF-filter.
[edit interfaces vlan unit.201]
lab@srxA-1# run show firewall filter FBF-filter
Filter: FBF-filter
Counters:
Name Bytes Packets
FBF-counter 168 2
Step3.11
Issue the run show route table FBF-instance. inet. O command.
[edit interfaces vlan unit 201]
lab@srxA-1# run show route table FBF-instance.inet.0
Step3.12
Configure the Main-to-FBF RIB group to copy interface routes from the inet.0
routing table to the FBF-instance. inet. o routing table. Configure a policy to
allow only the 172.19.1.0/30 prefix to be copied from the inet. o routing table.
When you are finished, commit the configuration and exit to operational mode.
[edit interfaces vlan unit 201]
lab@srxA-1# top edit policy-options policy-statement only-172.19.1.0/30 term
accept-route
term reject-routes
then reject;
[edit routing-options]
lab@srxA-1# set interface-routes rib-group inet Main-to-FBF
[edit routing-options]
lab@srxA-1# show
interface-routes {
rib-group inet Main-to-FBF;
}
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
ACME-to-Main
import-rib [ ACME.inet.O inet.O J;
}
Main-to-FBF {
import-rib [ inet.O FBF-instance.inet.O J;
import-policy only-172.19.1.0/30;
lab@srxA-1>
Step3.13
Issue the show route table FBF-instance. inet. O command and
examine the routing table.
lab@srxl\-1> show route table FBF-instance.inet.O
Ensure that the remote student team within your pod has finished the
previous step before continuing.
Step3.14
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, issue the command
ping remote-ACME-address routing-instance vrlocal-ACME-vlan
to establish communication between the ACME-SV and ACME-WF devices.
al@vr-device> ping remote-ACME-address routing-instance vrlocal-ACME-vlan rapid
PING 172.20.201.10 (172.20.201.10): 56 data bytes
! ! ! ! !
--- 172.20.201.10 ping statistics ---
5 packets transmitted, s packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.791/6.730/16.669/4.978 ms
Step3.15
Initiate a Telnet session from the local ACME device to the remote ACME clevice.
Issue the telnet remote-ACME-address routing-instance
vrlocal-ACME-vlan command.
al@vr-device> telnet remote-ACME-address routing-instance vrlocal-ACME-vlan
Trying 172.20.202.10 ...
Connected to 172.20.202.10.
Escape character is ' A l'.
vr-device (ttypl)
login:
Step3.16
Log in to the virtual router to ensure that the Telnet session does not time out. Use
the login information shown in the following table:
vr-device (ttypO)
login: al
Password:
NOTE: This router is divided into many virtual routers used by different teams.
PleaE:e only configure your own virtual router.
al@vr-device>
Step 3.17
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the command
show security flow session application telnet and examine the
session table.
lab@srxl\-1> show security flow session application telnet
Session ID: 7881, Policy name: FBF-ACME-SV/4, Timeout: 1594, Valid
In: 172.20.201.10/62847 --> 172.20.202.10/23;tcp, If: vlan.201, Pkts: 26,
ByteE:: 1515
Out: 172.20.202.10/23 --> 172.20.201.10/62847;tcp, If: ge-0/0/1.0, Pkts: 20,
ByteE:: 1490
Step3.18
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, exit the sessic,n.
al@vr-device> exit
Step3.19
Return to the session established with your assigned SRX device.
From your assigned SRX device, log out using the exit command.
lab@srxA-1> exit
srxA-1 (ttyuO)
login:
Management Addressing
srxA-1 srxD-1
srxA-2 srxD-2
srxB-1 vr-device
srxB-2 Server
srxG-1 Gateway
srxG-2 Term Server ______,,
Server Note: Your instructor will provide address and access information.
Host 172.31.15.1
-- Virtual Routers --
Juniper-SY ACME-SY Juniper-WF AC M EWF
-
c
c
\',,
Ai-----�
'<'Y' t:{J Host 172.31.15.1
'b'),•
'},'>'
�
Juniper-SY
-
0:�0.!.3Jullli;,t:rNt.t'#ork$, lne-.AUt!�ts tt�IJ:r.tl!d
�- -�--�-1-- - -
JUn!£?€r Worldwide Education Services WWY'J 1un1p
vlan.107 n
(.1) vla .207 --- n rfaceg - -- vlan.108
l te e 0/0/4
172 20 2070/24 172.20.1080/24
(. � (.�
In this lab, you will implement Network Address Translation (NAT) in several real-world
scenarios. You will configure and monitor source and destination NAT, and you will see
how NAT rules work together with security policies to address different real-world
objectives. Then, you will examine how routing-behavior can impact some NAT
implementations and resolve those issues so the desired objectives can be
accomplished.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Use the Junos command-line interface (CLI) to load the baseline configuration.
Use the Junos CLI to make configuration changes necessary to implement
various NAT scenarios.
Configure and monitor pool-based destination NAT.
Configure and monitor interface-based source NAT.
Configure and monitor proxy address resolution protocol (ARP).
Configure and monitor NAT64 and NAT46 operations.
In this lab part, you load the baseline configuration. You will also work witi1 the
remote student team within your pod, and execute a quick verification that you can
reach the remote team's device through the use of the ping utility and review the
route being used. You will also make configuration changes that will allow you to
implement advanced NAT scenarios presented in subsequent parts.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the Management Network Diagram to
determine the management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using either the console,
Telnet, or SSH as directed by your instructor.
I, Connect ,! J Cancel l
Step 1.3
Log in as user lab with the password labl2 3. Enter configuration mode and load
the lab4-start. configfrom the /var/home/lab/ajsec/ directory. Commit the
configuration and exit to operational mode when complete.
srxA-1 (ttyuO)
login: lab
Password:
[edit]
lab@srxl\.-1# load override ajsec/lab4-start.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxl,-1>
Step 1.4
Verify that you can reach the remote pod team's SRX interfaces that are connected
to their virtual routers. Use rapid pings to verify connectivity to both of the remote
pod team's SRX interfaces that are connected to the Juniper and ACME virtual
routers.
lab@srxA-1> ping remote-Juniper-address source local-Juniper-address rapid
PING 172.20.102.1 (172.20.102.1): 56 data bytes
! ! ! ! !
--- 172.20.102.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.911/4.063/4.269/0.135 ms
Step 1.5
Review the routing table and determine which route is used to reach the remote
device networks.
Step 1.6
Enter configuration mode. Configure the ge-0/0/2 interface with the address shown
in the lab network diagram.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# set ge-0/0/2 unit O family inet address address/24
[edit interfaces]
lab@srxA-1#
Step 1.7
Create a new security zone named Public-Facing and add the ge-0/0/2
interface to the zone.
[edit interfaces]
lab@srxll,-1# top edit security zones
then {
permit;
Step 1.9
Delete the existing static default route and create a new static default route for your
assigned SRX device. The new route should use the IP address associated with the
remote team's ge-0/0/2 interface as the next hop.
[edit security policies from-zone Juniper-SV to-zone Public-Facing policy
Allow-Outbound-Telnet]
lab@srxA-1# top edit routing-options
[edit routing-options]
lab@srxA-1# delete static route 0/0
[edit routing-options]
lab@srxA-1# set static route 0/0 next-hop address
[edit routing-options]
lab@srxA-1# show static
route 0.0.0.0/0 next-hop 10.0.1.129;
[edit routing-options]
lab@srxA-1#
Step 1.10
Navigate to the top of the configuration hierarchy. Remove all stateless firewall filter
configuration on your assigned SRX device. When you are finished, commit the
configuration.
[edit routing-options]
lab@srxA-1# top
[edit]
lab@srxJ\-1# delete firewall
[edit]
lab@srxJ\-1# show I display set I match "filter"
set interfaces loO unit O family inet filter input protect-cp
set interfaces vlan unit 101 family inet filter input Juniper-SV-to-ACME-SV
set interfaces vlan unit 201 family inet filter input ACME-SV-to-Juniper-SV
[edit]
lab@srxA-1# delete interfaces loO unit O family inet filter
[edit]
lab@srxA-1# delete interfaces vlan unit local-Juniper-unit family inet filter
[edit]
lab@srxl,-1# delete interfaces vlan unit local-ACME-unit family inet filter
[edit]
lab@srxl,-1# commit
commit complete
[edit]
lab@srxA-1#
0 Do not proceed to the next lab part until directed by the instructor to do
so.
rule-set From-Internet {
from zone Public-Facing;
rule To-Telnet-Server {
match {
source-address [ 172.20.96.0/20 172.20.192.0/19 ];
destination-address 10.0.1.126/32;
destination-port 23;
}
then {
destination-nat pool Telnet-Server;
}
attach {
zone Public-Facing;
lab@srxA-1>
Ensure that the remote student team within your pod has finished this
section before continuing.
Step 2.7
Note
Step 2.8
Log in to the virtual router using the login information shown in the following table:
vr-device (ttydO)
login: username
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
al@vr-device>
Step 2.9
From the Telnet session established with the virtual router, test your recently
configured NAT implementation by initiating a Telnet connection to the remote
team's external NAT address you configured in step 2.5. If your assigned device is
SRX1, use the 1 o. o. 1. 2 54 address. If your assigned device is SRX2,use the
1 o. o.1. 126 address. Source the connection from the virtual router's routing
instance associated with your local Juniper customer network. Refer to the lab
network diagram if needed.
al@vr-device> telnet address routing-instance vrlocal-Juniper-VLAN
Trying 10.0.1.254...
Connected to 10.0.1.254.
Escape character is ' A l'
vr-device (ttypl)
login:
Step 2.10
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the show security flow session
command.
lab@srxA-1> show security flow session
Session ID: 42005, Policy name: Allow-Outbound-Telnet/10, Timeout: 1784, Valid
In: 172.20.101.10/54242 --> 10.0.l.254/23;tcp, If: vlan.101, Pkts: 9, Bytes:
619
Out: 10.0.1.254/23 --> 172.20.101.10/54242;tcp, If: ge-0/0/2.0, Pkts: 8,
Bytes: 589
Total sessions: 1
Note
You might see more than one session. In
addition to the session you initiated, you
might also see a session originating from
your local Juniper customer network as the
remote student team tests their
implementation.
Step 2.11
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, press Ctrl + c to
terminate the Telnet session.
vr-device (ttypl)
al@vr-device>
Do not proceed to the next lab part until directed by the instruc1tor to do
so.
In this lab part, you make additional configuration changes to expand your
implementation to allow internal hosts to reach internal resources that are publicly
available by connecting to the public-facing IP address on your SRX device.
You will learn how this implementation works in a routed environment, and how it
differs in a switched environment.
Step 3.1
From the Telnet session established with the virtual router, initiate a Telnet session
to the external NAT address on the ge-0/0/2 interface for your assigned SF�X device.
If your assigned device is SRX1, use the 1 o. o. l .126 address. If your assigned
device is SRX2,use the lo. o. l. 2 54 address. Source the telnet connection from
the virtual router's routing instance associated with your local Juniper customer
network as shown on the lab network diagram.
al@vr-device> telnet address routing-instance vrlocal-Juniper-VLAN
Trying 10.0.1.126 ...
Step 3.2
Return to the session established with your assigned SRX device.
From your assigned SRX device , Enter configuration mode and review the existing
NAT implementation to see if you can identify the problem.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# edit security nat destination rule-set From-Internet
Lab 4-16 • Advanced NAT Implementations (Detailed) www.juniper.net
Advanced Ju nos Security
Step 3.3
Modify the existing rule set From-Internet so sessions initiated from the local
Juniper and ACME customer networks will be evaluated for NAT. When you are
finished, commit the configuration.
[edit security nat destination rule-set From-Internet]
lab@srxA-1# set from zone Juniper-local
Step 3.4
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, initiate the Telnet
session again. If your assigned device is SRX1, use the 1 o. o. 1. 126 adclress. If
your assigned device is SRX2,use the 1 o. o.1. 254 address.
al@vr-device> telnet address routing-instance VR-Juniper-instance
Trying 10.0.1.126 ...
Step 3.5
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the run show security flow
session command.
[edit security nat destination rule-set From-Internet]
lab@srxA-1# run show security flow session
Total sessions: O
Step 3.6
Review the existing security policy that accommodates the traffic sent between the
local Juniper and ACME customer networks.
[edit security nat destination rule-set From-Internet]
lab@srxA-1# top edit security policies
Step 3.7
Create a security policy that accommodates Telnet traffic sent from your local
Juniper customer network to your local ACME customer network. Use the existing
vrl oyaddress-book entry for your policy's source-addres s match, where the
value of yis the remainder of the VLAN ID associated with your local Juniper
customer network. Configure the destination-addres s to match the
address-book entry vr20Y, where the value of yis the remainder of the VLAN ID
associated with your local ACME customer network. When you are finished, commit
the configuration.
[edit security policies]
[email protected],-1# edit from-zone Juniper-local to-zone ACME-local
vr-device (ttypO)
login:
Step3.9
Return to the session established with your assigned SRX device.
From your assigned SRX device, issue the run show security flow
session command.
[edit security policies from-zone Juniper-SV to-zone ACME-SV]
lab@srxA-1# run show security flow session
Session ID: 24091, Policy name: Allow-Internal-Telnet/12, Timeout: 1760, Valid
In: 172.20.101.10/58540 --> 10.0.l.126/23;tcp, If: vlan.101, Pkts: 9, Bytes:
619
Out: 172.20.201.10/23 --> 172.20.101.10/58540;tcp, If: vlan.201, Pkts: 8,
Bytes: 589
Total sessions: 1
Step3.10
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, press Ctrl + c to
terminate the Telnet session.
al@vr-device>
Step3.U
Return to the session established with your assigned SRX device.
From your assigned SRX device, use the run show security nat
destination SUlllIIlary command to confirm that traffic initiated from the ACME
customer zone will be evaluated by the rule-set From-Internet NAT.
[edit security policies from-zone Juniper-SV to-zone ACME-SV]
lab@srX:11.-1# top
[edit]
lab@srX:11.-1# run show security nat destination summary
Total pools: 1
Pool name Address Routing Port Total
Range Instance Address
Telnet-Server 172.20.201.10 - 172.20.201.10 default 0 1
Total rules: 1
Rule name Rule set From Action
To-Telnet-Server From-Internet ACME-SV
Juniper-SV
Public-Facing Telnet-Server
[edit]
lab@srxA-1#
Step3.12
Use the run show security policies command to confirm that intrazone
traffic is configured for the ACME customer zone.
[edit]
lab@srxl,-1# run show security policies from-zone ACME-local to-zone ACME-local
From zone: ACME-SV, To zone: ACME-SV
Policy: intrazone-ACME-SV, State: enabled, Index: 5, Scope Policy: 0, Sequence
number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Step3.13
Return to the Telnet session established with the virtual router.
Step3.14
Return to the session established with your assigned SRX device.
From the Telnet session established with your assigned SRX device, issue the run
show security flow session command.
[edit]
lab@srxA-1# run show security flow session
Session ID: 2148, Policy name: intrazone-ACME-SV/5, Timeout: 16, Valid
In: 172.20.201.10/59302 --> 10.0.l.126/23;tcp, If: vlan.201, Pkts: 2, Bytes:
128
Out: 172.20.201.10/23 --> 172.20.201.10/59302;tcp, If: vlan.201, Pkts: 0,
Bytes: 0
Total sessions: 1
Note
Step 3.15
Configure double NAT by adding interface-based source NAT to disguise the
IP address of the originating host.Name the NAT rule set
Accommodate-Switched-Network. Name the rule NAT-Return-Flow. The
rule should only apply source NAT to intrazone traffic. The rule should not make
exclusions based on the destination address. When you are finished, navigate to the
top of the command hierarchy, and commit the configuration.
[edit]
lab@srxA,-1# edit security nat source
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 3.16
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, initiate the Telnet
session again. If your assigned device is SRX1, use the 1 o. o.1.126 address. If
your assigned device is SRX2,use the 1 o. o .1. 254 address.
vr-device (ttyp3)
login:
Note
Step 3.18
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, press Ctrl + c to
terminate the Telnet session.
vr-device (ttypl)
al@vr-device>
Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you configure and verify operations for NAT64.This 1Pv6 NAT
implementation requires both destination NAT and source NAT for proper operation.
Both pod teams will configure the same 1Pv6 subnet addressing within the local
Juniper customer network, and will perform NAT64 to properly translate ttle 1Pv6
addresses to 1Pv4 addresses.
The 1Pv6 NAT implementation will allow an 1Pv6 host within the Juniper customer
network on the virtual router to telnet to an 1Pv4 host resource on the remote
student team's ACME customer network through a public-facing IP address
associated with the ge-0/0/2 interface of your assigned SRX device.
Step4.1
Configure your VLAN interface associated with your local Juniper customer's network
with the 1Pv6 address 2001:db8::1/64.
[edit]
lab@srxA-1# set interfaces vlan unit local-Juniper-unit family inet6 address
2001:dbS::1/64
Step4.2
Delete the 1Pv4 address from your VLAN interface associated with your local Juniper
customer's network.
[edit]
lab@srxA-1# delete interfaces vlan unit local-Juniper-unit family inet
Step4.3
For steps 4.3-4.5, you will configure destination NAT64 to translate the 1Pv6
destination traffic to an 1Pv4 address. Navigate to the [edit security nat
destination] hierarchy. Configure a destination NAT pool named
ipv6-dest-pool with the IP address of the remote student team's external NAT
address. If your assigned device is SRX1, use the lo. o. l. 254 address. If your
assigned device is SRX2,use the 10. o.1.126 address.
[edit]
lab@srxA-1# edit security nat destination
pool ipv6-dest-pool
address 10.0.1.254/32;
Step4.5
Configure a rule within the rule set ipv6 -dest named ipv6-local to match
traffic destined for the 1Pv6 address 2001:dbB::5/128. Next, specify that the
destination address of the matching traffic will be translated to the pool
ipv6-dest-pool.
[edit security nat destination]
lab@srxA-1# set rule-set ipv6-dest rule ipv6-local match destination-address
2001:dbS::5/128
Step4.6
For steps 4.6-4.8, you will configure source NAT64 to translate the 1Pv6 source
traffic to an 1Pv4 address. Navigate to the [edit security nat source)
hierarchy. Configure a source NAT pool named ipv6-source-pool with an
external NAT64 IP address on the Public-Facing zone subnet. If your assigned
device is SRX1, specify the 1 o. o. 1. 1 o address. If your assigned device is SRX2,
specify the 1 o. o. 1. 21 o address.
[edit security nat destination]
lab@srxA-1# top edit security nat source
Step4.7
Configure a source NAT rule set named ipv6-source with a directional context
that will perform NAT on traffic coming from your local Juniper customer network's
zone and destined for the Public-Facing zone.
[edit security nat source]
lab@srxA-1# set rule-set ipv6-source from zone Juniper-local
rule-set ipv6-source {
from zone Juniper-SV;
to zone Public-Facing;
rule ipv6-host {
match {
source-address 2001:dbS: :10/128;
destination-address 10.0.1.254/32;
}
then {
source-nat
pool {
ipv6-source-pool;
Step4.9
Navigate to the [edit security nat destination rule-set
From-Internet rule To-Telnet-Server] hierarchy. Configure an
additional matching source address for the remote team's external NAT address that
was configured in step 4.6. If your assigned device is SRX1, specify the
1 o. o.1 . 21 o address. If your assigned device is SRX2, specify the 1 o. o. 1 . 1 o
address.
[edit security nat source]
lab@sr��-1# top edit security nat destination rule-set From-Internet rule
To-T,:!lnet-Server
proxy-ndp {
interface vlan.101 {
address {
2001:db8::5/128;
Step4.13
Navigate to the [edit security policies] hierarchy. Configure a security
policy named Allow-ipv6-Telnet from your local Juniper customer zone to the
Public-Facing zone to allow only telnet traffic. Configure the source address to
match the address book entry ipv6-address. Specify the destination address as
any.
[edit security natl
lab@srxA-1# top edit security policies
policy Allow-Remote-Public
match {
source-address Remote-Public;
destination-address vr201;
application junos-telnet;
}
then {
permit;
Step 4.15,
Enable 1Pv6 flow-based mode on your assigned SRX device at the [edit
security forwarding-options] hierarchy and then commit the
configuration. The SRX will require a reboot to enable 1Pv6 flow-based mode. Issue
the command request system reboot after the commit is complete.
[edit security policies]
lab@srxA-1# top set security forwarding-options family inet6 mode flow-based
Shutdown NOW!
[pid 3934]
Step4.16
Log back into the SRX device as user lab after it has finished rebooting.
srxA-1 (ttyuO)
login: lab
Password:
Ensure that the remote student team within your pod has finished steps
4.1 to 4.16 before continuing.
Step4.17
Test your recently configured NAT64 implementation. Return to the Telnet session
established with the virtual router.
From the Telnet session established with the virtual router, initiate an 1Pv6 Telnet
session to the 1Pv6 address 2001:dbS::5. Source the telnet connection from the
routing instance associated with your local Juniper customer network.
al@vr-device> telnet inet6 2001:dbS::5 routing-instance vrlocal-Juniper-VLAN
Trying 2001:dbB::5...
Connected to 2001:dbB::5.
Escape character is ' A l'.
vr-device (ttypl)
login:
Note
Note
Step4.rn
Issue the commands show security nat destination rule all and
show security nat source rule ipv6-host.
lab@srxl�-1> show security nat destination rule all
Total destination-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 4/1
Match
Source addresses 172.20.96.0 - 172.20.111.255
172.20.192.0 - 172.20.223.255
10.0.1.210 - 10.0.1.210
Destination addresses 10.0.1.126 - 10.0.1.126
Destination port 23
Action Telnet-Server
Translation hits 0
Destination port 0
Action ipv6-dest-pool
Translation hits 5
Step4.20
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, press Ctrl + c to
terminate the Telnet session.
al@vr-device>
Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you configure and verify NAT46 operations. This NAT implementation
requires both destination NAT and source NAT for proper operation. Both pod teams
will configure source and destination NAT to perform NAT46, to translate the 1Pv4
addresses to 1Pv6 addresses.
The 1Pv6 NAT implementation will allow an 1Pv4 host within the ACME customer
network on the virtual router to telnet to an 1Pv6 host resource on the remote
student team's Juniper customer network through a public-facing IP address
associated with the ge-0/0/2 interface.
Step 5.1
For steps 5.1-5.3, you will configure destination NAT to translate a local 1Pv4
address within the ACME customer network to a public facing address that will be
used for NAT46. Enter configuration mode and navigate to the [edit security
nat destination] hierarchy. Configure a destination NAT pool named
nat46public-dest-pool with a public-facing address that will be used for
NAT46. If your assigned device is SRX1, specify the address 1 o. o.1. 211. If your
assigned device is SRX2, configure the address 1 o. o. 1. 11.
[edit]
lab@srx�-1# edit security nat destination
Step 5.2
Configure a destination NAT rule set named nat46public-dest with a
directional context that will perform NAT on traffic coming from your local ACME
customer network's zone.
[edit security nat destination]
lab@srxA-1# set rule-set nat46public-dest from zone ACME-local
Step 5.4
Configure another destination NAT pool named nat46remote-dest-pool with
the 1Pv6 address 2008:dbS::10/128. This pool will be used to perform NAT46 on
the traffic from the remote student team's ACME customer network.
[edit security nat destination]
lab@srxA-1# set pool nat46remote-dest-pool address 2001:dbS::10/128
Step 5.5
Under the destination NAT rule-set From-Internet, configure another source NAT
rule named nat46-remote to match Telnet traffic sourced from the
172.20.192.0/19 prefix. Apply this rule to traffic destined to the remote team's
nat46public-dest-pool IP address. If your assigned device is SRX1, specify
the address Io. o .1 .11. If your assigned device is SRX2, configure the address
1 o. o. 1 . 211. Specify that the destination address of the matching traffic will be
translated to the pool nat46remote-dest-pool.
Note
Step 5.8
Configure a source NAT rule for the nat46-source rule-set named nat46-host
to match traffic sourced from the 172.20.192.0/19 prefix. Apply this rule to traffic
destined to the 2001:db8::10/128 address. Then specify that the source address of
the matching traffic will be translated to the pool nat46-source-pool.
[edit security nat source]
lab@srxJl,-1# set rule-set nat46-source rule nat46-host match source-address
172.20.192.0/19
lab@srxA-1>
Ensure that the remote student team within your pod has finished
Part 5 before continuing.
Step 5.14
Verify your recently configured NAT46 implementation. Return to the Telnet session
established with the virtual router.
From the Telnet session established with the virtual router, initiate a new Telnet
session to the address 172. 20. address. 5, where address is your local ACME
customer network. Source the Telnet connection from the virtual router's routing
instance associated with your local ACME customer network as shown on the lab
network diagram.
al@vr-device> telnet 172.20.address.5 routing-instance vrlocal-ACME-VLAN
Trying 172.20.201.5 ...
Connected to 172.20.201.5.
Escape character is ' A l'.
vr-device (ttypl)
login:
Step 5.16
Return to the Telnet session established with the virtual router.
From the Telnet session established with the virtual router, press Ctrl + c to
terminate the Telnet session, then log out using the exit command.
vr-device (ttypl)
al@vr-device> exit
Step 5.17
Return to the session established with your assigned SRX device.
From your assigned SRX device, log out of your assigned device using the exit
command.
lab@srxA-1> exit
srxA-1 (ttyuO)
login:
Mana@mentAddressing
srxA-1 srxD-1 I
srxA-2 srxD-2 I
srxB-1 vr-<levice I
srxB-2 Server
srxC-1 Gateway
srxC-2 I Term Server
Server Note: Your instructor will provide address and access information.
172.20 1010/24
L::'.::J
�)
vr201
--'
Jun ipe r ':N
- ,__M_
AC E--':N
-- Virtual Routers -- Juniper-WF
:(12013JunlperNetwork,,
, r
lnc.AAnfits remve(! Juniper Worldwide Education SeMces WWW 1un1p
-- �-��
- --·- ----· -----l-- ---- "�
10.0.1.D/24
vlan.202
1Pv6Subnet
Added
ACME-':N Juniper-WF AC M E W
- F
�--��- ���
;s,... , "' ," r
JUnL�f
.,,,
:--El
vlan.103
1001 0/24
vlan.204
1Pv6Subnet
Added
vr103 I
Juniper- SY Juniper-WF
vlan.105
--VirwalRouters .--
Juniper-SY ACME-SY Junipe r-WF ACME-WF
()-2013Jt1nlperNetwork,, lttt: AIJnJts re1erv� JUn� Worldwide Education Services WNW JUn1p
--- - -A- �� j
vlan.206
1Pv6Subnet
Added
Juniper-SY ACME-WF
Host 172.31.15.1
vlan.107 (�lan208
172 20 208.Q/24
(10)
vlan.208
1Pv6Subnet
Added (10)
In this lab, you will load the baseline configuration for your device. The configuration will
include interfaces, interfaces assigned to their zones, security policies to allow traffic
between zones, and a stateless firewall filter for selective packet-based services. You will
then configure your device to act as a hub in a hub-and-spoke IP Security (IPsec) virtual
private network (VPN). You will use the loopback interface as your gateway interface. The
spokes have been preconfigured with all the necessary requirements. The IPsec tunnel
will be configured to encrypt and pass traffic for the Local-VR network attached to each
student device. After completing your configuration, you will verify the IPsec functionality
on your local device.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Use the Junos command line interface (CLI) to load the baseline configuration.
Use the Junos CLI to configure the IPsec VPN parameters.
Assign interfaces to security zones.
Implement security policies between zones.
Verify that the expected traffic traverses the VPN.
Monitor the effects of the configuration from both the local device.
In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the CU to log
in to your designated station. Then, you will load the starting configuration for Lab 5.
Next, you will run a ping command from the Local-VR routing instance to ensure
connectivity.
Note
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CU at your station using either the console, Telnet, or SSH as directed by
your instructor. Refer to the Management Network Diagram for the IP address
associated with your workstation. The following example is based on simple Telnet
access using the Secure CRT program.
I, Connect � J C,ncel j
login: lab
Password:
[edit]
lab@srxA-1# load override ajsec/lab5-start.config
[edit]
lab@srx/\.-1# commit
commit complete
[edit]
lab@srxA-1#
Step i4
In this lab you, use the Local-VR device, which is a routing instance on your assigned
SRX device, to test connectivity through the IPsec tunnels. Verify the connectivity of
the Local - VR routing instance by pinging the address of the Internet interface that
is associated with your assigned SRX device (ge-0/0/3).
[edit]
lab@srxA-1# run ping remote-ge-0/0/3-address routing-instance Local-VR rapid
PING 172.18.1.1 (172.18.1.1): 56 data bytes
! ! ! ! !
--- 172.18.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = l.825/l.947/2.051/0.096 ms
Step i5
Review the routing table of the Local-VR routing instance to determine which route is
used to reach the IP address in the previous step.
[edit]
lab@srxl\.-1# run show route table Local-VR.inet.O
In this lab part, you configure the additional interfaces for this lab. You will create a
vpn zone and assign the appropriate interfaces. You will then create policies to
allow traffic to use this zone.
Step 2.1
Configure the stO interface with the IP address and network that is defined in the
following table for your assigned device. Ensure that the stO interface can facilitate
multiple Internet key exchange (IKE) and IPsec security associations
establishments.
srxC-1 10.10.30.1/24
srxC-1 10.10.30.2/24
srxD-1 10.10.40.1/24
srxD-2 10.10.40.2/24
[edit]
lab@srxA,-1# edit interfaces stO.O
Step 2.2
Navigate to the [edit security zones] hierarchy and add the loopback
interface to the untrust zone. When you add the loO interface to this zone, allow
IKE as host-inbound-traffic for this interface.
[edit interfaces stO unit OJ
lab@srxA-1# top edit security zones
Step 2.3
Create a zone named vpn and add the stO interface. Verify the recent changes to
both zones.
[edit security zones]
lab@srxA-1# set security-zone vpn interfaces stO.O
Step 2.4
Navigate to the [edit security policies] hierarchy and create two policies.
The first policy should allow traffic from the trust zone to enter the vpn zone and
should be named local -VR-to-vpn. The second policy should allow traffic to
enter the trust zone from the vpn zone and should be named
vpn-to-local-VR. When you are finished, commit the configuration c1nd exit to
operational mode.
[edit security zones]
lab@srxA-1# up 1 edit policies from-zone trust to-zone vpn
lab@srxA-1>
Note
For the purposes of this lab, we want to
allow all traffic, from the Local-YR network
to the spoke sites, to pass through the
IPsec VPN and vice versa. In a production
network this might not be the ideal
situation, and you can limit the traffic
allowed to pass through the IPsec tunnel by
restricting the source, destination, and
applications allowed.
Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you configure the properties to establish the IKE security
associations (SAs). You will also configure the necessary IPsec properties to
establish your IPsec SAs.
Step 3.1
Enter configuration mode and navigate to the [edit security ike] hierarchy.
Begin by defining an IKE policy named policy-1. The spokes are configured to
use main mode, and they also takes advantage of the predefined standard
proposal-set. The spokes are also configured to use a pre-shared-key; the
key is juniper. Configure your IKE policy to match the spokes' settings. Heview the
policy before continuing.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# edit security ike
}
gateway spoke-2 {
ike-policy policy-1;
address 192.168.10.4;
external-interface loO.O;
}
· gateway spoke-3 {
ike-policy policy-1;
address 192.168.10.5;
external-interface loO.O;
Step 3.3
Navigate to the [edit security ipsec] hierarchy. Begin by defining the policy
named policy-sec. The spokes are configured to use the predefined standard
proposal-set. You must configure your local policy to use the same
proposal -set.
[edit security ike]
lab@srxA-1# up 1 edit ipsec
vpn srxA-1-to-spoke-l {
bind-interface stO.O;
ike {
gateway spoke-1;
ipsec-policy policy-sec;
establish-tunnels immediately;
vpn srxA-1-to-spoke-2
bind-interface stO.O;
ike {
gateway spoke-2;
ipsec-policy policy-sec;
establish-tunnels immediately;
vpn srxA,-1-to-spoke-3
bind-interface st0.0;
ike {
gateway spoke-3;
ipsec-policy policy-sec;
esta.blish-tunnels immediately;
Step 3.5
The next step is to define the traffic that you want to traverse the VPN, also known
as interesting traffic.As you might remember from the lecture, the hub-and-spoke
solution only works as a route-based VPN. Navigate to the [edit
routing-options] hierarchy level and configure static routes for each spoke's
hosts that are associated with your assigned SRX device. These host addresses are
defined on your network diagram in the Spoke Hosts table for your assigned
SRX device. Remember that you must use the interface address of the spoke's stO
interface for the next hop of the static route. The addresses of the stO interfaces for
the spokes can also be found on your network diagram.After you add these static
routes, commit the configuration, and exit to operational mode.
[edit security ipsec]
lab@srxA-1# top edit routing-options
[edit routing-options]
lab@srxA-1# set static route spoke-I-host-address next-hop spoke-1-stO-address
[edit routing-options]
lab@srxA-1# set static route spoke-2-host-address next-hop spoke-2-stO-address
[edit routing-options]
lab@srxA-1# set static route spoke-3-host-address next-hop spoke-3-stO-address
[edit routing-options]
lab@srxA-1# show
static {
route 0.0.0.0/0 next-hop 172.18.1.l;
route 192.171.10.3/32 next-hop 10.10.10.3;
route 192.171.10.4/32 next-hop 10.10.10.4;
route 192.171.10.5/32 next-hop 10.10.10.5;
[edit routing-options]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Do not proceed to the next lab part until directed by the instruc:tor to do
so.
In this lab part, you verify your IPsec VPN using operational mode commands. You
will begin by verifying that the IKE negotiation has completed and you have valid
SAs. You will then verify that you have established IPsec SAs. Next, you will use the
ping utility to verify that traffic traverses the IPsec tunnel to reach the spoke hosts.
After verifying that traffic traverses the IPsec tunnels, you will examine the next-hop
tunnel binding (NHTB) table.
Step4.1
Enter configuration mode and begin by verifying that your IKE SAs has been
established by issuing the run show security ike
security-associations command.
[edit]
lab@srxA-1# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6356229 UP 06d4bed7e8f843bf b29ad645317fc091 Main 192.168.10.3
6356230 UP 53f6a5586c6d39e9 b16e00218bbcdbdf Main 192.168.10.4
6356231 UP 1134243107e8c9ea cda8320e185dc9d9 Main 192.168.10.5
Step4.2
Next, take a look at the IPsec SA by issuing the run show security ipsec
security-associations command.
[edit]
lab@srxA-1# run show security ipsec security-associations
Total active tunnels: 3
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:3des/shal beea905b 3077/ unlim root 500 192.168.10.3
>131073 ESP:3des/shal 7328eaf7 3077/ unlim root 500 192.168.10.3
<131074 ESP:3des/shal 3flb22d6 3077/ unlim root 500 192.168.10.4
>131074 ESP:3des/shal c48fa439 3077/ unlim root 500 192.168.10.4
Step4.3
Review the current statistics for your IPsec VPN using the run show security
ipsec statistics command.
[edit]
lab@srxA-1# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: O
AH Statistics:
Input bytes: O
Output bytes: O
Input packets: o
Output packets: O
Errors:
AH authentication failures: 0, Replay errors: O
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: O
Step4.4
Execute a quick verification test from your Local-VR routing instance to determine
whether traffic traverses your IPsec tunnel.You should ping each spoke's. host
address and source the ping from the Local - VR routing instance.Ping each host
address 5 times.Refer to your network diagram to obtain the host addresses of your
assigned spoke devices.
[edit]
lab@srxA-1# run ping spoke-2-host-address routing-instance Local-VR rapid
PING 192.171.10.4 (192.171.10.4): 56 data bytes
! ! ! ! !
--- 192.171.10.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = l.994/2.952/5.650/l.363 ms
[edit]
lab@srxi\-1# run ping spoke-3-host-address routing-instance Local-VR rapid
PING 192.171.10.5 (192.171.10.5): 56 data bytes
Step 4.5
Examine the output from the run show security ipsec statistics
command.
[edit]
lab@srxA-1# run show security ipsec statistics
ESP Statistics:
Encrypted bytes: 1360
Decrypted bytes: 1260
Encrypted packets: 10
Decrypted packets: 15
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: O
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Step 4.6
Examine the routing table for the routes that lead to the spoke host address for your
assigned device.
[edit]
lab@srxA-1# run show route spoke-1-host-address table inet.0
[edit]
lab@srxA-1# run show route spoke-2-host-address table inet.O
[edit]
lab@srxA-1# run show route spoke-3-host-address table inet.O
Step 4.7
Issue the run show security ipsec next-hop-tunnels command to
view the current next-hop tunnel bindings.
[edit]
lab@srxA-1# run show security ipsec next-hop-tunnels
Next-hop gateway interface IPSec VPN name Flag
10.10.10.3 stO.O srxA-1-to-spoke-l Auto
10.10.10.4 stO.O srxA-1-to-spoke-2 Auto
Step 4.8
Navigate to the [edit interfaces stO unit o family inet] hierarchy
level and add a static next hop tunnel binding for spoke 3's stO interface that is
associated with your assigned SRX device. When you are finished, commit the
configuration and exit to operational mode.
lab@srxA-1>
Step4.9
Issue the show security ipsec next-hop-tunnels to view the current
next hop tunnel bindings.
lab@srxA-1> show security ipsec next-hop-tunnels
Next-hop gateway interface IPSec VPN name Flag IKE-ID
XAUTH username
10.10.10.3 sto.o srxA-1-to-spoke-l Auto
192.168.10.3
10.10.10.4 stO.O srxA-1-to-spoke-2 Auto
192.168.10.4
10.10.10.5 sto.o srxA-1-to-spoke-3 Static
192.168.10.5
Step4.10
Examine the routing table for the routes that lead to the spokes host address that
are associated with your assigned SRX device.
lab@srxA-1> show route spoke-l-host-address table inet.O
Step4.11
Clear the IPsec statistics by issuing the clear security ipsec statistics
command. Then, issue 5 ping packets, which are sourced from the interface that is
directly connected to the Juniper customer device, to each spoke host address that
is associated with your assigned SRX device.
lab@srxA-1> clear security ipsec statistics
Step4.12
Issue the show security ipsec statistics command to verify that the
ping packets entered the IPsec tunnels.
lab@srxA-1> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 2040
Decrypted bytes: 1260
Encrypted packets: 15
Decrypted packets: 15
AH Statistics:
Input bytes: O
Output bytes: O
Input packets: O
Output packets: O
Errors:
AH authentication failures: 0, Replay errors: O
ESP authentication failures: 0, ESP decryption failures: O
Bad headers: 0, Bad trailers: O
Step4.13
Log out of your assigned SRX device to return it to the login prompt.
lab@srxA-1> exit
srxA-1 (ttyuO)
login:
ManagementAddressing
srxA-1 srxD-1
srxA-2 srxD-2
srxB-1 vr-device
srxB-2 Server
Server Note: Your instructor will provide address and access information.
Spoke
stO 10.10.10. 4/24
loO 192.168.10.4
Spoke3A-1
stO: 1010.10.5/ 24
loO 192.168.10.5
NonJunos / �NonJunos
Device Device
srxA-1 srxA-2
stO 10.10.10.1/24 stO 10.1010.2/24
loO 192.168.10.1 'O) (.1) loO 192.168.10. 2
( ":!!.------"-----�
Local-VR L\:·::;;
---� 172.20.200.G/24
Spoke3B-1
stO: 10.10.20.5/24
loO 192.168.20.5
NonJunos / """NonJunos
Device Device
srxB-1 srxB-2
stO 10.10.20.1/24 stO 10.10.20.2/24
loO: 192.168.20.1 (.l) loO: 192.168.20.2
. O�ll-- "-=====;;..J
Local-VR ll(,1::l.
=
©2013JuniperNetwork,, Int AJlo:(ht� reserved JUn�f Worldwide Education Services 'l'll"IW )lHllP
- .
NonJunos NonJunos
Device Device
srxC-2
stO 10.10.30.2/24
�-
( 10)
Local-VR �· _.: =) loO: 192.168.30.2
(i
--------'
172.20 1000/24 '----.J '----.J 172.20.200.0/24
/
Spoke2 192.171. 40.4 loO 192.168.40.3 loO 192.168.40.6 Spoke2 192.171.40.7
Spoke3 192.171. 40.5 Spoke3 192.171. 40.8
Spoke30-1
stO 10.10 .40.5/24
loO 192.168.40.5
NonJunos / "'NonJunos
Device Device
srxD-1 srxD-2
stO 10.10 40 1/24 10 402/24
I 1
._
1 o0:_ 1_ 9 _ ._ 1_.._.._
_2 _.1_68.40 9 2.168.40.2
-!.;r-1�0:!JJ Local-VR Local-VR .
172.20.100.0/24 .____..... ... --� ( 172202000/24
(.1)
.10)
'ir
,&2 ,i "� _,[;'
/?;---- =-�--�- =
'l'. JUf7l1Der WorldwideEducatlonServices ¥'1WWJUA1pernet
Overview
In this lab, you will load the baseline configuration for your device. The configuration will
include interfaces, interfaces zone assignments, security policies to allow traffic between
zones, and a stateless firewall filter for selective packet-based services. You will then
configure your device to act as a member of a group IP Security (IPsec) virtual private
network (VPN). You will use the loopback interface as your gateway interface. The key
server has been preconfigured with all the necessary requirements. The IPsec tunnel will
be configured to encrypt and pass traffic for the Juniper customer networks attached to
each student device within a single pod. After completing your configuration, you will
verify the IPsec VPN status on your local device. You will also verify functionality and
reachability from the virtual router device. For all IP addresses and network information,
please refer to the Network Diagram: Lab 6 slide in your Lab Diagrams handout.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Use the Junos command-line interface (CLI) to load the baseline configuration.
Use the Junos CLI to configure the group IPsec VPN parameters.
Assign interfaces to security zones.
Implement security policies between zones.
Verify that the expected traffic traverses the VPN.
Monitor the effects of the configuration from the local device.
Verify reachability by using the virtual router (VR) device.
In this lab part, you change the current configuration for the loopback IP address.
You will then add the loopback to the appropriate zone and allow appropriate
host-bound traffic. You will configure the appropriate policies to allow
communication to the loopback interface.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the Management Network Diagram to
determine the management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using either the console,
Telnet, or SSH as directed by your instructor.
Po1t
Connect J I Cancel
Step 1.3
Log in as user lab with the password lab123. Enter configuration mode and load
the lab6-start. configfrom the /var/home/lab/ajsec/ directory. Commit the
configuration and exit to operational mode when complete.
srxA-1 (ttyuO)
login: lab
Password:
[edit]
lab@srxA-1# load override ajsec/lab6-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 1.4
Navigate to the [edit interfaces] hierarchy. Change the loopback interface
address to correlate with the loopback address for your assigned device, as defined
in the network diagram.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# show loO
unit O {
family inet {
filter {
input protect-cp;
address 192.168.1.1/32;
[edit interfaces]
[email protected],-1# delete loO. 0 family inet address address
[edit interfaces]
lab@srx A -1# set loO.O family inet address address
[edit interfaces]f
lab@srx A -1# show loO
unit O {
family inet {
filter {
input protect-cp;
address 192.168.11.1/32;
[edit interfaces]
lab@srxA-1#
Step 1.5
Navigate to the [edit security zones security-zone untrust]
hierarchyand add the loopback interface. After adding the interface , configure the
loopback interface to allow Internet keyexchange (IKE) packets.
[edit interfaces]
lab@srxA-1# top edit security zones security-zone untrust
[edit security]
lab@srxA-1# edit policies
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
0 Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you configure the local group IPsec VPN parameters needed to
establish the VPN to the key server. Please refer to network diagram for the IP
address information for the key server. You will begin by defining your IKE policy and
gateway information. You then will configure the correct parameters for the IPsec SA.
Throughout this lab part, we include examples of the corresponding key server's
configuration.
Note
The following configuration is the key
server's IKE policy configuration that
corresponds to your next step.
Note
The following configuration snippet is one
of the key server's IKE gateway
configurations, which corresponds to your
next step.
This specific configuration snippet is only
for srxA-1. Each student device will have a
similar configuration on the key server.
Note
The following configuration represents the
key server's IPsec proposal that will be
used in the IPsec policy.
You will not locally define an IPsec proposal
or policy, because the key server is
responsible for pushing these parameters
to all group members.
Note
The following configuration defines the
group properties, for the student devices in
Pod A, on the key server. Note that the
policies that define interesting traffic are
defined on the key server under the group
configuration. Please note that this
configuration is only for the devices
participating in group 1. For members of
another group, the server configuration is
very similar, but will contain the appropriate
group, server address, gateways, and policy
addresses. All other properties are
configured the same.
ipsec-sa group-1-sa {
proposal group-proposal;
match-policy dynamicl {
source 172.20.101.0/24;
destination 172.20.102.0/24;
source-port O;
destination-port O;
protocol O;
match-policy dynamic2
source 172.20.102.0/24;
destination 172.20.101.0/24;
source-port O;
destination-port O;
protocol O;
Step 2.3
Navigate to the [edit security group-vpn member ipsec] hierarchy and
create a VPN named vpn-group. Define your IKE gateway you created in the
previous step to be used for this VPN. Also define the external interface from which
to signal the IKE and IPsec SAs as your local loO.O interface. Finally, configure your
device to be a member of VPN group number according to the following table.
srxC-1 3
srxD-1 4
srxD-2 4
Step 2.4
Navigate to the top of the configuration hierarchy, and commit the configuration.
[edit security group-vpn member ipsec]
lab@srxA-1# top
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
0 Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you alter the current security policies to send the Juniper customer
traffic into the IPsec VPN that you have created.
Step 3.1
Navigate to the [edit security policies] hierarchy and create a security
policy named secure- traffic that allows traffic from the Juniper customer zone
to the untrust zone. Use the existing vrlOyaddress-book entry for your policy's
source-address match. The value of yis the remainder of the VLAN ID
associated with your local Juniper customer network. Configure the
destination-address to match the address-book entry vrlOlf, where the
value of lf is the remainder of the VLAN ID associated with your remote team
member's Juniper customer network. Indicate that matching traffic should be sent
to the IPsec VPN.
[edit]
lab@srxA-1# edit security policies
policy secure-traffic {
match {
source-address vrlOl;
destination-address vrl02;
application any;
}
then {
permit
tunnel
ipsec-group-vpn vpn-group;
Step 3.2
Re-order the policies under the [edit security policies from-zone
Juniper-local to-zone untrust] hierarchy level using the insert
command. When finished, navigate to the top of the configuration hierarchy, and
commit the configuration.
[edit security policies from-zone Juniper-SV to-zone untrust]
lab@srxA-1# insert policy secure-traffic before policy internet-Juniper-local
policy internet-Juniper-SV
then {
permit;
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
0 Before proceeding, ensure that the remote student team in your pod
finishes the previous steps.
In this lab part, you verify that both the IKE SA and IPsec SA have been negotiated.
You will also verify that you have an established key encryption key (KEK) SA for your
VPN. You will then review the policies that have been sent to your device from the
key server. Finally, you will verify that traffic from your local Juniper site will use the
IPsec VPN to reach the remote Juniper site using the ping utility.
Step4.1
Verify that the IKE SA has been correctly negotiated using the run show
security group-vpn member ike security-associations command.
[edit]
lab@srxA-1# run show security group-vpn member ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1 UP Oe3d5fc9f338a9b7 bl5c33725729b52c Main 192.168.11.3
Step4.2
Verify that you have a valid IPsec SA using the run show security group-vpn
member ipsec security-associations command.
[edit]
lab@srxA-1# run show security group-vpn member ipsec security-associations
Total active tunnels: 1
ID Server Port Algorithm SPI Life:sec/kb Gid vsys
>133955586 192.168.11.3 848 ESP: 3des/shal 6669c709 1038/ unlim 1 root
<133955586 192.168.11.3 848 ESP: 3des/shal 6669c709 1038/ unlim 1 root
Step4.3
Next, verify that you have a valid KEK SA using the run show security
group-vpn member kek security-associations command.
[edit]
lab@srxA-1# run show security group-vpn member kek security-associations
Index Remote Address State Initiator cookie Responder cookie Groupid
3 192.168.11.3 UP 047ee7f0deb048d5 1699fe96e61343b5 1
Step4.4
Use the run show security dynamic-policies command to review the
policies being used on your local device that were sent down from the key server.
[edit]
lab@srxA-1# run show security dynamic-policies
From zone: Juniper-SV, To zone: untrust
Policy: secure-traffic-0001, State: enabled, Index: 1048582, Scope Policy: 6,
Sequence number: 1
Source addresses:
N/A: 172.20.101.0/24
Destination addresses:
N/A: 172.20.102.0/24
Applications: Unknown, Unknown( [0-0]->[0-0]/0)
Action: permit, tunnel
Step4.5
Issue the run clear security group-vpn member ipsec statistics
command to clear the group VPN statistics.
[edit]
lab@srxA-1# run clear security group-vpn member ipsec statistics
Note
The next lab steps require you to log in to
the virtual router attached to your team's
device. The virtual routers are logical
devices created on a J Series Services
Router. Refer to the Management Network
Diagram for the IP address of the vr-device.
Although you have two virtual routers
attached to your student device, you only
need to establish a single session.
Step4.6
Open a separate Telnet session to the virtual router attached to your device.
11 Connect J I Cancel J
Step4.7
Log in to the virtual router using the login information shown in the following table:
vr-device (ttydO)
login: username
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
al@vr-device>
Step4.8
From the Telnet session established with the virtual router, verify that your local
Juniper customer device can ping the remote team's Juniper customer device. To
confirm reachability, ping the remote virtual routers attached to the remote peer
device. Source the ping from the virtual router's routing instance associated with
your local Juniper customer network. Refer to the lab network diagram if needed.
Ping this destination 5 times.
al@vr-device> ping remote-Juniper-vr-address routing-instance
vrlocal-Juniper-VLAN count 5
PING 172.20.102.10 (172.20.102.10): 56 data bytes
64 bytes from 172.20.102.10: icmp_seq=O ttl=62 time=5.196 ms
64 bytes from 172.20.102.10: icmp_seq=l ttl=62 time=3.950 ms
64 bytes from 172.20.102.10: icmp_seq=2 ttl=62 time=3.979 ms
64 bytes from 172.20.102.10: icmp_seq=3 ttl=62 time=4.230 ms
64 bytes from 172.20.102.10: icmp_seq=4 ttl=62 time=3.940 ms
Step4.9
Once you have verified that the pings complete, log out of the virtual router and
close out the session.
al@vr-device> exit
vr-device (ttydO)
login:
Step4.10
Return to the session established with your assigned SRX device.
From your assigned SRX device, review the IPsec statistics to verify that the ping
packets you sent from the virtual router device used the IPsec VPN. This can be
accomplished using the run show security group-vpn member ipsec
statistics command.
[edit]
lab@srxA-1# run show security group-vpn member ipsec statistics
ESP Statistics:
Encrypted bytes: 680
Decrypted bytes: 420
Encrypted packets: 5
Decrypted packets: 5
AH Statistics:
Input bytes: O
Output bytes: O
Input packets: O
Output packets: O
Errors:
AH authentication failures: 0, Replay errors: O
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: O
Step4.11
Exit configuration mode and log out of your assigned device using the exit
command.
[edit]
lab@srxA-1# exit
Exiting configuration mode
lab@srxA-1> exit
srxA-1 (ttyuO)
login:
ManagementAddressing
�-1 I srxD-1 I
xA-2 srxD-2 I
j srxB-1 I vr-device I
srxB-2 Server
srxC-1 Gateway
srxC-2 Term Server
Server Note: Your instructor will provide address and access information.
-- lnterfacege-0/0/4 --
172.20.201.0/24 172.20.102.0/24
(� (�
-- lnterfacege-0/0/4 --
172 20 203 0/24
(.10)
vlan.105
-- lnterfacege-0/0/4 --
172.20.205.Q/24
(.10)
Juniper-SY ACME-WF
(.l) v lan.20?
-- lnterfacege-0/0/4 ---
172 20 2070/24 172 20 108 0/24
(.� (.�
Overviiew
In this lab, you will load the baseline configuration for your device. The configuration will
include interfaces, interfaces assigned to their zones, security policies to allow traffic
between zones, and a stateless firewall filter for selective packet-based services. You will
then configure your device to peer with the remote device in your pod through a route
based site-to-site IP Security (IPsec) VPN. You will use the external ge-0/0/3 interface as
your gateway. You will then configure a generic routing encapsulation (GRE) tunnel to
operate over the site-to-site IPsec VPN. After establishing GRE through the IPsec tunnel
you will configure your device to establish an OSPF adjacency with the remote peer over
this GRE tunnel as well as with the local Juniper customer site. Next, you will configure
static NAT to route traffic between the overlapping address space of your assigned
Local-VR device and the remote Local-VR device. After completing your configuration, you
will verify the functionality on your local device using show commands as well as using
the ping utility. For all IP addresses and network information please refer to the Lab 7
network diagram for your assigned pod.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Use the Junos command line interface (CU) to load the baseline configuration.
Use the Junos CU to configure the IPsec VPN parameters.
Use the Junos CU to configure the GRE tunnel.
Use the Junos CU to configure the OSPF protocol.
Assign interfaces to security zones.
Implement security policies between zones.
Verify that the expected traffic traverses the VPN using the OSPF route.
Use the Junos CU to configure static NAT.
Monitor the effects of the configuration from the local device.
In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the CLI to log
in to your designated station. Then, you will load the starting configuration for Lab 7.
Next, you will examine the routing tables to determine the paths that traffic will use.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI at your station using either the console, Telnet, or SSH as directed by
your instructor. Refer to the Management Network Diagram for the IP adclress
associated with your workstation. The following example is based on simple Telnet
access using the Secure CRT program.
� . Connect �
. '
I Cancel I
Step 1.3
Log in as user lab with the password labl23. Enter configuration mode and load
the lab7-start. configfrom the /var/home/lab/ aj sec/ directory.
Commit the configuration when complete.
login: Iab
Password:
[edit]
lab@srxl,-1# load override ajsec/lab7-start.config
[edit]
lab@srxl,-1# commit
commit complete
[edit]
lab@srxl,-1#
Step 1.4
Review the routing tables and determine which routes are used to reach the remote
device networks.
lab@srxll-1# run show route
In this lab part, you configure the interfaces for the route based IPsec VPI\J. You will
configure the Internet key exchange (IKE) and IPsec parameters to establish the
IPsec tunnel between the external ge-0/0/3 interfaces.You will then create a vpn
zone and assign the appropriate interfaces. You will then create policies to allow
traffic to use the vpn zone.
Step 2.1
Configure the stO interface with the IP address and network that is defined in the
following table for your assigned device.
srxA-2 10.10.10.2/24
srxB-1 10.10.20.1/24
srxB-2 10.10.20.2/24
srxC-1 10.10.30.1/24
srxC-2 10.10.30.2/24
srxD-1 10.10.40.1/24
srxD-2 10.10.40.2/24
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# set stO unit O family inet address stO-address/24
[edit interfaces]
lab@srxl,-1#
Step 2.2
Navigate to the [edi t security ike] hierarchy and create a policy called
policy-1. Configure the IKE policy to use main mode and take advantage of the
pre-defined standard proposal-set. Configure your policy to use a
pre-shared-key, the key should be defined as juniper. Review the policy
before moving on.
[edit interfaces]
lab@srxl,-1# top edit security ike
establi:ah-tunnels immediately;
Step 2.7
Create a zone named vpn and add the stO interface. Verify the recent changes to
both zones.
[edit security zones]
lab@srxA-1# set security-zone vpn interfaces stO.O
Step 2.8
Navigate to the [edit security policies] hierarchy and create two policies.
The first policy will allow traffic from the Juniper customer zone to enter tile vpn
zone and will be named juniper-to-vpn. The second policy will allow traffic to
enter the Juniper customer zone from the vpn zone and will be named
vpn-to-juniper. Once you have verified your configuration, commit these
changes and exit to operational mode.
[edit security zones]
lab@srxA-1# up 1 edit policies from-zone Juniper-local to-zone vpn
lab@srxl,-1>
Note
Before proceeding, ensure that the remote student team in your pod
finishes the previous steps.
Step 2.9
Verify that the IKE SA has been correctly negotiated using the show security
ike security-associations command.
Step 2.10
Next, verify that you have a valid IPsec SA using the show security ipsec
security-associations command.
lab@srxA-1> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/shal e9829557 3506/ unlim root 500 172.18.2.2
>131073 ESP:3des/shal ec47b6d2 3506/ unlim root 500 172.18.2.2
Do not proceed to the next lab part until directed by the instruc:tor to do
so.
In this lab part, you configure a GRE tunnel. This tunnel will establish over the
existing IPsec VPN to the remote site's gateway device. This tunnel will be sourced
from the sto interface and will terminate on the remote team's stO interface. You
will add the GRE interface to your Juniper customer zone. You will then configure the
vpn zone to recognize and allow the GRE traffic coming in from the IPsec VPN.
Step 3.1
Enter configuration mode and navigate to the [edit interfaces gr-0/0/0
unit o] hierarchy. Configure the source and destination addresses that are going
to be used to establish the GRE tunnel. The tunnel source should be configured as
your local stO interface address, and the destination address should be configured
as the remote team's stO interface address. After defining the source and
destination of the tunnel, you need to specify the IP address for the GRE interface,
which is defined on the network diagram for your assigned pod.
lab@srxi\-1> configure
Entering configuration mode
[edit]
lab@srxl\-1# edit interfaces gr-0/0/0.0
interfaces
vlan.101;
gr-0/0/0.0;
lab@srxA-1>
0 Before proceeding, ensure that the remote student team in your pod
finishes the previous steps.
Step3.4
Clear the statistics for the IPsec VPN by issuing the clear s ecurity ipsec
statistics command.This command clears all statistics related to all traffic that
has traversed the IPsec VPN. After clearing the statistics, ping through the IPsec
VPN, by pinging the remote GRE interface address 5 times.This task can be
accomplished using the ping remote-GRE-IP-address rapid command.
After pinging the remote GRE interface, review the IPsec statistics to verify the traffic
is traversing the tunnel.
lab@srxA-1> clear security ipsec statistics
Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you configure OSPF to establish an adjacency over the GRE tunnel.
You will also add the Juniper customer facing interface to you OSPF area. The
Juniper customer zone must be configured to allow the OSPF protocol. After
establishing your adjacencies, you will review your route table and ensure you have
the correct OSPF routes. You will finally verify that you are able to reach the remote
Juniper customer site using the ping utility.
[edit]
lab@srxA-1# edit protocols ospf area O
lab@srxA-1>
Before proceeding, ensure that the remote student team in your pod
finishes the previous steps.
Step4.3
Begin verifying your configuration by looking at the OSPF neighborships.
Step4.4
Review the OSPF routes installed in your routing table.
lab@srxA-1> show route protocol ospf
Answer: Yes, you should see the OSPF routes for the
route for the remote team's Juniper customer
network and well as the remote Juniper customer
site's loopback address.
Step 4.5
Verify reachability to the remote Juniper customer's site.You will use the ping utility
to send 5 ICMP requests to the Juniper customer device's IP address. Your local
device will use the route learned through OSPF, which is established over the GRE
tunnel which is signalled over your IPsec VPN.You can accomplish this task by
issuing the ping remote-juniper-IP-address rapid command.
lab@srxA-1> ping remote-juniper-vr-address rapid
PING 172.20.102.10 (172.20.102.10): 56 data bytes
! ! ! ! !
--- 172.20.102.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.668/2.901/3.195/0.190 ms
Note
0 Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you configure static NAT on your SRX device to facilitate
communication between your Local-VR device and the remote team's Local-VR
device even though they use the same address space. Once you have configured
static NAT, you will direct this traffic over the IPsec tunnel that you have previously
configured.
Step 5.1
Enter configuration mode and navigate to the [edit security policies]
hierarchy level and configure your SRX device to allow all communication between
the acquired zone and the vpn zone.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# edit security policies from-zone acquired to-zone vpn
Note
Step 5.3
Navigate to the [edit security nat static] hierarchy level. Configure a
rule set that only translates traffic that traverses the ge-0/0/3 interface.
[edit security policies from-zone vpn to-zone acquired]
lab@srxA-1# top edit security nat static rule-set static-nat
Step 5.7
To further diagnose the problem, issue the run traceroute 10. 211._¥.10
routing-instance Local-VR command. Where _ris 2 if your assigned device
is SRX1 and Xis 1 if your assigned device is SRX 2.
[edit security nat static]
lab@srxA-1# run traceroute 10.211._¥.10 routing-instance Local-VR
traceroute to 10.211.2.10 (10.211.2.10), 30 hops max, 40 byte packets
1 172.20.100.1 (172.20.100,1) 1.950 ms 2.386 ms 1.654 ms
2 * * *
29 * * *
30 * * *
Step 5.8
Configure a static route for the remote team's external NAT address space and use
the stO interface as the next hop for the route. Remember that you can view the
remote team's external NAT address space by examining your Lab 7 network
diagram. When you are finished, commit the configuration.
[edit security nat static]
lab@srxA-1# top edit routing-options
[edit routing-options]
lab@srxA-1# set static route remote-teams-external-nat-address/24. next-hop stO
[edit routing-options]
lab@srxA-1# show
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
route 10.211.2.0/24 next-hop stO.O;
[edit routing-options]
lab@srxA-1# commit
commit complete
[edit routing-options]
lab@srxA-1#
Step 5.9
Clear the static NAT statistics by issuing the run clear security nat
statistics static rule all command. Then, test connectivity by pinging
the remote team's Local-VR device 5 times by issuing the run ping
10.211._r.10 routing-instance Local-VR rapid command. Where_ris
.r
2 if your assigned device is SRX1 and is 1 if your assigned device is SRX2.
[edit routing-options]
lab@srxA-1# run clear security nat statistics static rule all
[edit routing-options]
lab@srxA-1# run ping 10.211._!'.10 routing-instance Local-VR rapid
[edit routing-options]
lab@srxA-1# top deactivate protocols ospf
[edit routing-options]
lab@srxA-1# top edit security nat static
lab@srxA-1>
0 Before proceeding, ensure that the remote student team in your pod
finishes the previous steps.
Step 5.12
Clear the current IPsec statistics by issuing the clear security ipsec
statistics command. Then, test connectivity by pinging the remote team's
Local-VR device 5 times by issuing the ping 10. 211._r. 10
routing-instance Local-VR rapid command, where_ris 2 if your
assigned device is SRX1 and Xis 1if your assigned device is SRX2.
lab@srxA-1> clear security ipsec statistics
Step 5.14
Log out of your assigned SRX device to return it to the login prompt.
lab@srxA-1> exit
srxA-1 (ttyuO)
login:
., .,
ge-0/0/0(on allstudentdevices)
--·@/ srxA-1
----�
_......--
R ··· ·········· ·• Serial Console�
sea.�
,
Terminal\�'- Connections srxA-2
Server \ '- Workstations
'\
, '-,
\' .......
\' .......�
\e
Management Addressing
\' srxD-2 �
srx A -1 I srxD-1
\ '\
11
srxA-2 I srxD-2
srxB-1 I vr-device
\ vr-device srxB-2 I Server
srxC-1 I Gateway
srxC-2 I Term Server
Server Note: Your instructor will provide address and access informabon.
vr202
ACME-WF
Ecal-VR I
(.10)\
Juniper-SY ACME-WF
...
�::i:t� t:;.o,;;�;��llig?it;�tstlWQ JUnJPff Worldwide Education Services jUn1p�r t �,
�-- � ---� -- -
\'mll."1
'
-- lnterfacege-0/0/4 --
172.20 2050/24 172.20106.0/24
(� (�
vr108
....,.,,......,,..,,..- -- Virtual Routers --
Juniper-WF ACME-WF
Overvi,ew
In this lab, you will examine log outputs to determine useful troubleshooting information.
You will then configure security flow traceoptions to troubleshoot a failing Telnet session.
When you discover the reason behind the Telnet session failure you will fix the problem.
You will then work as a team to troubleshoot a down IP Security (IPsec) tunnel. Once the
problem with the IPsec tunnel has been discovered, you will fix it and bring the tunnel
back to its operational state.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab you will perform the following tasks:
View and examine logs.
Configure security traceoptions.
Troubleshoot a failing Telnet session.
Troubleshoot an IPsec tunnel that is down.
In this lab part, you examine various logs that will aid in the troubleshooting process.
You will also configure and examine security flow traceoptions to troubleshoot a
failing Telnet session.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the command-line interface (CLI) at your station using either the console,
Telnet, or SSH as directed by your instructor.
Connect J J Cancel I
Step 1.3
Log in as user lab with the password labl2 3. Enter configuration mode and load
the 1 abB -start . config from the /var/home/lab/ajsec/ directory. Commit the
configuration and exit to operational mode when complete.
srxA-1 (ttyuO)
login: lab
Password:
[edit]
lab@srxA-1# load override ajsec/labB-start.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxi\-1>
Step 1.4
The following output was obtained from a previous IPsec lab. Examine this output
and answer the following question.
lab@srxi\-1> show log kmd I match ike I last 500
May 17 01:27:13 ike_encode_packet: Start, SA= { Oxa6aa156a 570e2c7a - b4beflbl
9735b07c } I 00000000, nego = -1
May 17 01:27:13 ike_send_packet: Start, send SA= { a6aa156a 570e2c7a - b4beflbl
9735b07c}, nego= -1, src= 172.18.1.2:500, dst= 172.18.2.2:500, routing
table id= O
May 17 01:27:13 ike_get_sa: Start, SA= { a6aa156a 570e2c7a - b4beflbl 9735b07c
} I 00000000, remote= 172.18.2.2:500
May 17 01:27:13 ike sa find: Found SA= { a6aa156a 570e2c7a - b4beflbl 9735b07c
}
May 17 01:27:13 ike_decode_packet: Start
May 17 01:27:13 ike_decode_packet: Start, SA= { a6aa156a 570e2c7a - b4beflbl
9735b07c} I 00000000, nego= -1
May 17 01:27:13 ike_st_i_nonce: Start, nonce[O..64] = 5ad36bfc 546ea59b
May 17 01:27:13 ike_st_i_ke: Ke[O..128] = Ola07b91 cad30148 ...
May 17 01:27:13 ike-st-i-er: Start
May 17 01:27:13 ike st i cert: Start
May 17 01:27:13 ike-st_i_private: Start
May 17 01:27:13 ike st 0 id: Start
May 17 01:27:13 ike_st_o_hash: Start
May 17 01:27:13 ike_find_pre_shared_key: Find pre shared key key for
172.1.8.1.2:500, id= ipv4(udp:500, [0..3]=172.18.1.2) -> 172.18.2.2:500, id
No Id
May 17 01:27:13 ike_policy_reply_find_pre_shared_key: Start
May 17 01:27:13 ike_calc_mac: Start, initiator= true, local true
May 17 01:27:13 ike_st_o_status_n: Start
May 17 01:27:13 ike_st_o_private: Start
May 17 01:27:13 ike_policy_reply_private_payload_out: Start
May 17 01:27:13 ike st o encrypt: Marking encryption for packet
May 17 01:27:13 ike_=-en�ode_packet: Start, SA= { Oxa6aa156a 570e2c7a - b4beflbl
9735b07c } I 00000000, nego= -1
May 17 01:27:13 ike_send_packet: Start, send SA= { a6aa156a 570e2c7a - b4beflbl
9735b07c}, nego = -1, src= 172.18.1.2:500, dst= 172.18.2.2:500, routing
table id= O
May 17 01:27:13 ike_get_sa: Start, SA= { a6aa156a 570e2c7a - b4beflbl 9735b07c
} I d9fa307f, remote= 172.18.2.2:500
Step 1.5
Examine the following output and answer the question.
lab@srxA-1> show log kmd I match "initiator/responder" I last 500
May 17 01:23:03 172.18.1.2:500 (Responder) <-> 172.18.2.2:500 { 8e0364fc
54639b87 - 53869911 bd032772 [-lJ / OxOOOOOOOO } IP; Reserved 1 not O
May 17 01:23:03 172.18.1.2:500 (Responder) <-> 172.18.2.2:500 { 8e0364fc
54639b87 - 53869911 bd032772 [-lJ / OxOOOOOOOO } IP; Error = Payload
malformed (16)
May 17 01:23:13 ike_init_isakmp_sa: Start, remote = 172.18.2.2:500, initiator
1
May 17 01:23:13 ike calc mac: Start, initiator = true, local = true
May 17 01:23:13 172�18.1�2:500 (Responder) <-> 172.18.2.2:500 { 8be54c6d
6eb863f3 - f05b6749 Obb9795b [OJ I Ox2f8a2la3 } Info; Notification data has
attribute list
May 17 01:23:13 172.18.1.2:500 (Responder) <-> 172.18.2.2:500 { 8be54c6d
6eb863f3 - f05b6749 Obb9795b [OJ I Ox2f8a2la3 } Info; Notify message version
= 1
May 17 01:23:13 172.18.1.2:500 (Responder) <-> 172.18.2.2:500 { 8be54c6d
6eb863f3 - f05b6749 Obb9795b [OJ I Ox2f8a2la3 } Info; Offending payload type
= 156
[edit]
lab@srxA-1# edit security nat destination
Step i8
Navigate to the [edit security nat destination rule-set
dst-nat-untrust] hierarchy level. Configure the rule set to accept connections
from the untrust zone, and then configure a rule named dst-telnet to match
Telnet traffic on the destination address of the ge-0/0/3 interface address. Next,
configure the rule dst-telnet to use the NAT pool dst-nat-pool fo1·
connections that match this rule's criteria.
[edit security nat destination]
lab@srxA-1# edit rule-set dst-nat-untrust
rule-set dst-nat-untrust
from zone untrust;
rule dst-telnet {
match {
destination-address 172.18.1.2/32;
destination-port 23;
}
then {
destination-nat pool dst-nat-pool;
Step 1.9
Navigate to the [edit security flow traceoptions] hierarchy level.Store
the traceoptions in the file named dst-nat-telnet. log, and configure the
flag all option.Once you are finished, commit the configuration.
[edit security nat destination rule-set dst-nat-untrust]
lab@srxA-1# up 3
[edit security]
lab@srxA-1# edit flow traceoptions
Step 1.11
Log in to the VR using the login information shown in the following table:
vr-device (ttypO)
login: username
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
al@vr-device>
Step 1.1.2
From the Telnet session established with the virtual router, initiate a Telnet
connection to your assigned SRX device's ge-0/0/3 interface address. Source the
telnet connection from the virtual router's ISP routing instance
internet-instance, where instance is the letter of your assigned pod. Refer
to the following table.
Step 1.13
Return to the session of your assigned SRX device.
From your assigned SRX device, troubleshoot the issue by examining the recently
configured traceoptions using therun show log dst-nat-telnet.log
command.
[edit security flow traceoptions]
lab@srxA-1# run show log dst-nat-telnet.log
May 17 00:48:47 00:48:46.1274154:CID-0:RT: refreshing session
Step 1.14
Configure the packet filter telnet-sessions in the security flow traceoptions
that will only allow the log file to collect information from sessions using the
destination port number 23. Commit the configuration when you are finished.
[edit security flow traceoptions]
lab@srxA-1# set packet-filter telnet-sessions destination-port telnet
Step 1.18
Navigate to the [edit security zones security-zone untrust]
hierarchy level. Configure the untrust zone with the address book entry of
isp-int for the interface address of the ISP virtual router.
[edit security flow traceoptions]
lab@srxA-1# up 2
[edit security]
lab@srxA-1# edit address-book untrust
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 1.20
Return to the Telnet session established with the virtual router.
vr-device (ttypl)
login:
Step 1.21
Return to the session established with your assigned SRX device.
From your assigned SRX device, remove the traceoptions configured under the
[edit security flow] hierarchy level. When you are finished, commit the
configuration.
[edit]
lab@srxA-1# delete security flow traceoptions
[edit]
lab@srxA-1# coilllllit
commit complete
[edit]
lab@srxA-1#
0 Do not proceed to the next lab part until directed by the instructor to do
so.
In this lab part, you troubleshoot an IPsec tunnel that is down.The team that is
working on srx�-2. where� is the letter of your assigned pod, will load a
configuration that will cause the previously established site-to-site IPsec tunnel to go
down. Both teams will then work together and troubleshoot the tunnel from sr�-1's
perspective.
Step 2.1
Issue the run show security ike security-associations and run
show security ipsec security-associations commands.
[edit]
lab@srxA-1# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7999631 UP f847490a6634589a 4f76c4285dfdObed Main 172.18.2.2
[edit]
lab@srxA-1# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:3des/shal 74955979 2899/ unlim root 500 172.18.2.2
>131073 ESP:3des/shal 52c2db54 2899/ unlim root 500 172.18.2.2
Step 2.2
Note
From the session established with srxx-2, load the labB-IPsec_down. config
from the /var/home/lab/ajsec/ directory.Commit the configuration and exit to
operational mode when complete.
[edit]
lab@srxA-2# load override ajsec/lab8-IPsec_down.config
load complete
lab@srxA-2>
Note
Step 2.3
From the Telnet session established with srxx-1, issue the clear security ike
security-associationsand clear security ipsec
security-associationscommands. Then issue the show security ike
security-associationsand show security ipsec security
associationscommands.
[edit)
lab@srxA-1# run clear security ike security-associations
[edit)
lab@srxA-1# run clear security ipsec security-associations
[edit)
lab@srxA-1# run show security ike security-associations
[edit)
lab@srxA-1# run show security ipsec security-associations
Total active tunnels: O
Step 2.4
Ping the remote side of the IPsec tunnel to test connectivity.
[edit]
[email protected]# run ping 172.18.2.2 detail count 2
PING 172.18.2.1 (172.18.2.2): 56 data bytes
64 bytes from 172.18.2.2 via ge-0/0/3.0: icmp_seq=O ttl=64 time=6.842 ms
64 bytes from 172.18.2.2 via ge-0/0/3.0: icmp_seq=l ttl=64 time=7.340 ms
Step 2.5
Navigate to the [edit security ike] hierarchy level.Configure the
traceoptions to record any IKE related activity.
[edit]
lab@srxA-1# edit security ike
[edit security]
lab@srxA-1# edit ipsec
Step 2.7
Clear the kmd log file of old information by issuing the run clear log kmd
command. Examine the kmd log file by issuing the run show log kmd
command.
Note
Step 2.8
Filter the kmd logs by issuing the run show log kmd I match ike command.
[edit security ipsec]
lab@srxA-1# run show log kmd I match ike
May 17 23:46:22 ike decode packet: Start, SA { d4577a78 Od5cl5e0 - 4228ba42
fb2el2b8} / 00000000, n;go = -1
May 17 23:46:22 ike_decode_payload_sa: Start
Step 2.9
Filter the kmd logs by issuing the run show log kmd I match
"initiator/ responder" command.
[edit security ipsec]
lab@srxA-1# run show log kmd I match "initiator/responder"
Note
Step 2.10
Navigate to the [edit securi tyJ hierarchy.Change the pre-shared key, located
within the policy policy-1, to juniperRocks. Commit the configuration when
complete.
[edit security ipsecJ
lab@srxA-1# top edit security
[edit security]
lab@srxA-1# commit
commit complete
[edit security]
lab@srxi'>.-1#
Step2.11
Issue the show security ike security-associations and show
security ipsec security-associations commands.
[edit security]
lab@srxA-1# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7999688 UP db463a8d62e4a2ee 0901447ee7eef5c0 Main 172.18. 2.2
[edit security]
lab@srxA-1# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:3des/shal ac88ee70 3572/ unlim root 500 172.18.2.2
>131073 ESP:3des/shal b40c7e65 3572/ unlim root 500 172.18.2.2
Note
Step2.12
Enter configuration mode and load the reset.config file from the /var/home/lab/
ajsec/ directory. Commit the configuration and return to operational mode when
complete. Log out of your assigned device using the exit command.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# load override ajsec/reset.config
[edit]
lab@srxA-1# commit and-quit
www.juniper.net Performing Security Troubleshooting Techniques (Detailed) • Lab 8-23
Advanced Junos Security
commit complete
Exiting configuration mode
lab@srxA-1> exit
srxA-1 (ttyuO)
login:
Management Addressing
srxA-1 srxD-1
-i
_i
-I
srxA-2 srxD-2
srxB-1 vr.<fevice
srxB-2 Server
\ srxC-1 _ Gateway ii
'E1
-
srxC-2 Term Server ii
Server Note: Your instructor will provide address and access information.
--- lnterfacege-0/0/4 --
172.20.2010/24 17220 1020/24
(.� (.�
vlan.103
--- lnterfacege-0/0/4 -----�
172.20.2030/24
(.10)
vlan.105
-- lnterfacege-0/0/4 --
172.20.205.0/24 172.20.106.0/24
(.10) (.10)
vlan.107
-- lnterfacege-0/0/4 -�----
172 20 2070/24
(.10)