mjm111690 (Contributor)

Newbie Configuring J2320

Please help this newbie, I was volunteered for this and need to have something by the end of tomorrow...

I've inherited a J2320 which is the WAN connection for an internal LAN and I need some fast advice on how to configure it.  I understand the technology, I have configured some Cisco routers in the past, first time for Juniper and I don't have a contract with Juniper to get help.  On-line documentation doesn't help me.  What I need is this:

My public WAN IP is 12.35.45.202. That is the only IP allotted for the LAN. There are three internal LANs with private IPs 10.1.1.0/24, 10.2.1.0/24 and 10.3.1.0/24. The downstream connection from the J2320 is a Cisco switch configured with VLANs 10, 20 and 30 for those three private subnets. The J2320 will have one port connected to the public IP and another port connected to the switch over a trunk consisting of the three VLANs (subnets).
Right now, on that first subnet will be a Subversion server 10.1.1.35, a Web server 10.1.1.36 and an FTP server 10.1.1.37. On the second subnet are the laptops of folks that need to get out on the internet as well as have access to the three servers. They will get DHCP from the J2320 on the 10.2.1.0/24. Third subnet: what I'll do in the future is add a proxy server for all internet access for all users, not doing that yet.
Can I get help on this? Can someone give the configuration they would do for this?
In order of importance...
Most concerned about the port forwarding to get the servers to be available to the public.
Second concern is getting the DHCP server to work for the workstations on the 10.2.1.0/24 network and the NATting so the workstations can get out on the internet.
Third most important is the trunking connection between the J2320 and the switch.
Fourth is making sure the firewall capability is working for the J2320 to protect all three subnets as well as the router itself from the internet.
Last on the list is the provision for the proxy (which I imagine has to do with the security zones).
Please, this may seem like a lot but not for someone versed in Juniper. I would really appreciate the help. If you have a config for this please share.

ronf (Super Contributor)

Re: Newbie Configuring J2320

The attached config should get you started. This configuration has all three internal sub-interfaces in the same security zone, but you could of course separate them out into multiple different zones if desired. I did not validate everything, but if you have experience with networking, you should be able to use this to get started. Also, if you have an IOS configuration, you could try the i2j tool to convert it into a JunOS configuration as a starting point.

Ron

JNCIE-SEC #127
lyndidon (Distinguished Expert)

Re: Newbie Configuring J2320

Just a quick suggestion: Next time, don't enter your real IP address in the forum (assuming that you did; no need to comment to validate or invalidate this assumption). You never know who is out there trolling for info to attack your network.

mjm111690 (Contributor)

Re: Newbie Configuring J2320

Thanks

mjm111690 (Contributor)

Re: Newbie Configuring J2320

Hi Ron - great so far, I think I am making progress. A couple of things though.

1.  Ping.  At the moment the router can't ping out and does not respond to ping.  Am I missing something?

I am not at the point yet where I test whether the internal workstations and servers can ping out.  I am just testing the router itself.

2.  I am adding another server that will need to be accessed from outside.  So I will have to add it to the inbound rule-set section of my NAT config.  We'll call it ...

pool newserver {
    address 10.1.1.38/32;
}

...and then the

rule newserver-nat {
    match {
        destination-address 12.35.45.202/32;

But this will differ from the other servers in that I want to port forward UDP 999.

So what is the next line?  Is it this?...

destination-port udp 999;

Thanks

mjm111690 (Contributor)

Re: Newbie Configuring J2320

In the meantime I screwed something up. I added the "zone" information in, and while I was committing the changes it got hung up. When I got out and tried to log back in I was locked out and never got a login prompt again. I was on the one interface on which I had not configured anything new, the 192.168.1.1 web configuration interface that I had been using to configure the router. I had not done anything to that interface yet, and adding the security zone info per your suggestion kept me out.

So I have to go into the console port and see if I can undo what I did. I have to postpone this action a couple of days...

Any suggestions?

muttbarker (Distinguished Expert)

Re: Newbie Configuring J2320

Well, if you are locked out you are going to have to go into the box via the console. Please note that a great command to use is the "commit confirmed" command. By default, if you use this then you must log back into the box within 10 minutes or your last commit is automatically rolled back.

Great way to prevent lockout. You can also change the time from the 10 minute default to some other value.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

mjm111690 (Contributor)

Re: Newbie Configuring J2320

Thank you.  I certainly will when I get back to it on Monday.  I am curious how I did that to myself, unless there was a typo.

mjm111690 (Contributor)

Re: Newbie Configuring J2320

I'm back in business, at least back to where I was before I committed the zone changes and knocked myself off. Turns out that I didn't include my web config interface in the host-inbound-traffic allowing traffic in.

Still have a little way to go since the DHCP service doesn't appear to work yet. This is what I have, am I omitting anything?

dhcp {
    pool 10.2.1.0/24 {
        address-range low 10.2.1.10 high 10.2.1.200;
        domain-name domain.com;
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        router {
            10.2.1.1;
        }
    }
}

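The host-inbound-traffic stanza is what decides which services the router itself answers on each zone's interfaces, so it is both the cause of the lockout above and the reason a flow-mode J2320 will not answer ping until told to. As an added example that is not a config from this thread, here is a zone layout that keeps management reachable on the LAN side and exposes nothing but echo replies on the WAN side; the zone names, the interface assignments (ge-0/0/0.0 for the 192.168.1.1 side, ge-0/0/3.0 for the public side) and the choice of services are assumptions.

```junos
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    /* let the router answer ping from the LAN side */
                    ping;
                    /* keep J-Web and the CLI reachable on the management interface */
                    https;
                    ssh;
                    /* required for the router's own DHCP server to serve this zone */
                    dhcp;
                }
            }
            interfaces {
                /* assumed: the interface carrying the 192.168.1.1 management address */
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    /* echo only; drop this too if the WAN side should not answer ping */
                    ping;
                }
            }
            interfaces {
                /* assumed: the public-facing interface */
                ge-0/0/3.0;
            }
        }
    }
}
```

Apply it with `commit confirmed 5` so that if the new zone definition cuts off the session you are working from, the change rolls back on its own after five minutes.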
mjm111690 (Contributor)

Re: Newbie Configuring J2320

Got the DHCP part to work, finally. It was a connectivity issue.

Just have that one final issue where I can't seem to do port forwarding on a UDP port.

security nat destination rule-set inbound rule server-nat match destination-port udp 999

It doesn't like that. How do I get around this and be able to use a UDP port?

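The commit fails because a Junos destination NAT rule matches on the port number alone and has no protocol keyword; the protocol is pinned by the security policy instead, through a custom application. As an added example that is not a config from this thread, this is the complete set of pieces for forwarding UDP 999 to the new server: the NAT pool and rule, the address-book entry and the policy that permits only that application. The zone names trust/untrust, the names newserver-host and udp-999, and the zone-attached address-book placement are assumptions.

```junos
security {
    nat {
        destination {
            pool newserver {
                address 10.1.1.38/32 port 999;
            }
            rule-set inbound {
                from zone untrust;
                rule newserver-nat {
                    match {
                        destination-address 12.35.45.202/32;
                        /* port only: NAT rules carry no protocol keyword */
                        destination-port 999;
                    }
                    then {
                        destination-nat pool newserver;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address newserver-host 10.1.1.38/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy allow-newserver-udp999 {
                match {
                    source-address any;
                    /* the policy is evaluated after NAT, so it matches the private address */
                    destination-address newserver-host;
                    application udp-999;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application udp-999 {
        protocol udp;
        destination-port 999;
    }
}
```

Because the application restricts the permit to UDP/999, TCP probes against the same public port are dropped by the policy even though the NAT rule translated them.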