Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Newbie Configuring J2320

    Posted 03-14-2012 19:02

    Please help this newbie, I was volunteered for this and need to have something by the end of tomorrow...

    I've inherited a J2320 which is the WAN connection for an internal LAN and I need some fast advice on how to configure it.  I understand the technology, I have configured some Cisco routers in the past, first time for Juniper and I don't have a contract with Juniper to get help.  On-line documentation doesn't help me.  What I need is this:

    My public WAN IP is 12.35.45.202.  That is the only IP allotted for the LAN.  There are three internal LANs with private IP 10.1.1.0/24, 10.2.1.0/24 and 10.3.1.0/24.  The downstream connection from the J2320 is a Cisco switch configured with VLANs 10, 20 and 30 for those three private subnets.  The J2320 will have one port connected to the public IP and another port connected to the switch over a trunk consisting of the three VLANs (subnets).
    Right now -on that first subnet will be a Subversion server 10.1.1.35, and a Web server 10.1.1.36 and an FTP server 10.1.1.37.  On the second subnet are the laptops of folks that need to get out on the internet as well as have access to the three servers.  They will get DHCP from the J2320 on the 10.2.1.0/24.   Third subnet, what I'll do in the future is add a proxy server for all internet access for all users, not doing that yet.
    Can I get help on this?  Can someone give the configuration they would do for this?  
    In order of importance...
    Most concerned about the port forwarding to get the servers to be available to the public.  
    Second concern is getting the DHCP server to work for the workstations on the 10.2.1.0/24 network and the Natting so the workstations can get out on internet.  
    Third most important is the trunking connection between the J2320 and the switch.
    Fourth is making sure the firewall capability is working for the J2320 to protect all three subnets as well as the router itself from the internet.  
    Last on the list is the provision for the proxy  -(which I imagine has to do with the security zones)
    Please, this may seem like a lot but not for someone versed in Juniper.  I would really appreciate the help.  If you have a config for this please share.



  • 2.  RE: Newbie Configuring J2320
    Best Answer

    Posted 03-15-2012 04:38

    The attached config should get you started.  This configuration has all three internal sub-interfaces in the same security zone, but you could of course separate them out into multiple different zones if desired.  I did not validate everything, but if you have experience with networking, you should be able to use this to get started.  Also, if you have an ios configuration, you could try the i2j tool to convert it into a JunOS configuration as a starting point.


    Ron

    Attachment: ron-test.txt (7 KB)


  • 3.  RE: Newbie Configuring J2320

    Posted 03-29-2012 10:25

    Hi Ron-  Great so far, I think I am making progress.  Couple things though.


    1.  Ping.  At the moment the router can't ping out and does not respond to ping.  Am I missing something?

    I am not at the point yet where I test whether the internal workstations and servers can ping out.  I am just testing the router itself.


    2.  I am adding another server that will need to be accessed from outside.  So I will have to add it to my rule-set inbound section of my natting.  We'll call it ...

    pool newserver {
        address 10.1.1.38/32;
    }

    ...and then the

    rule newserver-nat {
                        match {
                            destination-address 12.35.45.202/32;


    But this will differ from the other servers in that I want to port forward udp 999.

    So what is the next line?  Is it this?...

    destination-port udp 999;     


    Thanks     



  • 4.  RE: Newbie Configuring J2320

    Posted 03-30-2012 10:43

    In the meantime I screwed something up.  I added the "zone" information in and while I was committing the changes it got hung up and when I got out and tried to log back in I was locked out, never got login prompt again.  I was on the one interface that I had not configured anything new, the 192.168.1.1 web configuration interface that I had been using to configure the router.  I had not done anything to that interface yet, and adding the security zone info per your suggestion, kept me out.


    So I have to go into the console port and see if I can undo what I did.  I have to postpone this action a couple days...

    Any suggestions?



  • 5.  RE: Newbie Configuring J2320

    Posted 03-30-2012 11:11

    Well if you are locked out you are going to have to go into the box via the console. Please note that a great command to use is the "commit confirmed" command. By default if you use this then you must log back into the box within 10 minutes or your last commit is automatically rolled back. 


    Great way to prevent lock out. You can also change the time from the 10 minute default to some other value. 



  • 6.  RE: Newbie Configuring J2320

    Posted 03-30-2012 11:50

    Thank you.  I certainly will when I get back to it on Monday.  I am curious how I did that to myself, unless there was a typo.



  • 7.  RE: Newbie Configuring J2320

    Posted 04-03-2012 21:17

    I'm back in business, at least back to where I was before I committed the zone changes and knocked myself off.  Turns out that I didn't include my web config interface in the host-inbound-traffic allowing traffic in.


    Still have a little ways to go since dhcp service doesn't appear to work yet.  This is what I have, am I omitting anything:


    dhcp {
        pool 10.2.1.0/24 {
            address-range low 10.2.1.10 high 10.2.1.200;
            domain-name domain.com;
            name-server {
                208.67.222.222;
                208.67.220.220;
            }
            router {
                10.2.1.1;
            }
        }
    }



  • 8.  RE: Newbie Configuring J2320

    Posted 04-04-2012 16:27

    Got the DHCP part to work, finally.  It was a connectivity issue.


    Just have that one final issue where I can't seem to do port forwarding on a udp port.


    security nat destination rule-set inbound rule server-nat match destination-port udp 999


    It doesn't like that.  How do I get around this and be able to use a udp port?




  • 9.  RE: Newbie Configuring J2320

    Posted 04-16-2012 08:38

    Done some research, and a way to do this is to use "match protocol" option to include udp.


    But unfortunately "match protocol" does not appear to be an option in my IOS.  Here are my only choices when I get this far...

    rtr-1# set security nat destination rule-set inbound rule newserver-nat match ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > destination-address  Destination address
    > destination-port     Destination port
    + source-address       Source address
    [edit]

    So apparently I don't have an option to match against a udp port??


    Is there another way to do port forwarding on udp ports?


    Otherwise do I have to upgrade my IOS (10.R3.10) to a later version that supports "match protocol"?  (I hope not)
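
    The following Junos configuration is an added example for the three problems raised in this thread (the lock-out from a security zone without host-inbound-traffic in posts 4 and 7, the "commit confirmed" safety net in post 5, and the UDP port forward in posts 8 and 9). It is not from the thread or from the attached ron-test.txt, and the interface names (ge-0/0/0 as the WAN link, ge-0/0/1 units 10/20/30 as the VLAN sub-interfaces, ge-0/0/3 as the 192.168.1.1 management port), the zone names and the object names (newserver, newserver-host, udp-999) are assumptions. On a release whose destination-NAT rule has no "match protocol" knob, the destination-port match applies to TCP and UDP alike; the custom application in the security policy is what limits the forward to UDP/999, and the destination NAT happens before policy lookup, so the policy matches on the server's real 10.1.1.38 address.

```junos
/* Added example, not the thread's or ron-test.txt's configuration.
   Assumed interface, zone and object names; adjust to the real box. */
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            /* Zone-scoped address book (10.x style) for the new server */
            address-book {
                address newserver-host 10.1.1.38/32;
            }
            /* Services the router itself will answer on from this zone.
               Leaving these out is how a zone commit locks the
               management session out; dhcp is needed for the DHCP server. */
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    https;
                    dhcp;
                }
            }
            interfaces {
                ge-0/0/1.10;
                ge-0/0/1.20;
                ge-0/0/1.30;
                ge-0/0/3.0;
            }
        }
    }
    nat {
        destination {
            pool newserver {
                address 10.1.1.38/32;
            }
            rule-set inbound {
                from zone untrust;
                rule newserver-nat {
                    /* No protocol knob on this release: port 999 is
                       translated for TCP and UDP; the policy narrows it. */
                    match {
                        destination-address 12.35.45.202/32;
                        destination-port 999;
                    }
                    then {
                        destination-nat pool newserver;
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy allow-udp-999 {
                match {
                    source-address any;
                    destination-address newserver-host;
                    application udp-999;
                }
                then {
                    permit;
                }
            }
        }
    }
}
/* Custom application so only UDP/999 reaches the server */
applications {
    application udp-999 {
        protocol udp;
        destination-port 999;
    }
}
```

    To apply it without risking another lock-out, load it with "load merge" in configuration mode, run "commit confirmed 5", open a fresh login to the management address to prove it still answers, and only then run a plain "commit"; if the new session never gets through, the candidate is rolled back automatically after five minutes. "show security nat destination rule all" afterwards confirms the rule is installed and counting hits.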



  • 10.  RE: Newbie Configuring J2320

    Posted 03-15-2012 10:12

    Just a quick suggestion: Next time, don't enter your real IP address in the forum (assuming that you did- no need to comment to validate or invalidate this assumption). You never know who is out there trolling for info to attack your network.



  • 11.  RE: Newbie Configuring J2320

    Posted 03-23-2012 11:41

    Thanks