SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configuring SRX for home use

    Posted 11-16-2013 18:51

    Hello, all. I am trying to configure my SRX as my internet gateway. My current topology is:

    [Image: SRXEnviroment.png]


    I have put the following configuration in my SRX per reading my SRX book. (I have xxx'd out some IPs and passwords.)


    version 12.1R7.9;
    system {
        host-name Internet_Gateway;
        root-authentication {
            encrypted-password "xxxxxxxxxxxxx"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            208.xx.222.xxx;
            208.xx.220.xxx;
        }
        services {
            ssh {
                protocol-version v2;
            }
            web-management {
                https {
                    system-generated-certificate;
                    interface vlan.100;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.50 high 192.168.1.200;
                    default-lease-time 3600;
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
        ntp {
            server 192.xxx.xxx.0;
            server 192.xxx.xxx.xx8;
        }
    }
    interfaces {
        interface-range interface-trust {
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/0 {
            description Internet_Link;
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 100 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    security {
        nat {
            source {
                rule-set internal-to-internet {
                    description "NAT anything from trust zone to untrust (LAN to Internet)";
                    from zone trust;
                    to zone trust;
                    rule internet-access {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy defaul-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone untrust {
                description "Internet Link - DHCP Configured";
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                description "Local Area Network";
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.100;
                    fe-0/0/2.0;
                    ge-0/0/1.0;
                    fe-0/0/3.0;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 100;
            l3-interface vlan.100;
        }
    }
    Where am I going wrong? I am completely stumped! 


    Thanks!




  • 2.  RE: Configuring SRX for home use
    Best Answer

    Posted 11-16-2013 19:13

    Just figured it out..... My NAT was set from Zone Trust to Zone Trust.....
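    The misconfiguration identified in this answer, a source NAT rule-set whose from-zone and to-zone are both trust, can be caught before commit. The following Python lint is an added example, not code from the thread or from Juniper; it walks Junos-style brace blocks, reads each rule-set's zone pair, and flags same-zone rule-sets. The two embedded rule-sets are constructed samples: the one posted above, and the same block with the to-zone corrected to untrust.

```python
import re

# Constructed sample: the source NAT rule-set as posted in the thread,
# with from-zone and to-zone both set to "trust".
BROKEN_RULESET = """
rule-set internal-to-internet {
    description "NAT anything from trust zone to untrust (LAN to Internet)";
    from zone trust;
    to zone trust;
    rule internet-access {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
"""
# Constructed sample: the corrected rule-set (trust -> untrust).
FIXED_RULESET = BROKEN_RULESET.replace("to zone trust;", "to zone untrust;")


def rule_set_zones(config: str) -> dict:
    """Map each source NAT rule-set name to its (from-zone, to-zone) pair.

    Brace-aware: each 'rule-set NAME {' block is walked to its matching
    closing brace, so nested 'rule' blocks are never mistaken for rule-sets.
    """
    zones = {}
    for m in re.finditer(r"rule-set\s+(\S+)\s*\{", config):
        depth, i = 1, m.end()
        while depth and i < len(config):
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        body = config[m.end():i]
        src = re.search(r"\bfrom zone (\S+);", body)
        dst = re.search(r"\bto zone (\S+);", body)
        zones[m.group(1)] = (src.group(1) if src else None,
                             dst.group(1) if dst else None)
    return zones


def lint_source_nat(config: str) -> list:
    """Return one finding per rule-set whose from-zone equals its to-zone.

    Such a rule-set only matches intra-zone traffic, so LAN-to-Internet
    sessions leave with private source addresses un-translated.
    """
    return [f"rule-set {name}: from zone {src} to zone {dst} (same zone)"
            for name, (src, dst) in rule_set_zones(config).items()
            if src is not None and src == dst]
```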



  • 3.  RE: Configuring SRX for home use

    Posted 07-28-2016 10:12

    Good stuff. I am new to Juniper and I am trying to set up my SRX210 with my cable modem.

    I have tried so many different things, but I am trying to use your config as a learning example.

    Question: I see that in the VLANs you only have the Trust VLAN. Do you need an UNTRUST VLAN too?


    Thanks




  • 4.  RE: Configuring SRX for home use

    Posted 07-29-2016 03:20

    You only need VLANs when you want to have multiple interfaces in the same broadcast domain on the SRX itself.

    So typically the untrust interface will be a single interface in layer 3 and won't need a VLAN. Even if you have two untrust interfaces, they will likely have two separate IP addresses and thus be in different broadcast domains.