  • 1.  Example Config for SRX210 Home User

    Posted 03-03-2011 08:06

    I'm trying to find an example config for the SRX210. I'll be using it at home with a residential cable modem service with a dynamic IP. I would like to use fe-0/0/7 as the "untrust" connection to the cable modem and have the other ports set up as a switch with a DHCP server. Any example configs from others using an SRX in a scenario like this would be greatly appreciated.

     

    Thanks!



  • 2.  RE: Example Config for SRX210 Home User

    Posted 03-03-2011 09:22

    I would suggest that you look at http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694&smlogin=true as this is a great place to start.  It's where I started.

     

    However, here is a rough cut-and-pasted copy of my config.  I have not had time to test it.  Please make sure that you use the correct values for your setup: DNS, IP, host and domain names.

     

    You will need to use the console or SSH config mode to enter this.

     

    # Reply-2 example in set format (paste in configure mode). The host/domain names and
    # every xxx.xxx.xxx.xxx below are placeholders; substitute your own values before committing.
    set system host-name yoursrxhostname
    set system domain-name fool.com
    set system domain-search foo.com

    # Resolvers the SRX itself uses (separate from the ones handed to DHCP clients below).
    set system name-server xxx.xxx.xxx.xxx
    set system name-server xxx.xxx.xxx.xxx


    # Built-in DHCP server for the LAN. Lease times are in seconds (86400 = 24 h).
    set system services dhcp maximum-lease-time 86400
    set system services dhcp default-lease-time 86400
    # Resolvers advertised to DHCP clients.
    set system services dhcp name-server xxx.xxx.xxx.xxx
    set system services dhcp name-server xxx.xxx.xxx.xxx

    # The pool hands out .1-.253; .254 is kept for the SRX's own LAN address (vlan.0) and is
    # advertised as default gateway and DHCP server identifier.
    set system services dhcp pool 192.168.0.0/24 address-range low 192.168.0.1
    set system services dhcp pool 192.168.0.0/24 address-range high 192.168.0.253
    set system services dhcp pool 192.168.0.0/24 router 192.168.0.254
    set system services dhcp pool 192.168.0.0/24 server-identifier 192.168.0.254

     

    # WAN port: DHCP client toward the cable modem (dynamic ISP address).
    set interfaces fe-0/0/7 description "Connection to cable internet"
    set interfaces fe-0/0/7 unit 0 family inet dhcp

    # LAN L3 gateway for the switched ports (vlan-trust / vlan.0).
    set interfaces vlan unit 0 family inet address 192.168.0.254/24

    # NOTE(review): "system-services all" + "protocols all" lets every LAN host reach every
    # management service on the SRX; list only what is actually used (e.g. ssh, https, dhcp, ping).
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all

    # NOTE(review): fe-0/0/0.0..fe-0/0/6.0 are not configured anywhere in this snippet (no
    # ethernet-switching family / vlan membership) and the author says the config is untested.
    # On a switched LAN, vlan.0 above is normally the only interface the trust zone needs - confirm.
    set security zones security-zone trust interfaces fe-0/0/0.0
    set security zones security-zone trust interfaces fe-0/0/1.0
    set security zones security-zone trust interfaces fe-0/0/2.0
    set security zones security-zone trust interfaces fe-0/0/3.0
    set security zones security-zone trust interfaces fe-0/0/4.0
    set security zones security-zone trust interfaces fe-0/0/5.0
    set security zones security-zone trust interfaces fe-0/0/6.0

    # VLAN carrying the LAN switch ports; vlan.0 is its routed interface.
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0


    # WAN zone. NOTE(review): ids-option "untrust-screen" is referenced but not defined in this
    # snippet; it must exist under "security screen" or the commit is presumably rejected.
    # dhcp is required on fe-0/0/7.0 so the DHCP client can accept its lease; tftp is not part
    # of that exchange and only widens the Internet-facing surface - drop it unless the ISP needs it.
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services tftp

    # Address-book entry so the policy below can be scoped to the LAN subnet instead of "any".
    set security zones security-zone trust address-book address addr_192_168_0_0_24 192.168.0.0/24


    # Outbound only: LAN -> Internet permitted for any application. No policy permits
    # untrust -> trust, so unsolicited inbound traffic hits the default deny.
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-allow-ALL match source-address addr_192_168_0_0_24
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-allow-ALL match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-allow-ALL match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust-allow-ALL then permit


    # Interface source NAT: LAN hosts leave with whatever address fe-0/0/7 currently holds.
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.0.0/24
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

     



  • 3.  RE: Example Config for SRX210 Home User

    Posted 03-03-2011 13:44

    This is what I have so far. Let me know where I need to make changes.

     

    --- JUNOS 10.2R3.10 built 2010-10-16 20:36:59 UTC
     eric@SRX210> show configuration
    ## Last commit: 2011-03-04 00:37:27 EST by root
    ## Reply-3 "show configuration" output (JUNOS 10.2R3.10 on an SRX210).
    version 10.2R3.10;
    system {
        host-name SRX210;
        time-zone America/New_York;
        ## NOTE(review): both encrypted-password values in this output are $1$ (MD5-crypt)
        ## hashes and were posted publicly; treat the corresponding passwords as exposed
        ## and set new ones.
        root-authentication {
            encrypted-password "$1$9kBlrO.i$zyroxBDDGRBAYu4Pap27k0"; ## SECRET-DATA
        }
        ## Resolvers used by the SRX itself.
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user eric {
                uid 2002;
                class super-user;
                authentication {
                    encrypted-password "$1$gQkHMOTL$UDXH432yZIKKlw6P8Qtzo."; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            ## telnet carries credentials in cleartext and, with "system-services all" on the
            ## trust zone below, is reachable from every LAN host; ssh already covers remote
            ## access, so remove it.
            telnet;
            ## J-Web is bound to vlan.0 only, so it is not reachable via the WAN port.
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            ## LAN DHCP server. "router" and "propagate-settings" sit at the dhcp level, so they
            ## apply to every pool; moving them inside the pool keeps a second pool self-contained.
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.10 high 192.168.1.99;
                }
                ## Copy DNS/domain options from the lease the DHCP client on fe-0/0/7 receives.
                propagate-settings fe-0/0/7;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        ## Keep five committed configurations on flash and five rollbacks.
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ## LAN switch ports: ge-0/0/0, ge-0/0/1 and fe-0/0/2..6 are L2 members of vlan-trust;
        ## vlan.0 below is their routed gateway.
        interface-range interfaces-trust {
            member ge-0/0/0;
            member ge-0/0/1;
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ## WAN port: DHCP client toward the cable modem.
        ## NOTE(review): fe-0/0/7.0 is not a member of any security zone below - the untrust
        ## zone lists ge-0/0/0.0, which is a trust switch port in the interface-range above.
        ## An interface in no zone cannot forward traffic, so trust->untrust NAT/policy will
        ## not work until fe-0/0/7.0 replaces ge-0/0/0.0 under security-zone untrust.
        fe-0/0/7 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ## LAN L3 gateway address (also the DHCP router above).
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    security {
        ## Interface source NAT: LAN hosts leave with whatever address fe-0/0/7 currently holds.
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            ## Any source; only trust->untrust traffic reaches this rule-set anyway.
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        ## Screen profile bound to the untrust zone: drops a few malformed-packet patterns and
        ## rate-limits SYN floods.
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                ## NOTE(review): "all"/"all" lets any LAN host reach every management service
                ## and routing protocol on the SRX; narrow to what is used (ssh, https, dhcp, ping).
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ## NOTE(review): should be fe-0/0/7.0 (the WAN DHCP client) - see the
                    ## interfaces section. dhcp is needed for the client to accept its lease;
                    ## tftp is not and only widens the Internet-facing surface.
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
        ## Outbound LAN -> Internet allowed for everything; nothing permits untrust -> trust,
        ## so unsolicited inbound traffic is dropped by the default deny.
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    ## PoE on every port; enable only the ports that actually power a device.
    poe {
        interface all;
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }



  • 4.  RE: Example Config for SRX210 Home User

    Posted 03-04-2011 05:47

    I would move all your DHCP settings under the pool:

     

    from this:

     

     

     ## Reply-3 layout: "router" and "propagate-settings" at the dhcp level apply to every pool.
     dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.10 high 192.168.1.99;
                }
                propagate-settings fe-0/0/7;
            }

     to this:

     

     

    ## Everything pool-scoped: a second pool (e.g. a separate wireless network) can carry its
    ## own lease times, DNS and gateway without touching this one. Lease times are in seconds.
    dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.10 high 192.168.1.99;
                    maximum-lease-time 7200;
                    default-lease-time 3600;
                    ## Placeholder; use your real domain name.
                    domain-name yourisp.com;
                    name-server {
                        208.67.222.222;
                        208.67.220.220;
                    }
                    ## Gateway and server-identifier are the SRX's own vlan.0 address.
                    router {
                        192.168.1.1;
                    }
                    server-identifier 192.168.1.1;
                    ## DNS/domain options copied from the DHCP client lease on fe-0/0/7.
                    propagate-settings fe-0/0/7;
                }
            }

     This will allow you to easily add a second pool if you want another network on there, e.g. I have a second network for my wireless clients with much tighter restrictions.

     

    If you want to add any static DHCP bindings:

     

     

    ## Reserve a fixed address for a known MAC; replace the bracketed placeholders.
    dhcp {
                static-binding [**mac-address**] {
                    fixed-address {
                        [**fixed-ip**];
                    }
                }
            }

     

    Other than that, everything looks good.

     

     

     

     

     

     



  • 5.  RE: Example Config for SRX210 Home User

    Posted 11-06-2012 11:17

    Was there any reason to allow tftp on fe-0/0/7.0?

     

    David.



  • 6.  RE: Example Config for SRX210 Home User

     
    Posted 11-07-2012 00:58

    I would also disable PoE on all interfaces and enable it only on the ones you need it on; the same goes for telnet and web-management.

     

    Disable remote root login like this:

     

    ## Fragment under [edit system]; the post omits the closing brace of "services".
    services {
            ssh {
                ## Refuse root over ssh; administer with a named super-user account instead.
                root-login deny;
            }

    Enable NTP:

     

    # NTP client. NOTE(review): 193.0.0.228 is listed as both peer and server; a plain
    # client only needs the "server" line. With a dynamic WAN address (the thread's
    # scenario), a fixed source-address stops matching once the lease changes - omit it
    # or use a stable local address such as the LAN vlan.0 address.
    set system ntp peer 193.0.0.228 version 4
    set system ntp peer 193.0.0.228 prefer
    set system ntp server 193.0.0.228
    # <public-address> is a placeholder, not a literal value.
    set system ntp source-address <public-address>

     

    I would also put a firewall filter on the lo0 interface.

     

     

     

     

     



  • 7.  RE: Example Config for SRX210 Home User

    Posted 09-05-2013 10:27

    I know I am digging up an old thread here, but this particular thread has helped me quite a bit.  As a rookie SRX user, can someone please critique the following config?

     

     

    # Reply-7 set-format config, assembled from the reply-3 and reply-4 examples.
    set system host-name SRX210
    set system time-zone America/New_York
    # NOTE(review): "plain-text-password" expects the actual password; Junos will hash this
    # "$1$..." string again, so the root password becomes the literal hash text. Use
    # "encrypted-password" to reuse a hash - and since this hash was already posted earlier
    # in the thread, set a new password rather than reusing it.
    set system root-authentication plain-text-password "$1$9kBlrO.i$zyroxBDDGRBAYu4Pap27k0"
    # x.x.x.x are placeholders for your resolvers.
    set system name-server x.x.x.x
    set system name-server x.x.x.x
    # ssh only, no telnet. Adding "set system services ssh root-login deny" keeps root from
    # logging in remotely.
    set system services ssh
    # J-Web reachable only on the LAN interface.
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system syslog archive size 100k files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    # Ten saved configs / rollbacks instead of the five in the earlier examples.
    set system max-configurations-on-flash 10
    set system max-configuration-rollbacks 10
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

    # NOTE(review): these lines begin with "set dhcp", but the DHCP server in every other
    # example in this thread lives under "set system services dhcp ..."; a top-level "dhcp"
    # hierarchy does not appear anywhere else here. Confirm the commit accepts it - it most
    # likely needs the "system services" prefix.
    set dhcp pool 192.168.1.0/24 address-range low 192.168.1.10 high 192.168.1.99
    set dhcp pool 192.168.1.0/24 maximum-lease-time 7200
    set dhcp pool 192.168.1.0/24 default-lease-time 3600
    set dhcp pool 192.168.1.0/24 domain-name yourisp.com
    set dhcp pool 192.168.1.0/24 name-server x.x.x.x
    set dhcp pool 192.168.1.0/24 name-server x.x.x.x
    set dhcp pool 192.168.1.0/24 router 192.168.1.1
    set dhcp pool 192.168.1.0/24 server-identifier 192.168.1.1
    set dhcp pool 192.168.1.0/24 propagate-settings fe-0/0/7


    # LAN switch ports (L2 members of vlan-trust); vlan.0 is their routed gateway.
    set interfaces interface-range interfaces-trust member ge-0/0/0
    set interfaces interface-range interfaces-trust member ge-0/0/1
    set interfaces interface-range interfaces-trust member fe-0/0/2
    set interfaces interface-range interfaces-trust member fe-0/0/3
    set interfaces interface-range interfaces-trust member fe-0/0/4
    set interfaces interface-range interfaces-trust member fe-0/0/5
    set interfaces interface-range interfaces-trust member fe-0/0/6
    set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
    # WAN port: DHCP client toward the cable modem.
    set interfaces fe-0/0/7 unit 0 description "To Cable Modem"
    set interfaces fe-0/0/7 unit 0 family inet dhcp
    # LAN L3 address; also the DHCP router / server-identifier above.
    set interfaces vlan unit 0 family inet address 192.168.1.1/24

    # PoE limited to the two ports that need it.
    set poe interface fe-0/0/2
    set poe interface fe-0/0/3

    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

    # Interface source NAT for LAN -> Internet.
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    # Screen profile for the untrust zone (malformed-packet checks, SYN-flood limits).
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land

    # NOTE(review): "all"/"all" exposes every management service to the LAN; list only the
    # services actually used.
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    # NOTE(review): the untrust zone has no interfaces, so fe-0/0/7.0 belongs to no zone and
    # cannot forward traffic. Add
    #   set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
    # (dhcp so the WAN DHCP client can accept its lease; nothing else is needed inbound).
    set security zones security-zone untrust screen untrust-screen

    # Explicitly permits traffic between interfaces inside the trust zone.
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit

    # Outbound LAN -> Internet permitted for everything; no untrust -> trust policy exists,
    # so unsolicited inbound traffic hits the default deny.
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

     



  • 8.  RE: Example Config for SRX210 Home User

    Posted 12-08-2013 13:03

    I have a Motorola SB6120 with Comcast Xfinity.  Currently the Motorola SB6120 connects to a Linksys E4200 wireless router.  Connected to the wireless router is a Windows DC that is running DHCP and DNS.  I am going to be adding the devices as follows: 

    Motorola sb6120 --->Juniper SRX100 --->Juniper EX2200 12port (L3 Device)

     

    From what I have seen, I have set up the untrusted port for a dynamic ISP.  When connecting the Motorola SB6120 to the Juniper SRX100, the protocol comes up on the untrusted interface, but I am unable to ping any address on the Internet from the trusted interface, to which my PC is connected with a static LAN address.

     

    Below is the config:

     

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.12.08 14:46:48 =~=~=~=~=~=~=~=~=~=~=~=

    --- JUNOS 10.0R3.10 built 2010-04-16 08:47:35 UTC
    admin@SRX100> show configuration
    ## Last commit: 2013-12-08 15:21:12 UTC by admin
    ## Reply-8 "show configuration" output (JUNOS 10.0R3.10 on an SRX100); the paste lost
    ## all indentation, so read the braces rather than the columns.
    version 10.0R3.10;
    system {
    host-name SRX100;
    ## NOTE(review): both encrypted-password values here are $1$ (MD5-crypt) hashes and were
    ## posted publicly; treat the corresponding passwords as exposed and set new ones.
    root-authentication {
    encrypted-password "$1$Yi.wvAVl$lC7/gWE0MlIptvKKad8Pt."; ## SECRET-DATA
    }
    ## Resolvers used by the SRX itself.
    name-server {
    8.8.8.8;
    8.8.4.4;
    }
    login {
    user admin {
    uid 2000;
    class super-user;
    authentication {
    encrypted-password "$1$FIQOoTp7$v0Yaxo9CcwcxAYNufYF3L."; ## SECRET-DATA
    }
    }
    }
    services {
    ## NOTE(review): "root-login allow" plus telnet, together with ssh/https being allowed
    ## from the untrust zone further down, makes root login over ssh reachable from the
    ## Internet. Set "root-login deny", remove telnet, and manage the box from the trust
    ## zone only. ("---(more)---" is a terminal pager artifact from the log, not configuration.)
    ssh {
    ---(more)--- root-login allow;
    }
    telnet;
    ## J-Web bound to vlan.0 only.
    web-management {
    http {
    interface [ vlan.0 ];
    }
    https {
    system-generated-certificate;
    interface [ vlan.0 ];
    }
    }
    ## NOTE(review): no pool / address-range is defined, so this DHCP server has nothing to
    ## hand out (presumably the Windows DC still serves leases). The options it would send
    ## point clients at 192.168.69.3 as gateway and 192.168.69.128 as DNS, but the SRX's own
    ## LAN address is 192.168.69.1 (vlan.0 below); hosts using .3 as gateway never send
    ## Internet traffic through the SRX. A statically addressed PC likewise needs
    ## 192.168.69.1 as its gateway for the NAT below to apply - verify.
    dhcp {
    domain-name domain.com;
    name-server {
    192.168.69.128;
    }
    router {
    192.168.69.3;
    }
    propagate-settings fe-0/0/0.0;
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    interfaces {
    ## LAN switch ports (L2 members of vlan-trust). NOTE(review): fe-0/0/3 is a member here
    ## and is also configured on its own below with only a description, and fe-0/0/3.0 is
    ## listed separately in the trust zone - pick one role for that port.
    interface-range interfaces-trust {
    member fe-0/0/1;
    member fe-0/0/2;
    member fe-0/0/4;
    member fe-0/0/5;
    member fe-0/0/6;
    member fe-0/0/7;
    member fe-0/0/3;
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ## WAN port: DHCP client toward the Comcast modem.
    fe-0/0/0 {
    unit 0 {
    description Comcast;
    family inet {
    dhcp {
    update-server;
    }
    }
    }
    }
    ## NOTE(review): every other port in this config is fe-0/0/x; ge-0/0/0 (also listed in
    ## the untrust zone) carries no address and looks like a leftover from a template.
    ## Confirm it exists on this platform; if not, remove it from both places.
    ge-0/0/0 {
    unit 0 {
    family inet;
    }
    }
    fe-0/0/3 {
    unit 0 {
    description "LAN";
    }
    }
    ## LAN L3 gateway address.
    vlan {
    unit 0 {
    family inet {
    address 192.168.69.1/24;
    }
    }
    }
    }
    security {
    ## Interface source NAT for trust -> untrust.
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    ## Screen profile bound to the untrust zone (malformed-packet checks, SYN-flood limits).
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    zones {
    security-zone trust {
    ## NOTE(review): "all" already covers ssh/http/https/ping, so the extra entries are
    ## redundant; narrow to the services actually used instead. "ping" is missing its
    ## ";" - probably a paste artifact.
    host-inbound-traffic {
    system-services {
    all;
    ssh;
    http;
    https;
    ping
    }
    protocols {
    all;
    }
    }
    interfaces {
    vlan.0;
    fe-0/0/3.0;
    }
    }
    security-zone untrust {
    screen untrust-screen;
    ## NOTE(review): zone-level ssh/https here make management reachable from the
    ## Internet-facing side; remove them and manage from the trust zone. On fe-0/0/0.0,
    ## dhcp is needed for the WAN DHCP client; tftp is not and only widens the surface.
    host-inbound-traffic {
    system-services {
    ssh;
    https;
    }
    }
    interfaces {
    fe-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    tftp;
    }
    }
    }
    ge-0/0/0.0;
    }
    }
    }
    ## Outbound LAN -> Internet. "permit-all" duplicates "trust-to-untrust" exactly and sits
    ## after it, so it is never matched; remove one of them.
    policies {
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    policy permit-all {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    }
    vlans {
    default;
    vlan-trust {
    vlan-id 3;
    l3-interface vlan.0;
    }
    }

     

     

     

    Any help would be greatly appreciated!

     



  • 9.  RE: Example Config for SRX210 Home User

    Posted 12-08-2013 21:20

    Send me a PM or add me on skype and i can help you with what you guys need.