SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  help me in configuration of SRX

    Posted 12-10-2011 03:50

    I have purchased a new SRX. Can you help me configure the firewall with a DMZ network?

    I am using 2 leased lines; let's say their public IPs are 122.176.X.X and 122.175.X.X, and my internal network uses the 192.168.1.0 subnet. I want to put my mail server and SSL VPN server in the DMZ network and give them a different subnet, let's say 192.168.2.0, but my other servers, like the AD server, my storage and my application virtualization server, will be used in the 192.168.1.0 network. Can anyone help me with the configuration? My SSL server will sync with the AD server.

    I also want to ask you one thing:

    1. Is it possible to do load balancing between 2 ISPs, or failover?

    Kindly suggest what more I can do for these 2 servers, which will be accessed publicly by my remote users.

    Thanks



  • 2.  RE: help me in configuration of SRX

    Posted 12-10-2011 09:46

    @Rohit wrote:

    I have purchased a new SRX. Can you help me configure the firewall with a DMZ network?

    I am using 2 leased lines; let's say their public IPs are 122.176.X.X and 122.175.X.X, and my internal network uses the 192.168.1.0 subnet. I want to put my mail server and SSL VPN server in the DMZ network and give them a different subnet, let's say 192.168.2.0, but my other servers, like the AD server, my storage and my application virtualization server, will be used in the 192.168.1.0 network. Can anyone help me with the configuration? My SSL server will sync with the AD server.

    I also want to ask you one thing:

    1. Is it possible to do load balancing between 2 ISPs, or failover?

    Kindly suggest what more I can do for these 2 servers, which will be accessed publicly by my remote users.

    Thanks


    Most of the questions you're asking (configuration-wise) can be answered by reading this free online book: http://www.juniper.net/us/en/community/junos/training-certification/day-one/dynamic-services-series/deploying-srx-series/

    However, to briefly touch on one of your questions:

    No, it is not possible (as of today on the branch) to load balance two ISP connections without an ugly amount of configuration hacking. Just don't go down that road.

    Yes, you can do failover between two ISPs. Look at ip-monitoring, a new feature in 11.2 if I recall correctly (previous to that it was done with an event script).

    Hope this helps,

    -Tim Eberhard



  • 3.  RE: help me in configuration of SRX

    Posted 12-10-2011 09:59

    OK, I will go through this book and then let you know. But today, when I just opened the box and connected it to my laptop, I am unable to launch the web GUI for initial configuration. The box also does not reset when I press the reset config button; nothing happened. I pressed the reset button for more than a minute, but it still did not reboot.

    Can you help me? It's a new box I just opened, but I am unable to do the initial configuration. One more thing I want to ask: will giving a different subnet to my DMZ network help in securing them, as when my remote users connect to my DMZ server they will also access my LAN server? Or does it not change anything?

    Thanks for your reply.



  • 4.  RE: help me in configuration of SRX

    Posted 12-10-2011 10:12

    OK

    Please let me know first what model you are using.



  • 5.  RE: help me in configuration of SRX

    Posted 12-10-2011 10:56

    Well, no answer regarding the model number yet, and I gotta go, but it's probably an SRX210 or SRX240, so I wrote the following based on these models. You might have to change the interface name if you're using one of the other models.

    If you configure your laptop interface to obtain an IP address automatically by DHCP, and connect your laptop to one of those interfaces somewhere in the middle, your laptop gets an IP address automatically, probably in the range of 192.168.1.0/24; then you can connect to the device at address 192.168.1.1. But honestly it's not my favorite method. I like to do it manually, delete everything and configure it from scratch, so if you want to do it my way please read the following.

    Do it step by step:

    1. Connect to the device via console.

    2. Log in as the "root" user and leave the password blank, just press Enter.

    3. Issue the command "cli".

    4. Your prompt should end with the ">" mark.

    5. Type "configure" and press Enter.

    6. Type the following commands one by one:

     

    delete
    yes
    set system root-authentication plain-text-password
    New password:
    Retype new password:
    set system host-name MyFirewall
    set system services web-management https port 5050 system-generated-certificate
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
    set security zones security-zone Internal-LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone Internal-LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone Internal-LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set system services ssh
    commit

     

    PLEASE NOTE THAT THE CONFIGURATION SHOULD BE COMMITTED SUCCESSFULLY. IT'S POSSIBLE THAT I MISSED SOMETHING HERE; PLEASE LET ME KNOW IF YOU CAN'T COMMIT THE CONFIG, AND SEND ME ITS ERROR TOO.

    ALSO PLEASE NOTE, THIS CONFIGURATION JUST HELPS YOU TO GET STARTED.

    All you have to do is set an address on your laptop, let's say 192.168.1.10/24, and plug the patch cord into ge-0/0/0, which is the first interface from the left. Then connect to the device by typing this URL in your browser: https://192.168.1.1:5050

    However I prefer ssh 😉

    For more information refer to the study guides in the Fast Track program, or the Day One guides as Tim said.

    Hope this helps



  • 6.  RE: help me in configuration of SRX

    Posted 12-10-2011 20:44

    It's an SRX 100 H.



  • 7.  RE: help me in configuration of SRX

    Posted 12-10-2011 23:52

    Ok, you have to just replace "ge-0/0/0" with "fe-0/0/0" in the config that I just sent to you. 🙂



  • 8.  RE: help me in configuration of SRX

    Posted 12-11-2011 04:46

    I know, but ping is not coming through. I tried to do the reset process, but even that is not happening. As per my knowledge, when we do the reset process the RTO stops coming for 10 seconds and then the interface is up again, but that does not happen with this box. If I press the reset button, then after 30 seconds the first 2 lights become light red, but the port did not go into the down state and then up; I just got RTO continuously.

    Is the box faulty?



  • 9.  RE: help me in configuration of SRX
    Best Answer

    Posted 12-11-2011 06:19

    It's probably not a hardware problem. You should give it some time; the SRX is slow to boot up completely. When it has booted up completely, you have to hold the reset button for 15 seconds, until the Status LED turns steady amber, and wait. Give it some time, it's slow, trust me.

    CONNECT TO IT VIA THE CONSOLE PORT AND WAIT UNTIL YOU GET THE LOGIN MESSAGE.



  • 10.  RE: help me in configuration of SRX

    Posted 12-24-2011 03:00

    I am changing my network a little bit:

    MODEM >>> JUNIPER >>> PROXY >>> LAN. ON THE PROXY I WILL CREATE 2 GROUPS, ONE WHICH HAS FULL ACCESS AND ANOTHER GROUP WHICH HAS LIMITED ACCESS. MY PROXY IP IS 192.168.1.9; THIS IS ALSO MY MAIL SERVER, WHICH IS ACCESSED BY MY REMOTE LOCATION.

    I am confused about the NAT method. I have 2 servers which are going to be accessed: one is 192.168.1.9, which is also my proxy, and 242

    Can anyone write the configuration? I have done the basic config, but I am not able to do the routing part and the NAT part. Kindly help me.



  • 11.  RE: help me in configuration of SRX

    Posted 12-10-2011 09:52

    Hi,

     

    Wow, your request is so open, I don't even know how to get started.

    If you are completely new to SRX I suggest you delete everything and start from scratch. I can divide the config into several sections as follows.

    1. System configuration, meaning all configuration such as time and date, SSH or HTTP access, DNS name server and stuff like that.

    2. Interface configuration: you have to give the interfaces their IP addresses and subnet masks.

    3. Configuring routing stuff.

    4. Configuring security zones; in your case they can be LAN, DMZ and Internet.

    5. Put each interface in its zone.

    6. Write security policies between zones.

    7. Load balancing between internet links needs you to get into Filter Based Routing FBF. There is no dynamic way to do load balancing on SRX, but you can do it somehow: you can divide your internal network into two subnets, so that some IPs go out through the first internet link and some of them go out through the other one, or you can do it at the protocol level. Failover is supported too.

    8. Configuring some other stuff like NAT.

    9. Hardening your device and zones by configuring stuff like screening and blah blah blah.

    But configuring these things is a lot, so please read the Junos study guides here:

    http://www.juniper.net/us/en/training/fasttrack/

    Take some time to read this stuff; these guides are very short to read but efficient.

    Please let me know if you need more information or help with something specific. God, I don't even know what model you are using, but no problem, we'll take care of it.

    Good luck
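
Steps 4 to 6, 8 and 9 of the list above, applied to the LAN/DMZ layout from the first post, as an added example that is not from any poster in this thread. It shows that the separate DMZ subnet only isolates the servers when the DMZ-to-LAN policy is narrow. Assumptions: the host addresses, the stand-in public address 203.0.113.10 (taken to be the address on the Internet-facing port), the fe-0/0/1 and fe-0/0/2 port roles on an SRX100, and LDAP as the AD sync protocol.

```junos
# Constructed values throughout; Internal-LAN on fe-0/0/0 is assumed to exist already.
set interfaces fe-0/0/1 unit 0 family inet address 192.168.2.1/24
set security zones security-zone DMZ interfaces fe-0/0/1.0
set security zones security-zone Internet interfaces fe-0/0/2.0
# No host-inbound-traffic on DMZ or Internet, so the firewall itself
# accepts no management traffic from those zones.

# Zone address books (hypothetical host addresses)
set security zones security-zone DMZ address-book address mail-server 192.168.2.10/32
set security zones security-zone DMZ address-book address ssl-vpn 192.168.2.20/32
set security zones security-zone Internal-LAN address-book address ad-server 192.168.1.10/32

# Destination NAT: publish only SMTP on the public address to the mail server
set security nat destination pool mail-pool address 192.168.2.10/32
set security nat destination rule-set inbound from zone Internet
set security nat destination rule-set inbound rule smtp-in match destination-address 203.0.113.10/32
set security nat destination rule-set inbound rule smtp-in match destination-port 25
set security nat destination rule-set inbound rule smtp-in then destination-nat pool mail-pool

# Internet -> DMZ: policy matches the translated (private) address
set security policies from-zone Internet to-zone DMZ policy smtp-in match source-address any
set security policies from-zone Internet to-zone DMZ policy smtp-in match destination-address mail-server
set security policies from-zone Internet to-zone DMZ policy smtp-in match application junos-smtp
set security policies from-zone Internet to-zone DMZ policy smtp-in then permit

# DMZ -> Internal-LAN: only the SSL VPN server may reach the AD server, LDAP only
set security policies from-zone DMZ to-zone Internal-LAN policy vpn-to-ad match source-address ssl-vpn
set security policies from-zone DMZ to-zone Internal-LAN policy vpn-to-ad match destination-address ad-server
set security policies from-zone DMZ to-zone Internal-LAN policy vpn-to-ad match application junos-ldap
set security policies from-zone DMZ to-zone Internal-LAN policy vpn-to-ad then permit

# Everything else from the DMZ toward the LAN is denied and logged
set security policies from-zone DMZ to-zone Internal-LAN policy deny-log match source-address any destination-address any application any
set security policies from-zone DMZ to-zone Internal-LAN policy deny-log then deny
set security policies from-zone DMZ to-zone Internal-LAN policy deny-log then log session-init

# Step 9: basic screen on the Internet zone
set security screen ids-option internet-screen icmp ping-death
set security screen ids-option internet-screen tcp land
set security screen ids-option internet-screen ip spoofing
set security zones security-zone Internet screen internet-screen
```

The deny-log policy must stay last in the DMZ to Internal-LAN context, because policies are evaluated in order and the first match wins.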