JUNOS SYNTAX

06-06-2015 03:26 PM

I have series of questions regarding some junos syntax as I am transitioning from CheckPoint environment into junos. Please feel free to chime in at will and thanks in advance:

 

1.

Question is about default zones like trust and untrust. Are they default?

Do trust and untrust zones have predefined and preassigned policies to them?

Do we have to use them and if not should we delete them or avoid them since they may contain preset policies we may not like?

Do you advise to name your own custom zones and be as descriptive as possible and ignore default names altogether?

 

 

2.

root# show security nat destination | display set
set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80
set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
set security nat destination rule-set test rule 1 match destination-port 80
set security nat destination rule-set test rule 1 then destination-nat pool web-server

 

Please explain the word POOL and what it means in the syntax above? Can it contain several servers?

Please explain why there are 2 rule names as follows: rule-set test rule 1

A rule within the rule? Do we need rule 1?  Can we just have everything under "test?"

 

3.

Please explain the use of proxy-arp:

set proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32

Re: JUNOS SYNTAX

06-06-2015 05:28 PM

1.

Question is about default zones like trust and untrust. Are they default?

Do trust and untrust zones have predefined and preassigned policies to them?

Some branch series SRX have factory default configurations that include zones untrust and trust.  You should refer to the getting started guide for your model from the documentation landing page for the exact configurations. 

 

These are meant to allow for quick deploy of a branch device for a small remote network.  They offer a base policy and setup that can be appropriate for simple settings.

 

Do we have to use them and if not should we delete them or avoid them since they may contain preset policies we may not like?

 

The untrust/trust zones are simply pre-created zones and can be deleted along with any and all of their associated configurations.

 

Do you advise to name your own custom zones and be as descriptive as possible and ignore default names altogether?

 

These zone names are common and well understood as to their function.  If your network uses these common names then the new devices should also.  Consistency across all sites managed makes troubleshooting and understanding configurations easier.  Whatever zone naming convention is chosen, make sure it is well documented, deployed consistently and easy to understand from the names.

 

2.

root# show security nat destination | display set
set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80
set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
set security nat destination rule-set test rule 1 match destination-port 80
set security nat destination rule-set test rule 1 then destination-nat pool web-server

 

 

Please explain word POOL and what it means in the syntax above? Can it contain severl servers?

Nat pools are simply ip addresses or ranges that can be used by the nat rules.  In this case destination servers.  They can be just ip addresses or specific to ports as well.  This is one nat pool called web-server with both an ip address and port.

 

Please explain why there are 2 rules names as follows:rule-set test rule 1

A rule within the rule? Do we need rule 1?  Can we just have everything under "test?"

 

You may want to look at this again without the | display set.  When displayed in the hierarchy, the relationship between root objects and leaf nodes is clearer.  You can see that there is one nat pool and one rule set containing one rule.

 

Test is not a rule but a rule set.  In rule sets you also have the option of restricting them by zone, interface or routing-instance at the rule set level.  And there can be multiple rules.  This allows you to organize a larger nat rule set by a convenient traffic path all in one place of the hierarchy.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
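To make Steve's point concrete, here is an added example (not code from the thread or from Juniper) that rebuilds the hierarchy from the five `display set` lines in question #2. It assumes a small schema of container keywords (`pool`, `rule-set` and `rule` take a name; `security`, `nat`, `destination`, `match`, `then` do not) and prints remaining tokens verbatim as leaf statements, so the rendering approximates rather than reproduces the SRX's own output; what it does show exactly is the containment: one pool, one rule-set named test, and one rule named 1 inside it.

```python
"""Rebuild a Junos-style hierarchy from 'display set' lines.

Added example for the thread, not the SRX's own renderer: container
keywords are taken from a small hand-written schema (an assumption), and
anything after the containers is kept verbatim as a leaf statement.
"""
from collections import OrderedDict

# Constructed sample: the lines from question #2, placeholder left as-is.
DISPLAY_SET = """\
set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80
set security nat destination rule-set test rule 1 match destination-address <public-Ip-of-web-server>
set security nat destination rule-set test rule 1 match destination-port 80
set security nat destination rule-set test rule 1 then destination-nat pool web-server
"""

# Assumed schema: keywords that open a container, with or without a name.
NAMED_CONTAINERS = {"pool", "rule-set", "rule"}
FIXED_CONTAINERS = {"security", "nat", "destination", "source", "static", "match", "then"}
LEAVES = "__leaves__"  # key under which a container stores its leaf statements


def parse_display_set(text):
    """Turn 'set ...' lines into nested OrderedDicts (containers) and leaf lists."""
    root = OrderedDict()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "set":
            continue  # skip prompts, blank lines and anything that is not a set statement
        node = root
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok in FIXED_CONTAINERS:
                key, i = tok, i + 1
            elif tok in NAMED_CONTAINERS and i + 1 < len(tokens):
                key, i = f"{tok} {tokens[i + 1]}", i + 2  # e.g. "rule-set test"
            else:
                break  # first non-container token: the rest is the leaf statement
            node = node.setdefault(key, OrderedDict())
        leaf = " ".join(tokens[i:])
        if leaf:
            node.setdefault(LEAVES, []).append(leaf)
    return root


def render(node, indent=0):
    """Render the tree with braces and semicolons, Junos style."""
    pad = "    " * indent
    lines = []
    for key, child in node.items():
        if key == LEAVES:
            lines.extend(f"{pad}{leaf};" for leaf in child)
        else:
            lines.append(f"{pad}{key} {{")
            lines.extend(render(child, indent + 1))
            lines.append(f"{pad}}}")
    return lines


def summarize(tree):
    """List the destination NAT pools and, per rule-set, the rules it contains."""
    dest = tree["security"]["nat"]["destination"]
    pools = [k.split(" ", 1)[1] for k in dest if k.startswith("pool ")]
    rule_sets = {}
    for key, child in dest.items():
        if key.startswith("rule-set "):
            rule_sets[key.split(" ", 1)[1]] = [
                r.split(" ", 1)[1] for r in child if r.startswith("rule ")
            ]
    return {"pools": pools, "rule_sets": rule_sets}


if __name__ == "__main__":
    tree = parse_display_set(DISPLAY_SET)
    print("\n".join(render(tree)))
    print(summarize(tree))
```

Running it prints the nested form, with `rule 1 { match { ... } then { ... } }` sitting inside `rule-set test { ... }`, and the summary `{'pools': ['web-server'], 'rule_sets': {'test': ['1']}}`; the rule name is a child of the rule-set, not a second rule alongside it.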
Re: JUNOS SYNTAX

06-06-2015 06:42 PM

Thank you Steven,

 

Do I need proxy-arp for the public interface IP if I am using NAT?

 

The reason I ask is because it is in the following example:

 

http://www.juniper.net/documentation/en_US/junos12.1/topics/example/nat-security-destination-address...

 

Re: JUNOS SYNTAX

06-06-2015 11:53 PM

Proxy-arp needs to be configured:

  1. When addresses defined in the static NAT and source NAT pool are in the same subnet as that of the ingress interface.
  2. When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface.

 

Please refer to the KB below for proxy-arp scenarios.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21785

Regards
Malik
4xJNCIE, 3xJNCSP, 3xJNCDS, CCIE, HCIE, VCIX-DCV, VCIX-NV, CISSP, JNCIS-ENT-Cloud, JNCIS-DevOps, PCNSE7
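The two conditions Malik lists both reduce to one test: does the NAT address sit inside the subnet of the ingress interface? Here is an added example (not from the thread or the KB) that applies that test to a list of NAT addresses and emits the matching `set security nat proxy-arp` statements. The interface name and all addresses are constructed sample values; the rule that the interface's own configured IP never needs proxy-arp (the interface already answers ARP for it) is an addition of mine, not something the thread states.

```python
"""Decide which NAT addresses need a proxy-arp entry on the ingress interface.

Added example for the thread. Rule (from Malik's reply): static/source NAT
pool addresses and destination NAT original-destination addresses that are
in the same subnet as the ingress interface need proxy-arp. Assumption of
mine: the interface's own address is skipped, since it answers ARP itself.
"""
import ipaddress

# Constructed sample values, not from the thread.
INGRESS_INTERFACE = "ge-0/0/0.0"
INGRESS_ADDRESS = "203.0.113.1/24"        # address configured on the interface
NAT_ADDRESSES = [
    "203.0.113.10/32",   # original destination of a destination NAT rule
    "203.0.113.20/32",   # address in a static NAT or source NAT pool
    "198.51.100.10/32",  # routed elsewhere, not on the ingress subnet
    "203.0.113.1/32",    # the interface's own IP (interface NAT)
]


def needs_proxy_arp(interface_prefix, nat_prefix):
    """True when nat_prefix lies inside the ingress interface's subnet."""
    iface = ipaddress.ip_interface(interface_prefix)
    net = ipaddress.ip_network(nat_prefix, strict=False)
    # Assumption: no proxy-arp for the interface's own address.
    if net.num_addresses == 1 and net.network_address == iface.ip:
        return False
    return net.subnet_of(iface.network)


def proxy_arp_commands(interface_name, interface_prefix, nat_prefixes):
    """Return the 'set security nat proxy-arp' lines needed for nat_prefixes."""
    return [
        f"set security nat proxy-arp interface {interface_name} address {prefix}"
        for prefix in nat_prefixes
        if needs_proxy_arp(interface_prefix, prefix)
    ]


if __name__ == "__main__":
    for line in proxy_arp_commands(INGRESS_INTERFACE, INGRESS_ADDRESS, NAT_ADDRESSES):
        print(line)
```

With the sample values it prints proxy-arp statements for 203.0.113.10/32 and 203.0.113.20/32 only; 198.51.100.10/32 is off-subnet and gets routed rather than ARPed, and the interface IP itself needs nothing extra. A NAT address that falls on the ingress subnet without a proxy-arp entry is the usual reason a new destination NAT "does not work" even though the rule and policy are correct, so the check is a cheap pre-commit review.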
Re: JUNOS SYNTAX

06-07-2015 02:27 PM

1. If I choose to create zone PRIVATE, for example, instead of the default zone trust, then it would not have screen and other default policies assigned to it and I would have to do so manually? Is that correct?

 

2. Regarding the NAT pools, if nat pools can be range of addresses then can we do the following:

 

set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80

set security nat destination pool web-server address 10.1.1.3/32
set security nat destination pool web-server address port 80

set security nat destination pool web-server address 10.1.1.4/32
set security nat destination pool web-server address port 80

 

Should the 'web-server' pool name remain the same or should it be changed for each server?

Re: JUNOS SYNTAX

06-08-2015 03:08 AM

1. If I choose to create zone PRIVATE, for example, instead of the default zone trust, then it would not have screen and other default policies assigned to it and I would have to do so manually? Is that correct?

 

That is correct.

 

2. Regarding the NAT pools, if nat pools can be range of addresses then can we do the following:

 

set security nat destination pool web-server address 10.1.1.2/32
set security nat destination pool web-server address port 80

set security nat destination pool web-server address 10.1.1.3/32
set security nat destination pool web-server address port 80

set security nat destination pool web-server address 10.1.1.4/32
set security nat destination pool web-server address port 80

 

Should the 'web-server' pool name remain the same or should it be changed for each server?

 

Each pool would need a unique name if you are sending traffic to different servers on different destination nat rules.

 

If you are trying to create a pool of ip addresses for the same destination nat then use CIDR notation for the range assigned.  

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: JUNOS SYNTAX

06-15-2015 05:02 PM

I am trying to create a pool of IP addresses for the same destination nat or in other words a range of IP addresses under the same unique POOL name. It would be great if the response can follow with some syntax example showing how this could be accomplished. I believe my syntax from #2 might be incorrect?

 

Thanks in advance.

Re: JUNOS SYNTAX

06-21-2015 10:26 PM

Hi,

 

Have a look here! http://www.tunnelsup.com/configuring-nat-in-juniper-srx-platforms-using-junos

 

This should give you the means to achieve what you want.

Marc