SRX Services Gateway

CLI Configuration help Srx300 Srx220

‎03-17-2018 09:40 PM

Hi all, I had submitted a help document but could not find it again, so I started another.

 

What I'm trying to do is create ports for different items. I have scanned off a diagram of what I'm attempting to accomplish.

I have 2 firewalls: one is an SRX 300 and the other is an SRX 220H.

 

I am not good at all with the command line interface that the 2 SRX devices use, very new to them, but this is the only thing that I have left to program.

 

I am using for the primary output on erpro-8 172.16.0.1/19; that is my DHCP and DNS. I would like to have all the network devices get addresses through erpro-8; however, I would like the SRX firewall to have different zones for security on each one. For instance, DMZ only goes out to configure the DMZ, but all communication from DMZ is blocked to prevent connection into the trusted LAN. DMZ has a managed switch that will have to be accessible from time to time. I would like to have help on both the SRX firewalls. Will need the NAS switch to be accessible as well and have the DLNA port open for media into both wireless (zone-director) and wired (GSM7242v2).

 

I know this is asking a lot, but I'm desperate; I am lost with these and I'm new to them. Thank you all for the help. Matt


Re: CLI Configuration help Srx300 Srx220

‎03-18-2018 05:42 AM

Thanks for the diagram.  This is a pretty confusing setup for me to follow, even with this.

 

The main issue I have looking at this is your erpro-8 seems to be connected to both SRX.  So it is hard to determine what your best policy options are without knowing the routing occurring around both devices.  So here are some general points to start.

 

Any flow in and out of the erpro-8 has to go through the same SRX in both directions.  So your first task is to make sure all the subnets in the network have symmetrical routing in and out.

 

Next you will add security policy to permit communications from zone to zone on that path in the direction that the first packet is sent.

 

For DHCP forwarding you will configure the bootp helper on the SRX that houses the gateway address for the subnet getting the DHCP address.  Then also have security policy to permit this through any SRX in the path of that communication.

 

Finally, I notice you have 172.16.0.1/19 noted as IP address space you are using.  Be aware that RFC1918 only permits the private usage of 172.16.0.0/12 on internal networks.  The rest of that space is valid public addressing that is assigned to other entities and is internet routable.  If you use space beyond the 172.16.0.0/12 on your network you will not be able to access any internet resources legitimately using that assigned space.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: CLI Configuration help Srx300 Srx220

‎03-22-2018 08:49 PM

@spuluka wrote:

Thanks for the diagram.  This is a pretty confusing setup for me to follow, even with this.

 

The main issue I have looking at this is your erpro-8 seems to be connected to both SRX.  So it is hard to determine what your best policy options are without knowing the routing occurring around both devices.  So here are some general points to start.

 

Any flow in and out of the erpro-8 has to go through the same SRX in both directions.  So your first task is to make sure all the subnets in the network have symmetrical routing in and out.

 

Next you will add security policy to permit communications from zone to zone on that path in the direction that the first packet is sent.

 

For DHCP forwarding you will configure the bootp helper on the SRX that houses the gateway address for the subnet getting the DHCP address.  Then also have security policy to permit this through any SRX in the path of that communication.

 

Finally, I notice you have 172.16.0.1/19 noted as IP address space you are using.  Be aware that RFC1918 only permits the private usage of 172.16.0.0/12 on internal networks.  The rest of that space is valid public addressing that is assigned to other entities and is internet routable.  If you use space beyond the 172.16.0.0/12 on your network you will not be able to access any internet resources legitimately using that assigned space.

 



What I'm attempting is to have eth0 input the internet into the SRX300; however, have the router before the SRX300 control the DHCP server, DNS, etc., etc., all the internet communication. All I'm wanting the SRX300 to do is segregate the different parts of my network with no NAT, just a security switch. For instance, exactly what I want is below:

 

Wired Network - wireless network  (both networks can freely communicate with each other)

Wired network - internet input   (wired network can use all services on router but anyone trying to get in from router is blocked)

wireless network - internet input   (wired network can use all services on router but anyone trying to get in from router is blocked)

NAS server - wired network  (both networks can freely communicate with each other)

NAS server - wireless network  (both networks can freely communicate with each other)

NAS Server - internet input  (can not access internet input network or internet input can not access nas server network)

DMZ - internet input  (both can not communicate with each other) DMZ has internet access from the router before the SRX300

DMZ - NAS server  (both networks can not communicate with each other)

DMZ - wired network  (wired network can access dmz network but dmz network can not access wired network)

dmz - wireless   (wireless network can access dmz network but dmz network can not access wireless network)

 

I found this forum https://kb.juniper.net/KB31147; it's kind of what I'm wanting, but I don't need the management port. Wired and wireless both have management access only. Why I have 2 SRX devices is that the edge router is the first firewall for the secured LAN, and if someone can get through the EdgeRouter they are stopped at the SRX300. And my DMZ is on the edge router with internet access to the DMZ port, so the SRX 220 will stop the first attempt of access from DMZ, and if someone can get through the SRX 220 they get stopped at the SRX 300. I have a honeypot in the DMZ in case of attack; it can buy me some time to defend. It's a backup firewall on both ways into my secured network. I have included another picture of what I'm attempting to do (IMG_20180322_0001).

 

 

I'm also not following what was said about my IP address setup. Is it fine where it is at, or does it need to be changed to 172.16.0.0/12? I thought the current IP setup falls within the private IP guidelines. I did notice a network overlap that I had corrected; is that what you were speaking of?


Re: CLI Configuration help Srx300 Srx220

‎03-22-2018 08:51 PM

As I have said before, I'm very new to the Juniper devices, so how to configure them to do what I'm wanting is the problem I'm having.


Re: CLI Configuration help Srx300 Srx220

‎03-23-2018 03:04 AM

The KB article is about a layer 2 transparent deploy.  This means ALL devices connected to the SRX are in the same subnet and broadcast domain.  I am pretty sure that is not what you are looking for here.

 

It seems you will have the SRX as the default gateway ip address for the subnets in all the associated domains you mention on the diagram.  This will be a standard layer 3 deploy.

 

Your default configuration will have an untrust zone that you can use for the ISP and a trust zone that you can use for one of these other areas and rename.

 

After that you will create a new zone and interface for each of the other areas.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/zone-and-interface-overview.html

 

And then create security policy for what you need to be reachable between the zones.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/policy-defining-cli.html

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: CLI Configuration help Srx300 Srx220

‎03-23-2018 06:51 AM
Actually I was wanting to use the subnet from the EdgeRouter before the SRX300. The inside of my network I would have no problem with; I worry about the WAN side of the network since I have a static ISP IP address. I'm trying to set up the SRX300 with individual ports so when I have a problem with a certain device I can at a glance see what IP it has, and if I have to down a switch it does not down all the network, it only downs that section that I'm having problems with. I do want restricted communication on certain ethernet ports, like in particular DMZ to my inside network and internet input to the secured LAN; those would have to have security restrictions (zones), definitely my NAS servers, but free communication for authorized devices that are inside my network. My DMZ is already on a completely separated network subnet. I will use the SRX 220 as the routing point to communicate with the DMZ, but I don't want to slow down the SRX 300 with routing, so yes, I was wanting a level 2 device. I just need some communication between eth ports restricted on incoming communication from the outside WAN.

Re: CLI Configuration help Srx300 Srx220

‎03-24-2018 04:07 AM

You won't be able to use transparent mode for that application.  Transparent mode requires that all the interfaces be in the same broadcast domain.  In your case these are all independent subnets.

 

You can do this with secure wire mode.  This will require you to use two ports for each of the connections.  This essentially inserts the SRX into the cable as a part of the "wire" between two devices.  So it may also simplify adding the SRX this way into your system.  You just disconnect the current link from between the two devices and pass it through a pair of ports on the SRX.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/layer-2-secure-wire-understanding.h...

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: CLI Configuration help Srx300 Srx220

‎03-25-2018 07:46 PM
Ok, well that is not what I wanted to read. Ok, in that case could you give me a hand in just configuring the interfaces to one single VLAN using just one VLAN ID?

Re: CLI Configuration help Srx300 Srx220

‎03-25-2018 10:51 PM

Hi Folks,

Just want to share that the Junos boxes have a good collection of help topics accessible from the box CLI… Tons of data....

 

labroot@srx300> help apropos transparent

help reference l2-learning global-mode-security-devices

    Specify global mode for device as L2 transparent mode

 

labroot@srx300> help apropos l2-learning                               

show l2-learning

    Show l2 learning information

clear l2-learning

    Clear learned Layer 2 MAC address information

help topic l2-learning

help reference l2-learning

help reference l2-learning l2-learning-security-devices

    Configure L2 address learning and forwarding

help reference l2-learning l2-learning

    Layer 2 address learning and forwarding for entire router

 

labroot@srx300> help reference l2-learning global-mode-security-devices

global-mode (Protocols)

 

  Syntax

 

     global-mode (switching | transparent-bridge) ;

 

  Hierarchy Level

 

     [edit protocols l2-learning]

 

  Release Information

 

     Statement introduced in Junos OS Release 15.1X49-D40.

 

  Description

 

     Specify the global mode for the SRX Series device as Layer 2 transparent

     bridge mode or switching mode. After changing the mode, you must reboot

     the device for the configuration to take effect.

 

     +----------------------------------------------------------------------+

     | Note: | Switching mode is currently not supported on all SRX Series  |

     |       | devices.                                                     |

     +----------------------------------------------------------------------+

 

  Default

 

     transparent-bridge

 

  Required Privilege Level

 

     routing-To view this statement in the configuration.

     routing-control-To add this statement to the configuration.

 

  Related-Topics

 

        * l2-learning (Protocols)

 

labroot@srx300>

 

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: CLI Configuration help Srx300 Srx220

‎03-26-2018 03:15 AM

The article you link above would create the transparent mode for a single broadcast domain; then you would just need to insert the SRX into the path you want to monitor.  Remember that you can only control traffic that goes across that path.

 

But it might be better, if you go down that path, to do a single secure wire as your first deploy instead.  Then you have the option to expand that to a second and subsequent links over time.  This would be the setup to have two interfaces for secure wire on an access port.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/layer-2-secure-wire-for-access-mode...

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: CLI Configuration help Srx300 Srx220

‎04-01-2018 12:20 AM
Ok, please help, getting very angry. When I enter edit on the CLI it takes me to the edit side. I start entering the commands that were listed, and when I get to edit interfaces I start to enter the commands and I hit the space bar and it does some stupid thing and will not let me use the space bar without giving me an error. This is too difficult to get something done.

Re: CLI Configuration help Srx300 Srx220

‎04-02-2018 02:46 AM

Junos configurations are based on the hierarchy as you noticed and navigated to the sub-tree for interface.

But the commands in the article are assuming you are at the root of the tree and not on the interface area.

 

Junos will prevent you from entering an invalid command as they first appear.

And the space bar is an auto-complete key (as is tab); when you hit space after some characters it will auto-fill the unique matching command.

 

So when working with the documentation link stay at the root

or

eliminate the portion of the command that matches your position in the tree as printed above your cursor.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: CLI Configuration help Srx300 Srx220

‎04-02-2018 07:03 AM
I don't mean to be a bother; could you submit some examples of what was previously stated? I'm not following what you mean by stay at the root. Do you mean login under root? I don't understand what is being conveyed.

Re: CLI Configuration help Srx300 Srx220

‎04-03-2018 02:55 AM

By root I mean the top of the configuration.  Where the prompt is just user@host# in configuration.

 

So this command from the KB is from the top or root of the config:

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access

 

If you use edit to move to the interface it shows you your current location and the new command would be

[edit interfaces ge-0/0/0]

user@host# set unit 0 family ethernet-switching interface-mode access

 

The command includes a full location list in the configuration tree as well as the command object.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
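To put Steve's two points together, the Layer 3 zone-and-policy layout from his 03-23 reply and the root-versus-edit hierarchy from his 04-03 reply, here is an added example of what a Junos set-format configuration for Matt's communication matrix could look like. It is not from the thread or from Juniper; the port roles, the 172.16.x.0/24 subnets and the erpro-8 address are constructed assumptions, and the DHCP relay lines assume the legacy bootp helper Steve mentioned is available on this release.

```junos
# Added example, not from the thread: SRX300 as a Layer 3 zone firewall for the
# matrix Matt posted. Port roles, subnets and the erpro-8 address (172.16.0.1) are
# constructed assumptions, and the factory ethernet-switching/irb config on these
# ports is assumed already deleted. Paste at the [edit] prompt, then "commit check".
set interfaces ge-0/0/0 unit 0 family inet address 172.16.0.2/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.20.1/24
set interfaces ge-0/0/3 unit 0 family inet address 172.16.30.1/24
set interfaces ge-0/0/4 unit 0 family inet address 172.16.40.1/24
set routing-options static route 0.0.0.0/0 next-hop 172.16.0.1
# One zone per area; the SRX is the gateway for each subnet and does no NAT.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone wired interfaces ge-0/0/1.0
set security zones security-zone wireless interfaces ge-0/0/2.0
set security zones security-zone nas interfaces ge-0/0/3.0
set security zones security-zone dmz interfaces ge-0/0/4.0
# DHCP stays on the erpro-8: the SRX must accept DHCP on the client zones and relay it.
set security zones security-zone wired host-inbound-traffic system-services dhcp
set security zones security-zone wireless host-inbound-traffic system-services dhcp
set forwarding-options helpers bootp interface ge-0/0/1.0 server 172.16.0.1
set forwarding-options helpers bootp interface ge-0/0/2.0 server 172.16.0.1
# Policies permit only the first-packet direction (replies ride the session); pairs not listed stay denied.
set security policies default-policy deny-all
set security policies from-zone wired to-zone wireless policy permit-all match source-address any destination-address any application any
set security policies from-zone wired to-zone wireless policy permit-all then permit
set security policies from-zone wireless to-zone wired policy permit-all match source-address any destination-address any application any
set security policies from-zone wireless to-zone wired policy permit-all then permit
set security policies from-zone wired to-zone untrust policy permit-all match source-address any destination-address any application any
set security policies from-zone wired to-zone untrust policy permit-all then permit
set security policies from-zone wireless to-zone untrust policy permit-all match source-address any destination-address any application any
set security policies from-zone wireless to-zone untrust policy permit-all then permit
set security policies from-zone wired to-zone nas policy permit-all match source-address any destination-address any application any
set security policies from-zone wired to-zone nas policy permit-all then permit
set security policies from-zone nas to-zone wired policy permit-all match source-address any destination-address any application any
set security policies from-zone nas to-zone wired policy permit-all then permit
set security policies from-zone wireless to-zone nas policy permit-all match source-address any destination-address any application any
set security policies from-zone wireless to-zone nas policy permit-all then permit
set security policies from-zone nas to-zone wireless policy permit-all match source-address any destination-address any application any
set security policies from-zone nas to-zone wireless policy permit-all then permit
set security policies from-zone wired to-zone dmz policy permit-all match source-address any destination-address any application any
set security policies from-zone wired to-zone dmz policy permit-all then permit
set security policies from-zone wireless to-zone dmz policy permit-all match source-address any destination-address any application any
set security policies from-zone wireless to-zone dmz policy permit-all then permit
# The same wired->dmz policy typed from inside the tree instead of from the top:
#   user@host# edit security policies from-zone wired to-zone dmz
#   [edit security policies from-zone wired to-zone dmz]
#   user@host# set policy permit-all match source-address any destination-address any application any
#   user@host# set policy permit-all then permit
#   user@host# top
```

After commit, `show security policies` confirms the zone pairs that exist, and `show security flow session` shows which zone pair a live connection matched, which is the quickest way to see why a DMZ-to-wired attempt is being dropped.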