SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX and EX Configuration Assistance For Newbie

  • 1.  SRX and EX Configuration Assistance For Newbie

    Posted 02-22-2017 08:38

    Hello,

     

    I have two networks at home which right now are all part of the same network with the exception of two physical wireless APs on separate SSIDs; one for work and one for home.  I own a SRX240H2 Services Gateway and an EX2200-C layer 3 switch.  I would like to segregate all network traffic via VLAN and firewall rules and have a dedicated port for remote users to VPN in to on a separate VLAN as well (also firewalled off).  Right now the configuration is "flat"; meaning all clients can communicate with all clients.

     

    I have comcast coming into my SRX on ge0/0/0 and have reserved ge0/1/0 through ge0/7/0 for my home network.  I have reserved ge0/8/0 through ge0/14/0 for the work network.  The VPN port would be on ge0/15/0, I would have to have the SRX give the VPN server I'm using a static address and allow the VPN Server to assign DHCP addresses in the subnet.  The EX is on port ge0/1/0.  The EX would be configured to have home network clients on odd numbered ports ge0/1/0 through ge0/5/0 and the work network clients on ge/0/0/0 through ge/0/6/0.  The EX is connected to the SRX on ge/0/7/0.

     

    Can someone please help me.  I have been struggling with this for a long time and have exhausted my Google capabilities.  I don't know if providing configurations is going to help at all considering there is nothing to it at the moment and I fear that putting my mess of a configuration up would be a red herring.

     

    Thank you



  • 2.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 02-22-2017 16:11

    I'd suggest breaking down the setup into sections. 

     

    1-Setup dual VLAN and zones for your two computer segments as desired

    2-Adjust the security policies as desired between the two zones

    3-Add on the remote access setup

     

    For the first two I have a sample configuration for SRX and EX in the free Day One: Ambassadors Cookbook 2014,  Managed Switching for a Small office on page 13.  This gives you the basics of getting the switch and SRX setup and the VLANs and zone policy samples.

     

    http://forums.juniper.net/t5/Day-One-Books/Day-One-Juniper-Ambassadors-Cookbook-for-2014/ba-p/258419

     

    Once this is working you can add a remote access VPN.  To provide this link we need to know the version of Junos you are running.  There are some significant changes to remote access VPN across versions.  But you will need to get your base network up and running first anyway.



  • 3.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 02-23-2017 07:50

    Steve,

     

    Thank you so much for the help.  I will start with what you have given me and work at making it all functional; and if I have issues post configuration.

     

    Most of my struggle is around command-line syntax but I am assuming that your guide has a good mix of concepts and commands and the configuration as you had stated.

     

    For the VPN I actually want that one port to be on a third separate VLAN.  What I am going to do is not use the SRX for the VPN.  I will instead be allowing VPN traffic inbound and forward it on to a Debian box that I have OpenVPN on, so I will have to create a third VLAN which has firewall rules to block the other two and vice versa, and will need the Debian box to be able to DHCP serve addresses in the VLAN and configure that on the SRX; or do I just allow the VPN in and the Debian box to do the DHCP and the rest takes care of itself?  Does this clarify?

     

    Thank you

     

    Kenny



  • 4.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 02-23-2017 14:17

    Yes, that does clarify the situation.  

     

    In that case, you will create three VLANs and zones instead of two using the same instructions above.

     

    Then for your VPN zone you will need to configure a destination NAT from the internet into your server.  See page 8 and following in this guide.

     

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf



  • 5.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 02-24-2017 07:18

    Thank you again for the assistance, I have reviewed the instructions and drawn pictures and come up with mock commands for my setup.

     

    The only questions I have before I dig in are:

     

    Do you know of a way to write a firewall rule to block any port and any protocol from source to destination?  Does "application any" cover that or is it something else?  I read your introduction pages on small business and home SRX and EX configuration and it is not clear to me where the denys are in place for the firewall rules in the zones.

     

    Last question.  Is there a way to set up the management interface on the EX so that I can just plug an ethernet cable into it and hook it directly up to my computer?  Can I setup one port that is part of one of the three VLANs (work-vlan) on the SRX so that I can only manage it from that port to restrict access?  If I cannot hook directly up to the EX with my laptop is there a way that I can set it up so that I can manage the EX from the work-vlan?  I do not have the ability to set up another ethernet connection from my office which has the SRX to the ESX which is downstairs so I have to hook the SRX up to the EX for "normal" traffic.  Basically I won't have a management VLAN.

     

    Thanks again!



  • 6.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 02-24-2017 18:02

    The default policy on the SRX is deny.  So any traffic that you do NOT have a rule to permit between the zones will be denied by the firewall without any further need for configuration.  Generally you only need to add deny rules like that if you need to log the behavior for reference as the default deny is silent and does not log.

     

    VMware supports having tagged interfaces for the vswitches inside the hypervisor.  So you can have a vswitch for each of your zone LAN segments and put them physically on the same port to the EX switch.  This will be a trunk port setup that includes all three VLANs.

     

    On the VMware host, you can choose per vswitch which ones permit management.  On the vswitch setup you check the box to allow management on the desired vswitch VLAN and simply leave it off on the others.  Then you can only manage the ESX server on the desired network segment.



  • 7.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 02-27-2017 07:26

    Any way to do this without vmware?  Just setting up specific ports on the EX and SRX for management via J-Web without using the management port on EX?  Sorry, I don't have the infrastructure for the vmware to be up this is just my home/work office.



  • 8.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 02-28-2017 02:52

    Sorry, your message was asking about management of the ESX which is the acronym for VMware's hypervisor server.  From your comments here I'm thinking you meant the EX which is the Juniper switch.

     

    So if I follow this correctly, you are asking if it is required that you have a separate subnet where the dedicated ME interface on the EX switch would connect (along with all other mgmt traffic as in my example).

     

    This is not required, just a best practice to separate mgmt interfaces.  In your scenario it would also make sense to just assign the ME interface an address in your work VLAN.



  • 9.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-08-2017 11:40

    Is it possible to assign the ME interface an address in the work VLAN even if there is no ethernet going into it?

     

    I don't have two cables coming from upstairs to the downstairs.  Upstairs is where the SRX is and downstairs is where the EX is.



  • 10.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-08-2017 12:36

    Sorry,

     

    I am using the guides that you mentioned but have so many differences it is not making sense.  I do not want to allow or block certain traffic so I don't know if I have to setup zones.  I don't want an aggregate interface.  I need communication across access point DHCP clients that are on one VLAN on the SRX to be able to connect to the same VLAN on the EX and a bunch of other things that I can't seem to get to work.

     

    Attached is a network diagram of what I am trying to accomplish.  I am hoping that can clear things up as to what I am trying to accomplish and failing miserably to do so.

     

    Any help would be greatly appreciated.  I think it SHOULD be fairly straightforward but I'm stuck.

    Attachment(s)

    pdf
    SRX_and_EX_Diagram.pdf   4.78 MB 1 version


  • 11.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-11-2017 07:13

    So I think your best bet is to restore to factory default then and build from there on both devices:

     

    SRX

    I believe the default config has eth0/0 just as you want to face the ISP and the rest of the ports in a single trust vlan.

    So in your diagram we will call trust home.

    Plug this in and confirm everything works to the internet on this basic setup.

     

    After confirmation create a new work vlan and vpn vlan by just copying the vlan setup of trust:

    # show vlan | display set

    This will give you the command to create the vlans and just change the names

     

    Now move to the interfaces and delete the trust and then add the desired vlan for each assignment.

    skip the port facing the EX for now.

     

    Now create two new zones modeled on trust

    # show security zones security-zone trust | display set

     

    now duplicate the security policy for internet access from trust to untrust 

    # show security policies | display set

     

    duplicate the nat rules for internet access in the new zones

    # show security nat | display set

     

    duplicate the dhcp server settings for the subnets on the two new zones

    # show system services dhcp | display set

     

    Now commit and test all this that the three zones work on the SRX and have internet access.

     

    Next will be to extend to the EX switch.  Create a trunk port between the SRX and EX with the two vlans on this, per the guide in the Day One book.  Instead of ae interface just substitute the specific interfaces on both sides.

     

    On the EX, per the book, assign work vlan to the desired port and leave the home vlans as is.



  • 12.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-13-2017 12:43

    Thank you so much, you are a life saver.  Every time I go in there and mess things up I am learning new things and this will be enough for me to take that next step.

     

    I will be working on this today.

     

    Thanks again!!!!

     

    I want to get this marked as a solution and I really really appreciate your patience.



  • 13.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-13-2017 15:11

    Awesome, everything is working perfectly.

     

    I have attached my current configuration before I do the EX.  Any way you could look at it from a security perspective?  I have to make sure none of the Work, VPN, and Home machines can communicate with any port or protocol.  I think I have successfully moved the management of my SRX to the Work VLAN exclusively as well.

     

    Thanks!

    Attachment(s)

    txt
    CurrentConfig_SRX240H2.txt   13 KB 1 version


  • 14.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-14-2017 02:53

    The configuration looks good for the security policies.  They do what you want.

     

    But note that the deny policies from zone to zone are not necessary.  The default action if there is no explicit policy is to deny traffic.  Typically we only create deny policies when there is a need to log the attempt at the denied traffic.  And to do that you would need to add the log action.  With deny policies log actions need to be at session start instead of close if you want them.



  • 15.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-14-2017 09:41

    I'm not entirely sure what you mean by the start of the session as that translates to the syntax.  But I know what you mean in the log being a deny having to be in the beginning of the handshake (SYN).

     

    Is this right based on what you have stated or no?

     

             then {
                       deny;
                       log {
                              session-init;
                              session-close;
                       }
             }



  • 16.  RE: SRX and EX Configuration Assistance For Newbie
    Best Answer

    Posted 03-15-2017 02:52

    Yes, sorry for being a little obtuse, you have identified the two options

     

    start: session-init

    end:  session-close

     

    So when we log permitted sessions this is typically at close so we get the bandwidth data.  But you must log on init for deny rules.

     

    Basically, what I'm saying is if you don't need deny logs for auditing purposes, then there is no need to create those zone to zone deny rules because the SRX is doing that already.
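    The following is an added example, not the configuration posted in this thread and not from the Day One book, pulling together the build-out steps from post 11 (VLANs, zones, source NAT, DHCP, trunk to the EX), the destination NAT from post 4, and the logged deny rule from post 16. VLAN IDs, subnets, server address and port assignments are constructed; the OpenVPN port 1194/UDP is the OpenVPN default and is an assumption here. It uses the `vlan` unit syntax of the Junos releases that run on an SRX240 (newer SRX platforms use `irb` instead).

```junos
## Three VLANs with an L3 interface each (VLAN IDs and subnets are constructed)
set vlans home vlan-id 10 l3-interface vlan.10
set vlans work vlan-id 20 l3-interface vlan.20
set vlans vpn vlan-id 30 l3-interface vlan.30
set interfaces vlan unit 10 family inet address 192.168.10.1/24
set interfaces vlan unit 20 family inet address 192.168.20.1/24
set interfaces vlan unit 30 family inet address 192.168.30.1/24

## ISP-facing port gets its address from the provider by DHCP
set interfaces ge-0/0/0 unit 0 family inet dhcp

## One access port per VLAN as an example; repeat for the remaining ports
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members home
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members work
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vpn

## Trunk towards the EX carrying all three VLANs (a physical port instead of ae)
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ home work vpn ]

## One zone per VLAN; host-inbound-traffic is what the SRX itself will answer on
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone home interfaces vlan.10 host-inbound-traffic system-services dhcp
set security zones security-zone home interfaces vlan.10 host-inbound-traffic system-services ping
set security zones security-zone work interfaces vlan.20 host-inbound-traffic system-services dhcp
set security zones security-zone work interfaces vlan.20 host-inbound-traffic system-services ping
set security zones security-zone work interfaces vlan.20 host-inbound-traffic system-services https
set security zones security-zone vpn interfaces vlan.30 host-inbound-traffic system-services ping
set security zones security-zone vpn address-book address openvpn-server 192.168.30.10/32

## J-Web only on the work VLAN interface (management restricted to that zone)
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.20

## Internet access for each zone; inter-zone traffic has no policy and hits the default deny
set security policies from-zone home to-zone untrust policy home-internet match source-address any
set security policies from-zone home to-zone untrust policy home-internet match destination-address any
set security policies from-zone home to-zone untrust policy home-internet match application any
set security policies from-zone home to-zone untrust policy home-internet then permit
set security policies from-zone work to-zone untrust policy work-internet match source-address any
set security policies from-zone work to-zone untrust policy work-internet match destination-address any
set security policies from-zone work to-zone untrust policy work-internet match application any
set security policies from-zone work to-zone untrust policy work-internet then permit
set security policies from-zone vpn to-zone untrust policy vpn-internet match source-address any
set security policies from-zone vpn to-zone untrust policy vpn-internet match destination-address any
set security policies from-zone vpn to-zone untrust policy vpn-internet match application any
set security policies from-zone vpn to-zone untrust policy vpn-internet then permit
set security policies default-policy deny-all

## Optional: an explicit deny that exists only to produce a log; deny logs must use session-init
set security policies from-zone work to-zone home policy log-work-to-home match source-address any
set security policies from-zone work to-zone home policy log-work-to-home match destination-address any
set security policies from-zone work to-zone home policy log-work-to-home match application any
set security policies from-zone work to-zone home policy log-work-to-home then deny
set security policies from-zone work to-zone home policy log-work-to-home then log session-init

## Source NAT to the ISP address for all three LAN zones
set security nat source rule-set lan-to-internet from zone [ home work vpn ]
set security nat source rule-set lan-to-internet to zone untrust
set security nat source rule-set lan-to-internet rule snat-all match source-address 0.0.0.0/0
set security nat source rule-set lan-to-internet rule snat-all then source-nat interface

## Destination NAT from the internet to the OpenVPN box, plus the policy that permits it
## (port 1194/UDP is the OpenVPN default and an assumption here)
set applications application openvpn-udp protocol udp destination-port 1194
set security nat destination pool openvpn-server address 192.168.30.10/32 port 1194
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule to-openvpn match destination-address 0.0.0.0/0
set security nat destination rule-set from-internet rule to-openvpn match destination-port 1194
set security nat destination rule-set from-internet rule to-openvpn then destination-nat pool openvpn-server
set security policies from-zone untrust to-zone vpn policy inbound-openvpn match source-address any
set security policies from-zone untrust to-zone vpn policy inbound-openvpn match destination-address openvpn-server
set security policies from-zone untrust to-zone vpn policy inbound-openvpn match application openvpn-udp
set security policies from-zone untrust to-zone vpn policy inbound-openvpn then permit

## SRX-served DHCP for the home VLAN (repeat for work); the vpn VLAN is served by the Debian box
set system services dhcp pool 192.168.10.0/24 address-range low 192.168.10.100 high 192.168.10.200
set system services dhcp pool 192.168.10.0/24 router 192.168.10.1
set system services dhcp pool 192.168.10.0/24 propagate-settings ge-0/0/0.0
```

    Two points worth checking after `commit`: `show security policies` should list only the four permit policies and the single logged deny, so any home/work/vpn pair without a policy is silently dropped by `default-policy deny-all`; and the inbound OpenVPN policy matches the post-NAT address (`openvpn-server`) and a single application rather than `any`, so only that port reaches the vpn zone from the internet.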



  • 17.  RE: SRX and EX Configuration Assistance For Newbie

    Posted 03-16-2017 07:52

    Thank you so much for your help.  I have not configured the EX or VPN yet but in previous attempts i think it is under control.  In addition to the help and documentation you have provided I'm certain I get how this works now.