In this lesson, we will learn how to Configure Juniper SRX as a beginner. We will configure it as our network gateway. We will perform the following activities and it will be updated day by day.
- Configuring root password
- Creating a new username
- Giving a hostname
- Set DNS server on Juniper SRX
- Enabling SSH on SRX
- Setting up ntp and time zone
- IP addressing
- Configure two zone. One will be internet facing and another will be LAN facing.
- Security policy configuration for Zone
- Configure static as a routing protocol
- OSPF configuration
- Configure NAT
- High Availability
So, let’s begin with below network topology.
If we login to the new SRX box, there will be no password for root. Just press ENTER.
login: root Password: --- JUNOS 12.1X47-D20.7 built 2015-03-03 21:53:50 UTC root@%
We need to use “cli” to enter Operational mode.
root@% cli root>
Enter configuration mode by using configure command.
root> configure Entering configuration mode  root#
Now, let’s move to the main configuration part, where we will configure Juniper SRX as a network gateway.
root# set system root-authentication plain-text-password New password: Retype new password:  root#
 root# set system login user rajib class super-user authentication plain-text-password New password: Retype new password:
 root# set system host-name letsconfig-SRX  root# commit commit complete  root@letsconfig-SRX#
 root@letsconfig-SRX# set system name-server 126.96.36.199
 root@letsconfig-SRX# set system services ssh
 root@letsconfig-SRX#set system time-zone Asia/Dhaka  root@letsconfig-SRX# set system ntp server time.google.com
I am from Bangladesh, that’s why my time zone is Asia/Dhaka. Set your own time-zone here. Important: While using the domain name as ntp server, please make sure you have reachbility to that domain and also you have DNS enable.
We can use following commands to verify our ntp.
 root@letsconfig-SRX# run show ntp status status=c035 sync_alarm, sync_unspec, 3 events, event_clock_reset, version="ntpd 4.2.0-a Tue Mar 3 22:07:26 UTC 2015 (1)", processor="i386", system="JUNOS12.1X47-D20.7", leap=11, stratum=16, precision=-19, rootdelay=0.000, rootdispersion=0.180, peer=0, refid=STEP, reftime=00000000.00000000 Thu, Feb 7 2036 12:28:16.000, poll=4, clock=df0f2f46.7604dcc4 Sat, Aug 4 2018 1:45:10.461, state=3, offset=0.000, frequency=0.000, jitter=0.002, stability=0.000  root@letsconfig-SRX# run show system uptime | match current Current time: 2018-08-04 01:45:53 BDT
Here note that, family mode inet means it’s IPv4, inet6 means IPv6.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.3.100/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all
I allowed everything on our network. You can restrict services and protocols here. Use a question mark (?) after “system-services” and “protocols”, check which one is needed for your network and allow them accordingly.
edit security policies from-zone trust to-zone untrust policy our-internet-policy set match source-address any set match destination-address any set match application any set then permit exit edit security policies from-zone untrust to-zone trust policy our-deny-policy set match source-address any set match destination-address any set match application any set then deny exit commit
In this section, i allowed everything in outgoing path and deny everything in incoming path.
set routing-options static route 0.0.0.0/0 next-hop 192.168.3.1
This is the way to configure static in JunOS.
I have started a series on OSPF configuration on Juniper.
Here is a basic PAT configuration of PAT on Juniper SRX.
set security nat source rule-set our-nat-rule-set from zone trust set security nat source rule-set our-nat-rule-set to zone untrust set security nat source rule-set our-nat-rule-set rule our-nat-rule match source-address 10.1.1.0/24 set security nat source rule-set our-nat-rule-set rule our-nat-rule match destination-address 0.0.0.0/0 set security nat source rule-set our-nat-rule-set rule our-nat-rule then source-nat interface
I will publish multiple tutorials on High Availability. Hope, following articles will help you all.
Note: If you want to know more about Juniper SRX product line, please have a look https://www.juniper.net/us/en/products-services/security/srx-series/.