In this lesson, we will learn how to configure a Juniper SRX as a beginner, setting it up as our network gateway. We will perform the following activities, and this page will be updated day by day.

So, let’s begin with the network topology below.

Network topology:

[Figure: Configure Juniper SRX from scratch topology]

When we log in to a new SRX box, there is no password for root. Just press ENTER.

login: root
Password:

--- JUNOS 12.1X47-D20.7 built 2015-03-03 21:53:50 UTC
root@%

We need to use the “cli” command to enter operational mode.

root@% cli
root>

Enter configuration mode by using the configure command.

root> configure
Entering configuration mode

[edit]
root#

Now, let’s move to the main configuration part, where we will configure Juniper SRX as a network gateway.

Use the “commit” command to apply the candidate configuration as the active configuration.

Configuring root password:

root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root#

Creating a new user:

[edit]
root# set system login user rajib class super-user authentication plain-text-password
New password:
Retype new password:

Setting a hostname:

[edit]
root# set system host-name letsconfig-SRX

[edit]
root# commit
commit complete

[edit]
root@letsconfig-SRX#

Set DNS server on Juniper SRX:

[edit]
root@letsconfig-SRX# set system name-server 8.8.8.8

Enabling SSH on SRX:

[edit]
root@letsconfig-SRX# set system services ssh

Setting up NTP and time zone:

[edit]
root@letsconfig-SRX# set system time-zone Asia/Dhaka
[edit]
root@letsconfig-SRX# set system ntp server time.google.com

I am from Bangladesh, which is why my time zone is Asia/Dhaka. Set your own time zone here. Important: when using a domain name as the NTP server, make sure you have reachability to that domain and that DNS is enabled.

We can use the following commands to verify NTP. In the output below, stratum=16 means the clock has not yet synchronized with the server; re-check after a few minutes, when the stratum should drop.

[edit]
root@letsconfig-SRX# run show ntp status
status=c035 sync_alarm, sync_unspec, 3 events, event_clock_reset,
version="ntpd 4.2.0-a Tue Mar 3 22:07:26 UTC 2015 (1)",
processor="i386", system="JUNOS12.1X47-D20.7", leap=11, stratum=16,
precision=-19, rootdelay=0.000, rootdispersion=0.180, peer=0,
refid=STEP, reftime=00000000.00000000 Thu, Feb 7 2036 12:28:16.000,
poll=4, clock=df0f2f46.7604dcc4 Sat, Aug 4 2018 1:45:10.461, state=3,
offset=0.000, frequency=0.000, jitter=0.002, stability=0.000

[edit]
root@letsconfig-SRX# run show system uptime | match current
Current time: 2018-08-04 01:45:53 BDT

IP addressing:

Note that family inet means IPv4 and family inet6 means IPv6.

set interfaces ge-0/0/0 unit 0 family inet address 192.168.3.100/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24

Zone configuration:

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

I allowed everything on our network. You can restrict services and protocols here: use a question mark (?) after “system-services” and “protocols”, check which ones are needed for your network and allow them accordingly.

Security policy configuration for Zone:

edit security policies from-zone trust to-zone untrust policy our-internet-policy
            set match source-address any
            set match destination-address any
            set match application any
            set then permit
            exit

edit security policies from-zone untrust to-zone trust policy our-deny-policy
            set match source-address any
            set match destination-address any
            set match application any
            set then deny
            exit
commit

In this section, I allowed everything on the outgoing path and denied everything on the incoming path.
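As an added example (not part of the original article), here is a small Python audit that parses Junos set statements like the ones in the zone and policy sections above and flags the two points those sections raise: the untrust zone’s host-inbound-traffic left at “all”, and the absence of an explicit deny policy from untrust to trust. The sample configuration is constructed from the article’s own statements in flat set form; the hardened variant that narrows the untrust zone to ping is my assumption of what “needed” could look like.

```python
"""Audit Junos 'set' statements for the two hardening points raised in the zone and policy sections."""
from collections import defaultdict

# Constructed sample: the article's zone and policy statements, rewritten in flat 'set' form.
ARTICLE_CONFIG = """
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security policies from-zone trust to-zone untrust policy our-internet-policy match application any
set security policies from-zone trust to-zone untrust policy our-internet-policy then permit
set security policies from-zone untrust to-zone trust policy our-deny-policy match application any
set security policies from-zone untrust to-zone trust policy our-deny-policy then deny
"""
# Constructed hardened variant (assumption): the untrust zone answers ping only and no routing protocols.
HARDENED_CONFIG = ARTICLE_CONFIG.replace(
    "untrust host-inbound-traffic system-services all", "untrust host-inbound-traffic system-services ping"
).replace("set security zones security-zone untrust host-inbound-traffic protocols all\n", "")

def parse_set_lines(text):
    """Split every 'set ...' statement into tokens, dropping the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]

def zone_host_inbound(stmts, zone):
    """Map 'system-services' / 'protocols' -> values allowed in the zone's host-inbound-traffic."""
    allowed = defaultdict(set)
    for s in stmts:
        if len(s) >= 7 and s[:5] == ["security", "zones", "security-zone", zone, "host-inbound-traffic"]:
            allowed[s[5]].add(s[6])
    return allowed

def policy_actions(stmts, from_zone, to_zone):
    """Map policy name -> 'then' action for one from-zone/to-zone pair."""
    actions = {}
    for s in stmts:
        if len(s) >= 10 and s[:7] == ["security", "policies", "from-zone", from_zone, "to-zone", to_zone, "policy"] \
                and s[8] == "then":
            actions[s[7]] = s[9]
    return actions

def audit(text):
    """Return findings: untrust zone open to all host-inbound traffic, or no explicit untrust->trust deny."""
    stmts = parse_set_lines(text)
    findings = []
    for kind, values in zone_host_inbound(stmts, "untrust").items():
        if "all" in values:
            findings.append(f"untrust host-inbound {kind} is 'all'; allow only what the gateway must answer")
    if "deny" not in policy_actions(stmts, "untrust", "trust").values():
        findings.append("no explicit deny policy from untrust to trust")
    return findings
```

Running audit(ARTICLE_CONFIG) reports the two “all” settings on the untrust zone, while audit(HARDENED_CONFIG) returns no findings.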

Configuring a static route:

set routing-options static route 0.0.0.0/0 next-hop 192.168.3.1

This is how a static route is configured in JunOS.

OSPF configuration:

I have started a series on OSPF configuration on Juniper.

Configure NAT/PAT:

Here is a basic PAT configuration on Juniper SRX, translating the trust subnet to the address of the untrust interface.

set security nat source rule-set our-nat-rule-set from zone trust
set security nat source rule-set our-nat-rule-set to zone untrust
set security nat source rule-set our-nat-rule-set rule our-nat-rule match source-address 10.1.1.0/24
set security nat source rule-set our-nat-rule-set rule our-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set our-nat-rule-set rule our-nat-rule then source-nat interface

High Availability:

I will publish multiple tutorials on High Availability. I hope the following articles will help you all.

VPN:

Note: If you want to know more about the Juniper SRX product line, please have a look at https://www.juniper.net/us/en/products-services/security/srx-series/.

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 7+ years of experience in multi-vendor environments. In my current company, I am responsible for taking care of critical projects and their support cases. I have several vendor certificates and plan to go further.

This article has 2 comments

  1. Johnson

    I will need help to configure vSRX on Ubuntu in the cloud. I need help.
