Configure Juniper SRX from scratch

In this lesson, we will learn how to Configure Juniper SRX as a beginner. We will configure it as our network gateway. We will perform the following activities and it will be updated day by day.

So, let’s begin with below network topology.

Network topology

Configure Juniper SRX from scratch topology

If we login to the new SRX box, there will be no password for root. Just press ENTER.

Advertisements
login: root
Password:

--- JUNOS 12.1X47-D20.7 built 2015-03-03 21:53:50 UTC
root@%

We need to use “cli” to enter Operational mode.

root@% cli
root>

Enter configuration mode by using configure command.

root> configure
Entering configuration mode

[edit]
root#

Now, let’s move to the main configuration part, where we will configure Juniper SRX as a network gateway.

Use “commit” command to apply candidate configuration as active configuration.

Configuring root password:

root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root#

Creating a new user name:

[edit]
root# set system login user rajib class super-user authentication plain-text-password
New password:
Retype new password:

Giving a hostname.

[edit]
root# set system host-name letsconfig-SRX

[edit]
root# commit
commit complete

[edit]
root@letsconfig-SRX#

Set DNS server on Juniper SRX:

[edit]
root@letsconfig-SRX# set system name-server 8.8.8.8

Enabling SSH on SRX:

[edit]
root@letsconfig-SRX# set system services ssh

Setting up ntp and time zone:

[edit]
root@letsconfig-SRX#set system time-zone Asia/Dhaka
[edit]
root@letsconfig-SRX# set system ntp server time.google.com

I am from Bangladesh, that’s why my time zone is Asia/Dhaka. Set your own time-zone here. Important: While using the domain name as ntp server, please make sure you have reachbility to that domain and also you have DNS enable.

We can use following commands to verify our ntp.

[edit]
root@letsconfig-SRX# run show ntp status
status=c035 sync_alarm, sync_unspec, 3 events, event_clock_reset,
version="ntpd 4.2.0-a Tue Mar 3 22:07:26 UTC 2015 (1)",
processor="i386", system="JUNOS12.1X47-D20.7", leap=11, stratum=16,
precision=-19, rootdelay=0.000, rootdispersion=0.180, peer=0,
refid=STEP, reftime=00000000.00000000 Thu, Feb 7 2036 12:28:16.000,
poll=4, clock=df0f2f46.7604dcc4 Sat, Aug 4 2018 1:45:10.461, state=3,
offset=0.000, frequency=0.000, jitter=0.002, stability=0.000


[edit]
root@letsconfig-SRX# run show system uptime | match current
Current time: 2018-08-04 01:45:53 BDT

IP addressing:

Here note that, family mode inet means it’s IPv4, inet6 means IPv6.

Advertisements
set interfaces ge-0/0/0 unit 0 family inet address 192.168.3.100/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24

Zone configuration:

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

I allowed everything on our network. You can restrict services and protocols here. Use a question mark (?) after “system-services” and “protocols”, check which one is needed for your network and allow them accordingly.

Security policy configuration for Zone:

edit security policies from-zone trust to-zone untrust policy our-internet-policy
            set match source-address any
            set match destination-address any
            set match application any
            set then permit
            exit

edit security policies from-zone untrust to-zone trust policy our-deny-policy 
            set match source-address any
            set match destination-address any
            set match application any
            set then deny
            exit
commit

In this section, i allowed everything in outgoing path and deny everything in incoming path.

Configure static as a routing protocol:

set routing-options static route 0.0.0.0/0 next-hop 192.168.3.1

This is the way to configure static in JunOS.

OSPF Configuration:

I have started a series on OSPF configuration on Juniper.

BGP Configuration:

You will find a BGP series on this blog. This list of articles which will be updated day by day. So, keep in touch.

Configure NAT/PAT:

Here is a basic PAT configuration of PAT on Juniper SRX.

set security nat source rule-set our-nat-rule-set from zone trust
set security nat source rule-set our-nat-rule-set to zone untrust
set security nat source rule-set our-nat-rule-set rule our-nat-rule match source-address 10.1.1.0/24
set security nat source rule-set our-nat-rule-set rule our-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set our-nat-rule-set rule our-nat-rule then source-nat interface

High Availability:

I will publish multiple tutorials on High Availability. Hope, following articles will help you all.

VPN:

Finally, here is list of articles on VPN.

Note: If you want to know more about Juniper SRX product line, please have a look https://www.juniper.net/us/en/products-services/security/srx-series/.

This article will be updated day by day. So, if you want me to write on any particular topic. Please feel free to contact me. 🙂

Leave a Comment

Your email address will not be published. Required fields are marked *

32 thoughts on “Configure Juniper SRX from scratch”

  1. Hi, I need some assistance with migrating from SSG5 to SRX300. I only use the SSG5 for an IPSec VPN back to my PA. Is there an easy way to convert my SSG5 config to work with the SRX300? Very basic and simple config.

    Thanks!

  2. Hi,
    Please how can I configure two different ports as different zones and allow internet traffic for each zones

  3. Hi. I am new to Juniper and need some help and guidance.

    I have to do a basic setup with a SRX300. I am getting a fiber line from ISP which is connected to a ZyXel GPON converter that givesme the chance to use RJ45.

    Basically, what I want is, ge0/0/0 to be for the ISP, ge0/0/1 and ge0/0/2 to be used for my NAS server, ge0/0/3 for client PC and ge0/0/4+ge0/0/5 for access points.
    Of course if it’s possible, I get rid of the ZyXel convertor and use SFP module on ge0/0/7.

    Also, my ISP provider says that I need to set ViD 101 on the WAN in order to access the www.

    Can anyone advise on this? Every help would appreciated!

    Thanks in advance!

  4. Hi, Rajib

    my cisco configuration is

    ip route 0.0.0.0 0.0.0.0 172.24.138.118

    ip nat pool 1 117.242.156.49 117.242.156.54 netmask 255.255.255.248
    ip nat inside source list 1 pool 1 overload

    ip access-list standard 1
    permit any

    what is the configuration on juniper srx320?
    Please solve this.

  5. Hi rajib,
    in my scenario 192.168.0.1/24 is trust zone int ge-1 & 172.24.138.117/30 is untrust zone int ge- 3 and gateway is 172.24.138.118, and public ip is
    117.242.156.49 – 117.242.156.54

    how to configure in this scenario?

    1. The configuration depends on your requirements. However, I think, you only need basic configuration which is already mentioned here. If you face any problem during the implementation, you always can reach out to me through comment.

  6. Hi,

    Thanks for your reply .below are commands configured for cisco router

    snmp-server group MYGROUP v3 priv
    snmp-server trap-source GigabitEthernet0
    snmp-server host 192.126.111.214 version 3 priv MYUSER
    snmp-server host 192.126.124.18 version 3 priv MYUSER

    MYPRTG1—- For PRTG Monitoring
    Auth – M0nit!
    DES
    pri- Prtg!@24×7

    MYUSER— For SNMP Monitoring
    Auth – M0n24!
    DES
    pri- Nnm!4×7

    Can u share me juniper configuration for SNMP configuration on SRX 550 Juniper .Also share how to configure management interface in juniper ??

  7. Hi

    Static NAT is configured in Cisco Router .
    ip nat inside source static 10.10.10.1 134.101.115.29

    I want to configure same into juniper SRX 550 router .Can u share me equivalent Juniper configuration ??

    1. Hi Naresh, below are your desire commands. Hope it will help.

      set security nat static rule-set OUR-RS-01 from zone UNTRUST
      set security nat static rule-set OUR-RS-01 rule OUR-RULE-01 match destination-address 134.101.115.29/32
      set security nat static rule-set OUR-RS-01 rule OUR-RULE-01 then static-nat 10.10.10.1/32

      Keep in mind, if you are not doing NAT with interface IP, then you need to configure proxy ARP.

      set security nat proxy-arp interface ge-0/0/0.0 address 134.101.115.29/32
  8. Hi
    I am new to juniper .Can u explain meaning of below commands ??

    set applications application tcp_8080 protocol tcp
    set applications application tcp_8080 destination-port 8080

    set applications application udp_3200-3205 protocol udp
    set applications application udp_3200-3205 destination-port 3200-3205
    set applications application-set SAP_Router_Acess application tcp_3200-3205
    set applications application-set SAP_Router_Acess application udp_3200-3205
    set applications application-set SAP_Router_Acess application tcp_102
    set applications application-set SAP_Router_Acess application tcp_3299

    1. This is the way to create custom application and application-set. In first part of the above commands, it’s forwarding all the traffic to destination port 8080. You need to add policy for this application to complete full configuration.

Scroll to Top