Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Juniper SRX NOOBIE

Posted on 2011-09-29
12
Medium Priority
?
1,133 Views
Last Modified: 2012-06-27

I am complete noob to JunOS and SRX so I am trying to use the J-Web interface to configure a new SRX240.  Of course I cannot figure out how to do the most basic thing.  I need to configure the outside "untrust" interface to have the IP of 1.2.3.4/30 with the gateway of 1.2.3.5.  But I cannot see where to add the gateway for the external facing interface (ge 0/0/0.0).  Thus I cannot get connectivity to the internet.  Perhaps I need to add services or protocols to the untrust zone; I have not made any changes to this zone since the intial config wizard set this up.  Any help would be great
0
Comment
Question by:bruce8024
  • 6
  • 6
12 Comments
 
LVL 32

Accepted Solution

by:
harbor235 earned 2000 total points
ID: 36890949


under routing options,

CLI:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.2.3.4;
       
JWEB:
http://www.juniper.net/techpubs/en_US/junos11.3/topics/task/configuration/routing-policy-ex-series-j-web.html

harbor235 ;}

0
 

Author Comment

by:bruce8024
ID: 36893180
Do I need to add the external gateway for 1.2.3.4?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893188

substitute your gateway for 1.2.3.4, it was just an example.

harbor235 ;}
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:bruce8024
ID: 36893206
Ok just to be clear 1.2.3.4/32 is the IP the ISP has provisioned me, 1.2.3.5 is the gateway the ISP has given me for that IP.  Should the route be for 1.2.3.4 or 1.2.3.5?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893207

You know i did not even see you used that address, so you would add 1.2.4.5 as your gateway.

it must have been in my head but did not realize it, DOH?  but that range is not your real range anyway, it was an example as well, correct?

harbor235 ;}
0
 

Author Comment

by:bruce8024
ID: 36893344
Yes these were example IPs.  For some reason I didn't want to use my actual IPs ... :)
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893362


I have configured several SRXs, let me know how it goes.

harbor235 ;}
0
 

Author Comment

by:bruce8024
ID: 36921026
Harbor You still there?

I am trying to setup just a basic NAT and policy.  I want to nat port 3389 from 65.x.x.115 to 192.x.x.5.  I am using J-web again, I setup up the NAT, I added to the 65.x.x.115 to the untrust interface (ge/0/0/0), and I added a firewall policy that goes from untrust/any to untrust/65.x.x.115 and it allows 3389.  Am I missing something cause it won't work...
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36924276


I do not use J-WEB so it is hard to say, can you post teh resulting NAT config J-WEB generated?

Here is an example of command line destination NAT:

security {
    nat {
        static {
            rule-set SERVERS {
                from zone untrust;
                rule server1 {
                    match {
                        destination-address 1.2.3.4/32;
                    }
                    then {
                        static-nat prefix 172.22.210.50/32;
                    }
                }
                rule server2 {
                    match {
                        destination-address 1.2.3.5/32;
                    }
                    then {
                        static-nat prefix 172.22.210.51/32;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/0.0 {
                address {
                    1.2.3.4/32;
                    1.2.3.5/32;
                }
            }
        }
    }
0
 

Author Comment

by:bruce8024
ID: 36925430
yes this helps because I was trying to use destination nats, ill try using static nats... thanks again
0
 

Author Comment

by:bruce8024
ID: 36925440
although where do you designate which ports are allowed on that specific nat?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36926566


my eample is a one to one NAT, you can allow whatever ports through with your security policy,
remember this is not PAT

harbor235 ;}
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introducing Priority Question, our latest feature.
Ready to get certified? Check out some courses that help you prepare for third-party exams.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question