Juniper SRX NOOBIE


I am a complete noob to JunOS and SRX, so I am trying to use the J-Web interface to configure a new SRX240. Of course I cannot figure out how to do the most basic thing. I need to configure the outside "untrust" interface to have the IP of 1.2.3.4/30 with the gateway of 1.2.3.5. But I cannot see where to add the gateway for the external facing interface (ge 0/0/0.0). Thus I cannot get connectivity to the internet. Perhaps I need to add services or protocols to the untrust zone; I have not made any changes to this zone since the initial config wizard set this up. Any help would be great.
bruce8024 Asked:
 
harbor235 Commented:


Under routing options:

CLI:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.2.3.4;
    }
}

JWEB:
http://www.juniper.net/techpubs/en_US/junos11.3/topics/task/configuration/routing-policy-ex-series-j-web.html

harbor235 ;}

0
 
bruce8024 (Author) Commented:
Do I need to add the external gateway for 1.2.3.4?
0
 
harbor235 Commented:

Substitute your gateway for 1.2.3.4; it was just an example.

harbor235 ;}
0
 
bruce8024 (Author) Commented:
OK, just to be clear: 1.2.3.4/32 is the IP the ISP has provisioned me, 1.2.3.5 is the gateway the ISP has given me for that IP. Should the route be for 1.2.3.4 or 1.2.3.5?
0
 
harbor235 Commented:

You know, I did not even see you used that address, so you would add 1.2.4.5 as your gateway.

It must have been in my head but I did not realize it, DOH? But that range is not your real range anyway; it was an example as well, correct?

harbor235 ;}
0
 
bruce8024 (Author) Commented:
Yes, these were example IPs. For some reason I didn't want to use my actual IPs ... :)
0
 
harbor235 Commented:

I have configured several SRXs; let me know how it goes.

harbor235 ;}
0
 
bruce8024 (Author) Commented:
Harbor, you still there?

I am trying to set up just a basic NAT and policy. I want to NAT port 3389 from 65.x.x.115 to 192.x.x.5. I am using J-Web again. I set up the NAT, I added 65.x.x.115 to the untrust interface (ge/0/0/0), and I added a firewall policy that goes from untrust/any to untrust/65.x.x.115 and it allows 3389. Am I missing something, cause it won't work...
0
 
harbor235 Commented:

I do not use J-WEB so it is hard to say. Can you post the resulting NAT config J-WEB generated?

Here is an example of command line destination NAT:

security {
    nat {
        static {
            rule-set SERVERS {
                from zone untrust;
                rule server1 {
                    match {
                        destination-address 1.2.3.4/32;
                    }
                    then {
                        static-nat prefix 172.22.210.50/32;
                    }
                }
                rule server2 {
                    match {
                        destination-address 1.2.3.5/32;
                    }
                    then {
                        static-nat prefix 172.22.210.51/32;
                    }
                }
            }
        }
        /* Answer ARP on the outside interface for the translated public addresses */
        proxy-arp {
            interface fe-0/0/0.0 {
                address {
                    1.2.3.4/32;
                    1.2.3.5/32;
                }
            }
        }
    }
}
0
 
bruce8024 (Author) Commented:
Yes, this helps because I was trying to use destination NATs; I'll try using static NATs... thanks again
0
 
bruce8024 (Author) Commented:
Although, where do you designate which ports are allowed on that specific NAT?
0
 
harbor235 Commented:

My example is a one-to-one NAT; you can allow whatever ports through with your security policy.
Remember, this is not PAT.

harbor235 ;}
0
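The point of the last reply, as an added example that is not part of the original thread: with one-to-one static NAT, the port restriction lives in the security policy, not in the NAT rule. It assumes the server sits in the trust zone, reuses 172.22.210.50 from the static NAT example above, and uses constructed names (tcp-3389, rdp-server, admin-net) and a constructed source prefix (203.0.113.0/24).

```junos
/* Added example: custom application for the single port to expose */
applications {
    application tcp-3389 {
        protocol tcp;
        destination-port 3389;
    }
}
security {
    address-book {
        global {
            /* Private (post-NAT) address of the server from the static NAT rule */
            address rdp-server 172.22.210.50/32;
            /* Constructed placeholder: the only source range allowed to connect */
            address admin-net 203.0.113.0/24;
        }
    }
    policies {
        /* Zone pair is untrust -> trust, not untrust -> untrust:
           the SRX applies static NAT before the policy lookup, so the
           policy sees the translated destination in the trust zone. */
        from-zone untrust to-zone trust {
            policy allow-rdp-to-server1 {
                match {
                    source-address admin-net;
                    destination-address rdp-server;
                    application tcp-3389;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Everything else arriving for the public address falls through to the default deny of the untrust-to-trust zone pair, so only TCP 3389 from the listed source range reaches the server.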
Question has a verified solution.
