Solved

Juniper SRX NOOBIE

Posted on 2011-09-29
12
1,122 Views
Last Modified: 2012-06-27

I am complete noob to JunOS and SRX so I am trying to use the J-Web interface to configure a new SRX240.  Of course I cannot figure out how to do the most basic thing.  I need to configure the outside "untrust" interface to have the IP of 1.2.3.4/30 with the gateway of 1.2.3.5.  But I cannot see where to add the gateway for the external facing interface (ge 0/0/0.0).  Thus I cannot get connectivity to the internet.  Perhaps I need to add services or protocols to the untrust zone; I have not made any changes to this zone since the intial config wizard set this up.  Any help would be great
0
Comment
Question by:bruce8024
  • 6
  • 6
12 Comments
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 36890949


under routing options,

CLI:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.2.3.4;
       
JWEB:
http://www.juniper.net/techpubs/en_US/junos11.3/topics/task/configuration/routing-policy-ex-series-j-web.html

harbor235 ;}

0
 

Author Comment

by:bruce8024
ID: 36893180
Do I need to add the external gateway for 1.2.3.4?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893188

substitute your gateway for 1.2.3.4, it was just an example.

harbor235 ;}
0
 

Author Comment

by:bruce8024
ID: 36893206
Ok just to be clear 1.2.3.4/32 is the IP the ISP has provisioned me, 1.2.3.5 is the gateway the ISP has given me for that IP.  Should the route be for 1.2.3.4 or 1.2.3.5?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36893207

You know i did not even see you used that address, so you would add 1.2.4.5 as your gateway.

it must have been in my head but did not realize it, DOH?  but that range is not your real range anyway, it was an example as well, correct?

harbor235 ;}
0
 

Author Comment

by:bruce8024
ID: 36893344
Yes these were example IPs.  For some reason I didn't want to use my actual IPs ... :)
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 32

Expert Comment

by:harbor235
ID: 36893362


I have configured several SRXs, let me know how it goes.

harbor235 ;}
0
 

Author Comment

by:bruce8024
ID: 36921026
Harbor You still there?

I am trying to setup just a basic NAT and policy.  I want to nat port 3389 from 65.x.x.115 to 192.x.x.5.  I am using J-web again, I setup up the NAT, I added to the 65.x.x.115 to the untrust interface (ge/0/0/0), and I added a firewall policy that goes from untrust/any to untrust/65.x.x.115 and it allows 3389.  Am I missing something cause it won't work...
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36924276


I do not use J-WEB so it is hard to say, can you post teh resulting NAT config J-WEB generated?

Here is an example of command line destination NAT:

security {
    nat {
        static {
            rule-set SERVERS {
                from zone untrust;
                rule server1 {
                    match {
                        destination-address 1.2.3.4/32;
                    }
                    then {
                        static-nat prefix 172.22.210.50/32;
                    }
                }
                rule server2 {
                    match {
                        destination-address 1.2.3.5/32;
                    }
                    then {
                        static-nat prefix 172.22.210.51/32;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/0.0 {
                address {
                    1.2.3.4/32;
                    1.2.3.5/32;
                }
            }
        }
    }
0
 

Author Comment

by:bruce8024
ID: 36925430
yes this helps because I was trying to use destination nats, ill try using static nats... thanks again
0
 

Author Comment

by:bruce8024
ID: 36925440
although where do you designate which ports are allowed on that specific nat?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 36926566


my eample is a one to one NAT, you can allow whatever ports through with your security policy,
remember this is not PAT

harbor235 ;}
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now