Configure Juniper

I've inherited a J2320 which is the WAN connection for an internal LAN and I need some fast advice on how to configure it.  I understand the technology, I have configured many Cisco routers in the past, but for this J2320 I don't have a SMARTNET-like contract with Juniper to get help.  On-line documentation stinks.  What I need is this:

My public WAN IP is  That is the only IP allotted for the LAN.  There are three internal LANs with private IP, and  The downstream connection from the J2320 is a Cisco switch configured with VLANs 10, 20 and 30 for those three private subnets.  The J2320 will have one port connected to the public IP and another port connected to the switch over a trunk consisting of the three VLANs (subnets).
Right now, on that first subnet will be a Subversion server, a Web server and an FTP server.  On the second subnet are the laptops of folks that need to get out on the internet as well as have access to the three servers.  They will get DHCP from the J2320 on the   Third subnet, what I'll do in the future is add a proxy server for all internet access for all users; not doing that yet.
Can I get help on this?  Can someone give the configuration they would do for this?  
In order of importance...
Most concerned about the port forwarding to get the servers to be available to the public.  
Second concern is getting the DHCP server to work for the workstations on the network and the Natting so the workstations can get out on internet.  
Third most important is the trunking connection between the J2320 and the switch.
Fourth is making sure the firewall capability is working for the J2320 to protect all three subnets as well as the router itself from the internet.  
Last on the list is the provision for the proxy (which I imagine has to do with the security zones).
Please, this may seem like a lot but not for someone versed in Juniper.  I would really appreciate the help.  If you have a config for this please share.

You would need to configure the router in FLOW mode; use the latest JTAC recommended image 10.4R8.5 [image link (requires authentication):].

You can use on-board ports; the setup would be something like this:

Internet------ge-0/0/0=J2320=ge-0/0/1------Internal switch

You would create two security zones, say trust for internal network and untrust for external network.

Assign ge-0/0/0.0 to untrust and ge-0/0/1.10, ge-0/0/1.20, ge-0/0/1.30 to trust [you can use separate physical interface rather than using just ge-0/0/1 if you wish].

If you use a single interface then configure ge-0/0/1 for vlan-trunking and configure vlan-id 10, 20, 30 [I have used units or logical interface names 10, 20, 30 for ease of understanding but you can use anything you wish].

You would add source nat from trust to untrust matching source 0/0 and do interface nat for all outbound traffic.

There would be a security policy from trust to untrust allowing ALL traffic.

To allow traffic from ge-0/0/1.10 to ge-0/0/1.20, you would add a security policy from-zone trust to-zone trust, and allow specific/ALL traffic as you wish.

For allowing traffic from untrust to trust for specific services [svn/ftp/http], it would be preferred that you configure static NAT; you can use destination NAT as well.

For configuring the J2320 as a DHCP server, under system services you would configure DHCP with the proper router-id [default gateway, which would be the J2320 interface IP, in my illustration ge-0/0/1.20].
Please note J2320 does not act as DNS proxy, so configure DNS server as given by your ISP or internal DNS server [as applicable] in DHCP settings.

Finally, when you configure the proxy on ge-0/0/1.30, I do not understand how you would redirect web traffic; the J2320 does not act as a web redirector. Maybe you can look into this later.

For CLIs/web UI configuration steps, refer links below:


Interface and security zones:

Configuring DNS on J2320:

Configuring security policies:

Configuring NAT:

I understand that you might get stuck, as you are doing the configuration for the first time and at times the CLI/UI might not be intuitive; so please let me know the exact place and method you use to configure and we can assist you further.

Thank you.
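A consolidated configuration for the design described in this answer, added here as an example and not taken from the thread. All addresses are constructed (203.0.113.10 as the single public IP, 10.0.10/20/30.0/24 for the three VLAN subnets, 203.0.113.1 for the ISP gateway, 203.0.113.53 for a DNS server); interface, unit and zone names follow the answer, and the syntax is Junos 10.x with zone-level address books.

```junos
## Constructed addressing, not from the thread: 203.0.113.10/24 is the single public
## IP, 10.0.10/20/30.0/24 are the three VLAN subnets, 203.0.113.1 is the ISP gateway.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet address 10.0.10.1/24
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 20 family inet address 10.0.20.1/24
set interfaces ge-0/0/1 unit 30 vlan-id 30
set interfaces ge-0/0/1 unit 30 family inet address 10.0.30.1/24
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
## Zones. untrust gets no host-inbound services, so the router itself is unreachable
## from the Internet; trust must list the management service you use (https/ssh here)
## or the commit will lock you out of the web UI.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.10
set security zones security-zone trust interfaces ge-0/0/1.20
set security zones security-zone trust interfaces ge-0/0/1.30
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
## Outbound: interface (PAT) source NAT behind the public address
set security nat source rule-set out from zone trust
set security nat source rule-set out to zone untrust
set security nat source rule-set out rule all-out match source-address 0.0.0.0/0
set security nat source rule-set out rule all-out then source-nat interface
## Policies: trust may go anywhere out; laptops (VLAN 20) may reach servers (VLAN 10).
## Intrazone traffic is denied by default, so the trust-to-trust policy is required.
set security policies from-zone trust to-zone untrust policy out match source-address any
set security policies from-zone trust to-zone untrust policy out match destination-address any
set security policies from-zone trust to-zone untrust policy out match application any
set security policies from-zone trust to-zone untrust policy out then permit
set security zones security-zone trust address-book address lan-laptops 10.0.20.0/24
set security zones security-zone trust address-book address lan-servers 10.0.10.0/24
set security policies from-zone trust to-zone trust policy laptops-to-servers match source-address lan-laptops
set security policies from-zone trust to-zone trust policy laptops-to-servers match destination-address lan-servers
set security policies from-zone trust to-zone trust policy laptops-to-servers match application any
set security policies from-zone trust to-zone trust policy laptops-to-servers then permit
## DHCP for the laptop VLAN; the J2320 does not proxy DNS, so hand out a real server
set system services dhcp pool 10.0.20.0/24 address-range low 10.0.20.100 high 10.0.20.200
set system services dhcp pool 10.0.20.0/24 router 10.0.20.1
set system services dhcp pool 10.0.20.0/24 name-server 203.0.113.53
## Apply with a safety net: the commit rolls back unless confirmed within 5 minutes
commit confirmed 5
```

Follow `commit confirmed 5` with a plain `commit` once you have verified you can still reach the management interface.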

mrkentAuthor Commented:
Thank you.  I ran into a couple problems immediately, perhaps you can help?
Firstly, I wasn't able to download the new software because Juniper told me I don't have a support contract (remember I inherited the router) based on my serial number.  Seriously???

So, do I really need to be in flow mode?  And what is flow mode?

Which of the above configurations can I still do?

As for your comment on the proxy server, I was planning on installing squid proxy for the internal users to use.  All access for them would be via the proxy.  Not sure what you mean by the router redirecting web traffic?
There are two modes in which a J-series router can work.
As a dedicated router: packet mode; the packets are transmitted on per packet basis or as they arrive.

As a firewall+IPS+UTM device: flow mode; here the device maintains the session table and keeps track of flows as against individual packets.

In flow mode you can do all the configuration I listed.

To check the status, issue command [hopefully would work in the OS version you have]: show security flow status

If you are in packet mode, you would not be able to configure zones or configure security policy or firewall policies. Just normal routing configuration would be available.

Which version of Junos are you running?
on CLI issue: show version
mrkentAuthor Commented:
version 10.2R3.10

Is that good enough? If so, how do I go from "packet" mode to "flow" mode and vice versa?

If not, would the zone, security policy and firewall policy config be the only things I can't do?
Yes 10.2R3.10 is good enough.

show security flow status

This command would tell you if you are in packet or flow mode.

In packet mode J2320 is a router; in flow mode a firewall+Router+switch+VPN+UTM device

to change to packet mode:
set security forwarding-options family mpls mode packet-based

to change to flow:
delete security forwarding-options

Thank you.
mrkentAuthor Commented:
For the most part, I think I am making progress so far.
However at the moment I can't ping from the router.  So I'm missing something.  I tried to ping the default gateway and known IP sites like etc.  Also, it is not answering ping from other hosts on the WAN.
You would need to enable host-inbound-traffic on the security zone, something like:
set security zones security-zone trust host-inbound-traffic system-services [ping|all...]

Once you configure above your box would start to ping from outside.

You should be able to ping the directly connected interfaces from the router; and then from the end hosts you should ping the internal interface IP; then external interface IP.

Finally remember to configure source NAT so that internal machines can get on to the internet.

Please check and update.

Thank you.
mrkentAuthor Commented:
Thanks I'll try that shortly.  I haven't gotten to the point yet where I am testing internal machines to the outside.  Just testing the router itself.

"You should be able to ping the directly connected interfaces from the router;" ...
Did you mean even before I enabled host-inbound-traffic on the security zone, I should have been able to do this?
Yes; you would not be able to ping from other devices to router itself till you allow host-inbound traffic; but from router you would be able to ping others.

What is the output of:
show security flow status
mrkentAuthor Commented:
Well... I screwed something up and never got a chance to show you that output.  In the process of configuring the security zone information, I got kicked out when my configs were being committed.  Can't get back in thru that maint interface any more (the web config login interface).   Next step, get in thru console and try to undo what I did.
Stand by...
In the meantime, any words of wisdom?
mrkentAuthor Commented:
I went back into the console and did a 'rollback' so that I can get back in thru the web config interface.  Found that my problem was that I didn't include my web interface port among the interfaces allowed in the "host-inbound-traffic" in my security-zone trust.

So here is the output you were looking for:

root@juno-rtr> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

Is that what you expected to see?

I still have a little work to do, it is not providing dhcp service...  still troubleshooting as it may be a connectivity issue between this router and the dhcp clients...
Yes that is what I expected to see.

Sorry I missed your previous update and didn't respond when you were unable to login; rollback through console is one of the good things which Juniper provides; there is also commit confirmed you can try! :)

For DHCP server; ensure that you have enabled DHCP host-inbound service on the security zone and that the interface does not override the zone config.

Let me know if you need more details.

Thank you.
mrkentAuthor Commented:
I believe I have that covered.  I have this in the security-zone trust section, and the interface that I want the DHCP service is in this section too:
host-inbound-traffic {
                system-services {
                protocols {
               interfaces {
                etc...         ;

and in the interface config...
unit 3 {
            vlan-id 3;
            family inet {

There is a switch between the router and its DHCP clients so I'm troubleshooting that.

BTW-diff subj, is it OK to have more than one subnet in the same security-zone trust?  I have more than one interface assigned to it, for instance my web config interface port.
mrkentAuthor Commented:
TYPO... that's

"unit 30 {
            vlan-id 30;"
mrkentAuthor Commented:
Got it to work!  DHCP is working.  Problem was in the switch as I suspected.

Just got these last two questions and I'm done...
1.  Previous question about it being OK for having more than one subnet, more than one interface in the same security-zone trust?
2.  syntax issue that doesn't seem to take:  I'm trying to do port forwarding to a udp port instead of tcp.  
    security nat destination rule-set inbound rule newserver-nat match destination-port udp 888
Problem is it doesn't like udp port there.   How would I do this?

Thank you!
Yes it is fine to have multiple interfaces with different subnets in the same security zone. If you wish to allow traffic between subnets you would need to define an intrazone security policy like:
 set security policies from-zone trust to-zone trust policy blah

We would define the port without saying if it is TCP or UDP. We can then further specify match condition as protocol.

 set security nat destination pool dst-nat-pool-1 address
 set security nat destination rule-set r1 from zone untrust
 set security nat destination rule-set r1 rule r1 match destination-address
 set security nat destination rule-set r1 rule r1 match destination-port 888
 set security nat destination rule-set r1 rule r1 match protocol udp
 set security nat destination rule-set r1 rule r1 then destination-nat pool dst-nat-pool-1

Additionally if you wish to have port redirection on target machine to be any other port than 888; when specifying pool also specify port.
 set security nat destination pool dst-nat-pool-1 address port 999

Please implement and update.
mrkentAuthor Commented:
Got it.  I'll be in the office tomorrow and finish it and will update.
Thank you!
mrkentAuthor Commented:
"set security nat destination rule-set r1 rule r1 match protocol udp"

It doesn't give me the option to assign a protocol after "match" so it appears I can't choose udp ports to port-forward to?  (Also, if I ever get this working I want to port forward several udp ports, a range of 888 to 958)

As I continue to troubleshoot this, I have started the squid proxy configuration.  It will have its own private statically assigned IP  Browsers need to be set to look to that IP and squid's port 3128 for proxy.  Squid proxy in trust zone.  ---Any further configuration needed in this router?
I think match protocol is not in 10.2R3; I had checked on a router running 11.4R1.

To forward a range, you would need to define each port one at a time. Use maybe Excel or some script to generate the output, for example on the MS-DOS command prompt issue:
@echo off
for /L %i in (888,1,958) do echo set security nat destination rule-set r1 rule r1 match destination-port %i
@echo on

For the squid proxy, as all machines would auto send packets to squid, the J2320 would not come into the picture, hence no configuration is required on the J2320.
When squid forwards all packets to the J2320, the J2320 would see only one host on the internal network sending many outbound requests; it would do source NAT as configured and send the traffic out as permitted by security policy.

For inbound traffic as configured it would do destination or static NAT and as configured by security policy permit the traffic in to the specified internal host.

Thank you.
mrkentAuthor Commented:
Not having "match protocol" in my IOS is going to set me back.  If it is not available in 10.2R3.10 I'm stuck because I don't have a maintenance contract with Juniper to get an IOS upgrade.  -Don't I need that?  So there is no other way to do port forwarding on a udp port?

Regarding inbound traffic, my squid proxy will be, statically assigned, and will get source natted (PAT) to the public when it browses on behalf of the internal users.  All return traffic gets back to the proxy because of the router maintaining "stateful" sessions.  There will be no initiating from outside to the proxy (unless I have squid proxy procedures wrong) -so there would be no destination or static NAT with regards to the squid proxy.   -Unlike what is being done with the web and subversion and ftp servers.   If I seem redundant I just want to make sure I have that right in my head.  Correct?
If you do not have match protocol then the NAT rule would match both TCP and UDP; it would not be much of a problem as in further packet processing the security policy is the one which would only allow UDP inbound, so you are covered from a security perspective.

Should work all good [source NAT for proxy and destination/static NAT for servers]!

Please go ahead with implementation and update how things go.

Thank you.
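An added example (not from the thread) of the inbound side on Junos 10.x: the destination NAT rule has no "match protocol" and so translates TCP and UDP 888 alike, while a custom UDP application in the untrust-to-trust policy is what actually restricts it; because policy lookup happens after destination NAT, the policy names the private server address. Addresses (203.0.113.10 public, 10.0.10.5 web server, 10.0.10.6 UDP host) are constructed, and destination NAT rather than static NAT is used because the thread has a single public IP that is also the interface address.

```junos
## Constructed values, not from the thread: public 203.0.113.10, web server 10.0.10.5,
## UDP service host 10.0.10.6; 888 is the port from the thread.
set security nat destination pool web-srv address 10.0.10.5/32
set security nat destination pool udp-srv address 10.0.10.6/32
set security nat destination rule-set inbound from zone untrust
set security nat destination rule-set inbound rule web match destination-address 203.0.113.10/32
set security nat destination rule-set inbound rule web match destination-port 80
set security nat destination rule-set inbound rule web then destination-nat pool web-srv
## Without "match protocol" (absent in 10.2) this rule translates both TCP and UDP 888 ...
set security nat destination rule-set inbound rule udp888 match destination-address 203.0.113.10/32
set security nat destination rule-set inbound rule udp888 match destination-port 888
set security nat destination rule-set inbound rule udp888 then destination-nat pool udp-srv
## ... so the protocol restriction lives in a custom application referenced by the policy.
## Policy lookup runs after destination NAT, so the policy matches the private address.
set applications application app-udp-888 protocol udp
set applications application app-udp-888 destination-port 888
set security zones security-zone trust address-book address web-srv 10.0.10.5/32
set security zones security-zone trust address-book address udp-srv 10.0.10.6/32
set security policies from-zone untrust to-zone trust policy in-web match source-address any
set security policies from-zone untrust to-zone trust policy in-web match destination-address web-srv
set security policies from-zone untrust to-zone trust policy in-web match application junos-http
set security policies from-zone untrust to-zone trust policy in-web then permit
set security policies from-zone untrust to-zone trust policy in-udp match source-address any
set security policies from-zone untrust to-zone trust policy in-udp match destination-address udp-srv
set security policies from-zone untrust to-zone trust policy in-udp match application app-udp-888
set security policies from-zone untrust to-zone trust policy in-udp then permit
## Verify the NAT rules and the policies; TCP 888 is translated but then denied by policy
show security nat destination rule all
show security policies from-zone untrust to-zone trust
```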
mrkentAuthor Commented:
Thank you for your help.  You have been tremendous.  I wish I had more points to give.
Happy I could be of assistance!