Solved

Configure Juniper

Posted on 2012-03-14
Last Modified: 2012-04-30
I've inherited a J2320 which is the WAN connection for an internal LAN and I need some fast advice on how to configure it.  I understand the technology; I have configured many Cisco routers in the past, but for this J2320 I don't have a SMARTNET-like contract with Juniper to get help.  On-line documentation stinks.  What I need is this:

My public WAN IP is 124.35.45.202.  That is the only IP allotted for the LAN.  There are three internal LANs with private IP 10.1.1.0/24, 10.2.1.0/24 and 10.3.1.0/24.  The downstream connection from the J2320 is a Cisco switch configured with VLANs 10, 20 and 30 for those three private subnets.  The J2320 will have one port connected to the public IP and another port connected to the switch over a trunk consisting of the three VLANs (subnets).
Right now, on that first subnet will be a Subversion server 10.1.1.35, a Web server 10.1.1.36 and an FTP server 10.1.1.37.  On the second subnet are the laptops of folks that need to get out on the internet as well as have access to the three servers.  They will get DHCP from the J2320 on the 10.2.1.0/24.   Third subnet: what I'll do in the future is add a proxy server for all internet access for all users, not doing that yet.
Can I get help on this?  Can someone give the configuration they would do for this?  
In order of importance...
Most concerned about the port forwarding to get the servers to be available to the public.  
Second concern is getting the DHCP server to work for the workstations on the 10.2.1.0/24 network and the Natting so the workstations can get out on internet.  
Third most important is the trunking connection between the J2320 and the switch.
Fourth is making sure the firewall capability is working for the J2320 to protect all three subnets as well as the router itself from the internet.  
Last on the list is the provision for the proxy (which I imagine has to do with the security zones).
Please, this may seem like a lot but not for someone versed in Juniper.  I would really appreciate the help.  If you have a config for this please share.
Question by:mrkent
23 Comments
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 37732471
You would need to configure the router in FLOW mode; use the latest JTAC recommended image 10.4R8.5 [image link (requires authentication): https://download.juniper.net/software/junos/10.4R8.5/junos-jsr-10.4R8.5-domestic.tgz].

You can use on-board ports; the setup would be something like this:

Internet------ge-0/0/0=J2320=ge-0/0/1------Internal switch

You would create two security zones, say trust for internal network and untrust for external network.

Assign ge-0/0/0.0 to untrust and ge-0/0/1.10, ge-0/0/1.20, ge-0/0/1.30 to trust [you can use separate physical interface rather than using just ge-0/0/1 if you wish].

If you use single interface then configure ge-0/0/1 for vlan-trunking and configure vlan-id 10, 20, 30 [I have used units or logical interface name as 10,20,30 for ease of understanding but you can use anything you wish].

You would add source nat from trust to untrust matching source 0/0 and do interface nat for all outbound traffic.

There would be a security policy from trust to untrust allowing ALL traffic.

To allow traffic from ge-0/0/1.10 to ge-0/0/1.20, you would add a security policy from-zone trust to-zone trust, and allow specific/ALL traffic as you wish.

For allowing traffic from untrust to trust for specific services [svn/ftp/http], it would be preferred that you configure static NAT; you can use destination NAT either as well.

For configuring j2320 as DHCP server, under system service you would configure DHCP with proper router-id [default gateway which would be J2320 interface IP, in my illustration ge-0/0/1.20].
Please note J2320 does not act as DNS proxy, so configure DNS server as given by your ISP or internal DNS server [as applicable] in DHCP settings.

Finally, when you configure the proxy on ge-0/0/1.30, I do not understand how you would redirect web traffic; the J2320 does not act as a web redirector. Maybe you can look into this later.

For CLIs/web UI configuration steps, refer links below:

DHCP:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15754

Interface and security zones:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16556

Configuring DNS on J2320:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15656

Configuring security policies:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16553

Configuring NAT:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15758

I understand that you might get stuck, as you are doing the configuration for the first time and at times the CLI/UI might not be intuitive; so please let me know the exact place and method you use to configure and we can assist you further.

Thank you.
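A complete starting configuration for the topology described in the answer above, in Junos set syntax, as an added example that is not part of the original thread or of Juniper's documentation. Everything not stated in the thread is an assumption: ge-0/0/0 carries a /30 with an ISP gateway of 124.35.45.201, the J2320 takes the .1 address of each inside subnet, svnserve listens on TCP 3690, DHCP hands out 10.2.1.100 to 10.2.1.200 with 4.2.2.2 as the resolver, and the zone, pool, rule and application names are mine. Adjust those to the real values before committing.

```junos
## Interfaces: ge-0/0/0 to the ISP, ge-0/0/1 as an 802.1Q trunk to the Cisco switch.
## The /30 and the gateway 124.35.45.201 are assumptions; use what the ISP gave you.
set interfaces ge-0/0/0 unit 0 family inet address 124.35.45.202/30
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 20 vlan-id 20 family inet address 10.2.1.1/24
set interfaces ge-0/0/1 unit 30 vlan-id 30 family inet address 10.3.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 124.35.45.201

## Zones. Listing an interface under a zone puts it behind the policies; host-inbound-traffic
## is what lets the router itself answer on that interface. Inside: ping, ssh, J-Web, DHCP.
## Outside: nothing, so the box does not answer probes from the internet.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.10
set security zones security-zone trust interfaces ge-0/0/1.20
set security zones security-zone trust interfaces ge-0/0/1.30
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services dhcp
set system services ssh
set system services web-management https system-generated-certificate

## Address book (zone-level in Junos 10.x) and a custom application for svnserve (3690 assumed).
set security zones security-zone trust address-book address svn-server 10.1.1.35/32
set security zones security-zone trust address-book address web-server 10.1.1.36/32
set security zones security-zone trust address-book address ftp-server 10.1.1.37/32
set applications application svnserve protocol tcp destination-port 3690

## Source NAT: everything leaving trust for untrust is hidden behind ge-0/0/0's address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule outbound match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule outbound then source-nat interface

## Destination NAT: one public address, so inbound traffic is steered by destination port.
set security nat destination pool svn-server address 10.1.1.35/32
set security nat destination pool web-server address 10.1.1.36/32
set security nat destination pool ftp-server address 10.1.1.37/32
set security nat destination rule-set inbound from zone untrust
set security nat destination rule-set inbound rule to-svn match destination-address 124.35.45.202/32
set security nat destination rule-set inbound rule to-svn match destination-port 3690
set security nat destination rule-set inbound rule to-svn then destination-nat pool svn-server
set security nat destination rule-set inbound rule to-web match destination-address 124.35.45.202/32
set security nat destination rule-set inbound rule to-web match destination-port 80
set security nat destination rule-set inbound rule to-web then destination-nat pool web-server
set security nat destination rule-set inbound rule to-ftp match destination-address 124.35.45.202/32
set security nat destination rule-set inbound rule to-ftp match destination-port 21
set security nat destination rule-set inbound rule to-ftp then destination-nat pool ftp-server

## Policies. Destination NAT runs before policy lookup, so the untrust-to-trust rules match
## the translated private address and only the named service; anything else from untrust
## hits the default deny. junos-ftp also engages the FTP ALG for the data connections.
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit
set security policies from-zone trust to-zone trust policy allow-intrazone match source-address any
set security policies from-zone trust to-zone trust policy allow-intrazone match destination-address any
set security policies from-zone trust to-zone trust policy allow-intrazone match application any
set security policies from-zone trust to-zone trust policy allow-intrazone then permit
set security policies from-zone untrust to-zone trust policy inbound-svn match source-address any
set security policies from-zone untrust to-zone trust policy inbound-svn match destination-address svn-server
set security policies from-zone untrust to-zone trust policy inbound-svn match application svnserve
set security policies from-zone untrust to-zone trust policy inbound-svn then permit
set security policies from-zone untrust to-zone trust policy inbound-web match source-address any
set security policies from-zone untrust to-zone trust policy inbound-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy inbound-web match application junos-http
set security policies from-zone untrust to-zone trust policy inbound-web then permit
set security policies from-zone untrust to-zone trust policy inbound-ftp match source-address any
set security policies from-zone untrust to-zone trust policy inbound-ftp match destination-address ftp-server
set security policies from-zone untrust to-zone trust policy inbound-ftp match application junos-ftp
set security policies from-zone untrust to-zone trust policy inbound-ftp then permit

## DHCP for the laptop VLAN. The J2320 does not proxy DNS, so hand out a real resolver
## (4.2.2.2 here is an assumption; use the ISP's or an internal DNS server).
set system services dhcp pool 10.2.1.0/24 address-range low 10.2.1.100 high 10.2.1.200
set system services dhcp pool 10.2.1.0/24 router 10.2.1.1
set system services dhcp pool 10.2.1.0/24 name-server 4.2.2.2
```

Commit this with `commit confirmed 5` rather than a plain `commit`: if the host-inbound-traffic or zone membership of the interface you are managing through is wrong, the configuration rolls back on its own after five minutes instead of leaving you on the console. Then check `show security zones`, `show security nat destination rule all` (hit counts per rule), `show security policies` and, while a client is connected, `show security flow session`.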

Author Comment

by:mrkent
ID: 37761546
Thank you.  I ran into a couple problems immediately, perhaps you can help?
Firstly, I wasn't able to download the new software because Juniper told me I don't have a support contract (remember I inherited the router) based on my serial number.  Seriously???

So, do I really need to be in flow mode?  And what is flow mode?

Which of the above configurations can I still do?

As for you comment on the proxy server, I was planning on installing squid proxy for the internal users to use.  All access for them would be via the proxy.  Not sure what you mean by the router doing re-directing web traffic?
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37762244
There are two modes in which a J-series router can work.
As a dedicated router: packet mode; packets are forwarded on a per-packet basis, as they arrive.

As a firewall+IPS+UTM device: flow mode; here the device maintains a session table and keeps track of flows rather than individual packets.

In flow mode you can do all the configuration I listed.

To check the status, issue command [hopefully would work in the OS version you have]: show security flow status

If you are in packet mode, you would not be able to configure zones or configure security policy or firewall policies. Just normal routing configuration would be available.

Which version of Junos are you running?
On the CLI, issue: show version

Author Comment

by:mrkent
ID: 37766738
version 10.2R3.10

Is that good enough? If so, how do I go from "packet" mode to "flow" mode and vice versa?

If not, would the zone and security policy and firewall policy config the only thing I can't do?
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37770959
Yes 10.2R3.10 is good enough.

show security flow status

This command would tell you if you are in packet or flow mode.

In packet mode J2320 is a router; in flow mode a firewall+Router+switch+VPN+UTM device

to change to packet mode:
set security forwarding-options family mpls mode packet-based

to change to flow:
delete security forwarding-options

Thank you.

Author Comment

by:mrkent
ID: 37783094
For the most part, I think I am making progress so far.
However at the moment I can't ping from the router.  So I'm missing something.  I tried to ping the default gateway and known IP sites like 4.2.2.2 etc.  Also, it is not answering ping from other hosts on the WAN.
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37783116
You would need to enable host-inbound-traffic on the security zone, something like:
set security zones security-zone trust host-inbound-traffic system-services [ping|all...]

Once you configure above your box would start to ping from outside.

You should be able to ping the directly connected interfaces from the router; and then from the end hosts you should ping the internal interface IP; then external interface IP.

Finally remember to configure source NAT so that internal machines can get on to the internet.

Please check and update.

Thank you.

Author Comment

by:mrkent
ID: 37783291
Thanks I'll try that shortly.  I haven't gotten to the point yet where I am testing internal machines to the outside.  Just testing the router itself.

"You should be able to ping the directly connected interfaces from the router;" ...
Did you mean even before I enabled host-inbound-traffic on the security zone, I should have been able to do this?
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37783373
Yes; you would not be able to ping from other devices to router itself till you allow host-inbound traffic; but from router you would be able to ping others.

What is the output of:
show security flow status

Author Comment

by:mrkent
ID: 37788407
Well... I screwed something up and never got a chance to show you that output.  In the process of configuring the security zone information, I got kicked out when my configs were being committed.  Can't get back in thru that maint interface any more (the web config login interface).   Next step, get in thru console and try to undo what I did.
Stand by...
In the meantime, any words of wisdom?

Author Comment

by:mrkent
ID: 37804524
I went back into the console and did a 'rollback' so that I can get back in thru the web config interface.  Found that my problem was that I didn't include my web interface port among my interfaces allowing in the "host-inbound-traffic" in my security-zone trust.

So here is the output you were looking for:

root@juno-rtr> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

Is that what you expected to see?

I still have a little work to do, it is not providing dhcp service...  still troubleshooting as it may be a connectivity issue between this router and the dhcp clients...
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37804919
Yes that is what I expected to see.

Sorry I missed your previous update and didn't respond when you were unable to login; rollback through console is one of the good things which Juniper provides; there is also commit confirmed you can try! :)

For DHCP server; ensure that you have enabled DHCP host-inbound service on the security zone and that the interface does not override the zone config.

Let me know if you need more details.

Thank you.

Author Comment

by:mrkent
ID: 37805742
I believe I have that covered.  I have this in the security-zone trust section, and the interface that I want the DHCP service is in this section too:
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    ge-0/0/1.10;
    ge-0/0/1.20;
    ge-0/0/1.30;
    etc...         ;


and in the interface config...
unit 3 {
    vlan-id 3;
    family inet {
        address 10.2.1.1/24;
    }
}

There is a switch between the router and its DHCP clients so I'm troubleshooting that.

BTW-diff subj, is it OK to have more than one subnet in the same security-zone trust?  I have more than one interface assigned to it, for instance my web config interface port.

Author Comment

by:mrkent
ID: 37805754
TYPO... that's

"unit 30 {
            vlan-id 30;"

Author Comment

by:mrkent
ID: 37808882
Got it to work!  DHCP is working.  Problem was in the switch as I suspected.

Just got these last two questions and I'm done...
1.  Previous question about it being OK for having more than one subnet, more than one interface in the same security-zone trust?
2.  syntax issue that doesn't seem to take:  I'm trying to do port forwarding to a udp port instead of tcp.  
    security nat destination rule-set inbound rule newserver-nat match destination-port udp 888
Problem is it doesn't like udp port there.   How would I do this?

Thank you!
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37809496
Yes it is fine to have multiple interfaces with different subnet in same security zone. If you wish to allow traffic between subnets you would need to define an intrazone security policy like:
 set security policies from-zone trust to-zone trust policy blah

We would define the port without saying if it is TCP or UDP. We can then further specify match condition as protocol.

 set security nat destination pool dst-nat-pool-1 address 192.168.1.200/32
 set security nat destination rule-set r1 from zone untrust
 set security nat destination rule-set r1 rule r1 match destination-address 1.1.1.1/32
 set security nat destination rule-set r1 rule r1 match destination-port 888
 set security nat destination rule-set r1 rule r1 match protocol udp
 set security nat destination rule-set r1 rule r1 then destination-nat pool dst-nat-pool-1


Additionally if you wish to have port redirection on target machine to be any other port than 888; when specifying pool also specify port.
 set security nat destination pool dst-nat-pool-1 address 192.168.1.200/32 port 999

Please implement and update.

Author Comment

by:mrkent
ID: 37821837
Got it.  I'll be in the office tomorrow and finish it and will update.
Thank you!

Author Comment

by:mrkent
ID: 37847130
"set security nat destination rule-set r1 rule r1 match protocol udp"

It doesn't give me the option to assign a protocol after "match" so it appears I can't choose udp ports to port-forward to?  (Also, if I ever get this working I want to port forward several udp ports, a range of 888 to 958)

As I continue to troubleshoot this, I have started the squid proxy configuration.  It will have its own private statically assigned IP 10.3.1.10.  Browsers need to be set to looking to that IP and squid's port 3128 for proxy.  Squid proxy in trust zone.  ---Any further configuration needed in this router?
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37848754
I think match protocol is not in 10.2R3; I had checked on a router running 11.4R1.

To forward a range, you would need to define each port one at a time. Use Excel or a script to generate the output; for example, at the MS-DOS command prompt issue:
@echo off
for /L %i in (888,1,958) do echo set security nat destination rule-set r1 rule r1 match destination-port %i
@echo on

For the squid proxy, as all machines would automatically send packets to squid, the J2320 would not come into the picture, hence no configuration is required on the J2320.
When squid would forward all packets to J2320, J2320 would see only one host on internal network sending too many outbound request, it would do source NAT as configured and send the traffic out as permitted by security policy.

For inbound traffic as configured it would do destination or static NAT and as configured by security policy permit the traffic in to the specified internal host.

Thank you.

Author Comment

by:mrkent
ID: 37849652
Not having "match protocol" in my IOS is going to set me back.  If it is not available in 10.2R3.10 I'm stuck because I don't have a maintenance contract with Juniper to get an IOS upgrade.  -Don't I need that?  So there is no other way to do port forwarding on a udp port?

Regarding inbound traffic, my squid proxy will be 10.3.1.10, statically assigned, and will get source natted (PAT) to the public 124.35.45.202 when it browses on behalf of the internal users.  All return traffic gets back to the proxy because of the router maintaining "stateful" sessions.  There will be no initiating from outside to the proxy (unless I have squid proxy procedures wrong) -so there would be no destination or static NAT with regards to the squid proxy.   -Unlike what is being done with the web and subversion and ftp servers.   If I seem redundant I just want to make sure I have that right in my head.  Correct?
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 37850158
If you do not have match protocol then the NAT rule would match both TCP and UDP; it would not be much of a problem as in further packet processing the security policy is the one which would only allow UDP inbound, so you are covered from a security perspective.

Should work all good [source NAT for proxy and destination/static NAT for servers]!

Please go ahead with implementation and update how things go.

Thank you.
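As an added example, not from the thread, this is the UDP forward with the protocol restriction carried by the security policy through a custom application, which is what the reply above relies on when the NAT rule cannot match on protocol. The rule-set name `inbound` is the author's; the application, policy and pool names and the internal host 10.1.1.38 are assumptions, since the thread never names the target. On Junos 10.2 a destination NAT rule takes one port and no protocol, so the range is expanded one rule per port (the first two are shown; the command-prompt loop in the earlier reply generates the rest).

```junos
## Custom application: UDP only, covering the whole 888-958 block in one definition.
set applications application udp-888-958 protocol udp
set applications application udp-888-958 destination-port 888-958

## Internal target (10.1.1.38 is an assumption) as address-book entry and NAT pool.
set security zones security-zone trust address-book address newserver 10.1.1.38/32
set security nat destination pool newserver-pool address 10.1.1.38/32

## Destination NAT on 10.2: no "match protocol" and one port per rule, so each rule fires
## for TCP and UDP alike. Rules for 888 and 889 shown; 890-958 follow the same pattern.
set security nat destination rule-set inbound from zone untrust
set security nat destination rule-set inbound rule newserver-888 match destination-address 124.35.45.202/32
set security nat destination rule-set inbound rule newserver-888 match destination-port 888
set security nat destination rule-set inbound rule newserver-888 then destination-nat pool newserver-pool
set security nat destination rule-set inbound rule newserver-889 match destination-address 124.35.45.202/32
set security nat destination rule-set inbound rule newserver-889 match destination-port 889
set security nat destination rule-set inbound rule newserver-889 then destination-nat pool newserver-pool

## Security policy, evaluated after translation: only UDP in the range reaches the host.
## A TCP SYN to 124.35.45.202:888 is still rewritten by the NAT rule, but it then matches
## no permit policy and is dropped by the default deny, so nothing TCP reaches 10.1.1.38.
set security policies from-zone untrust to-zone trust policy inbound-newserver match source-address any
set security policies from-zone untrust to-zone trust policy inbound-newserver match destination-address newserver
set security policies from-zone untrust to-zone trust policy inbound-newserver match application udp-888-958
set security policies from-zone untrust to-zone trust policy inbound-newserver then permit
```

To confirm the split, send a UDP datagram to port 888 from outside and look at `show security flow session destination-port 888`: the UDP session shows the translated destination 10.1.1.38, while a TCP connection attempt to the same port leaves no session and only increments the NAT rule counter in `show security nat destination rule all`.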

Author Comment

by:mrkent
ID: 37911634
Thank you for your help.  You have been tremendous.  I wish I had more points to give.
LVL 32

Expert Comment

by:dpk_wal
ID: 37913096
Happy I could be of assistance!