Ted

asked on

Configure Juniper

I've inherited a J2320 which is the WAN connection for an internal LAN and I need some fast advice on how to configure it.  I understand the technology, I have configured many Cisco routers in the past, but for this J2320 I don't have a SMARTNET-like contract with Juniper to get help.  On-line documentation stinks.  What I need is this:

My public WAN IP is 124.35.45.202.  That is the only IP allotted for the LAN.  There are three internal LANs with private IP 10.1.1.0/24, 10.2.1.0/24 and 10.3.1.0/24.  The downstream connection from the J2320 is a Cisco switch configured with VLANs 10, 20 and 30 for those three private subnets.  The J2320 will have one port connected to the public IP and another port connected to the switch over a trunk consisting of the three VLANs (subnets).
Right now, on that first subnet will be a Subversion server 10.1.1.35, a Web server 10.1.1.36 and an FTP server 10.1.1.37.  On the second subnet are the laptops of folks that need to get out on the internet as well as have access to the three servers.  They will get DHCP from the J2320 on the 10.2.1.0/24.   Third subnet, what I'll do in the future is add a proxy server for all internet access for all users, not doing that yet.
Can I get help on this?  Can someone give the configuration they would do for this?  
In order of importance...
Most concerned about the port forwarding to get the servers to be available to the public.  
Second concern is getting the DHCP server to work for the workstations on the 10.2.1.0/24 network and the Natting so the workstations can get out on internet.  
Third most important is the trunking connection between the J2320 and the switch.
Fourth is making sure the firewall capability is working for the J2320 to protect all three subnets as well as the router itself from the internet.  
Last on the list is the provision for the proxy (which I imagine has to do with the security zones)
Please, this may seem like a lot but not for someone versed in Juniper.  I would really appreciate the help.  If you have a config for this please share.
ASKER CERTIFIED SOLUTION
dpk_wal

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Ted

ASKER

Thank you.  I ran into a couple problems immediately, perhaps you can help?
Firstly, I wasn't able to download the new software because Juniper told me I don't have a support contract (remember I inherited the router) based on my serial number.  Seriously???

So, do I really need to be in flow mode?  And what is flow mode?

Which of the above configurations can I still do?

As for your comment on the proxy server, I was planning on installing squid proxy for the internal users to use.  All access for them would be via the proxy.  Not sure what you mean by the router re-directing web traffic?
SOLUTION
Ted

ASKER

version 10.2R3.10

Is that good enough? If so, how do I go from "packet" mode to "flow" mode and vice versa?

If not, would the zone and security policy and firewall policy config be the only thing I can't do?
SOLUTION
Ted

ASKER

For the most part, I think I am making progress so far.
However at the moment I can't ping from the router.  So I'm missing something.  I tried to ping the default gateway and known IP sites like 4.2.2.2 etc.  Also, it is not answering ping from other hosts on the WAN.
SOLUTION
Ted

ASKER

Thanks I'll try that shortly.  I haven't gotten to the point yet where I am testing internal machines to the outside.  Just testing the router itself.

"You should be able to ping the directly connected interfaces from the router;" ...
Did you mean even before I enabled host-inbound-traffic on the security zone, I should have been able to do this?
SOLUTION
Ted

ASKER

Well... I screwed something up and never got a chance to show you that output.  In the process of configuring the security zone information, I got kicked out when my configs were being committed.  Can't get back in thru that maint interface any more (the web config login interface).   Next step, get in thru console and try to undo what I did.
Stand by...
In the meantime, any words of wisdom?
Ted

ASKER

I went back into the console and did a 'rollback' so that I can get back in thru the web config interface.  Found that my problem was that I didn't include my web interface port among my interfaces allowing in the "host-inbound-traffic" in my security-zone trust.

So here is the output you were looking for:

root@juno-rtr> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

Is that what you expected to see?

I still have a little work to do, it is not providing dhcp service...  still troubleshooting as it may be a connectivity issue between this router and the dhcp clients...
SOLUTION
Ted

ASKER

I believe I have that covered.  I have this in the security-zone trust section, and the interface that I want the DHCP service is in this section too:
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    ge-0/0/1.10;
    ge-0/0/1.20;
    ge-0/0/1.30;
    etc...;
}


and in the interface config...
unit 3 {
    vlan-id 3;
    family inet {
        address 10.2.1.1/24;
    }
}

There is a switch between the router and its DHCP clients so I'm troubleshooting that.

BTW-diff subj, is it OK to have more than one subnet in the same security-zone trust?  I have more than one interface assigned to it, for instance my web config interface port.
Ted

ASKER

TYPO... that's

"unit 30 {
            vlan-id 30;"
Ted

ASKER

Got it to work!  DHCP is working.  Problem was in the switch as I suspected.

Just got these last two questions and I'm done...
1.  Previous question about it being OK for having more than one subnet, more than one interface in the same security-zone trust?
2.  syntax issue that doesn't seem to take:  I'm trying to do port forwarding to a udp port instead of tcp.  
    security nat destination rule-set inbound rule newserver-nat match destination-port udp 888
Problem is it doesn't like udp port there.   How would I do this?

Thank you!
SOLUTION
Ted

ASKER

Got it.  I'll be in the office tomorrow and finish it and will update.
Thank you!
Ted

ASKER

"set security nat destination rule-set r1 rule r1 match protocol udp"

It doesn't give me the option to assign a protocol after "match" so it appears I can't choose udp ports to port-forward to?  (Also, if I ever get this working I want to port forward several udp ports, a range of 888 to 958)

As I continue to troubleshoot this, I have started the squid proxy configuration.  It will have its own private statically assigned IP 10.3.1.10.  Browsers need to be set to look to that IP and squid's port 3128 for proxy.  Squid proxy in trust zone.  Any further configuration needed in this router?
SOLUTION
Ted

ASKER

Not having "match protocol" in my IOS is going to set me back.  If it is not available in 10.2R3.10 I'm stuck because I don't have a maintenance contract with Juniper to get an IOS upgrade.  Don't I need that?  So there is no other way to do port forwarding on a udp port?

Regarding inbound traffic, my squid proxy will be 10.3.1.10, statically assigned, and will get source natted (PAT) to the public 124.35.45.202 when it browses on behalf of the internal users.  All return traffic gets back to the proxy because of the router maintaining "stateful" sessions.  There will be no initiating from outside to the proxy (unless I have squid proxy procedures wrong), so there would be no destination or static NAT with regards to the squid proxy, unlike what is being done with the web and subversion and ftp servers.   If I seem redundant I just want to make sure I have that right in my head.  Correct?
SOLUTION
Ted

ASKER

Thank you for your help.  You have been tremendous.  I wish I had more points to give.
Happy I could be of assistance!